It's a new Pluralsight course! Yes, I know I said that yesterday too, but this is a new new Pluralsight course and it's the second part in our series on Creating a Security-centric Culture. As I wrote there back in Jan, we're doing this course on a quarterly basis and putting it out in front of the paywall so in other words, it's free! It's also a combination of video and screencast which means you see a lot of this:
As for the topic in the title, shadow IT has always been an interesting one and certainly something I spent a great deal of time dealing with in the corporate environment. A quick definition for those who may not be familiar with the term:
Shadow IT is information-technology systems and solutions built and used inside organisations without explicit organisational approval
Frequently, this practice reared its head in discussions like these:
Bob from accounting: Hey Troy, we need help with our Access database
Troy: Uh, ok, first I've heard but what's the issue Bob?
Bob: Well, the system we use to track all our marketing spend on the new campaign has started running really slow. I mean it was fine when just I was using it, but then Jane and the team needed access too so I put it on a file share.
Troy: So hang on - you've got a bunch of people using an Access database on a file share, this doesn't do anything important, right?!
Bob: Oh yeah, it's critical, we can't be without it. The whole team needs it which is why it's on that file share, it's got a heap of really important sensitive info in it they all need to use.
I no longer work there. This sort of thing happens all the time in organisations of all sizes. But it was one thing to have an exposed Access database within an organisation a few years ago; it's quite another thing when today's equivalent is an exposed S3 bucket facing the world! And that's one of the things that has really increased the risk of shadow IT: the easy access to cloud services that, by design, allow anyone to publish data to the world. And often they do.
This course looks at how shadow IT is changing, what it means in a cloud era and what practices we can apply to address it. Importantly though, it recognises that shadow IT exists for a reason! For example, I talk a lot about the incident from back in December with British politicians openly admitting to sharing their passwords. This was clearly the wrong thing for them to do but equally, it wasn't done out of malice but rather because they clearly hadn't been given the support they needed to use the delegated access controls built into Office 365.
This is a very pragmatic, practical course and it's also only 39 minutes long, so it's easily consumable (we're targeting about 45 mins for these; the first one went over and this one obviously went under). I hope it helps people think differently about shadow IT, not just in terms of the risks it presents, but in terms of the role we as technology professionals have to play in ensuring there are better ways available to the businesses we support.