FCW : September 15, 2015
CYBERSECURITY

BRINGING SHADOW I.T. INTO THE LIGHT

The right policies and technologies can help agencies gain control over unauthorized IT products and services.

“Shadow IT” sounds scary, and for many agencies, it is. The term refers to when individual users, teams or other entities within an organization acquire IT products and services themselves, without involving the IT department or following organizational policies and procedures.

Shadow IT has been around for a long time, but its use has exploded in recent years with the increased adoption of cloud-based Software as a Service (SaaS) applications. These applications can be used on a subscription basis at low cost.

A recent report from Skyhigh Networks reveals some startling numbers. The average public-sector leader believes that his or her organization uses 60 to 70 shadow IT solutions, but in reality the number is 10 times that. Based on this revelation, federal IT leaders must face three important questions:

• Why is shadow IT so commonplace in federal agencies?
• What security concerns arise with shadow IT?
• How can agencies mitigate these concerns?

Reasons for Shadow IT

One of the main reasons that shadow IT has taken root at federal agencies is that users have immediate needs that are not met by the IT department. This may be due to slow agency procurement processes and security requirements that are perceived as being too strict.

Cost is another driver of shadow IT. Some users may find it less expensive to directly acquire cloud services instead of going through an agency’s IT department.

Further, employees are increasingly demanding access to the hardware, operating systems and especially applications that they prefer, instead of accepting tools provided by the IT department. The bring-your-own-device movement is a great example of this.

Security Concerns with Shadow IT

Agency IT leaders have a wide variety of security concerns related to shadow IT.

At the most basic level, many IT administrators are unable to determine whether a particular SaaS application is even a possible candidate for the agency to use. For example, an application may be partially or wholly hosted in another country, which could cause a serious compromise of privacy and security.

The terms of service of any cloud agreement also can raise significant concerns. A user acquiring a SaaS application is highly unlikely to conduct a formal review of its terms of service, but such a review might determine that the SaaS provider, law enforcement agencies or other parties have the right to monitor and access the users’ data, which could lead to security and privacy violations.

A higher-level concern is that shadow IT users are unlikely to conduct a risk assessment before acquiring and using these services. Without assessing risk, IT leaders have no way to determine what vulnerabilities are present and how they should be mitigated to bring risk down to an acceptable level.

SaaS providers vary greatly with regard to the strength of their security controls. Some providers assume that users’ IT departments will take care of security, so their own security measures are minimal. They may not encrypt data at rest, for example. This allows the SaaS provider to keep prices lower, but it puts users’ data at much higher risk of compromise. Users who

58%: The percentage of organizations that have a cloud security awareness training program for users or plan to create one. Source: Cloud Security Alliance, “Cloud Adoption Practices & Priorities Survey Report,” January 2015