Saturday, December 3, 2016

A concern for decentralisation ... and shadow IT

I read with interest the article "Confirmed: Cloud no longer purchased or managed just by IT" from ComputerWorld Malaysia.

It reflects a concern I have about the growth of shadow IT and the decentralisation of the IT department.

When I say shadow IT, I mean that certain IT-related roles and jobs (IT services, IT systems setup and deployment, data storage, etc.) are being taken over and done by individual departments, without the IT department's consultation or knowledge.

When I say decentralisation, I mean that certain departments are taking over the role of running certain systems (for example, cloud-based applications, online ERP systems, online office productivity and collaboration solutions) from the IT department, thus decentralising IT services.

Why the concern? The concern is simple.

When other departments run IT solutions on their own, they just want to use them to get their work done. They do not look into various aspects, which include:

a) Compliance with ISO 27001/2/3 or other information security management standards, and good IT management and governance (e.g. COBIT).
b) Evaluation (features, requirements, suitability for users, support given, emphasis on security, infrastructure requirements and feasibility).
c) Third-party assessments (IDC, Gartner, product reviews, etc.).
d) Product lifecycle and upgrade cycles.
e) Comparison between various vendor offerings, and possible internal IT and cloud solutions provided by parent companies / HQ (features, deliverables, cost).
f) Return on investment (ROI) of the product, and fulfilment in line with company business goals.
g) Compatibility with existing IT systems (if not, it will become a silo system).

... and the list goes on.

These aspects are usually evaluated and filtered by the IT department.

If these are not evaluated, they could end up costing the company more (or adding risk), and the company may not get what it wants for the money spent.

And if something goes wrong, or there is a data loss / security incident, or there is non-compliance, they fall back on the IT department, which had no role in it in the first place.

This can create additional workload for the IT department, in terms of troubleshooting, compliance, and compatibility integration of this new system with the current IT systems. More often than not, business owners want data from the new system to be integrated with existing IT systems, which may not be readily compatible. Not only that, in the case of incidents of data loss, leakage, or security breach, the IT department would need to carry out investigations and countermeasures, which incur additional costs.

In the article, it is mentioned that "84 percent of respondents now also believe the IT department should be responsible for helping other lines of business to drive innovation and must set the strategic direction and be accountable for security".

If so, how can the IT department be accountable for something they were not involved in?

The solution is simple: in driving towards innovation and business goals, it is important to have the IT department on board all the way, not half the way.

The article "IT Centralization or Decentralization?" from Harvard Business Review mentions that "Decision rights define who makes what decisions about IT. In allocating rights, a loose rule of thumb is that line managers should have authority over what services are delivered and IT should have authority over how the services are delivered."

Put simply, business departments should state what services are required, and IT will handle how they are delivered.

The article "Following both sides of the decentralized vs. centralized IT debate" from SearchDataCenter makes some good points in the debate between centralized and decentralized IT. The benefits of centralized IT include (i) meeting centralized compliance requirements, (ii) reducing data processing costs through server consolidation by merging systems and virtualization, (iii) reducing hardware and software costs through bulk purchases and discounts, (iv) centralizing functions and reducing redundant IT staffing, and (v) cost-effective maintenance. All this can lead to faster and more effective service delivery under one authority, that is, IT.

All in all, despite the growth and automation offered by cloud platform solutions, a centralized IT department is STILL the way to go in the long term.

Reference:
a. Confirmed: Cloud no longer purchased or managed just by IT - ComputerWorld Malaysia
b. IT Centralization or Decentralization? - Harvard Business Review (July 2008)
c. Following both sides of the decentralized vs. centralized IT debate - SearchDataCenter

Sunday, November 20, 2016

The antivirus has failed ... a survey opinion, and points on countermeasures.

I read in shock the article "Antivirus Fails to Stop Ransomware 100% of the Time" from the InfoSecurity Magazine website.

It seems, in the general IT survey opinion, that antivirus fails at all times to contain ransomware infections. It also states that the firewall, anti-malware, email filtering and security awareness were not good at repelling ransomware either.

Also worth noting is that despite the attacks, the companies involved did not change their countermeasures much against the ongoing threat.

Points I would like to note here:

a. I have always highlighted that cybersecurity requires proactive measures to be successful. Constant improvement and monitoring with regard to the latest threats, and updated security awareness campaigns for all staff, are crucial.

b. In my field of work, I did not leave it to chance for my antivirus and email filtering solutions to stop the ransomware threat. I took some extra measures: typical and recent ransomware file types were manually blocked in the email filters, as well as filename patterns and keywords. This was despite the email filter scanning being able to detect the ransomware on its own, given the chance. Those extra measures provided another layer of protection and assurance against ransomware penetration.

c. Other extra measures were tightening/removing USB drive usage, as it is another vector for ransomware infection. The latest antivirus solutions have features to control and limit USB drive capability, to stop USB-based infections.

d. Also, autorun.inf and program execution from USB drives can be disabled using either antivirus solution policies or Active Directory group policies. This stops auto-execution of any programs (legitimate and malicious), and allows time for the antivirus solution to scan the USB drive and contain any threat.

e. Constant bug and vulnerability patching is a must.
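Point b above describes blocking attachments by file type, filename pattern and keyword in the email filter, ahead of the scanner's own signature detection. As an added example (not the post author's filter rules or any vendor's product), the following Python script shows what such a policy layer looks like: it parses a raw message with the standard library, walks every part including nested ones, and flags attachments whose name carries a blocked extension anywhere in the name (so double-extension tricks such as "Invoice.pdf.exe" are caught), trailing spaces or dots, or a blocked filename pattern. The blocklists, the pattern labels and the sample messages are constructed for illustration.

```python
"""Attachment policy filter: block mail attachments by extension and
filename pattern. Added example, not the post author's configuration;
the blocklists below are constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed blocklist of extensions that run as code on a Windows client
# when opened, including script and macro-enabled document types.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "hta", "lnk",
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "ps1",
    "docm", "xlsm", "pptm",
}

# Constructed filename patterns as (label, compiled regex); these stand in
# for the "filename patterns and keywords" the post mentions.
BLOCKED_PATTERNS = [
    ("invoice-number lure", re.compile(r"^invoice[ _-]?\d+", re.IGNORECASE)),
    ("payment lure", re.compile(r"\bpayment[ _-]?(details|notice)\b", re.IGNORECASE)),
]


def attachment_extensions(filename):
    """Return every extension of a filename, lower-cased, with whitespace
    and empty segments removed, so 'Invoice.pdf .EXE.' -> ['pdf', 'exe'].
    Checking every segment, not just the last, catches double extensions."""
    segments = [s.strip() for s in filename.strip().lower().split(".")]
    return [s for s in segments[1:] if s]


def check_filename(filename):
    """Return a reason string if the name violates policy, else None."""
    for ext in attachment_extensions(filename):
        if ext in BLOCKED_EXTENSIONS:
            return f"blocked extension .{ext}"
    for label, pattern in BLOCKED_PATTERNS:
        if pattern.search(filename.strip()):
            return f"blocked filename pattern '{label}'"
    return None


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return [(filename, reason), ...] for
    every attachment (nested parts included) that violates the policy."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2047/2231 encoded names
        if not name:
            continue  # multipart containers and plain bodies have no name
        reason = check_filename(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample(attachments):
    """Construct a test message carrying [(filename, maintype, subtype)]
    attachments; the attachment bodies are dummy bytes, not real files."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for filename, maintype, subtype in attachments:
        msg.add_attachment(b"dummy-bytes", maintype=maintype,
                           subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample([
        ("Invoice_2016.pdf.exe", "application", "octet-stream"),
        ("quarterly_report.pdf", "application", "pdf"),
        ("INVOICE 12345.zip", "application", "zip"),
    ])
    for name, reason in scan_message(sample):
        print(f"QUARANTINE {name}: {reason}")
```

Run stand-alone, the script flags the first and third constructed attachments and passes the PDF. A filter of this shape complements rather than replaces the scanner: it needs no signature update to stop a new variant that arrives as a script or double-extension file, which is the "extra layer" the post describes, while the keyword rules should be tuned against real mail flow to limit false positives.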

I strongly believe that proper expertise in fixing the gaps and flaws is necessary, as strong knowledge can really help make good countermeasure solutions. Knee-jerk fixes do not solve the problem, and I believe that is what was done by these companies.

"Proper deployment, constant monitoring, patching and daily updates for a combination of proven firewall/IPS, email filter and antivirus solutions can certainly go a long way in putting ransomware infections to a stop."

Prevention is better than cure...

Reference: