“While we might applaud Mr. Maude’s desire to get the job done, his willingness to endanger the security of the parliamentary network, systems and data is incredible,” said Rik Ferguson, cybersecurity expert at Trend Micro, in a mail to Infosecurity. “If he really has installed his own WiFi as the story suggests, then that network segment will not be configured, managed or audited by security experts in the House of Commons, rendering them blind to the risks it represents.”
Ferguson warmed to his theme, elaborating on the specific risks. “It will almost certainly connect networks not designed to be connected, effectively punching a hole through numerous firewalls,” he said. “It will allow access to those systems from unmanaged devices (phone and iPad) which reside outside of the corporate network and represents a massive security breach and a disaster waiting to happen. Quite aside from the worrying practical concerns, it will make compliance with almost any standard you care to mention extremely problematic, if not impossible.”
Maude’s move is an end-run around antiquated computer systems at the Houses of Parliament, with a source telling the Telegraph that he reall had WiFi put in "so he can use his phone and iPad in his office" because of the "clunky" and "rubbish" Cabinet Office systems.
"Despite all our efforts are still miles from getting the technology you are able to get at home,” the source said.
The shadow IT phenomenon is nothing new – employees are often frustrated with slow or hassle-filled corporate processes that are often meant to secure the environment, but which users see as simply cutting down on productivity.
“Shadow systems grow up in the dark spaces under desks and in the cupboards and pockets of employees who are simply trying to get the job done, employees like Mr. Maude,” Ferguson said. “In an effort to access, process or disseminate information quickly and effectively they will buy, install and use whatever technology works. Very often congratulating themselves on their canny technology combinations and their wily ways around the system.”
He added, “Shadow IT is the USB stick in your pocket, it’s the DSL link under your desk or the wireless access point in the cupboard.”
The news emerged as Maude himself announced a radical security overhaul for security classifications, the first since World War II. The existing levels of protective marking replaced with just three: Official, Secret and Top Secret. The new markings will be used by over 700,000 civil servants and military personnel from April 2014, and are set to be adopted by the wider public sector in due course.
But for all the concern over document security, consumerization’s effect on cybersecurity is another matter. “In the new paradigm of consumerization and cloud the problem [of shadow IT] is exacerbated. Webmail becomes a covert channel, unmanaged file-synchronization services a back door and virtual servers in someone else’s cloud often end up holding the crown jewels of the organization outside every process and oversight of the business owner,” Ferguson said.