I was on a call with a rather large enterprise the other day and the topic of finding Shadow IT came up. While I think Shadow IT (IT that no one knows to exist) is a fairly well-understood aspect of computer security, it dawned on me that there is a pretty large gap in our nomenclature. What about once it’s known?
There is one type of IT that people do know exist, but attributes like where it is located, who manages it, how often it is patched, etc. are all unknown. This is often what happens when Shadow IT is uncovered. It starts off as completely unknown and graduates quickly into “Orphaned IT”. There is a process of hunting down the team it belongs to and trying to identify attributes that may help you define its owner- to change it from Orphaned IT to just normal IT that is properly managed.
However, Orphaned IT can continue to stay orphaned forever. It’s entirely possible you find that the website is running on a box in a rack somewhere, but that doesn’t tell you anything about who set it up. Or who, if anyone, is still managing it. That investigative process while often fruitful can sometimes lead to a dead end. Especially when it turns out everyone involved in that project is long gone. It is an infrastructure that needs a home and may never get one.
The point at which Shadow IT is found- it no longer is Shadow IT. It is now either just normal IT because you know what you need to know about it and it is properly managed, or it is Orphaned IT still looking for a home. I don’t like having more new terms out there in the world, but I think it’s useful to describe the true attributes of any infrastructure. While on the call I was having a hard time explaining what I meant as a result of lacking that crucial term that is a very common state for IT to be in – a state of unknown ownership. Hence the birth of a new term – and I know we all love those new terms. Orphaned IT cannot be properly managed until an owner is found, therefore it’s almost as bad as Shadow IT.
