How DOT CIO discovered a network compromised by shadow IT

Posted 23rd February 2017 - Technology

When Richard McKinney set out to migrate the Department of Transportation (DOT) to Microsoft Office 365, he got a valuable lesson in shadow IT, one that could serve as a cautionary tale for other government leaders as they look to upgrade and consolidate their systems.

McKinney, who only recently stepped down as CIO at DOT, had been leading a turnaround mission at the department since his arrival, but when it came time for the Office 365 rollout, he quickly discovered how chaotic the situation was, with hundreds of unauthorized devices running undetected on the sprawling network.

“No one sat down many years ago and designed a network for the Department of Transportation,” McKinney says in a recent interview, describing how various outposts in the department’s sprawling operations had “stitched together” networking equipment as needs emerged. “We didn’t have an overarching, as-is blueprint for the department’s network.”

So McKinney set out to create one. He hired a vendor called Decisive Communications to comb through the DOT’s network and identify the unauthorized devices running in that far-flung environment. Decisive used technology from Riverbed to analyze the network, and quickly found more than 200 previously undetected networking devices, including many that still had factory-issued passwords.

As it turned out, it had not been uncommon for staffers at the various administrative outposts of the Transportation Department to take it upon themselves to beef up networking capacity at the local office. Say a 16-port switch filled up and the office was still adding more staff — the solution might be to go to Best Buy and buy a new switch to accommodate additional users.

“It was like self-serving, if you will,” McKinney says. “They tended to be more like consumer devices,” he explains, whereas “we would buy more enterprise-ready equipment.”

“That brought us a laundry list of equipment that we needed to replace,” McKinney says.

Security and the ‘weakest link’