Scenario #11: Mitigating Risk - take
Starting with last week’s challenge:
One of the more risky things an organization can do is incorporate software into their ecosystem that hasn’t been vetted to their satisfaction. Most companies will develop their own standards as they grow and/or undergo various certifications (I’m looking at you SOC2).
Your question of the week: what knobs are at your disposal to help you mitigate this risk?
For this question, I’ve seen a range of approaches. At one end, you just put it out there, if you love to live dangerously, or log it in a project tracker or risk management tool “just in case.” In either case, you’re still letting it mix with your network. Let’s just say this is the fastest and riskiest.
The second approach is sticking it inside its own bubble, a Harry Potter closet. It has restricted access to your network, with controls in place to ensure there is no cross-pollination between the two worlds. As you can imagine, this requires some duplicate infrastructure and a definitely more lengthy patching/update process. However, you will have the safeguards and assurances to incorporate it into the rest of your ecosystem once it has been brought up to standards. This is perhaps the safest approach.
These are the two extremes you have at your disposal. As with all things, there are shades of grey: you can open up some access between the no-man’s land these apps sit in and your security/analytics appliances to ensure proper auditing/risk detection, and you can create carve-outs as each application is vetted/remediated to bring things in, etc.
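One way to make the “bubble plus carve-outs” idea concrete is to model it as a default-deny zone policy and lint it before it ships. The following is an added example, not code from the original post: the zone names, the port numbers, the `vetted_by` field and the rule format are all constructed for illustration. The quarantine zone can only reach the security tooling (here, a TLS syslog collector), the rest of the network cannot reach into quarantine unrestricted, and any quarantine-to-corp carve-out must carry a vetting record or the linter flags it.

```python
"""Zone policy model for unvetted ("quarantined") software.

Added example, not part of the original post. Zone names, ports and the
rule/vetting fields are constructed for illustration.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional

QUARANTINE = "quarantine"      # isolated zone for unvetted software
CORP = "corp"                  # the rest of the ecosystem
SEC_TOOLS = "security-tools"   # logging / analytics appliances


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]               # None means any port
    vetted_by: Optional[str] = None   # ticket or approver for carve-outs (constructed)


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def allowed(self, src: str, dst: str, port: int) -> bool:
        """Default deny: a flow passes only if an explicit rule matches it."""
        return any(
            r.src == src and r.dst == dst and (r.port is None or r.port == port)
            for r in self.rules
        )

    def lint(self) -> List[str]:
        """Findings for rules that would let the two worlds cross-pollinate."""
        findings = []
        for r in self.rules:
            if r.src == QUARANTINE and r.dst == CORP and not r.vetted_by:
                findings.append(
                    f"unvetted carve-out: {r.src}->{r.dst}:{r.port or 'any'}"
                )
            if r.src == CORP and r.dst == QUARANTINE and r.port is None:
                findings.append("corp has unrestricted access into quarantine")
        return findings


def baseline_policy() -> Policy:
    """The 'Harry Potter closet': quarantine may only talk to the security stack."""
    return Policy(rules=[
        # syslog over TLS to the log collector so auditing still works (constructed port)
        Rule(QUARANTINE, SEC_TOOLS, 6514),
        # analytics appliances may pull telemetry from the quarantine zone (constructed port)
        Rule(SEC_TOOLS, QUARANTINE, 9443),
    ])


def add_carveout(policy: Policy, port: int, vetted_by: Optional[str]) -> Policy:
    """Return a new policy with a quarantine->corp opening for one vetted application."""
    return replace(policy, rules=policy.rules + [Rule(QUARANTINE, CORP, port, vetted_by)])


if __name__ == "__main__":
    p = baseline_policy()
    print("quarantine -> syslog:", p.allowed(QUARANTINE, SEC_TOOLS, 6514))
    print("quarantine -> corp SMB:", p.allowed(QUARANTINE, CORP, 445))
    print("lint findings:", add_carveout(p, 8443, vetted_by=None).lint())
```

Running the linter as a pre-merge check on the policy file is the cheap way to keep the carve-outs honest: every opening from the closet into the rest of the network has to be tied to the vetting ticket that justified it, and an unrestricted path in the other direction is flagged as well.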
Just whatever you do, please don’t roll the dice.
cab