Cheat Sheet: Grey nets

You're worried about grey nets? Well, a bit of bicarbonate of soda in your wash will get those curtains sparkling.
I'm laughing inside, truly. But these grey nets are not really grey and they're not really nets. Instead they are networks of applications and devices. They are generally installed by end users and enter a company behind the backs of the IT department. While they are not sanctioned, they are very much in use.

Such as?
IM is an example of something which has crept into many a company behind the backs of the IT department. Ask IT bosses how many of their staff use consumer instant messaging at work and then ask the staff. You may well get very different answers.

And they're called 'grey nets' because?
Because they're about the grey area between the permitted, or white-listed and the outlawed, or black-listed applications and devices. The use of grey nets is not necessarily a bad thing but it could carry risks which in turn may be exacerbated by the fact the IT department is oblivious to their presence.

Any other examples of things which exist on a grey net?
Absolutely - this really could be anything which is unapproved on the network. It might be iPods or other removable storage media being brought in by staff and plugged into the network, or it could be employees using applications the IT department hasn't approved such as IM, webmail or Skype within the enterprise.

Throw into this mix a growing list of online applications where users might be sharing data intended for internal use only and these grey nets are far-reaching and complex beasts.

What about something like file sharing on peer-to-peer networks?
Good question and we may get into a semantic debate here. Very few companies would officially sanction the use of the kinds of peer-to-peer services I suspect you're thinking of - those used for downloading music or movies. If those are used in the enterprise they almost certainly exist in the 'grey net' underbelly of the network.

However, given these services have been singled out in the past as a route onto the network for illegal content, many companies would argue there is no grey area here at all. They may say these are very much blacklisted applications. However if that's the case and the company still has problems with such services then it has to ask why.

So grey nets don't include the 'bad things'?
Well, much of what might be classed 'grey net' is not dangerous per se.

A grey net tends to grow as emerging technologies register with consumers long before corporate IT departments formulate a plan for dealing with them. IM really was the classic case of this.

What can companies do about their 'grey net' problem?
Companies need to understand what is happening on their networks - after all how can you secure something you don't know about?

Therefore effective asset management and proper policy enforcement at both a technical and educational level is required. Staff must understand that while they may believe their actions are innocuous anything which undermines network security poses significant risk.