Shadow data – robbing cloud’s silver lining
Welcome to the dark, scary world of “shadow data”, which can easily turn into a nightmare for enterprises in terms of data governance, compliance, reputation and financial loss… Are you sitting comfortably? Yamini Kona, principal consultant, financial services at Infosys, is going to tell a chilling tale.
Imagine a scenario in which an employee shares a file via a cloud or private file-sharing application with a colleague, who in turn shares it with somebody outside the organisation, who shares it with somebody else, until the file has gone viral, intentionally or not. There is no way of knowing whether the file contains harmless data or confidential information such as the company's merger plans, undisclosed financial results, personally identifiable information (PII) of customers, sensitive health records, credit card numbers or source code until it is too late.
Data sharing is not always one-way outbound traffic. Another scenario, which is often ignored, is the inbound threat: employees may receive equally compromising sensitive data from outside through similar channels and store it on company network folders, which is just as damaging from a data privacy perspective. Organisations may be inadvertently taking custody of a lot of compliance-sensitive data for which they would rather not be accountable.
From an enterprise perspective, shadow data refers to all the sensitive data stored, uploaded and shared by employees, within and outside the organisation, via cloud applications without the explicit sanction of the IT department and information security personnel.
Shadow IT infrastructure
Apart from authorised cloud services, many unofficial cloud applications are in use in an organisation because employees adopt free Software-as-a-Service (SaaS) applications without the IT department's knowledge or direct control. All these unauthorised applications and technologies make up the shadow IT infrastructure of the enterprise.
Well-intentioned employees use these free applications to avoid purchasing expensive software and going through a long-drawn-out, complex approval process. What they do not realise is the serious security exposure they create and the risky consequences for their organisation. Shadow IT infrastructure thus burdens IT security managers with the responsibility of fighting a threat they may not even know exists in their organisation.
Thanks to shadow data and shadow IT, the revolutionary cloud-computing concept no longer gives CTOs and IT departments a warm and fuzzy feeling, because it is not easy to control completely what kind of data employees upload and share via the cloud. Instead of a silver lining, the cloud now comes with the unwritten caveat of a possible shadow data threat.
How shadow data creeps in
Cloud-driven collaboration tools have made sharing files within and outside the organisation a little too easy. Sometimes all it takes for an outsider to access a document is to click a web link, with no authentication or authorisation step at all (the “anyone with the link can view” setting), which exposes the organisation to serious risk. Unsafe practices that undermine the benefits of the cloud are a grave concern for an IT department.
More often than not, the primary cause of data leakage is sharing sensitive information with a broader audience than necessary, for example sharing a file containing confidential data with the entire organisation or department instead of a small target group. A close second is failing to enforce strict entitlements so that nobody outside the intended audience, whether inside or outside the organisation, can access the information.
An alarming amount of data storage and sharing via the cloud is happening outside the IT department's control. The traditional tools IT departments use to prevent unauthorised information sharing, which detect files containing certain pre-defined keywords, are no longer enough: they inspect the content that crosses the network boundary, but when a file is shared through a cloud-based file-sharing application only a web link crosses that boundary, and the content itself never passes through the filter. It is not only data going out but also data stealthily coming into the organisation that dodges the data security systems, which creates a serious compliance exposure and much more.
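To make the evasion concrete, here is an added example (not code from the article or from Infosys) of a toy keyword-based content filter of the kind described above, beside a hardened version that also classifies every link in an outbound message against a sanctioned/unsanctioned list of file-sharing domains. All messages, keywords and domain names are constructed for the example; the two domain tables stand in for whatever policy a real deployment would hold and do not refer to real services.

```python
"""
Added example, not from the original article: a naive keyword DLP check and the
share-link case that slips past it, beside a link-aware version.

Keywords, domains and messages are constructed for illustration; the domain
tables are an assumed policy, not a list of real products.
"""
import re
from urllib.parse import urlparse

# Keywords a traditional content-inspection rule might look for in outbound mail.
SENSITIVE_KEYWORDS = ("confidential", "merger", "credit card", "patient record")

# Hypothetical policy tables (assumptions for this example).
SANCTIONED_SHARE_DOMAINS = {"files.example-corp.internal"}
UNSANCTIONED_SHARE_DOMAINS = {"drive.example-share.com", "dropzone.example.net"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def keyword_dlp(message: str) -> bool:
    """Traditional content inspection: flag only if the body itself carries a keyword."""
    lowered = message.lower()
    return any(keyword in lowered for keyword in SENSITIVE_KEYWORDS)


def classify_link(url: str) -> str:
    """Return 'sanctioned', 'unsanctioned' or 'other' for one URL.

    Matches on the host and each parent domain, so a subdomain of a listed
    service is still recognised.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SANCTIONED_SHARE_DOMAINS:
            return "sanctioned"
        if candidate in UNSANCTIONED_SHARE_DOMAINS:
            return "unsanctioned"
    return "other"


def link_aware_dlp(message: str) -> dict:
    """Hardened check: keyword inspection plus classification of every link.

    Verdicts:
      'block'   - sensitive keyword in the body, or a link to an unsanctioned service
      'inspect' - only links to sanctioned services; the content is not in the
                  message, so it has to be scanned where it lives (via the
                  sanctioned service's own API), not at the mail gateway
      'allow'   - no keywords and no share links
    """
    links = URL_RE.findall(message)
    classes = {url: classify_link(url) for url in links}
    keyword_hit = keyword_dlp(message)
    unsanctioned = [u for u, c in classes.items() if c == "unsanctioned"]
    sanctioned = [u for u, c in classes.items() if c == "sanctioned"]
    if keyword_hit or unsanctioned:
        verdict = "block"
    elif sanctioned:
        verdict = "inspect"
    else:
        verdict = "allow"
    return {"keyword_hit": keyword_hit, "links": classes, "verdict": verdict}


# Constructed sample outbound messages.
SAMPLES = [
    "Attached: confidential merger plans for Q3.",
    "Here is the deck we discussed: https://drive.example-share.com/s/9f2a1c please review",
    "Deck is on the company share: https://files.example-corp.internal/d/1234",
    "FYI https://www.example.org/press-release",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"keyword_dlp={keyword_dlp(msg)!s:5} "
              f"link_aware={link_aware_dlp(msg)['verdict']:7}  {msg}")
```

The second sample is the case the paragraph describes: the body contains no keyword, so the keyword filter passes it, yet it hands an outsider a link to a document hosted on an unsanctioned service. The third sample shows why a link-aware gateway still cannot give a final answer on its own: the link points at a sanctioned service, so the content must be inspected there rather than in transit.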
Prevention of shadow data risks
If sensitive data is received, stored or shared via the cloud without strict entitlements, unauthorised users can misuse it by destroying it, exfiltrating it or selling it on. This can lead to devastating ramifications: violations of data governance and compliance regulations, negative publicity, loss of reputation and enormous financial losses in the form of regulatory fines and litigation if customers decide to sue. Considering the enormity of the risks, preventing shadow data to the extent possible is definitely better than costly remediation.
Preventive measures include:
- Provide secure, convenient and dependable file-sharing alternatives so that employees do not need to resort to unsanctioned cloud applications.
- Periodically audit existing applications and governing policies, keeping an eye on new applications in the market, especially free ones, that may lure employees.
- Develop the ability to discover the cloud apps in use and classify them as sanctioned (to be monitored) or unsanctioned (to be blocked).
- Test, from an employee's point of view, how easily shadow IT infrastructure can be created. If you can, they can too.
- Keep a closer eye on departments dealing with confidential data, and limit communications to the intended audience under strict entitlements to prevent internal over-exposure.
- Establish a rigorous access management process so that employees who change position, department or geography, or who leave the organisation, automatically lose the entitlements they no longer need.
- Launch mandatory periodic training programmes for new and existing employees on data management and security hazards, and take stringent disciplinary action for violations.
- Monitor all BYOD (bring your own device) devices connecting to the company network, including smart TVs in conference rooms that connect to the internet.
While all such pre-emptive measures are effective, there is no truly foolproof mechanism to curb shadow data or shadow IT infrastructure in an organisation completely. One sure-fire way for IT security to stay ahead in the game is to think like the violators, and to consider having a full-time in-house hacker to predict, prevent or at least minimise possible risks and damage.