Most enterprise technology experts are aware of the security risks posed by shadow IT.
But there is a parallel yet rather different risk that may be even more dangerous: Shadow data.
Shadow IT is the deployment and use of systems and applications without the knowledge or explicit consent of an organisation’s IT department. These days, that typically means cloud or software-as-a-service (SaaS) applications.
The cloud’s ability to provision an application very rapidly, either for free or for an ongoing subscription that is well within a department’s discretionary budget, has resulted in many employees dabbling with the dark side.
Shadow data encompasses that and goes some way beyond it. It includes all the sensitive content that users upload, store and share via the cloud, whether they use shadow IT or permitted apps.
Just because an organisation has selected and approved a securable file-sharing app such as Box or Office365, that does not mean it is now covered in terms of data governance or compliance.
It also goes much further than just file-sharing apps. Users may now store documents and other data in a wide variety of places online, such as collaboration tools, CRM apps or even video sharing services. In many ways then, detecting and protecting your shadow data is data leak prevention (DLP) for the cloud generation.
How does shadow data arise?
Sometimes, shadow data may simply derive from administrative oversight.
For example, the difficulty of keeping directories up-to-date might result in an organisation sharing documents or data with employees or contractors who have left the company. Alternatively, an authorised user might discover inherited folder permissions that are inappropriate.
At other times it can be an issue of geography. Multinational organisations increasingly find they must deal with data residency and sovereignty rules that require certain types of data to remain within a national or regional border. How do they ensure this controlled data is not stored in ways that violate their own policies or local laws and regulations?
Then there is over-sharing. Cloud security developer Elastica’s vice-president Eric Andrews says the company’s threat team analysed 63 million documents stored by its customers in 2015, looking for shadow data threats.
It discovered that 25% of the documents owned by the average user were broadly shared; for example, shared with everyone in the company, with outside contractors or accessible to anyone with the web link.
Of those broadly-shared documents, 12.5% (so 3% overall) contained sensitive or compliance-related data. The type of data at risk varied by industry.
For example, in tech firms it was often source code, in healthcare the biggest risk was to personal health information, in education it was personally identifiable data, and in the telecom and entertainment industries the risk to payment card information was notably higher than the average.
Recent cyber crime analysis suggests health data is a particularly prized and valuable target, probably because it can be leveraged for a variety of criminal purposes, in particular identity theft.
The Elastica study also found that, overall, 23% of documents were shared publicly, meaning that anyone with the appropriate link could access them. Such files can be found by automated tools such as web crawlers, which trawl the web looking for content, or perhaps even via Google Search.
Of course, not all of these documents will have been business-critical or sensitive – and some were probably shared deliberately, as part of a marketing or client-information exercise. Some may even belong to a business partner, which has shared them with the organisation under analysis.
The challenge for IT and security staff is telling them apart.
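Telling deliberately public files from accidentally exposed sensitive ones means joining two signals: the sharing scope the storage service reports for each file, and a classification of the file's content. The Python below is an added illustration of that join, not code from the article or from Elastica. It assumes a simplified listing (path, owner, sharing scope, extracted text) of the kind a storage API returns, uses deliberately simple regular expressions as classifiers, validates candidate card numbers with a Luhn check so that order numbers are not mistaken for card data, and reports the same ratios the study quotes (broadly shared, publicly shared, and broadly shared with sensitive content) over a constructed sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Sharing scopes as a storage API might report them (assumed labels, not any
# vendor's exact values). Anything beyond the owner and named internal users
# counts as "broadly shared", the sense used in the figures quoted above.
BROAD_SCOPES = {"external", "domain", "public"}


@dataclass
class CloudFile:
    path: str
    owner: str
    scope: str     # "private" | "external" | "domain" | "public"
    content: str   # text extracted from the file, as a DLP scanner sees it


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Illustrative content classifiers (assumed patterns, far simpler than a real
# DLP dictionary). Labels follow the data types named in the article.
PATTERNS = {
    "phi": re.compile(r"\b(patient|diagnosis|MRN)\b", re.I),
    "pii": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),     # US SSN shape
    "source_code": re.compile(
        r"^\s*(import |from \w+ import |def |#include|public class)", re.M),
}


def classify(text: str) -> Set[str]:
    """Return the set of sensitive-data labels found in the text."""
    labels = {label for label, rx in PATTERNS.items() if rx.search(text)}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("payment_card")
            break
    return labels


def audit(files: List[CloudFile]) -> Dict:
    """Inventory sharing exposure and flag broadly shared files holding sensitive content."""
    broad = [f for f in files if f.scope in BROAD_SCOPES]
    findings = []
    for f in broad:
        labels = classify(f.content)
        if labels:
            findings.append((f.path, f.owner, f.scope, sorted(labels)))
    return {
        "total": len(files),
        "broadly_shared": len(broad),
        "public": sum(1 for f in files if f.scope == "public"),
        "broad_and_sensitive": len(findings),
        "findings": findings,
    }


# Constructed sample listing; these are not real files, people or card numbers.
SAMPLE_FILES = [
    CloudFile("Finance/q3-refunds.xlsx", "pat", "public",
              "Refund batch 12: card 4111 1111 1111 1111 exp 09/27 cvv 123"),
    CloudFile("Eng/auth.py", "sam", "domain",
              "import hmac\n\ndef verify(token):\n    return hmac.compare_digest(token, SECRET)\n"),
    CloudFile("Marketing/brochure.pdf", "kim", "public",
              "Spring product brochure: new features, pricing and contact details."),
    CloudFile("HR/onboarding.docx", "lee", "private",
              "New starter form. SSN 123-45-6789, start date 4 April."),
    CloudFile("Clinic/notes.txt", "dr-ng", "external",
              "Patient J. Doe, MRN 0099, diagnosis: seasonal allergies."),
    CloudFile("Eng/order-ids.csv", "sam", "domain",
              "order 4111111111111112 shipped; order 4111111111111113 pending"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES)["findings"]:
        print(finding)
```

On the sample, five of six files are broadly shared and two are public, but only three of the broadly shared ones carry anything sensitive: the public brochure is exposure by design, the private onboarding form is sensitive but not exposed, and the order-ID export contains sixteen-digit numbers that fail the Luhn check. Those are exactly the distinctions a shadow data inventory has to make before anyone is paged.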
Detect and protect shadow data
The threats detected against shadow data include exfiltration, data destruction and account takeovers.
That is partly because users may use the same credentials for the cloud as for their internal systems, especially when transferring production data onto shadow IT. But it is also because of the power a cloud service log-in can give to an attacker, such as the ability to rapidly delete an entire virtual machine or data store.
An organisation therefore needs to acquire several key capabilities. The first is the ability to discover, inventory and classify its cloud apps, says Sander: are they permitted apps, are they accessed via business or personal log-ins, and should they be monitored or blocked?
The top collaboration and file-sharing apps are Box, Office365, Dropbox, Google Drive and Evernote. But there are also many more, including newer and niche file-sharing apps and other SaaS applications that are not obvious shadow data threats, yet which can also be used to store and exfiltrate data.
As well as detecting shadow IT usage, you need to provide functional and useful alternatives. Fortunately there are now many enterprise-grade collaboration apps that provide proper permission controls.
With shadow data, the worst-case scenario is that someone forwards a document link to a colleague, they forward it to someone else and somehow it goes viral. With enterprise-grade tools, the third party can still pass on the link, but the file's owner needs to approve each and every request for access to it.
Then there is the ability to detect threats and respond appropriately.
Many shadow data threats involve anomalous behaviour, so that is an important detection signal: a series of failed log-ins, for example, or a user accessing or sharing dozens of files in quick succession.
Another anomalous behaviour that is perhaps less obviously threatening is rapid use of the preview function typically offered by cloud storage services. Combined with a screen recorder, previewing lets an attacker copy files quickly without the downloads that would normally trigger alarms.
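The behavioural signals above (bursts of failed log-ins, mass access or sharing, rapid previewing) can be expressed as sliding-window rules over a cloud service's audit log. The Python below is an added example, not code from the article or from any vendor's product. The event format, the thresholds and the windows are assumptions, and the events are constructed. For the file actions it counts distinct files inside the window, so a user re-opening the same document forty times does not trip the preview rule, while a user previewing dozens of different files inside two minutes does.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Detection thresholds as (limit, window, count_distinct_items). The numbers
# are assumed for illustration; in practice they are tuned against the
# tenant's normal activity baseline.
RULES = {
    "login_failed": (5, timedelta(minutes=5), False),   # password guessing
    "share":        (20, timedelta(minutes=2), True),   # mass sharing
    "download":     (20, timedelta(minutes=2), True),   # bulk exfiltration
    "preview":      (30, timedelta(minutes=2), True),   # preview + screen capture
}

# One normalised audit log event: (timestamp, user, action, item)
Event = Tuple[datetime, str, str, str]


def detect(events: List[Event]) -> List[Dict]:
    """Sliding-window burst detector keyed on (user, action)."""
    windows = defaultdict(deque)
    alerts = []
    for ts, user, action, item in sorted(events):
        if action not in RULES:
            continue
        limit, span, distinct = RULES[action]
        q = windows[(user, action)]
        q.append((ts, item))
        while ts - q[0][0] > span:          # drop events older than the window
            q.popleft()
        count = len({i for _, i in q}) if distinct else len(q)
        if count >= limit:
            alerts.append({"user": user, "action": action, "count": count,
                           "first": q[0][0], "last": ts})
            q.clear()                       # one alert per burst, not per event
    return alerts


def _burst(user: str, action: str, start: datetime,
           n: int, every_s: int, item_fmt: str) -> List[Event]:
    """Helper to construct n events for one user, every_s seconds apart."""
    return [(start + timedelta(seconds=i * every_s), user, action, item_fmt.format(i))
            for i in range(n)]


# Constructed sample log; the users and files are fictional.
T0 = datetime(2016, 3, 1, 9, 0, 0)
SAMPLE_EVENTS: List[Event] = (
    _burst("alice", "login_failed", T0, 6, 30, "alice")                        # 6 failures in 2.5 min
    + _burst("bob", "preview", T0 + timedelta(hours=1), 40, 2, "doc-{}")       # 40 distinct files in 80 s
    + _burst("carol", "share", T0 + timedelta(hours=2), 5, 600, "deck-{}")     # 5 shares over 40 min
    + _burst("dave", "share", T0 + timedelta(hours=3), 25, 3, "file-{}")       # 25 distinct files in 72 s
    + _burst("erin", "preview", T0 + timedelta(hours=4), 40, 2, "same.pdf")    # one file reopened 40 times
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Three alerts fire: alice's log-in failures, bob's preview sweep and dave's mass share. Carol's slow sharing and erin's repeated opening of a single file stay quiet, which is the point of counting distinct items and bounding the window rather than counting raw events per hour.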
There is also the need for ongoing data governance and regulatory compliance, typically via identity management and/or single sign-on (SSO) software. This includes aspects such as credential management and making sure people understand the scope of their responsibility.
Baldur Scherabon of OneLogin says: “There is a different architecture and security concept when you go to a SaaS model, but you need to guarantee all are equally secure for security and governance, so now your identity manager must cover external cloud services too.
“Enterprises have to change how they control access to cloud services. It’s not efficient to control out-of-premise; it needs different authentication too.”