Shadow data threat: how to solve a problem you didn’t know you had

March 2, 2016

Shadow data is a logical derivative of shadow IT, an organizational issue that we covered in a previous article on our MobileCurated publication. When “intra-enterprise information-technology solutions (…) compensate the busy schedule of the official IT department”, organizational data enters uncharted territory and often leaves unwanted traces.

Shadow systems (alternatively “data shadow systems”) have one thing in common: they escape the control of the organization’s IT department.

Since the organization itself is not even aware of the information unofficially disseminated or stored, it is only natural that no protective measures are being taken. The so-called shadow data endangers the entire enterprise because it is in no way covered by its official cyber-security strategy.

A more accurate definition of data shadow (although you might want to notice how the two terms switched places) is available on Techopedia: “small traces of information that an individual leaves behind through everyday activities”.

Adding up the previous elements, we can understand shadow data as the information traces left behind in the cloud and other storage environments by employees engaged in shadow IT practices during their work-related activities.

The Elastica report on shadow data

Almost all recent online sources on this topic discuss and analyze the Elastica report on shadow data. This report originates from a team of SaaS provider professionals located in Silicon Valley, and it promotes their specific platform as a solution to this risk management issue.

By analyzing 100 million employee files shared via public cloud applications, the study found that 20 percent of them were sensitive data files, out of which 60 percent comprised PII (personally identifiable information), 30 percent contained protected health information and 10 percent payment-related details. The IT and cyber-security managers have no control over what happens with all this data – and this transforms it into a potential threat. There is no certainty if, when or how information from this category might end up in malicious hands and how it could be used against the companies or against their employees.

To get the premises of the study right, we should mention that Elastica offered its platform as the analysis medium, while Blue Coat conducted the study, which involved renowned cloud applications such as Microsoft Office 365, Google Drive, or Salesforce. Let’s see some more of the resulting figures:

  • The average financial exposure per business revealed by the study equals $13.85 million – a figure that is worth serious consideration.
  • Signs of malicious activity have also been detected in just over one percent of the analyzed cases, so this data theft “opportunity” is still relatively untapped by malicious entities, but is not completely neglected, either.

Other relevant studies on shadow data

Another relevant study on shadow data belongs to the Cloud Security Alliance (CSA). Their 2015 Cloud Adoption Practices & Priorities Survey Report addressed the challenges of cloud computing as far as enterprises are concerned, the shadow data issue included. Although the term listed in the study is actually “shadow IT”, defined as the “technology spending and implementation that occurs outside the IT department, including cloud apps adopted by individual employees, teams, and business units”, shadow data is implied when reviewing the corporate data security concerns.

A third overlapping notion would be “shadow cloud”, which designates essentially the same issue: company data that circulates via the cloud without due privacy protection and then either stays in the virtual environment or continues to exist as remnant data, still potentially available to attackers.

On a more specific note, HIMSS (a health IT group) named shadow IT in their 2015 cyber-security survey as a big threat in healthcare, since compliance policies and security measures rarely affect the way employees share data via cloud services. The ease of connectivity and synchronization is a much too compelling factor that overpowers specific precautions. Therefore, in view of the situation reported in the study, healthcare IT should consider different means of data protection and not just rely on individual judgment.

Potential solutions for shadow data threat

Since shadow data is company data that circulates vulnerable and unprotected, its existence constitutes a threat as long as no monitoring and defense mechanisms are applied.

The fact that employees share data within and outside the work premises is inherent to modern work environments – trying to stop the phenomenon would mean going against the tide. Since this trend is here to stay and expand, containing the risks would be a better policy.

A few important steps come before any truly effective measures can be taken:

  • Acknowledging the phenomenon (many work environments are not adapting to it, preferring to deny its existence altogether; restrictions and limitations may be set, but when employees need applications or shortcuts in order to get the job done, they will most certainly use them, regardless of their official status);
  • Once acknowledged, mapping the shadow connectivity channels, so that a realistic initial image would allow a proper, effective adaptive policy;
  • Assessing the previous shadow data activities and adding them to the ongoing and future data-sharing activities in view of monitoring and protecting their status;
  • Laying down all available options;
  • Choosing and implementing the most suited methodology for each situation, depending on the company.

It seems simple and clear – at first glance. Nevertheless, it is useful to compare the figures coming from the IT departments with those coming from employees’ answers to a survey. Where IT knows of 51 active cloud services, the survey points out 730 (!) services. The same Aruba Networks survey on employee attitudes worldwide reveals that 77 percent of employees manage by themselves when it comes to self-service IT. The estimate of 1000 external services per company in 2016 amplifies the issue. So companies, or at least some of them, are facing a serious problem they might not even be aware of at the moment.
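The mapping step and the gap between IT's inventory and what employees actually use can be measured from egress logs. The sketch below is an added example, not part of the original article or of any vendor's tooling; the log format, the `SANCTIONED` list and all hostnames are constructed assumptions.

```python
"""Added example: inventory cloud services seen in egress logs against IT's sanctioned list."""
from collections import defaultdict

# Assumption: the services IT officially knows about (constructed sample).
SANCTIONED = {"office365.com", "salesforce.com"}

# Constructed sample proxy log: timestamp user host bytes_uploaded
SAMPLE_LOG = """\
2016-03-01T09:12:03Z alice outlook.office365.com 5120
2016-03-01T09:14:40Z bob drive.google.com 48234496
2016-03-01T09:15:02Z carol eu1.salesforce.com 2048
2016-03-01T09:20:11Z bob drive.google.com 1048576
2016-03-01T09:31:57Z dave files.example-share.test 7340032
2016-03-01T09:33:00Z alice files.example-share.test 512
malformed line
"""

def service_of(host):
    """Reduce a hostname to its last two labels (naive: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def map_shadow_services(log_text, sanctioned):
    """Return per-service users, request count and uploaded bytes for unsanctioned services."""
    found = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records instead of aborting the inventory
        _, user, host, sent = parts
        svc = service_of(host)
        if svc in sanctioned:
            continue
        entry = found[svc]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_up"] += int(sent)
    return dict(found)

def report(found):
    """Rank unsanctioned services by upload volume, a rough proxy for data leaving the company."""
    rows = sorted(found.items(), key=lambda kv: kv[1]["bytes_up"], reverse=True)
    return [(svc, len(d["users"]), d["requests"], d["bytes_up"]) for svc, d in rows]

if __name__ == "__main__":
    for svc, users, reqs, up in report(map_shadow_services(SAMPLE_LOG, SANCTIONED)):
        print(f"{svc:28} users={users} requests={reqs} uploaded={up} bytes")
```

Ranking by uploaded bytes rather than request count puts the services that receive the most company data at the top of the list, which is where the assessment step should start.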

An example of online security risk assessment is available here for the companies willing to find out just how much their data is exposed to risks.

The article quoted above recommends an interesting solution: shifting the IT department role towards a brokerage position, acting as an intermediary between employees and applications, monitoring the data traffic and improving the security protection.

In addition, you might check a message on the same topic coming from an IT specialist. It underlines the related compliance issues and the fact that communication is essential inside the enterprise in order to better rearrange the priorities and help the IT department regain control over the new connectivity, as far as cyber-security is concerned.