Shadow Data refers to the sensitive content that users are uploading, storing and sharing via cloud apps, often without the oversight or knowledge of IT or security personnel. In other words, just because an organisation has selected a robust file sharing app, like Box or Office 365, does not mean they are out of the woods in terms of data governance or compliance liability.
"We've reached a point in the security lifecycle where shadow IT should no longer be the primary focus. By now, organisations should have a grip on cloud applications available and have enforceable policies in place with the ability to control which are in use," said Rehan Jalil, who founded CASB innovator Elastica (now part of Blue Coat). "It's time to start focusing on the real problems, which are the need to know what types of information employees are sharing, who is able to access data and how to stop high-risk exposures that lead to data breaches."
The Blue Coat Elastica Cloud Threat Labs team recently released the Q4 2015 Shadow Data Report, which provides analytics revealing how the threat of shadow data is on the rise as employees use cloud apps to share information within their organisations, among partners, and with customers.
Among the most salient findings was that organisations are not aware that 26 per cent of documents stored in cloud apps are broadly shared, meaning that any employee can access them, that they are shared externally with contractors and partners, and in some cases publicly accessible and discoverable through Google search. Equally alarming are findings showing that one out of 10 documents shared broadly contain data that is sensitive and/or subject to compliance regulations, such as source code (48 per cent), Personally Identifiable Information (33 per cent), Protected Health Information (14 per cent), and Payment Card Industry data (5 per cent).
Analysis presented in the report revealed that there were three primary threats facing organisations using sanctioned and unsanctioned cloud apps: data theft, data destruction, and account takeover.
So how can you get a handle on Shadow IT and Shadow Data?
1.Identify risky applications to ensure your employees are only using secure cloud applications and services appropriate for your organisation. A CASB solution enables visibility by discovering cloud based applications and provides control and management centrally allowing the business to weigh the value of a service against its inherent risks. This enables your organisation to make smart choices regarding which applications to sanction while appropriately managing inappropriate or risky applications by restricting or limiting access. Look for discovery solutions that take advantage of real-time threat information feeds to ensure your cloud risk ratings are as accurate as possible and that can leverage integrated data feeds from other security solutions in your infrastructure.
Sign up for CIO Asia eNewsletters.