Fighting Shadow IT: 10 Best Practices to Prevent Enterprise Data Leaks

by Chris Preimesberger

Data fragmentation, or data outside IT-managed systems stored on personal computers, devices and cloud services, is a real risk to corporate security. Shadow IT fragments business data and creates conflicting versions of information, increasing the chance of data leakage or loss. Enterprises need to protect all forms of business data by empowering IT to take the lead on data encryption and backup practices and create guidelines for management of data on personal or “nonauthorized” devices and services.

Businesses should establish policies and procedures for data types to determine what data is most valuable and how long it should be retained. Where possible, automation should be used to transfer less used or old data to an archive, freeing storage space while retaining the older data for specific usage later. This reduces the storage costs of data for immediate use, which generally increase incrementally due to the tendency to retain all information.

Enterprises can reduce storage cost by using archiving systems to manage information that needs to be kept long-term when it is no longer active. By leveraging the cloud, businesses can use an always-online cloud service that enables access to data via a browser or mobile app. This effectively turns an archive into a valuable interactive repository of historical business data.

Companies are increasingly using the cloud to create a shared infrastructure model for IT utilizing both on-premises and cloud services. By using a single platform to manage information in the data center, at the edge and in the cloud, IT can make access to data secure while ensuring that laptops and desktops can be backed up with the same software that protects the data center.

Whether on a desktop, laptop or mobile device, employees expect access to company data. If enterprises don’t provide a secure solution for access to corporate data, employees will find their own ways to manage information to work efficiently using consumer products that can put the organization at risk. By efficiently managing, syncing and protecting data, IT organizations can provide employees with anywhere/anytime access to information on-the-go while maintaining secure controls and adhering to corporate policies.

Confusion is often the result when copies of the same document are being saved by multiple people in several different places; this drives employees to save documents using third-party consumer solutions. Through global deduplication, businesses can ensure that one copy of the document exists and can provide employees with access to it only through the secure enterprise solution the IT manages and chooses to use for the organization.

Visibility into what employees are doing is critical for compliance, deploying and deactivating applications, and other requirements. However, many organizations use this visibility to enforce control. The result is that employee productivity is negatively affected, giving rise to shadow IT apps and processes. Successful companies embrace modern tools and platforms that allow centralized visibility and manage control in a trusted manner that empowers users.

Identity management has moved beyond the days when it was acceptable to simply authenticate users at the network perimeter and trust their actions thereafter. With the growing acceptance of mobility, cloud and shadow IT, enterprises need to evolve beyond perimeter-based authentication. They need to have context about all the employees and know what actions users are trying to complete; they also need to know if the user should be permitted to take the specific action he or she wants to take.

Shadow IT is partly driven by business users and developers becoming frustrated with traditional IT procurement and deployment cycles. Give users and developers the access and control they crave by creating self-service portals for provisioning IT resources and services. This is more than the old help desk ticket portal; this means building an enterprise app store for users and IT services portal for developers. Provisioning from these portals should be automated (with approvals built into the workflow as needed), which means the underlying resources—compute, storage, network, firewall, app delivery, monitoring—need to be programmable.

If you want to change behavior, you need to explain why the IT way is better than the shadow-IT way. Shadow IT presents a headache for IT for lots of reasons: security, cost, troubleshooting time and so on. But that’s not what makes a compelling case to users and developers who are working around the system. Instead, put the benefits (and risks) in their terms. For example, IT can provide performance service-level agreements that shadow IT may not be able to provide, and IT can negotiate vendor agreements at scale that get better prices than shadow side deals.