The Shadow Data Threat: What It Is and How to Safeguard Against It

Organizations making more and more use of cloud apps should be aware of shadow data threats as well as shadow IT.

Shadow IT is the use of cloud applications that have not been approved by IT security teams. The concerns around shadow IT have been fueled by proliferation of third-party cloud services and SaaS applications. Shadow data, a threat identified by the Blue Coat Elastica Cloud Threat Labs (BCECTL), is the sharing of sensitive and regulated information in popular cloud apps without IT security teams’ knowledge, consent or control. This even applies to data that is residing in IT-approved cloud apps. Most enterprises are unaware of the high volume of data—and especially sensitive content—being broadly shared via their cloud applications.

Accidental risks can be identified as sharing data to the public, to an organization, to anyone with a link or with terminated employees due to hierarchical folder permissions. The Symantec BCECTL report addresses key trends and challenges faced by enterprises securing data stored and shared via cloud apps and services. The report shows that 23% of all files stored in the cloud are broadly shared, and, of those broadly shared documents, 12% contain compliance-related data or confidential data such as source code and legal information. According to the Verizon Data Breach Investigations Report 2016, miscellaneous errors and insider/privilege misuse were the No. 1 and No. 2 most common reasons, respectively, for a security incident in 2015.

Security incidents can be broadly categorized as data exfiltration, data destruction and account takeovers by hackers. Anomalous frequent downloads, file sharing and frequent logins constitute the majority of the most destructive shadow data incidents.

IDC predicts that more than 1.5 billion people—or about a fourth of the world’s population—will be affected by data breaches by 2020. Across all industries, files are being shared that contain highly sensitive data, such as personal health information (PHI), payment card information (PCI) and personally identifiable information (PII). The potential financial impact on the average enterprise organization resulting from the sharing of this sensitive data could be devastating.

The Symantec BCECTL report calculated that the potential financial impact on the average organization from the leakage of sensitive cloud data was just over $2 million. Certain industries, such as health care, pose even higher financial risks. The report reveals that the average cost of a PHI data breach to an organization is $10 million. In addition, the finance, telecom and education industries also face high financial costs if PII and PCI data is leaked. For example, in February of this year, the FCC released PII violation orders to six telecom organizations with penalties ranging from $1.7 million to $9.6 million.

To safeguard against a potential data breach, organizations must implement security strategies that allow for consistent visibility across their organization—from data stored on a corporate network to applications running in the cloud. When running business in the cloud, IT security teams must have access to the tools needed to evaluate employees’ user activities and educate these users on potential risks shadow data presents. It is important for organizations to extend data loss prevention (DLP) policies to the cloud to cover shadow data. Good cloud access security brokers (CASBs) offer DLP capabilities for the cloud, but the best solution involves extending enterprisewide DLP to cover shadow data in the cloud by integrating existing DLP with full CASB capabilities.

Business readiness is determined by whether the cloud app in use has attributes that meet certain security standards. These attributes fall into seven categories: compliance, data protection, administrative controls, access controls, service availability, business availability and informational. Symantec’s BCECTL Shadow Data Report shows that an astounding 99% of all enterprise apps are not business ready. Of those apps, 10 percent are partially business ready, meaning they may be suitable for limited business use, at least within companies with minimal sensitive data or compliance requirements. The remainder are typically too risky for most businesses to adopt.

General Data Protection Regulation (GDPR) is a regulation by which the European Commission intends to strengthen data protection for individuals within the European Union. As a result, doing business in the EU can bring added regulatory challenges—a risk that is dramatically increased with the introduction of cloud services, many of which are hosted outside of the EU. IDC predicts that GDPR regulations are likely to have a substantial impact on many areas of an organization’s business operations and will be a game-changer for any company dealing in personal data of EU citizens or businesses.

A comprehensive CASB solution will help to determine which cloud apps your employees are adopting and using. In fact, Gartner predicts that by 2020, 85% of large enterprises will use a CASB, significantly up from fewer than 5% today. A CASB solution can help identify which applications are business ready and satisfy your specific security requirements such as GDPR regulations and business readiness. It is also important to understand that the most successful type of CASB solution involves extending DLP to the cloud to cover shadow data by integrating existing DLP with full CASB capabilities. Additionally, CASBs assist in classifying your data and setting corporate usage policies around cloud applications—which is a critical step to avoid falling victim to the shadow data threat.