
How can enterprises prevent shadow data leakage?

The increased use of cloud applications has caused a parallel increase in shadow data loss. Expert Dan Sullivan explains how to prevent the risk.

A recent study found "shadow data" leaking out of enterprises through approved cloud apps and services. What is shadow data, and what's the best way to prevent it from leaking out of my company?

Shadow data is data that is not properly managed by security controls and governance procedures.
It is typically found on file-sharing services -- such as Google Drive, Dropbox and Box -- outside the oversight of centralized IT.

Cloud access security broker Elastica Inc. conducted a study of its customers' content in monitored file-sharing services and found high levels of loose access controls. For example, researchers found 25% of content is broadly shared, meaning it is accessible to the entire organization, external parties and/or the public Internet.

Certainly, some of these documents are intentionally shared, but others are unintentionally shared. Elastica further classified "broadly shared data" and found that 31% of it included protected health information (PHI); PHI is particularly valuable to cybercriminals as it contains useful personal information needed to commit identity theft.

There are three broad approaches to mitigating the risk of improperly managed data on SaaS file-sharing services.

  1. Data loss prevention (DLP) systems can scan network traffic leaving an on-premises network to search for sensitive data. For example, a DLP system could scan documents for Social Security numbers or credit card numbers. This approach is useful if the goal is to generally block the egress of sensitive information. Companies that do not formally allow or provide approved SaaS services to employees and business partners may use this approach. An alternative is needed when file-sharing services are sanctioned for use by the organization.
  2. File-sharing services offer both consumer and enterprise options. Consumer services are designed to be easy to use and to offer a high degree of sharing flexibility. Enterprise offerings include centralized controls, such as authentication, authorization, policy enforcement, activity monitoring and reporting. Enterprise administrators can use these tools to enforce fine-grained access controls and verify appropriate controls are in place. Some enterprise document-sharing services -- such as Enterprise Box or Egnyte -- are HIPAA- and EU Safe Harbor-compliant.
  3. Use a cloud access security broker to monitor on-premises-to-cloud transactions. These services typically offer a broad range of access control and monitoring services, and are appropriate for organizations that use multiple SaaS providers.
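
The sketch below is an added example, not code from the article or from any vendor. It combines the content scanning described in the first approach with the "broadly shared" exposure categories from the study, and flags only files that are both broadly shared and contain a validated Social Security or card number. The inventory format, scope labels and file contents are assumptions constructed for illustration.

```python
import re

# Candidate patterns only; the validators below cut false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
BROAD = {"organization", "external", "public"}  # "broadly shared" per the study

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_ok(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def find_sensitive(text):
    """Return the set of sensitive data types found in text."""
    hits = set()
    if any(ssn_ok(*m.groups()) for m in SSN_RE.finditer(text)):
        hits.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.add("card")
    return hits

def audit(files):
    """List broadly shared files that contain sensitive data."""
    findings = []
    for f in files:
        hits = find_sensitive(f["text"]) if f["scope"] in BROAD else set()
        if hits:
            findings.append((f["name"], f["scope"], sorted(hits)))
    return findings

# Constructed inventory; names, scopes and contents are invented for illustration.
SAMPLE_FILES = [
    {"name": "q3-plan.txt", "scope": "public", "text": "Order ref 1234-5678-9012-3456."},
    {"name": "claims.csv", "scope": "external", "text": "patient,ssn\nJ. Doe,123-45-6789"},
    {"name": "payroll.txt", "scope": "private", "text": "card 4111 1111 1111 1111"},
    {"name": "refunds.txt", "scope": "organization",
     "text": "refund to 4111-1111-1111-1111, ssn 000-12-3456"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
```

The 16-digit order reference fails the Luhn check and the `000` area number is never issued, so neither produces a finding; the privately held payroll file is skipped because it is not broadly shared.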


This was last published in November 2015
