How can enterprises prevent shadow data leakage?

The increased use of cloud applications has caused a parallel increase in shadow data loss. Expert Dan Sullivan explains how to prevent the risk.

A recent study found "shadow data" leaking out of enterprises through approved cloud apps and services. What is shadow data, and what's the best way to prevent it from leaking out of my company?

Shadow data is data that is not properly managed by security controls and governance procedures.
It is typically found on file-sharing services -- such as Google Drive, Dropbox and Box -- outside the oversight of centralized IT.

Cloud access security broker Elastica Inc. conducted a study of its customers' content in monitored file-sharing services and found high levels of loose access controls. For example, researchers found 25% of content is broadly shared, meaning it is accessible to the entire organization, external parties and/or the public Internet.

Certainly, some of these documents are intentionally shared, but others are unintentionally shared. Elastica further classified "broadly shared data" and found that 31% of it included protected health information (PHI); PHI is particularly valuable to cybercriminals as it contains useful personal information needed to commit identity theft.

There are three broad approaches to mitigating the risk of improperly managed data on SaaS file-sharing services.

  1. Data loss prevention (DLP) systems can scan network traffic leaving an on-premises network to search for sensitive data. For example, a DLP could scan documents for Social Security numbers or credit card numbers. This approach is useful if the goal is to generally block the egress of sensitive information. Companies that do not formally allow or provide approved SaaS services to employees and business partners may use this approach. An alternative is needed when file sharing services are sanctioned for use by the organization.
  2. File-sharing services offer both consumer and enterprise options. Consumer services are designed to be easy to use and to offer a high degree of sharing flexibility. Enterprise offerings include centralized controls, such as authentication, authorization, policy enforcement, activity monitoring and reporting. Enterprise administrators can use these tools to enforce fine-grained access controls and verify appropriate controls are in place. Some enterprise document-sharing services -- such as Enterprise Box or Egnyte -- are HIPAA- and EU safe harbor-compliant.
  3. Use a cloud access security broker to monitor on-premises-to-cloud transactions. These services typically offer a broad range of access control and monitoring services, and are appropriate for organizations that use multiple SaaS providers.

Ask the Expert:
Perplexed about cloud security? Send Dan Sullivan your questions today. (All questions are anonymous.)

Next Steps

Get help discovering shadow cloud use in the workplace

Learn more on cloud DLP and cloud access security brokers

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices