Shadow data: A growing risk to your organization’s security
Learn how to tackle and mitigate this growing threat.
Businesses are embracing the cloud for multiple reasons, including cost savings and business acceleration. But these gains are accompanied by growing public cloud data risks.
Many business users subscribe to productivity tools without involving IT teams or their respective cloud Centers of Excellence (CoE). This often leads to shadow IT usage and uncontrolled growth in costs and service redundancies.
Shadow data is a growing risk
Data is a critical asset for organizations, but it can also be a source of risk. As companies move to the cloud, they are storing and deploying vast amounts of data in new locations. These data stores are often outside of the IT infrastructure and not governed by an organization’s data management framework. This creates shadow data risks. Shadow data is information that does not reside under the control of IT teams, exposing organizations to risks like privacy breaches and regulatory non-compliance.
The problem of shadow data is growing as business units and individual users sign up for cloud services without the involvement of IT. These subscriptions to cloud services may contain sensitive information, including confidential customer information, and could expose the company to data security, transaction integrity and regulatory compliance issues.
Moreover, these shadow services often have lax access control processes, making it easier for unauthorized individuals to get hold of sensitive information. These systems can also be difficult to track, as the underlying structures are often complex and change at a much faster rate than centralized databases. In addition, some of these data storage structures include image repositories, big data lakes and data blob servers that are challenging to scan in a cost-effective manner.
It is important to recognize the risks of shadow data so that steps can be taken to address them. The first step is to gain visibility into all data environments and to identify and tag the most sensitive data, regardless of where it resides in the organization’s environment. This can be done manually or through automated tools that leverage pattern matching and machine learning to detect sensitive information.
Finally, it is important to regularly cleanse the environment of unused or low-value data. For example, each time a developer replicates a data store for testing or an operations team mirrors a database prior to an upgrade, this information should be removed once the test or the upgrade is complete.
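The tagging and cleanup steps above can be sketched as follows. This is an added example, not code from the original article: the inventory fields, store names, the three patterns, and the 30-day idle threshold used as a stand-in for "test or upgrade complete" are all assumptions.

```python
import re
from datetime import date

# Illustrative patterns only; real classifiers cover many more data types.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

def luhn_ok(candidate):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()][::-1]
    odd = sum(d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2])
    return (sum(digits[0::2]) + odd) % 10 == 0

def tag_sensitive(text):
    tags = set()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name != "card" or luhn_ok(m.group()):
                tags.add(name)
    return tags

def review(stores, today, max_idle_days=30):
    """Map each store name to (sorted tags, recommended action)."""
    report = {}
    for s in stores:
        tags = tag_sensitive(s["sample"])
        idle = (today - s["last_access"]).days
        if s["purpose"] in ("test-copy", "pre-upgrade-mirror") and idle > max_idle_days:
            action = "delete"  # leftover replica, per the cleanup step
        elif tags and not s["managed"]:
            action = "bring-under-governance"  # sensitive data outside IT control
        else:
            action = "keep"
        report[s["name"]] = (sorted(tags), action)
    return report

# Constructed inventory: names, fields and samples are hypothetical.
STORES = [
    {"name": "crm-prod", "managed": True, "purpose": "production", "last_access": date(2024, 5, 30), "sample": "jane@example.com, card 4111 1111 1111 1111"},
    {"name": "crm-test-copy", "managed": False, "purpose": "test-copy", "last_access": date(2024, 2, 1), "sample": "jane@example.com 123-45-6789"},
    {"name": "team-share", "managed": False, "purpose": "collaboration", "last_access": date(2024, 5, 29), "sample": "contract for bob@example.org"},
    {"name": "build-logs", "managed": False, "purpose": "collaboration", "last_access": date(2024, 5, 29), "sample": "order id 1234 5678 9012 3456 shipped"},
]
REPORT = review(STORES, date(2024, 6, 1))
```

The `build-logs` entry shows why pattern matching alone over-reports: its 16-digit order id matches the card pattern but fails the Luhn check, so the store is not tagged.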
The key to reducing shadow data is visibility and consistency. To have this, IT and business leaders need to work together to ensure that the right data is available at the right time for the right use cases. This will allow them to achieve the speed of business they are pursuing while also improving the efficiency and quality of their analytics, reporting and machine learning.
Shadow data is a growing threat
The tendency by business units and individuals to sign up for cloud services without involving their IT organization creates serious risks for enterprises, technology consulting firm PwC warned last week. These include issues with data security, transaction integrity and business continuity. It also can undermine compliance with internal and regulatory requirements, such as those around privacy and data governance. Cyberattacks that target these shadow data sources are often more dangerous than those targeting a company’s core systems, because the attackers have inside knowledge of the information being shared or stored in the cloud service and can therefore bypass the security systems and policies in place at a company. This can lead to exfiltration of confidential information, account takeovers and even the destruction of the data.
The dangers of shadow data are exacerbated by the fact that many of these cloud services have a consumer-like experience and are easy for users to sign up for, which can bypass the internal security controls. As a result, it’s not uncommon for employees to store confidential information in these cloud services or share it with others. Exposure can result from a malicious attack or from lax security policies and training. More often, though, it happens through inadvertent sharing via common collaboration or file-sharing tools such as Box, Office365 and Dropbox. The dangers of these shadow data leaks are multiplied by the fact that cyberthreats and compliance obligations continue to escalate, making it harder than ever for companies to prioritise security.
However, the opportunity for companies to leverage cloud to deliver a broader range of powerful use cases continues to grow. For example, the ability of cloud to speed development and iteration can allow businesses to quickly turn ideas into valuable new products that can transform their operations. It’s not just high tech, oil and gas or retail industries that can benefit, with all sectors showing the potential to generate significant value from cloud-based initiatives in 2030.
The trillion-dollar prize will only be won by organizations that develop a clear, focused strategy for taking advantage of the power and opportunities of cloud. Successful cloud adoption requires a fundamental change to the way that business and IT teams operate. That must include a DevSecFinOps approach that puts rapid iterative delivery at the centre, policies that embed security into the development lifecycle and end-to-end process automation.
Shadow data is a growing problem
Shadow data is a growing problem for most businesses because it increases the attack surface and makes data more vulnerable. It can include anything from a backup copy of a production database that isn’t cleaned up to unmanaged data stored in an external tool. These unmanaged repositories can be exploited by hackers to exfiltrate sensitive information and cause serious security breaches. It also leads to higher-than-expected cloud storage costs because this data is often sitting idle.
Workgroups and individual employees are increasingly using their own subscriptions to public cloud services because it’s easy and relatively inexpensive for them to do so, according to Cara Beston, cloud risk assurance leader at PwC. These services can include cloud collaboration software, file sharing apps, customer relationship management software and more. This creates significant risks for organizations because it’s impossible to control who is using these services and what they are doing with them.
Another issue is that many of these services are disconnected automatically when a user’s account is terminated. As a result, the company can lose access to critical information such as customer contracts, drawings and project documentation. For companies that are regulated, this poses a serious risk because the organization could breach regulatory guidelines without even realizing it.
The good news is that there are ways to reduce the amount of shadow data created by business users. The first step is for data teams to prioritize data minimization by storing in their systems and services only the data that is necessary for current projects and day-to-day operations. Then, they must use comprehensive monitoring tools to quickly detect new and existing data in their environments and alert them to it.
As part of this effort, data teams should be able to see all the locations where their data resides, including both managed and unmanaged repositories. These tools can then help them identify and consolidate unnecessary data and eliminate duplicate repositories. Additionally, the tools should provide visibility into data that is being used for testing and development purposes. This will help teams better understand the data they need to protect and prioritize the right controls, such as access limits, minimal privileges, checking for anomalous behavior, alerting to threats and remediating misconfigurations.
Shadow data is a growing opportunity
Shadow data is any organizational data that has been copied, backed up or otherwise stored outside your organization’s preferred security structure and may not be visible to the tools you use to monitor, log and control access. It’s essentially your “known unknown” and the biggest target for cybercriminals because, in many cases, you don’t even know that you have it. And, as the proliferation of public cloud services grows, so too does the scope and scale of shadow data.
The benefits of the cloud enable a “fail fast” mentality where teams can experiment with applications and new business models without large up-front capital investments. In addition, cloud enables organizations to scale more easily to meet demand with an on-demand model. But, to fully harness the cloud’s potential and reduce tech risks, organizations need to transform their operations. This includes adopting a DevSecFinOps approach with small cross-functional teams working in iterative cycles to deliver business value, policies that embed security into development and end-to-end process automation.
It’s no wonder that companies with the highest levels of cloud maturity reap significant benefits, outpacing their peers. A recent third-party primary research survey of 705 companies that use public cloud found that those with higher cloud maturity exhibit a number of distinct adoption mindsets. For example, these companies are early adopters of cutting-edge technology and aggressively innovate, embracing the cloud as a strategic asset.
In contrast, companies with lower cloud maturity often rely on existing solutions and have limited or no visibility into their public cloud usage. In fact, the average company surveyed in 2021 had ten times as much unmanaged SaaS (software-as-a-service) sprawl compared to known cloud usage.
As the pace of public cloud adoption accelerates, enterprises must rethink their strategies to reduce shadow IT and protect the information they’re storing in public clouds. They should also invest in technologies such as attack surface management tools that continuously scan an organization’s internet-facing assets to discover cloud-based applications and evaluate them for vulnerabilities. In addition, they should implement a CASB that protects cloud-based assets and secures connections to those assets.