How to maintain data oversight to avoid ‘shadow data’

In connection with shadow IT, shadow data occurs when employees engage in behaviors that expose their company to data risks.

shadow IT

Data at risk

Before his retirement, an employee of the Office of the Comptroller of the Currency (OCC) uploaded more than 10,000 OCC records onto two removable thumb drives. He retired in November 2015; the agency didn’t discover the breach until the following September. That left almost a year between breach and detection. The OCC was not able to recover the thumb drives.

It illustrates what happens when business administrators fail to adequately oversee how employees handle sensitive corporate data. Many companies attempt to combat this problem by cracking down on Shadow IT – the employee use of unsanctioned apps and devices.

But even when using sanctioned apps, employees can still engage in behaviors that expose their company to data risks. This problem is called Shadow Data. As more companies take a liberal approach to cloud app provisioning, they need to make sure that all apps – including vetted ones – are carefully secured, optimized and monitored. Al Sargent, senior director at OneLogin, offers the following seven tips enterprise leaders can follow to maintain data oversight and reduce the risks posed by Shadow Data.


Encrypt privileged data at rest

Companies need robust encryption measures in place to protect lost or stolen data from unauthorized access and dissemination. In the case of the OCC breach, the fact that the more than 10,000 records were encrypted helped mitigate the damage.  


shadow data

Ensure enterprise apps are compliant with security standards

Most organizations aren’t doing enough to ensure their approved apps meet standard security benchmarks. As an industry report about Shadow Data revealed, 95 percent of company cloud apps aren’t meeting the compliance standards set by SOC 2 – a common benchmark to gauge cloud app security. Businesses should have a set policy in place to make sure all vetted apps meet standard compliance thresholds. 

shadow data

Implement multi-factor authentication

The same industry report that revealed compliance shortcomings also found that 71 percent of enterprise apps don’t have multi-factor authentication (MFA). The absence of MFA from any corporate-sanctioned app makes it inherently vulnerable to unauthorized access.


cloud apps

Maintain a unified catalog of corporate cloud apps

One of the key reasons IT departments face risks with Shadow Data is because they lose track of all the apps they’ve approved. Without proper oversight, suspicious behavior – such as anomalous downloads – can slip through the cracks. By creating and maintaining a centralized catalog of corporate-vetted apps – one equipped with user management and access controls – IT leaders can maintain the organizational hierarchy that’s vital to cloud app security.


shadow data

Limit intentional and accidental sharing

Whether it’s accidental or malicious, file sharing can quickly compromise the security of business data contained within an approved app. Company leaders can prevent this problem by carefully configuring the sharing permissions for each app they approve – and ensuring that broad sharing is kept to a minimum.


shadow data

Oversee expedient deprovisioning

Employers can’t afford to be slow in offboarding employees. All it takes is one irritated former employee with an external hard drive to reveal why that’s a bad idea. By moving from ineffective manual offboarding to automatic deprovisioning, IT leaders can significantly reduce the risk of company data exposure.


shadow data
REUTERS/Toru Hanai

Protect employee mobile devices

If your business is among the many that allows employees to work via their mobile devices, you need to make sure these devices meet your company’s security standards. The best way to ensure this level of protection is to implement mobile-specific identity and access management (IAM) tools.

RELATED: Shadow IT 101: Beyond convenience vs. security

Copyright © 2017 IDG Communications, Inc.

Related Slideshows