Can Big Enterprises Prevent Shadow Data Leakage?
The move to the Cloud by many businesses has forced IT Services to take a good look at how they provide and manage the security of data and Intellectual Property stored offsite. Most technology experts in the IT Service departments of large organisations are acutely aware of the security risks associated with Shadow IT.
What is Shadow IT?
Put at its simplest, Shadow IT is the deployment of systems and applications without the IT department’s sanction or knowledge.
Often the cost of a shadow cloud-based or SaaS application can fit within a departmental budget, so the department implements the applications it needs that IT cannot or does not currently supply.
Why is it a danger?
An IT Department has the overall responsibility for the IT infrastructure in an enterprise. They are responsible for equipment and data security with defined standards for equipment and software to ensure compatibility and security.
A department installing its own hardware and software will breach those standards and create opportunities for malware and data theft. A particular danger with Shadow IT is the use of personal online storage like Dropbox and OneDrive. Users in a Shadow IT environment, and indeed outside it, can upload and download sensitive data and share it, again creating opportunities for malware attack and data theft.
Shadow IT also increases the risk of data fragmentation and duplication. It promotes the likelihood of conflicting versions of the same data.
Finally, if a Shadow IT application is supplied and maintained by a third party, access to sensitive data could be compromised.
Why Does it Happen?
There are several reasons. Three major reasons are:
Central IT might not be aware of a departmental requirement and its urgency, or not have the budget to meet it. The department goes ahead by itself.
A multi-site enterprise can have sites in different places, and even in different countries. A local site might need a specific application, but Central IT cannot provide it when it is needed, either because it doesn’t know about the requirement or hasn’t the budget for it. The local site goes ahead and implements it anyway using its own resources.
IT has the ultimate responsibility for data security and for making sure it complies with local regulations. Shadow IT applies local security policies. Document over-sharing and historical access by contractors and ex-employees can mean that information is shared with inappropriate people, because the central security protocols are not applied to Shadow IT systems and data. It can be a problem ensuring that data storage and use comply with IT policy and with the data residency and sovereignty rules of the country.
How to Prevent Shadow IT
Detecting and protecting shadow data has been called Data Leak Prevention (DLP). Here are some steps to implement a DLP strategy:
Empower IT. IT must take the lead on equipment connectivity, data encryption and backup policy. In these days of BYOD and remote access to systems and data, it is unreasonable to force standards on the equipment attached to the network. However, IT can check attached devices and refuse connectivity to local and remote data sources for devices that do not meet acceptable standards of malware protection or that try to break security protocols.
IT needs to create guidelines for local and dispersed management on the proper practices for management of data on personal and non-authorised devices and services. These guidelines need to be backed up by senior management to be effective.
Establish a cloud-based single platform for data. A single platform will make it much easier to manage secure access to data and control backup and recovery processes. Data can be archived, and made always-online using a browser or mobile app. Data duplication and redundancy can be better managed.
Manage authentication beyond the perimeter. Users can access systems and data from virtually anywhere. They need to have their security profile reflect the actions they are permitted to carry out.
Create a self-service mentality. IT needs to move from a command-and-control mentality to that of a self-service provider of goods and services. A provisioning portal that allows users to select what they need will go a long way to reducing the need for Shadow IT.
Shadow IT can be overcome, but it needs a sea-change in IT Management mentality to manage it.