* [Blog](https://www.paloaltonetworks.com.au/blog)
* [Cloud Security](https://www.paloaltonetworks.com.au/blog/cloud-security/)
* [Data Detection and Response](https://www.paloaltonetworks.com.au/blog/cloud-security/category/data-detection-and-response/)
* Shadow Data Is Inevitable...

# Shadow Data Is Inevitable, But Security Risks Aren't

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fcloud-security%2Fshadow-data-risk-mitigation%2F)  
[](https://twitter.com/share?text=Shadow+Data+Is+Inevitable%2C+But+Security+Risks+Aren%E2%80%99t&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fcloud-security%2Fshadow-data-risk-mitigation%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fcloud-security%2Fshadow-data-risk-mitigation%2F&title=Shadow+Data+Is+Inevitable%2C+But+Security+Risks+Aren%E2%80%99t&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com.au/blog/cloud-security/shadow-data-risk-mitigation/&ts=markdown)  
\[\](mailto:?subject=Shadow Data Is Inevitable, But Security Risks Aren’t)  
Link copied  
By [Benny Rofman](https://www.paloaltonetworks.com/blog/author/benny-rofman/?ts=markdown "Posts by Benny Rofman")  
Dec 12, 2023  
6 minutes  
[Data Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/data-detection-and-response/?ts=markdown)  
[Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown)  
[Data Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/data-security-posture-management/?ts=markdown)

Shadow data is inevitable, particularly with the shift to cloud and data democratization. The ease of creating shadow data assets and the potential for faster insights incentivize employees. While generally not concerning, issues arise when [sensitive data](https://www.paloaltonetworks.com/cyberpedia/sensitive-data) becomes involved. To harden your cloud data security posture and prevent, for example, storing confidential financial information in an unmonitored database, you need to get ahead of potential oversights. The challenge in proactive data management lies in striking a balance between security, agility, and data democratization.

## Shadow Data and the Cloud: A Match Made in Heaven

Organizations love the public cloud because it makes everything easy to deploy. Rather than petitioning a centralized IT team to allocate resources for a new data initiative, smaller dev or analytics teams can spin up new cloud resources and start filling them with data.

Data democratization and business agility implicitly encourage [shadow data](https://www.paloaltonetworks.com/cyberpedia/shadow-data). These principles essentially boil down to smaller teams accessing data independently --- bypassing traditional gatekeepers in IT, DevOps or DBA departments. Marketing analysts might move customer data to Google BigQuery to analyze product usage patterns while support teams store a copy of the same data in Snowflake as part of a ticket NLP project. These tools can be set up in a few clicks and require little knowledge beyond SQL.

But when infrastructure is easier to deploy, it's harder to monitor. And while infrastructure security has come a long way, it struggles to catch up with the rate in which shadow data is created in the cloud --- which can easily lead to a leak of sensitive or regulated information.

‍Shadow data, as an '[unknown unknown](https://www.pmi.org/learning/library/characterizing-unknown-unknowns-6077)', poses unique risks. Beyond not knowing where to find it, security teams don't know they should look for it. And by definition, sensitive data being stored in a shadow datastore isn't subject to the organization's standard security policies and isn't being monitored.

## Common Shadow Data Scenarios

Shadow data can be generated as part of testing, backup, cloud migration or in regular business operations. In many cases, this can actually help teams accomplish more, faster --- and we wouldn't necessarily want to discourage this. But if sensitive data is being forgotten or abandoned, it poses an exciting opportunity for cyberattackers looking to steal data or commit ransomware attacks.

Let's talk about where to look for shadow data, based on real-life scenarios we've encountered in our work with customers.

### Object Storage (AWS S3, Google Cloud Storage, Azure Blob) --- the Biggest Culprit

Unstructured, inexpensive and typically accessible, object storage tends to be the biggest component of the organizational data estate. Even though it's the obvious suspect for hidden shadow data, building effective detection mechanisms is challenging --- and the shadow data often goes unnoticed.

Consider a data scientist using Databricks to run a specific, one-off transformation to answer a business question. They then store the results in S3 for potential future analysis. If done using anonymized, non-PII data, there's no issue. It poses a security and compliance problem, though, if they create a copy of customer credit card information.

How about a company that dumps its Redis instance, which contains PII, into an unencrypted S3 bucket? The security team is unaware of the problem --- it's just one more S3 bucket with an inconspicuous name. But a malicious actor with access to the cloud environment has no problem accessing the data.

### Unmanaged Datastores: A Complete Black Box

In a world of on-demand compute, it's impossible for security teams to monitor every new VM. Should someone use these machines to run databases, you now have data assets with contents invisible to most security solutions.

Imagine a developer trying to solve a data quality issue. They spin up a new Postgres instance and fill it with production data to run a test. Maybe they use a snapshot, maybe they use an automatically updated replica of a database containing sensitive information. On completion of the project, they should delete the database, but --- common oversight --- they leave the database running.

A company has employee turnover resulting in an unmanaged MariaDB instance in their cloud environment. The database contains hundreds of gigabytes of data copied from production a year earlier, including thousands of electronic health records. While the database is no longer running, the data remains --- dormant and ripe for attack. The [CSPM](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management) platform alerts the organization to the database's existence, but the team, unaware of the scale of sensitive data it contains, doesn't consider it a priority.

### Duplicates on Managed Datastores

Partitions, snapshots, staging tables and ELT jobs will often lead to duplicate and triplicate copies of data created in cloud data assets like BigQuery and Snowflake. While these tools have some built-in monitoring, the sheer number of services and copies can make monitoring close to impossible.

## The Need for Data-Centric Security

While the above examples lean toward egregious, forgotten database dumps and orphaned snapshots in cloud environments do happen --- all too frequently.

When data plays a major part in business processes, you'll have more people doing more things with more data. As the organization grows, keeping track of this data becomes immensely challenging without the right solution.

If you can't eliminate shadow data, what can you do about it? How can you ensure that it's not creating a security liability?

Policy and posture are vital, but they're a first step and not the final. [Data security posture management (DSPM)](https://www.paloaltonetworks.com/cyberpedia/what-is-dspm) classifies data contained within the database or file storage, whether managed or unmanaged. By scanning the actual records, DSPM can detect and prioritize shadow data anywhere. Highlighting and classifying sensitive records allows security teams to focus on data assets that pose the largest risk, either for security or compliance reasons.

[Data detection and response (DDR)](https://www.paloaltonetworks.com/cyberpedia/data-detection-response-ddr) completes the picture by providing real-time monitoring of data assets, allowing security teams to quickly intervene when unwanted actions are underway. Organizations are equipped to mitigate long-forgotten dataset suddenly copied to S3 or a snapshot suspiciously taken of a production database.

By combining posture management, static risk detection, and dynamic monitoring, companies can gain visibility and control while supporting data driven operations at scale.

## Is Your Shadow Data a Problem?

To assess your shadow data situation, ask yourself these questions:

1. Do you have an automated discovery tool that can notify you of new sensitive data assets in your environments and the safeguards around them?
2. Can you protect your cloud data without hindering development or infrastructure performance?
3. Would you be alerted in real time on suspicious actions involving your sensitive data?

## Learn More

Discover shadow data assets without impacting your production environment with [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud/cloud-datasecurity), which integrates cloud DLP with DSPM and DDR for end-to-end data protection.

Learn how to lock down your shadow data with our definitive guide, [Securing the Data Landscape with DSPM and DDR](https://www.paloaltonetworks.com/resources/guides/dspm-ddr-big-guide).

*** ** * ** ***

## Related Blogs

### [Data Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/data-detection-and-response/?ts=markdown), [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown), [Data Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/data-security-posture-management/?ts=markdown)

[#### How to Build an Enterprise Data Security Team](https://www.paloaltonetworks.com.au/blog/cloud-security/how-to-build-enterprise-data-security-team/)

### [Data Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/data-detection-and-response/?ts=markdown), [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown), [Data Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/data-security-posture-management/?ts=markdown)

[#### Redshift Security: Attack Surface Explained](https://www.paloaltonetworks.com.au/blog/cloud-security/redshift-security-attack-surface-explained/)

### [Data Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/data-detection-and-response/?ts=markdown), [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown), [Data Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/data-security-posture-management/?ts=markdown)

[#### Redshift Security: Access and Data Flows Explained](https://www.paloaltonetworks.com.au/blog/cloud-security/redshift-inside-out-part-1/)

### [Data Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/data-detection-and-response/?ts=markdown), [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown), [Data Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/data-security-posture-management/?ts=markdown), [DLP](https://www.paloaltonetworks.com/blog/cloud-security/category/dlp/?ts=markdown)

[#### Data Security Platforms: 9 Key Capabilities and Evaluation Criteria](https://www.paloaltonetworks.com.au/blog/cloud-security/data-security-platform-capabilities-criteria/)

### [Data Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/data-detection-and-response/?ts=markdown), [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown), [Data Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/data-security-posture-management/?ts=markdown)

[#### Cloud Data Security \& Protection: Everything You Need to Know](https://www.paloaltonetworks.com.au/blog/cloud-security/cloud-data-security-protection-everything-you-need-to-know/)

### [Data Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/data-detection-and-response/?ts=markdown), [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown), [Data Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/data-security-posture-management/?ts=markdown)

[#### Prisma Cloud Data Security Vs. Other CSPM Vendors](https://www.paloaltonetworks.com.au/blog/cloud-security/dspm-vs-cspm/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com.au/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language