I do a lot of work with what you’d call Shadow IT, or the use of unsanctioned applications. I use cloud broker tools that use firewall logs to identify where these websites are being used.

These file conversion tools are very commonly used, and often on sensitive information. Heck, I’ve seen health companies use these tools to upload god knows what.

Usually there are little to no data sovereignty rules that apply, in that by using the service for free, they can own the file you upload and use it to glean information from.

Firstly, employees need to be aware that they are not allowed to use this software and you need to therefore provide a solution. You should then use broker tools to actually block these conversion sites, in the same way that you might block the use of Dropbox and other cloud solutions if these are unsanctioned.

Yes, you’re absolutely right to question these services, and organisations are having to deal with the risk associated with using them, which is only really an issue if it’s sensitive personally identifiable information.
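The workflow the comment above describes (pull destinations out of firewall or proxy logs, match them against a list of unsanctioned file-conversion sites, then feed the hits into a block rule) can be sketched in a few dozen lines. The following is an added example, not code from the commenter or from any particular broker product: the log format, the domain list and the rule syntax are all constructed for illustration and would need to be adapted to a real export.

```python
"""Flag and block unsanctioned file-conversion sites from firewall/proxy logs.

Added example, not code from the thread. The log lines, the domain list and
the field layout are all constructed/hypothetical: real CASB or firewall
exports will differ and the parser must be adapted to their schema.
"""
import re
from collections import Counter, defaultdict

# Hypothetical list of unsanctioned file-conversion services (made-up names;
# in practice this comes from the broker's category feed or a reviewed list).
UNSANCTIONED_CONVERTERS = {
    "pdf-convert.example",
    "anyfile2any.example",
    "quickconvert.example",
}

# Constructed log lines: timestamp, source IP, user, destination host, action.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z 10.0.4.21 alice upload.pdf-convert.example ALLOW
2024-03-04T09:12:07Z 10.0.4.21 alice cdn.pdf-convert.example ALLOW
2024-03-04T09:13:45Z 10.0.7.88 bob docs.internal.example ALLOW
2024-03-04T09:15:10Z 10.0.9.14 carol anyfile2any.example ALLOW
2024-03-04T09:16:30Z 10.0.9.14 carol notpdf-convert.example ALLOW
2024-03-04T09:17:02Z 10.0.4.21 alice quickconvert.example DENY
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (ALLOW|DENY)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src_ip, user, host, action = m.groups()
    return {"ts": ts, "src_ip": src_ip, "user": user,
            "host": host.lower().rstrip("."), "action": action}


def matching_service(host, services=UNSANCTIONED_CONVERTERS):
    """Return the listed service that `host` belongs to, or None.

    Matching is on DNS labels, so upload.pdf-convert.example matches
    pdf-convert.example but notpdf-convert.example does not (a naive
    substring check would flag the wrong domain).
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in services:
            return candidate
    return None


def analyse(log_text, services=UNSANCTIONED_CONVERTERS):
    """Summarise unsanctioned converter usage from raw log text.

    Only ALLOW records count as usage (that traffic actually reached the
    service); DENY records mean a rule already covers the destination.
    """
    hits = Counter()
    by_user = defaultdict(set)
    to_block = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        svc = matching_service(rec["host"], services)
        if svc is None or rec["action"] != "ALLOW":
            continue
        hits[svc] += 1
        by_user[svc].add((rec["user"], rec["src_ip"]))
        to_block.add(svc)
    return {
        "hits": dict(hits),
        "by_user": {k: sorted(v) for k, v in by_user.items()},
        "to_block": sorted(to_block),
    }


def block_rules(to_block):
    """Render block rules for the services that were reached.

    The `deny host-suffix` syntax is invented for illustration; a real
    broker or firewall has its own rule language.
    """
    return [f"deny host-suffix {svc}" for svc in to_block]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for svc, n in sorted(result["hits"].items()):
        print(f"{svc}: {n} allowed request(s) from {result['by_user'][svc]}")
    for rule in block_rules(result["to_block"]):
        print(rule)
```

The label-wise suffix match is the part worth keeping when adapting this: subdomains of a listed service (upload CDNs, API hosts) should match, but a look-alike name that merely contains the listed string should not, otherwise the block rule either misses the real upload endpoint or breaks an unrelated site.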

> Firstly, employees need to be aware that they are not allowed to use this software and you need to therefore provide a solution.

As far as I understand, the usage of such tools is caused by the need to accomplish some goal that they don't know how to otherwise do. Therefore, wouldn't it be a good idea to self-host such a tool, even if it's not a part of any pre-existing platform that's in use for other business processes?

For example, for various data format related concerns, I've seen CyberChef be pretty good: https://github.com/gchq/CyberChef

As for some binary file format conversions, HRConvert2 seems viable: https://github.com/zelon88/HRConvert2

If self-hosting things is too much of a bother/risk, then I guess all that's left is local tools, such as Handbrake on Windows for video: https://handbrake.fr/ and maybe something like XnView for images: https://www.xnview.com/en/ and so on...

But then there's the risks of self-hosted or local software containing something malicious and needing to be audited etc. I recall that in my previous org, I helped develop a Wiki page listing many of the tools available within the company internally, so that anyone who needs to store files could immediately look at self-hosted Nextcloud (for example), as opposed to going for Dropbox or whatever. Of course, instructions alone probably aren't enough, restrictions are also necessary, but discoverability is always good!