The widespread availability and usage of cloud applications and services within the enterprise is leading to "shadow data" leaks, according to a new study by cloud security startup Elastica.
The cloud application security monitoring and auditing vendor, based in San Jose, Calif., reviewed more than 100 million files from approximately 100 different businesses. The research data, which was generated by Elastica's CloudSOC platform for managing cloud applications, showed that the average employee stored 2,037 files in the cloud.
More importantly, Elastica's study showed that 185 of those files on average are shadow data -- data uploaded to cloud services such as Dropbox or Google Drive that has been broadly shared without approval, either with the entire enterprise or with people outside of the company. Worse, 20% of those broadly shared files contain compliance data, with 56% of that compliance data being personally identifiable information such as Social Security numbers, 29% being personal health information, and 15% being payment card information.
Elastica CEO Rehan Jalil said the research showed just how quickly cloud services and apps, whether they were company approved or shadow cloud, are being adopted within organizations. "Most enterprise data will be sitting on third-party applications or infrastructure in the cloud in the near future," Jalil said. "Specifically, file-sharing cloud applications are extremely useful, and they're being adopted at a very fast clip."
In addition, Elastica's research revealed that on average, just 5% of an enterprise's employees were responsible for 85% of the total risk exposures from shadow cloud usage and shadow data. The vast majority of those exposures, according to Elastica, were accidental.
For example, Jalil said, if an employee puts a corporate file with sensitive data on a Dropbox account and then sends a link to share that file with another person outside the enterprise, they're exposing that file. "Employees don't see that as an exposure, but it is," said Jalil.
Even though large enterprises have dedicated IT departments, whereas smaller businesses do not, the shadow cloud problem only grows worse as employee head count increases. "People don't understand the severity of the problem," Jalil said. "And the bigger the company, the bigger the chaos."
Shadow cloud was also a dominant theme at last month's Cloud Security Alliance Congress and the International Association of Privacy Professionals' (IAPP) Privacy Academy event in San Jose. Trevor Hughes, CEO of the IAPP, said in an interview with SearchCloudSecurity this week that the pervasive use of cloud both inside and outside the enterprise is putting sensitive data at risk.
"New technology has always been a challenge for data privacy," Hughes said, "but what's challenging today is that there are so many cloud apps and services out there, and the lines between personal and professional usage are blurring."
The answer to curbing shadow data leaks, Jalil said, is not to block shadow cloud apps and services but to reform employee behavior with education and awareness training.
"Enterprises need to monitor employee usage and behavior and give them proper feedback about what they're doing with these cloud apps and services," he said. "It takes time to reform behavior but we hope with better monitoring and education, by this time next year we'll be looking at the survey numbers go down."