
Enterprises creating 'shadow data' through cloud storage services

A new study from cloud access security broker Elastica shows a growing amount of shadow data is leaking out of enterprises via cloud services.

A new study claims that a quarter of all enterprise files stored in the cloud are being exposed and that these exposures could potentially cost companies an average of $14 million a year.

Elastica, a cloud access security broker (CASB) based in San Jose, Calif., released its "Q2 2015 Shadow Data Report" Monday, which claims 25% of its customers' files stored in the cloud are "broadly shared" -- often accidentally -- to the entire organization (74%), external parties (17%) or the public Internet (9%). The report revealed 12.5% of the broadly shared files or "shadow data" contain sensitive details such as social security numbers or healthcare information, and estimated breaches from these exposures could cost enterprises an average of $13.85 million.

Elastica's study, which compiled customer data from its CloudSOC platform, examined files only in cloud apps and services that were authorized by IT departments, from cloud providers such as Dropbox and Google Drive. But Eric Andrews, vice president of marketing at Elastica, said enterprise employees are still creating shadow data even when they aren't using shadow cloud services.

"When using cloud services," he said, "the permissions being set are usually done by the users themselves [instead of IT departments]."

The statistics in the Q2 study indicated a concerning trend, according to Elastica CEO Rehan Jalil. According to the report, the amount of broadly shared data in cloud storage services rose from 9% in the fourth quarter of 2014 to 25% in the second quarter of 2015. The number of compliance policy violations also rose from 1.8% in Q4 last year to 3.2% in Q2 this year.

Jalil said that even when IT departments approve cloud services, enterprise data is still being put at risk by reckless user behavior and a lack of security policies to govern that behavior.

"What do they do when they grant access to these apps? How do they know what users are doing with the data?" Jalil said. "The whole ecosystem is shifting away from on-premise to the cloud, and security has to evolve."

The study also highlighted the growing value of personal health information (PHI). According to the report, 31% of all sensitive data broadly shared included PHI. In addition, healthcare topped the list of verticals with the most policy violations. Andrews said cybercriminals and hackers are willing to pay 10 times more for PHI than credit card numbers because such info can be more easily used to beat security questions and break into accounts to obtain more data.

"You can change your credit card numbers," Andrews said, "but you can't change your health information."


Join the conversation



Does your organization have security policies for public cloud storage services?
We use dropbox corporately, and have a business account. This allows us to remove or add permissions on demand. Proprietary company information (sales, leads, etc.) goes in a slightly more locked down location, yes. We're small enough that we can track every use of cloud storage; we try to keep it to dropbox.
This actually helps us as it makes sure that our deliverables are backed up automatically; also, with dropbox for business, we get version control.
With services like DropBox not connected to LDAP, available through the web outside the LAN, and lots of mixing of personal and work accounts, it is no surprise that some permission and access should persist after someone leaves a company - and especially when they transfer within that company.

That said, I'm not sure I'm comfortable with the term 'shadow IT'; IT is disappearing into the woodwork, becoming part of what people do for a living.

So yes, there are security risks when a salesperson prints an entire list of customers to PDF and puts it in dropbox, especially if that person takes the file or another employee who is leaving takes the file, especially after they leave. But that problem isn't dropbox, it is the creating of the customer list -- right?