
Enterprises creating 'shadow data' through cloud storage services

A new study from cloud access security broker Elastica shows a growing amount of shadow data is leaking out of enterprises via cloud services.

A new study claims that a quarter of all enterprise files stored in the cloud are being exposed and that these exposures could potentially cost companies an average of $14 million a year.

Elastica, a cloud access security broker (CASB) based in San Jose, Calif., released its "Q2 2015 Shadow Data Report" Monday, which claims 25% of its customers' files stored in the cloud are "broadly shared" -- often accidentally -- to the entire organization (74%), external parties (17%) or the public Internet (9%). The report revealed 12.5% of the broadly shared files or "shadow data" contain sensitive details such as social security numbers or healthcare information, and estimated breaches from these exposures could cost enterprises an average of $13.85 million.

Elastica's study, which compiled customer data from its CloudSOC platform, examined only files in cloud apps and services that were authorized by IT departments, from providers such as Dropbox and Google Drive. But Eric Andrews, vice president of marketing at Elastica, said enterprise employees are still creating shadow data even when they aren't using shadow cloud services.

"When using cloud services," he said, "the permissions being set are usually done by the users themselves [instead of IT departments]."

The statistics in the Q2 study indicated a concerning trend, according to Elastica CEO Rehan Jalil. According to the report, the amount of broadly shared data in cloud storage services rose from 9% in the fourth quarter of 2014 to 25% in the second quarter of 2015. The number of compliance policy violations also rose from 1.8% in Q4 last year to 3.2% in Q2 this year.

Jalil said that even when IT departments approve cloud services, enterprise data is still being put at risk by reckless user behavior and a lack of security policies to govern that behavior.

"What do they do when they grant access to these apps? How do they know what users are doing with the data?" Jalil said. "The whole ecosystem is shifting away from on-premise to the cloud, and security has to evolve."

The study also highlighted the growing value of personal health information (PHI). According to the report, 31% of all sensitive data broadly shared included PHI. In addition, healthcare topped the list of verticals with the most policy violations. Andrews said cybercriminals and hackers are willing to pay 10 times more for PHI than credit card numbers because such info can be more easily used to beat security questions and break into accounts to obtain more data.

"You can change your credit card numbers," Andrews said, "but you can't change your health information."
