
DLP policy violations highlight cloud storage security concerns

A new report from Netskope finds copious DLP violations in enterprises' cloud apps due to insufficient cloud storage security.

Enterprises are uploading more data to cloud storage services, but those services are the source of a staggering number of data loss prevention policy violations, according to a new study.

Cloud policy vendor Netskope released a quarterly cloud report on the state of data in the cloud, "Sensitive Data in the Cloud: Summer 2015," which revealed that although the number of cloud applications used at companies has gone down -- from 730 to 715 since the spring -- the number of DLP policy violations has gone up. The report, which surveyed "millions of users in hundreds of accounts" from March to May, showed that 17.9% of files in cloud apps sanctioned by the enterprise violated a data policy, while 22.2% of these violations were files shared publicly. Cloud storage apps represented a 90% chunk of these violations.

"There's more and more sensitive data that is moving to the cloud and enterprises fall into two camps," Krishna Narayanaswamy, chief scientist at Netskope, said. "There's some who are aware of it and are putting solutions in place to protect the data, and then there's this other camp of users who are not aware of this."

According to the Los Altos, California-based Netskope, 91.9% of cloud apps are not enterprise-ready. But it is as much the responsibility of the user as it is the cloud app provider to avoid exposing sensitive information, according to Narayanaswamy. More enterprises need to invest in resources that help them set policies to check the behavior of their employees, he said, and data loss prevention products can help.

"A policy could be: do not allow download of PCI data to mobile devices," Narayanaswamy said. "Another policy for data address is: if you find sensitive data being shared with people outside the organization -- let's keep the sharing inside the organization."

According to the study, the violations this quarter involved payment card information (PCI), which constituted 24.3% of violations; personally identifiable information (PII), which constituted 26.8% of violations; protected health information (PHI); and "confidential" information, which made up 16.7% of violations.

"Previously, all this data was going into databases that were owned by the enterprise, so the exposure was not as critical as it is now with these applications being in the cloud and not being monitored," Narayanaswamy said. "It's so easy to put the data in the cloud and share for collaboration, but users inside enterprises are not educated enough to know what is right and what is wrong."

While it is important to coach users on respecting the DLP policy, there are also ways for IT departments to reinforce safe information-sharing conduct with cloud apps and services, Narayanaswamy said. Some enterprises are apparently already taking action, he said; the dip in the number of cloud apps used, according to the report, is likely due to there being fewer shadow cloud apps in enterprises.

"It's not a dramatic drop," Narayanaswamy explained. "[But] enterprises are getting more visibility into what kinds of applications are being used and are able to provide coaching to users."

As more enterprises focus on maintaining security policies, the numbers may continue to go down. Also helping the downward trend is the fact that many cloud app providers are consolidating their releases into single platforms, Narayanaswamy said. But shadow cloud is not the only problem, and policy maintenance is still an issue.

The growing number of cloud credentials-related breaches that occurred over the past few years hasn't helped either. "If you put the two together -- credential breaches happening together with sensitive data in the cloud -- that means breached credentials can be used to access sensitive data as well," Narayanaswamy said. "So it's kind of a Molotov cocktail there that's brewing."
