McAfee (formerly Skyhigh Networks) CEO Rajiv Gupta was recently visiting the CISO of a large bank. Engrossed in a conversation about the risks and benefits of different types of cloud apps, the CISO was taking notes on his Evernote app when suddenly he stopped Rajiv. In a moment of surreal epiphany, the CISO noted, “I’m taking notes on Evernote—which is not an approved service within my own organization!”
This story, as recounted in a recent Fortune article, is unfolding at enterprises all over the world. Driven by the advantages offered to businesses in terms of productivity, efficiency and cost savings, today’s enterprises use the cloud, sometimes without conscious awareness, to meet a multitude of needs. This has created an ever more complicated security dilemma for information security professionals charged with protecting their company’s sensitive data.
We recently analyzed our customer usage data from over 21 million users to identify the scale of sensitive data that’s stored in the cloud. Some of the findings include:
- The average organization uses 1083 cloud apps
- This includes 171 collaboration apps, 57 file-sharing apps, and 43 content sharing apps
- The average employee at these organizations uses 28 distinct cloud apps
Based on data from over 21 million users, we examine anomalous activity within sanctioned cloud services—including the scale of sensitive data in the cloud, how data stored in the cloud is shared with third parties outside the organization, and the incidence of insider threats.
As part of their normal workflow, employees store sensitive corporate data in these apps, usually unaware of the security or compliance risk this may create for their organization. At the same time, many companies have not extended their DLP policy enforcement to the cloud. Further compounding the challenge is the fact that 16.2% of all the files uploaded to file-sharing services contain highly sensitive, and oftentimes regulated, data:
- Personally identifiable information or PII (e.g. Social Security numbers, phone numbers, home addresses, etc.)
- Protected health information or PHI (e.g. patient diagnoses, medical treatments, etc.)
- Payment data (e.g. credit card numbers, debit card numbers, bank accounts, etc.)
- Confidential data (e.g. financial records, business plans, top secret documents, source code, trading algorithms, etc.)
Uploading sensitive data isn’t limited to a small minority of employees either. 27.8% of users have uploaded sensitive data to the cloud. The most common type of sensitive data found in the cloud is confidential data, comprising 47.0% of sensitive data in the cloud. Personally identifiable information comes in second, comprising 28.1% of sensitive data in the cloud, followed by payment data (13.6%) and protected health data (11.3%). Considering that the majority of these file-sharing services are not enterprise-ready, the average organization may have a significant amount of sensitive data at risk.
Microsoft Office files dominate when it comes to the type of files containing sensitive data uploaded to the cloud. Microsoft Excel files comprise 30.7% of all documents containing sensitive data in the cloud. Adobe PDF files comprise 21.9% followed by Microsoft Word with 14.9%, Microsoft PowerPoint with 10.1%, and Microsoft Outlook (e.g. MSG and PST files) with 1.3% of all sensitive data.
High-risk file-sharing services pose risks due to the potential for hacks and breaches, but even enterprise-ready services can present risk if their built-in sharing capabilities are misused. Since file-sharing services store 39.0% of all corporate data uploaded to the cloud, we analyzed sharing permissions in file-sharing services and discovered that 64.3% of documents in file-sharing services are not shared with anyone, and are only accessible to the individual who uploaded the file (or administrators with admin privileges within these applications).
The remaining 35.7% of documents are shared either internally, with outside collaborators, or both. The average organization shares documents with 826 external domains. Of those, 6.1% are shared with personal email addresses such as Gmail, Yahoo Mail, and Hotmail, and 2.6% are publicly accessible on the Internet, which may be particularly concerning to IT Security.
Across all documents shared externally, 9.2% contain sensitive information. While this is lower than the average of 16.2% across all files, it’s nonetheless troubling considering the volume of content shared with personal emails.
All this data highlights the need for IT and security teams to educate their employees and coworkers about company policies for storing and sharing data in cloud services, and to enforce those policies without inhibiting employees’ productivity.