Sensitive data in the cloud is more widespread than you may think. Analyzing cloud usage for 15 million users, McAfee (formerly Skyhigh Networks) found that 22% of documents uploaded to file sharing services contained sensitive data such as personally identifiable information (PII), protected health information (PHI), or payment information. Far from being an isolated problem, 37% of file sharing users have uploaded sensitive data at some point. For public sector organizations, the stakes are higher due to unique regulatory requirements, but all organizations struggle with visibility into the thousands of cloud services available and wide variance in security controls amongst them.
A recent study found that two-thirds of US Federal government agencies failed to meet a June 2014 deadline to follow FedRAMP cloud security guidelines. FedRAMP is just one way of assessing the security of cloud providers. McAfee assesses cloud providers across over 50 attributes of enterprise readiness including those found in the Cloud Security Alliance Cloud Controls Matrix. Of the 10,000+ cloud services in use today, just 9.4% meet the strict security and data privacy standards required to achieve the highest rating of “enterprise-ready” by McAfee’s CloudTrust Program.
However, in the last 12 months an increasing number of cloud services offer more robust security features and certifications. 1,459 services (17%) provide multi-factor authentication, as opposed to 705 last year; 533 (5%) are ISO 27001 certified, as opposed to 188 last year; and 1082 (11%) encrypt data at rest, as opposed to 470 last year. The last statistic shows just how much room there is for improvement. Security analysts say that information encryption is one of the best measures to protect organizations from a wide range of data leakage issues:
- If an attacker compromises the data, they will not be able to read it without the encryption keys
- Encryption can take a loss of data outside breach notification requirements: under HIPAA, for example, PHI that is encrypted in line with HHS guidance counts as "secured", so its loss does not trigger notification as long as the keys themselves were not compromised
- Encrypting data can help satisfy cross-border data privacy requirements when data is stored in the cloud
- When organizations maintain control of their encryption keys, encryption prevents the cloud provider from viewing the information; this holds only if the data is encrypted before it reaches the provider, or under a customer-managed key the provider cannot use on its own, since provider-side encryption with a provider-held key still leaves the provider able to read it
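The last point above is the one that matters in practice: the provider is kept out only if the organization does the encryption with keys the provider never sees. The following is an added example, not code from the original report or from McAfee, showing the usual shape of that arrangement (envelope encryption): each document is sealed under a fresh data-encryption key (DEK) with AES-256-GCM, the DEK is wrapped under a key-encryption key (KEK) that stays with the organization, and only the ciphertext and the wrapped DEK are uploaded. The object name is bound as associated data so a stored blob cannot be quietly swapped onto another object. The `EncryptedObject` type, the `Encrypt` and `Decrypt` functions and the sample document are all constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is what gets uploaded to the cloud service: the document
// ciphertext plus the per-object DEK wrapped under the organization's KEK.
// Nothing in it is usable without the KEK, which never leaves the organization.
type EncryptedObject struct {
	Nonce      []byte // GCM nonce used for the document ciphertext
	Ciphertext []byte // AES-256-GCM ciphertext and tag of the document
	WrapNonce  []byte // GCM nonce used when wrapping the DEK
	WrappedDEK []byte // DEK sealed under the KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext under key with a random nonce, binding aad.
func sealWith(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// openWith decrypts and authenticates ct; any tampering or wrong aad fails.
func openWith(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt performs client-side envelope encryption: a fresh 256-bit DEK per
// object, the document sealed under the DEK, the DEK sealed under the KEK.
// objectName is the associated data for both layers.
func Encrypt(kek, plaintext []byte, objectName string) (*EncryptedObject, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	nonce, ct, err := sealWith(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrappedDEK, err := sealWith(kek, dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{nonce, ct, wrapNonce, wrappedDEK}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the document. It fails
// closed on a wrong KEK, a modified blob, or a mismatched object name.
func Decrypt(kek []byte, obj *EncryptedObject, objectName string) ([]byte, error) {
	dek, err := openWith(kek, obj.WrapNonce, obj.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, obj.Nonce, obj.Ciphertext, []byte(objectName))
}

func main() {
	// Constructed sample: the KEK would normally come from an HSM or KMS the
	// organization controls; the document is a made-up PII record.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	doc := []byte("constructed sample: employee SSN 123-45-6789")
	obj, err := Encrypt(kek, doc, "hr/record-1.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d ciphertext bytes and a %d-byte wrapped DEK\n",
		len(obj.Ciphertext), len(obj.WrappedDEK))
	if _, err := Decrypt(make([]byte, 32), obj, "hr/record-1.txt"); err != nil {
		fmt.Println("provider (no KEK) cannot read it:", err)
	}
	back, _ := Decrypt(kek, obj, "hr/record-1.txt")
	fmt.Println("owner reads back:", string(back))
}
```

The provider's view is the `EncryptedObject` alone: without the KEK it can neither recover the DEK nor forge a replacement blob that passes the GCM tag check, which is the property the bullet list relies on. Rotating the KEK means re-wrapping DEKs, not re-encrypting every document, which is why the two-layer structure is used rather than sealing each object under the KEK directly.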
Despite the benefits of encryption, some of the biggest names in cloud computing do not encrypt data stored at rest in their cloud services today.
Based on data from McAfee’s Service Intelligence Team, the top cloud services used in government that don’t encrypt data at rest include three email providers: Gmail, Hotmail, and AOL Mail. Some of the services found in the top 10, such as PayPal, can be used to store payment card numbers and bank account information. Another service that doesn’t encrypt data stored at rest is eBay, which suffered one of the biggest data breaches of 2014 when 145 million account credentials were stolen.
While all of the above services would be considered “personal” vs. “enterprise/government”, there have been highly publicized examples of shadow IT use in even the highest levels of government. This list of wildly popular services that don’t encrypt data serves as a timely reminder of the potential risks of going around IT when employed by a government organization or agency.
For a complete look at trends shaping government cloud usage including the top services in use in government overall, fastest growing apps, and the gap between cloud services organizations intend to block and actual block rates, download the Cloud Adoption & Risk in Government Report.