October 24, 2014 By Jaikumar Vijayan 2 min read

Cloud-based collaboration platforms have made it remarkably easy for people to sync and share files with others inside and outside the enterprise, but risky usage practices could undermine many of the benefits and lead to costly data exposures for unwary companies.

Cloud security vendor Elastica recently analyzed 100 million files being shared and stored by its customers in public cloud file-sharing applications and discovered that about 20 percent of the files contained protected or regulated data.

Of the files with sensitive data, nearly 60 percent contained personally identifiable information. Some 30 percent contained protected health data, while the rest held payment card information.

Elastica discovered that in many cases, employees are using cloud applications to share sensitive files far more broadly than they should. The company ran scans of high-risk files and discovered that 68 percent of the files that contained sensitive data were shared with the whole company, even if only a small subset of users actually needed to view the file.

Worse, 20 percent of the files were shared with external users, while 13 percent of them were shared publicly.

The numbers point to the disturbing proliferation of “shadow data” within enterprises that have integrated cloud collaboration platforms into their infrastructure, according to Rehan Jalil, president and chief executive officer of Elastica.

Most of the data-sharing in the cloud is happening outside the information technology (IT) department’s control, so they often have little idea of what exactly is being exposed in the cloud, Jalil said.

With a cloud-based collaboration tool, a user can share a document with someone else simply by providing a link to that document. In most cases, all the recipient has to do to view a shared document is click on the link pointing to it.

There is often no authentication required to access a shared document, even when the access is taking place from outside the enterprise or by someone not authorized to view the document, Jalil noted.

Traditional data-leak prevention tools that prevent files containing specific keywords from leaving the enterprise network are not of much use with cloud file-sharing applications because usually only a link is actually being shared, according to Jalil.

So IT managers face a challenge of keeping track of the data-sharing that is going on in the cloud even with approved applications, he said.

“People talk about shadow IT and about not knowing what employees are doing [with technology],” Jalil said. “Shadow data exposes companies to a whole different kind of risk.”

The large volume of sensitive data being shared in the shadows places companies at risk for major data breaches and potential compliance violations, he added.

The Elastica cloud security study highlights some of the problems that companies can face from the rapid proliferation of cloud-based sync and share applications. Over the past two years, numerous vendors, including Dropbox, Box, IBM and EMC, have rushed to market with cloud enterprise file-sharing platforms designed to enable easier collaboration in the cloud.

These products, with their consumer-oriented interfaces and easy-to-use functions, have made it much easier for users to sync files and data across multiple devices and to access and share file with few restrictions. However, like many other technologies that have migrated to the enterprise from the consumer market, most of the adoption of cloud-based file-sharing applications has occurred outside of IT’s direct control, resulting in some of the problems highlighted in the Elastica report.

More from

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today