October 24, 2014 By Jaikumar Vijayan 2 min read

Cloud-based collaboration platforms have made it remarkably easy for people to sync and share files with others inside and outside the enterprise, but risky usage practices could undermine many of the benefits and lead to costly data exposures for unwary companies.

Cloud security vendor Elastica recently analyzed 100 million files being shared and stored by its customers in public cloud file-sharing applications and discovered that about 20 percent of the files contained protected or regulated data.

Of the files with sensitive data, nearly 60 percent contained personally identifiable information. Some 30 percent contained protected health data, while the rest held payment card information.

Elastica discovered that in many cases, employees are using cloud applications to share sensitive files far more broadly than they should. The company ran scans of high-risk files and discovered that 68 percent of the files that contained sensitive data were shared with the whole company, even if only a small subset of users actually needed to view the file.

Worse, 20 percent of the files were shared with external users, while 13 percent of them were shared publicly.

The numbers point to the disturbing proliferation of “shadow data” within enterprises that have integrated cloud collaboration platforms into their infrastructure, according to Rehan Jalil, president and chief executive officer of Elastica.

Most of the data-sharing in the cloud is happening outside the information technology (IT) department’s control, so they often have little idea of what exactly is being exposed in the cloud, Jalil said.

With a cloud-based collaboration tool, a user can share a document with someone else simply by providing a link to that document. In most cases, all the recipient has to do to view a shared document is click on the link pointing to it.

There is often no authentication required to access a shared document, even when the access is taking place from outside the enterprise or by someone not authorized to view the document, Jalil noted.

Traditional data-leak prevention tools that prevent files containing specific keywords from leaving the enterprise network are not of much use with cloud file-sharing applications because usually only a link is actually being shared, according to Jalil.

So IT managers face a challenge of keeping track of the data-sharing that is going on in the cloud even with approved applications, he said.

“People talk about shadow IT and about not knowing what employees are doing [with technology],” Jalil said. “Shadow data exposes companies to a whole different kind of risk.”

The large volume of sensitive data being shared in the shadows places companies at risk for major data breaches and potential compliance violations, he added.

The Elastica cloud security study highlights some of the problems that companies can face from the rapid proliferation of cloud-based sync and share applications. Over the past two years, numerous vendors, including Dropbox, Box, IBM and EMC, have rushed to market with cloud enterprise file-sharing platforms designed to enable easier collaboration in the cloud.

These products, with their consumer-oriented interfaces and easy-to-use functions, have made it much easier for users to sync files and data across multiple devices and to access and share file with few restrictions. However, like many other technologies that have migrated to the enterprise from the consumer market, most of the adoption of cloud-based file-sharing applications has occurred outside of IT’s direct control, resulting in some of the problems highlighted in the Elastica report.

More from

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Can memory-safe programming languages kill 70% of security bugs?

3 min read - The Office of the National Cyber Director (ONCD) recently released a new report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software." The report is one of the first major announcements from new ONCD director Harry Coker and makes a strong case for adopting memory-safe programming languages. This new focus stems from the goal of rebalancing the responsibility of cybersecurity and realigning incentives in favor of long-term cybersecurity investments. Memory-safe programming languages were also included as a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today