Cloud-based collaboration platforms have made it remarkably easy for people to sync and share files with others inside and outside the enterprise, but risky usage practices could undermine many of the benefits and lead to costly data exposures for unwary companies.
Cloud security vendor Elastica recently analyzed 100 million files being shared and stored by its customers in public cloud file-sharing applications and discovered that about 20 percent of the files contained protected or regulated data.
Of the files with sensitive data, nearly 60 percent contained personally identifiable information. Some 30 percent contained protected health data, while the rest held payment card information.
Elastica discovered that in many cases, employees are using cloud applications to share sensitive files far more broadly than they should. The company ran scans of high-risk files and discovered that 68 percent of the files that contained sensitive data were shared with the whole company, even if only a small subset of users actually needed to view the file.
Worse, 20 percent of the files were shared with external users, while 13 percent of them were shared publicly.
The numbers point to the disturbing proliferation of “shadow data” within enterprises that have integrated cloud collaboration platforms into their infrastructure, according to Rehan Jalil, president and chief executive officer of Elastica.
Most of the data-sharing in the cloud is happening outside the information technology (IT) department’s control, so they often have little idea of what exactly is being exposed in the cloud, Jalil said.
With a cloud-based collaboration tool, a user can share a document with someone else simply by providing a link to that document. In most cases, all the recipient has to do to view a shared document is click on the link pointing to it.
There is often no authentication required to access a shared document, even when the access is taking place from outside the enterprise or by someone not authorized to view the document, Jalil noted.
Traditional data-leak prevention tools that prevent files containing specific keywords from leaving the enterprise network are not of much use with cloud file-sharing applications because usually only a link is actually being shared, according to Jalil.
So IT managers face a challenge of keeping track of the data-sharing that is going on in the cloud even with approved applications, he said.
“People talk about shadow IT and about not knowing what employees are doing [with technology],” Jalil said. “Shadow data exposes companies to a whole different kind of risk.”
The large volume of sensitive data being shared in the shadows places companies at risk for major data breaches and potential compliance violations, he added.
The Elastica cloud security study highlights some of the problems that companies can face from the rapid proliferation of cloud-based sync and share applications. Over the past two years, numerous vendors, including Dropbox, Box, IBM and EMC, have rushed to market with cloud enterprise file-sharing platforms designed to enable easier collaboration in the cloud.
These products, with their consumer-oriented interfaces and easy-to-use functions, have made it much easier for users to sync files and data across multiple devices and to access and share file with few restrictions. However, like many other technologies that have migrated to the enterprise from the consumer market, most of the adoption of cloud-based file-sharing applications has occurred outside of IT’s direct control, resulting in some of the problems highlighted in the Elastica report.