In the not-too-distant past, service providers had a tough time convincing enterprise IT departments that cloud platforms were secure enough for corporate data. Fortunately perspectives on cloud have matured, and more and more organizations are migrating their sanctioned file sharing applications to the cloud. Fast forward to 2020, when Gartner predicts 95% of cloud security failures will be the customers’ fault. Skyhigh Network’s latest Cloud Adoption & Risk Report shows the stakes are high for preventing “cloud user error.”
Enterprise-ready services have extensive security capabilities against external attacks, but customers have the ultimate responsibility for ensuring sensitive data is not improperly disclosed. Just as attackers can circumvent perimeter defenses such as powerful firewalls in favor of stolen credentials or alternate vectors of attack, secure cloud services can incent attackers to target the vulnerabilities inherent in day-to-day use of applications. In addition to compromised accounts, in which attackers gain access to a cloud service via stolen user credentials, enterprises need to worry about malicious insiders, compliance violations, and even accidental mismanagement of access controls.
The report, which analyzes actual usage data from over 23 million enterprise employees, uncovered an epidemic of file over-sharing. Whether IT is aware or not, cloud-based file-sharing services serve as repositories of sensitive data for the average organization. According to the report, 15.8 percent of documents in file-sharing services contain sensitive data. The employees responsible for sensitive data are not a small group: 28.1% of all employees have uploaded a file containing sensitive data to the cloud.
Most concerning is the lack of controls on who can access files once uploaded to the cloud. 12.9 percent of files are accessible by any employee within the organization, which poses a significant liability given the size of the organizations analyzed. Employees shared 28.2 percent of files with external business partners. Given the critical role business partners have played in several highly publicized breaches, companies should closely monitor data shared outside the organization, even with trusted partners. Although they make up only 6 percent of collaborations, personal email addresses raise concerns over the recipient’s identity and necessitate granular access policies; companies may not want to grant the ability to download files to personal email domains, for example. Finally, 5.4 percent of files are available to anyone with the sharing link. These documents are just one forwarded email away from ending up in the hands of a competitor or other unwanted recipient.
Breakdown of Sharing Actions
What are the different profiles of sensitive data stored in the cloud? Confidential data, or proprietary information related to a company’s business, is the biggest offender making up 7.6 percent of sensitive data. Personal data is second at 4.3 percent of said files. Third is payment data at 2.3 percent, and last is health data at 1.6 percent. The majority of these files, 58.4 percent, are discovered in Microsoft Office files.
Files Containing Keyword in the File Name
Furthermore, a surprising number of workers violate best practices for securely storing important information in the cloud. Using keywords such as ‘passwords’, ‘budget’, and ‘salary’ when naming files makes it easy for attackers to locate sensitive information, and IT security professionals typically advise against this practice. Convenience all too often trumps security, unfortunately. Past breaches have revealed instances in which credentials for multiple accounts were kept in folders named “Passwords”. The report found that the average company had 21,825 documents stored across file sharing services containing one or more of these red flags in the file name. Out of these files, 7,886 files contained ‘budget’, 6,097 ‘salary’, and 2,217 ‘confidential’.
Lastly, data revealed a few “worst employees of the month. One prolific user was responsible for uploading 284 unencrypted documents containing credit card numbers to a file sharing service. Another user uploaded 46 documents labeled “private” and 60 documents labeled “restricted”. In all seriousness, while it’s easy to point the finger and call these users bad employees, it’s likely they were simply trying to do their jobs using the best tools available to them. The onus lies with IT to make the secure path the easy path.
With more companies migrating sensitive data to the cloud, attackers will increase their efforts to exploit vulnerabilities in enterprise use of cloud services. Tellingly, attacks against cloud services increased 45% over the past year. Locating sensitive data in file-sharing services is step one for companies aimed at preventing the next generation of cloud-based threats.
Sam Bleiberg, Corporate Communications Manager, Skyhigh Networks
[Cloud Security Alliance Blog]