Cloudy with a chance of data loss

Our friends over at Blue Coat Systems recently released the H2 2015 Shadow Data Report highlighting research conducted by the company’s Elastica Cloud Threat Labs team. Using data from 63 million enterprise documents stored within leading cloud applications, including Microsoft Office 365, Google Drive, Salesforce, Box and others, the Elastica team found that 1 out of 10 documents shared broadly contain data that is sensitive and/or subject to compliance regulations, such as software application source code (48 percent), Personally Identifiable Information (PII) (33 percent), Protected Health Information (PHI) (14 percent), and Payment Card Industry (PCI) data (5 percent).

According to the report, analysis revealed that there were “three primary threats facing organizations using sanctioned and unsanctioned cloud apps: 1) data exfiltration (Theft), 2) data destruction, and 3) account takeover.

The prevalence of data exfiltration threats in the study, 77 percent, should not come as a surprise. As these cloud hosted applications are almost exclusively delivered using a hosted Software as a Service (SaaS) model, the majority of organizations have little to no control over the sensitive data being stored in a particular vendor’s cloud infrastructure. Once the data is sent to the SaaS vendor’s infrastructure, the company that “owns” the data must have faith that the provider will ensure its safety and security.

Most organizations have invested a considerable amount of time and effort into their security and compliance programs. This includes training initiatives, network and endpoint security controls, and, in some cases, dedicated full time employees. Unfortunately, many of these controls are not available in SaaS environments. Those that are available often cost a premium on top of the base SaaS price tag – adding unexpected expenses to your deployment that might eliminate any cost savings recognized by moving the data out in the first place.

Many users of multi-tenant cloud services fail to consider the destruction of data. SaaS vendors often assure users that data is destroyed upon user request (i.e. deleting a file, closing the account, etc.) and that organizations should not be concerned about their data being “found” at a later date by another user. But with the exception of publicly available documentation and marketing materials stating that the data will be deleted, what assurances do organizations have that this process aligns with their own data disposal processes and procedures? The answer, unfortunately, is that the SaaS provider might not even know the answer as they may be relying on virtualization technology or an Infrastructure as a Service (IaaS) provider that offers no guarantees they can pass on to their customers. Simply speaking, the data destruction promises might be entirely beyond the SaaS provider’s control.

SaaS application customers are rarely made aware of account takeover attempts until it’s too late. SaaS applications are often self-contained platforms with limited integration with on-premises monitoring and management tools. Even if the SaaS vendor employs encryption , once an account is compromised and access is granted to the attacker, encryption provides little defense if the data is automatically decrypted when accessed by an authorized user.

Though the idea of utilizing a SaaS platform may seem enticing from a cost, workflow, and availability perspective, the security granularity required for highly sensitive and regulated data may not be something that organizations are willing to sacrifice. Please don’t misinterpret the above analysis:  we’re not anti-cloud. We do, however, encourage you to poke and prod at providers to prove their SaaS applications and cloud hosting environments are adequately managed, protected, and monitored before you entrust them with your company’s sensitive data.

Our advice: don’t trade the security, privacy, and compliance of your data just to save a few dollars. The savings now could result in the loss of millions of dollars later.

Get insight on ways to better protect your sensitive and confidential data—watch the video.

1 Like
Andrew Hay

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.