What makes the Skyhigh Networks report different from many vendor reports is that it is based on anonymised data from over 23 million users worldwide. Those users work across all the key vertical industries, including healthcare, legal, utilities, retail, education and transportation. This means the data is a good enough snapshot to give a view of what is actually happening on the ground.
Dealing with sensitive data in the cloud
One of the big issues in their latest quarterly report is sensitive data in the cloud. They focused not on sensitive data stored in private or managed clouds but on the data uploaded to public clouds. At the same time they looked in detail at the number of cloud services in use and applied the Skyhigh Networks CloudTrust standard to those services. As we reported yesterday, the thing that should frighten CISOs, and in fact the entire C-suite, is that many of those services are extremely insecure.
In a phone call with Nigel Hawthorn, EMEA Marketing Director, Skyhigh Networks he remarked:
“Part of the problem is that users do not consider sharing data to the cloud as if it is special or different. They tend to treat it as if it were an internal system such as a private or managed cloud. They don’t recognise any difference between the data on their own device, in SharePoint, Private cloud or Public cloud. They think they can keep the same content in them and security is someone else’s problem.”
This is a fairly damning statement from Hawthorn, and if it weren’t based on the observations of so many users it would be easy to dismiss as almost an anti-cloud sentiment. The trouble is that it is not anti-cloud at all; it is simply a statement of fact about the poor training of users and the inability of companies to put in place proper systems to control data.
“Part of the challenge for companies,” says Bola Rotibi, Research Director, Creative Intellect Consulting, “is that they have no data classification system in place. They tried this back in the 1980s when they had a tiny fraction of the data they hold today and it was deemed too complicated. What they need to do is to take a step back and rethink the need for data classification and use a simplified schema similar to that used by the UK Government today.”
Rotibi has a point here. The UK Government has gone for a simple three level classification that would be relatively easy for companies to implement and maintain. It would allow them to quickly pick up misidentified data and deal with transient data such as financial data that moves from secret to public in a short space of time.
In our conversation, Hawthorn set out two steps that companies could take to improve the protection of sensitive data. These avoid the traditional block-everything approach that IT tends towards and should make it possible for IT to accommodate user demand:
- “Accept that cloud services provide users with a service they want to use. Companies need to look around themselves and choose the service that they need. They should be looking at Security, Terms & Conditions, Quality of Service and Service Level Agreement. They cannot stop users accessing cloud services, so pick one or more that are trustworthy and provide those to the users.
- Put controls on that service. Data Loss Prevention, logging and encryption to control what can be shared outside the organisation. Users don’t realise that they can forget what they have shared. It is too easy to create a large shared area and then accidentally have a partner share a confidential document into that shared space. Often those invited have no idea what the controls are or exactly who has access to the collaboration environment.”
One of the challenges that all companies face is educating users about what constitutes sensitive data. In the report, Skyhigh Networks identifies a range of sensitive data stored in public cloud file sharing services which adds up to a frightening 15.8% of all data stored:
- 7.6% contain confidential data (financial records, business plans, source code, trading algorithms, etc.)
- 4.6% contain PII data (Social Security numbers, tax ID numbers, phone numbers, addresses, etc.)
- 2.2% contain payment data (credit card numbers, debit card numbers, bank account numbers, etc.)
- 1.8% contain protected health information (patient diagnoses, medical treatments, medical record IDs, etc.)
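To make Hawthorn’s second step (DLP controls plus logging on the chosen service) concrete, here is an added example, not code from the report or from Skyhigh Networks, of a pre-share gate that classifies a document into the four categories above and blocks external sharing when any are found. The regular expressions, keyword lists and sample documents are constructed for illustration and are deliberately minimal, not a production DLP rule set.

```python
import re
from typing import List

# Categories mirror the report's four buckets. Patterns and keyword lists
# below are constructed for this example, not Skyhigh Networks' rules.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout
PHI_TERMS = ("diagnosis", "medical record", "patient")
CONFIDENTIAL_TERMS = ("business plan", "source code", "trading algorithm")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives on arbitrary 13-16 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> List[str]:
    """Return the report categories found in a document, in a fixed order."""
    found = []
    lower = text.lower()
    if any(t in lower for t in CONFIDENTIAL_TERMS):
        found.append("confidential")
    if SSN_RE.search(text):
        found.append("pii")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.append("payment")
            break
    if any(t in lower for t in PHI_TERMS):
        found.append("phi")
    return found


def share_decision(doc_name: str, text: str, external: bool, audit: List[str]) -> str:
    """DLP gate: log every share request; block external shares of sensitive data."""
    cats = classify(text)
    verdict = "block" if (external and cats) else "allow"
    audit.append(f"doc={doc_name} external={external} categories={cats or '-'} verdict={verdict}")
    return verdict
```

Internal shares are always allowed but still logged, so the audit trail answers the “what did I share, and with whom?” question Hawthorn raises.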
Irrespective of whether you work in a regulated industry, there are so many laws being broken here that it is amazing that we don’t regularly see a range of court cases around this. Perhaps that is what is required in order to get the message home?