Cloud Access Security Broker Skyhigh Networks has announced support for data classification on the Box platform. The announcement came in a press release and a blog from Amit Agrawal, Product Manager, Skyhigh Networks. It was timed to coincide with the Box announcement that the Box Governance product would get a security classification upgrade.
According to Agrawal: “Skyhigh has collaborated with Box on the security classification capability to enable companies to effectively govern their cloud data. Using Skyhigh, companies can automate the assignment of classification labels, while minimizing IT resource overheads and meeting scalability requirements.”
Too many cloud services, too much sensitive data
The inclusion of Skyhigh Networks at the launch of the Box initiative is clever. Skyhigh regularly reports on the number of cloud services used by organisations and the sensitive data it finds. It recently looked at the data companies store on Box. It says that the results showed: “18 percent of files in Box contain sensitive data such as credit card numbers, social security numbers and health data.”
This number is up over 2% on the Skyhigh Networks Cloud Adoption & Risk Report from Q4/2015. In that report it said: “15.8% of all documents uploaded to cloud-based file sharing services contain sensitive information.” What should worry companies is that this is not data being exfiltrated by hackers or malicious insiders. It is the users sharing the data.
Exacerbating the situation is the number of cloud-based file sharing services used inside organisations. In the last two years, Skyhigh Networks has listed 18 different cloud-based services in its top 10 file sharing services. It also names 13 different collaboration services in its top 10 list. Many of these services fail the “enterprise secure” test that Skyhigh uses. This means that they fail a series of tests in terms of data, network and service security.
What is Skyhigh adding to the Box announcement?
It is all about the automation of data classification. Documents are examined by Skyhigh Networks they are uploaded to Box. It will look for key words and data indicators to decide what to do with that data. If it detects information that contains health information or payroll data it will automatically classify it as sensitive. That classification will be based on security policies set by customers.
Skyhigh will also tie this back to the audit capabilities it offers customers. It means that IT security teams can look at a file-sharing or collaboration site and identify documents with sensitive data. They can then apply new data classification tags to the data and restrict access. The Skyhigh press release says: “An on-demand audit of data in Box uncovers a document containing passwords is shared externally. The document is automatically classified and, per policy, the collaboration is removed.”
Conclusion
Support from Skyhigh Networks for the Box initiative is good news for customers. While they can currently audit data using Skyhigh, the ability to now audit and classify data is a big step forward. This will interest IT as it is an automated solution. Companies often fail to add additional security layers when they involve cost and time. This is why the ability to have this run in the background and monitor all data movements is important. That automation will also significantly reduce the risk of data leakage which will also appeal to the CISO and compliance teams.