100 million cloud file analysis reveals shadow data threat
Elastica conducted a security analysis of more than 100 million files being shared and stored in leading public-cloud applications. Research revealed that 20 percent of broadly shared files contain compliance-related data, 5 percent of enterprise users are responsible for driving 85 percent of the exposure risk, and employees each store an average of 2,037 corporate files in the cloud.
Further analysis revealed that files being stored and shared among insiders and outsiders hold sensitive personal health information (PHI) regulated by HIPAA, personally identifiable information (PHI) such as social security numbers, and customer payment card information regulated by the Payment Card Industry Data Security Standard (PCI DSS).
The research uncovered that sensitive data shared broadly within and outside organizations without IT security teams’ knowledge, known as “shadow data,” is an emerging threat within enterprises that are integrating cloud applications into their infrastructures.
The extreme volume of sensitive and regulated data being shared in the shadows is placing global organizations at risk of costly compliance violations and major data breaches that could impact millions of consumer identities and accounts as well as corporate IP.
Elastica discovered that enterprise employees are each storing an average of 2,037 files and that these files are being shared directly with other internal users, across companies with select users and with the public at large. Data is being placed at risk primarily via files being shared broadly across entire organizations, externally and publicly. Scans on these high-risk files revealed:
- 68 percent are shared with the whole company, across functional groups
- 19 percent are shared with external users
- 13 percent are shared publicly.
In particular, regulated data is in jeopardy, including personally identifiable information (PII), PHI and consumer payment card information. Of all the files that are broadly shared, the analysis found 20 percent contain compliance related data, with the following breakdown:
- 56 percent contained PII, including social security numbers
- 29 percent contained PHI
- 15 percent contained payment card information.
Research also indicates that the vast majority of risk is associated with a relatively small number of users. Just 5 percent of the users sharing high-risk content are driving 85 percent of the resulting risk exposure. This finding highlights the value of identifying the highest-risk users in an organization. In doing so, IT security teams can hone in on the biggest impact in resolving compliance risks.