Cloud services have become a crucial, integrated part of modern IT systems, and their security has been debated since they emerged. Large cloud providers such as Amazon and Salesforce have argued that their platforms benefit from heavy-duty, state-of-the-art security controls that smaller businesses are unlikely ever to invest in, making data less vulnerable in the cloud than on a company's own servers. There is substance to that argument, but the cloud's biggest selling point, access to data from anywhere at any time, is also its main exposure: every additional access path is a potential breach path. The weak link is usually not the provider, which has taken security seriously, but one of the most frequent contributors to data breaches: a company's own employees.
Negligence and malice among employees are behind many of today's business data breaches and losses. The flexibility of the cloud lets them bypass the restrictive IT settings applied to company networks and computers and handle sensitive data in unapproved, insecure environments in and outside the office. In this blog post we focus on the most frequent mistakes users make, intentionally or not, when working with sensitive data in the cloud, and what you can do to avoid them:
1. Sensitive data and BYOD
With many companies implementing Bring Your Own Device (BYOD) models to cut down on hardware costs and allow employees the use of the technology they are most comfortable with, it is inevitable that these personal devices – whether phones, tablets or laptops – will have access to companies’ sensitive data both in and out of the cloud and be able to store and download it.
It is difficult to apply restrictive security policies to such devices because they do not belong to the company. Employees use them in their leisure time as well, installing any software and browsing any website without the company being able to stop them. This increases the risk of phishing, malware infection and credential theft, and a compromised personal device then becomes an already-authenticated path into company data.
This type of exposure can be addressed by securing BYOD with Data Loss Prevention (DLP) solutions that target only predefined sets of sensitive data and do not touch a user's personal files. Sensitive data can then be scanned for and, when found, encrypted, deleted remotely or blocked from being transferred, without encroaching on the employee's ownership of the device. Additionally, Mobile Device Management (MDM) solutions let IT administrators apply restrictions such as disabling iCloud, enforcing strong passcodes, and pushing approved apps and settings, making BYOD less threatening. Both controls presuppose that the device is enrolled; a personal device that never goes through enrollment sees none of them.
2. Sensitive data shared with unauthorized third parties
Employees often share large files through cloud services by generating a shareable link and sending it outside the organization to vendors, partners or clients, with no way to track who views or forwards it. Such a link is effectively a bearer credential: anyone who obtains it, whether through forwarding, a compromised mailbox or a public paste, gets the same access as the intended recipient, and the file can end up posted publicly.
To restrict access to shared documents, encourage sharing with a specific individual identified by email address rather than with an "anyone with the link" link, and, where the platform allows it, disable external link sharing by policy, set expiry dates on links that are still needed, and periodically audit which files are already exposed through public links. Information Rights Management (IRM) tools can additionally prevent sensitive information from being printed, forwarded, saved, edited or copied by unauthorized people.
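The audit of existing shares mentioned above, as an added example that is not part of the original post or any vendor's tooling. The permission records are constructed for the example and only loosely resemble what cloud storage APIs return (a type, an email or domain, and a role); the company domain, file names and addresses are all assumptions. It ranks each file by its widest grant, so "anyone with the link" shares surface first, and treats look-alike domains as external.

```python
"""Audit cloud-share permissions for public links and external recipients.

Added example. The permission records are constructed and are not tied to
any specific vendor's API schema.
"""
from __future__ import annotations

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own domain

# Constructed sample data, not a real export.
SHARED_FILES = [
    {"name": "Q3-board-deck.pptx", "permissions": [
        {"type": "user", "email": "cfo@example.com", "role": "writer"},
        {"type": "anyone", "role": "reader"},           # "anyone with the link"
    ]},
    {"name": "vendor-contract.pdf", "permissions": [
        {"type": "user", "email": "legal@example.com", "role": "writer"},
        {"type": "user", "email": "counsel@lawfirm.example", "role": "reader"},
    ]},
    {"name": "team-lunch.txt", "permissions": [
        {"type": "domain", "domain": "example.com", "role": "reader"},
    ]},
]

# Higher number = wider exposure.
SEVERITY = {"INTERNAL": 0, "EXTERNAL_USER": 1, "EXTERNAL_DOMAIN": 2,
            "UNKNOWN": 2, "PUBLIC_LINK": 3}


def is_company_domain(domain: str, company_domain: str = COMPANY_DOMAIN) -> bool:
    """True for the company domain and its subdomains only.

    A plain endswith() check would accept look-alikes such as
    'notexample.com'; requiring the dot boundary avoids that.
    """
    domain = domain.lower()
    return domain == company_domain or domain.endswith("." + company_domain)


def classify(perm: dict, company_domain: str = COMPANY_DOMAIN) -> str:
    """Map one permission entry to an exposure class."""
    kind = perm.get("type")
    if kind == "anyone":
        return "PUBLIC_LINK"
    if kind == "domain":
        return "INTERNAL" if is_company_domain(perm["domain"], company_domain) else "EXTERNAL_DOMAIN"
    if kind in ("user", "group"):
        email = perm.get("email", "")
        domain = email.rsplit("@", 1)[-1] if "@" in email else ""
        # A malformed address cannot be proven internal, so treat it as external.
        return "INTERNAL" if domain and is_company_domain(domain, company_domain) else "EXTERNAL_USER"
    return "UNKNOWN"


def audit(files: list[dict], company_domain: str = COMPANY_DOMAIN) -> list[dict]:
    """Return one entry per file: its worst exposure and every non-internal grant."""
    report = []
    for f in files:
        worst = "INTERNAL"
        grants = []
        for p in f["permissions"]:
            cls = classify(p, company_domain)
            if SEVERITY[cls] > SEVERITY[worst]:
                worst = cls
            if cls != "INTERNAL":
                grants.append((cls, p.get("email") or p.get("domain") or "anyone", p.get("role")))
        report.append({"name": f["name"], "exposure": worst, "grants": grants})
    return report


def public_links(report: list[dict]) -> list[str]:
    """Files reachable by anyone holding the link: the first ones to remediate."""
    return [r["name"] for r in report if r["exposure"] == "PUBLIC_LINK"]


if __name__ == "__main__":
    rep = audit(SHARED_FILES)
    for r in sorted(rep, key=lambda r: -SEVERITY[r["exposure"]]):
        print(f"{r['exposure']:<15} {r['name']}  {r['grants']}")
    print("revoke link sharing on:", public_links(rep))
```

In practice the records would come from the storage platform's permission listing; the classification and ranking stay the same, and the output is the list of links to revoke or replace with per-recipient shares.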
3. Transfer of sensitive data from the cloud to high-risk third-party alternatives
Easy access to data in the cloud means employees can download data from the company's cloud services and re-upload it to unauthorized third-party applications and services such as file-sharing websites, chat apps, webmail, forums and so on.
This mistake can be avoided either through application control, which limits the applications and websites employees can use while at work, or with Data Loss Prevention tools that inspect files by content, file type, regular expressions and other criteria and block matching files from being uploaded or transferred. Pattern-based rules need tuning: a bare regular expression for card numbers, for instance, will also match invoice and tracking numbers unless it is paired with a validity check such as the Luhn checksum, and a rule that fires too often is one users learn to work around.
4. Remote worker security
As more companies adopt flexible schedules and remote work days, a new security problem has emerged: the use of unauthorized personal devices for work. Many employees admit they prefer to work on their personal devices when at home. Unlike BYOD devices, these never come into contact with the company's IT department, so they cannot be secured with DLP agents, and they connect over home or public networks that may or may not be secure.
To avoid data loss in such situations, the use of cloud access security brokers (CASBs) is recommended. A CASB can not only allow or block access to a cloud service but also enforce context-aware policies: for example, users on unmanaged devices and unknown networks may view or edit data in the browser, while downloads, sync clients and printing are blocked. Browser-only access limits bulk exfiltration rather than eliminating it (screenshots and retyping remain possible), so it is a compensating control for unmanaged devices, not a substitute for enrolling the devices that handle the most sensitive data.
5. Uploading high-value data to the cloud
There have been a number of cases where employees uploading sensitive data to the cloud failed to make it private, for example by leaving a storage bucket or shared folder world-readable, and so exposed a company's most valuable data, from health records to personally identifiable information (PII). Cloud services have since tightened their defaults and added warnings for publicly accessible content, but they cannot guarantee that an employee will not, intentionally or not, make the same mistake again.
Every company has a set of high-value data that it would prefer to keep within its own network, whether to prevent leaks and theft or because it is obliged to protect it under regulations such as HIPAA, GDPR, GLBA, PCI DSS and others. Data Loss Prevention solutions such as Endpoint Protector can scan for predefined content by file name, file type, keywords and the like, or by compliance profile, block its transfer, and log and report transfers of other important documents so that an audit trail exists when something does go wrong.
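The content-based scanning described in items 3 and 5 above, as an added example written for this page; it is not the original post's code and not Endpoint Protector's or any other product's detection logic. The sample files, the blocked extensions and the keyword list are constructed assumptions, and the patterns are simplified versions of the kind of rules a DLP profile contains: a US SSN pattern, a card-number candidate pattern confirmed by the Luhn checksum (so the look-alike number in the sample is not flagged), keywords and blocked file types. Each file gets an ALLOW or BLOCK decision and a masked report of what matched.

```python
"""Content-based DLP check of the kind described above (added example).

Scans candidate files for regex patterns, keywords and blocked file types and
returns an ALLOW/BLOCK decision per file. Sample files are constructed; the
Visa number is the well-known test PAN, not a real card.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample upload set.
SAMPLE_FILES = {
    "quarterly_report.docx": "Revenue grew 12%. Contact finance@example.com for details.",
    "patients_export.csv": "name,ssn,mrn\nJane Doe,123-45-6789,MRN-00042\n",
    "cards.txt": "Visa 4111 1111 1111 1111 exp 12/27\nnot a card 1234 5678 9012 3456\n",
    "notes.txt": "Project Falcon roadmap - CONFIDENTIAL, internal only",
    "mailbox_backup.pst": "",
}

BLOCKED_EXTENSIONS = {".pst", ".kdbx"}        # assumption: policy blocks these outright
KEYWORDS = ("confidential", "internal only")    # matched case-insensitively

# Rough US SSN: excludes impossible area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single spaces or dashes. This is only a
# *candidate*; the Luhn check below keeps invoice/tracking numbers out.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    filename: str
    rule: str
    detail: str   # masked, so the report itself does not leak the value


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters, as a DLP log would."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(filename: str, text: str) -> list[Finding]:
    """Apply every rule to one file and return the matches."""
    findings: list[Finding] = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        findings.append(Finding(filename, "BLOCKED_FILE_TYPE", ext))
    for m in SSN_RE.finditer(text):
        findings.append(Finding(filename, "US_SSN", mask(m.group())))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(filename, "PAN", mask(digits)))
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(Finding(filename, "KEYWORD", kw))
    return findings


def decide(findings: list[Finding]) -> str:
    """Any hit blocks the transfer; real policies would weight rules and actions."""
    return "BLOCK" if findings else "ALLOW"


def scan_all(files: dict[str, str]) -> dict[str, str]:
    return {name: decide(scan_text(name, text)) for name, text in files.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        hits = scan_text(name, text)
        print(f"{decide(hits):5} {name}")
        for h in hits:
            print(f"      {h.rule}: {h.detail}")
```

The same structure scales to the compliance profiles mentioned above: each profile is a bundle of patterns, validators and keywords, and the decision step is where a product would choose between blocking, encrypting, or merely logging the transfer.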
Conclusion
Ultimately, cloud security works on a shared responsibility model: the provider secures the underlying platform, while the customer remains responsible for its data, its identities and how access is granted. Since most of the mistakes above fall on the customer's side of that line, companies can implement Data Loss Prevention and other controls to back their policies with enforcement and keep employee negligence or malicious intent from causing breaches.