Rising Public Cloud Adoption Is Accelerating Shadow Data Risks
Using a risk-based approach to deal with policy violations and continuous compliance monitoring will help avoid data exposures and fines.
Public cloud spending and adoption is growing fast. Analysts predict that organizations will spend $591.8 billion on cloud infrastructure and services in 2023, up 20.7% from the year before. In fact, according to Forrester, the public cloud market is projected to reach $1 trillion by 2026, with the majority of spending directed to the big four: Alibaba, Amazon Web Services, Google Cloud, and Microsoft.
So, what's happening? Organizations accelerated their cloud migration during the pandemic and saw huge benefits as cloud services enabled faster innovation, provided elasticity to respond to fluctuating demand, and scaled with growth. Now, there's no turning back, even as the C-suite cuts spending in other areas. Organizations' appetite is particularly large for infrastructure-as-a-service (IaaS), projected to reach $150 billion; and platform-as-a-service (PaaS), anticipated to reach $136 billion in 2023.
Yet all this heady growth, which is thrilling to business strategists and technologists alike, has a dark side. Organizations risk significantly increasing public cloud data risks if they don't take necessary steps to improve its security.
Shadow Data Is Growing Due to Lax Security Controls
Multiple factors are contributing to the problem of "shadow data" or unknown, unmanaged public cloud data. Business users are provisioning their own applications, and developers are continually spinning up their own instances to develop and test applications. Many of these services store and use sensitive data that IT and security teams don't know about. Cloud buckets may also store multiple versions of data in the same bucket, a process called versioning, which increases risks if policies aren't configured properly.
As the pace of innovation increases, unmanaged data stores are often forgotten about and abandoned. In addition, sensitive data that is properly secured could be moved or copied to an unsecured environment or rendered vulnerable if third parties or extraneous users are granted excessive access privileges.
To understand just how much sensitive data is out there, Laminar Labs scanned publicly facing cloud storage buckets. We were able to detect personally identifiable information (PII) in 21% of the buckets. The information we uncovered included physical and email addresses, phone numbers, drivers' license numbers, names, loan details, credit scores, and more. As just one example, we discovered a file with contact information, Ethereum and Bitcoin address information, and block card email addresses — all information that could easily be exploited by a hacker.
The majority of this shadow data was misplaced — often placed in a public bucket that became accidentally exposed. In other cases, AWS S3 buckets were misconfigured as public instead of private. Either way, myriad organizations are exposing sensitive data that is completely open to be exfiltrated.
Three Steps to Better Public Cloud Data Security
Most security professionals (82%) are aware of — and concerned about — their growing public cloud data security problem. Here's how these experts can move swiftly to mitigate threats:
Discover and classify all cloud data: A next-generation public cloud data security platform enables teams to auto-discover all their cloud data, not just known or tagged assets. It detects all cloud data holdings in managed and unmanaged assets, virtual instances, shadow data stores, data caches and pipelines, and big data. With this information, the platform builds a comprehensive, consistent data catalog across organizations' multicloud environments. The catalog precisely identifies and classifies all sensitive data, such as PII, personal health information (PHI), and payment card industry (PCI) transaction data.
Secure and control cloud data: With holistic insights into their sensitive cloud data, security teams can apply and enforce the right security policies and validate data settings against their organization's predetermined guardrails. A public cloud data security platform will reveal outstanding policy violations that can be prioritized in a risk-based manner, based on data sensitivity level, security posture, volume, and exposure.
Remediate risks and monitor activity without interrupting data flow: Teams can then begin remediating sensitive data without compromising business activity. A public cloud data security platform will prompt teams to apply best practices, such as enabling encryption and limiting third-party access, and practice better data hygiene, by removing unused sensitive data from the environment. This process is called data security posture management and provides recommendations that are tailored to each cloud environment, making them more relevant and effective. In addition, security teams can use the platform to enable continuous data monitoring. By doing so, they can rapidly identify policy violations and ensure public cloud data adheres to the organization's stated security posture and regulations, regardless of where it is stored, used, or moved in the cloud.
Reduce Public Cloud Data Security Risks Today
Public cloud data security is too important to be left to chance. In a report we released last year, "State of Public Cloud Data Security, "50% of respondents said their cloud environments had been breached in 2020 and 2021. And of this group, 58% had experienced cloud data leaks or exfiltration.
The best way to protect this valuable data is with a public cloud data security platform that is cloud-native, agentless, asynchronous, and able to scale with data growth. With this resource, IT and security teams can tame the complexity of managing and securing data across multiple vendors and hundreds of services. They can also regain control over sensitive cloud data: applying proper governance, using a risk-based approach to address the areas of greatest concern, and maintaining continuous compliance to avoid data exposures and fines.
About the Author
You May Also Like
Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024