Under a Cloud of Suspicion

Cloud Storage Security Issues

Download as PDF

Cloud storage has been around for a number of years now, and its use among businesses is on the increase. But how does using the cloud for your storage needs affect the security of your data? What are the current perceptions of cloud storage security among organisations? And how are those perceptions driving security decisions with regards to data?

To answer these questions, IS Decisions commissioned research with 300 heads of security within small- to medium-sized businesses in the UK, US and France. The insights from the research have subsequently led to this report. And the key message? There’s still work to do to ensure the safety of data living in the cloud.

How the cloud industry addressed its early teething problems

There’s no doubt that the cloud has changed the way SMBs do business. But traditionally, businesses viewed cloud storage with scepticism, and with good reason.

• Data sovereignty, for example, used to be a major issue, with organisations rightly questioning whether their data stored on a server outside of their home country would be subject to a different set of laws.
• Data security was obviously another sticking point, and many organisations were of the opinion that storing their data on their own premises was more secure than trusting a third party with it.
• Compliance was yet another issue in that it was difficult to trust a third party to make you compliant when it’s you that takes the rap for any non-compliance.
• Migration. Even if these three other aspects of the cloud weren’t a problem, the headache of moving to the cloud might have been enough to put many off entirely.

The cloud industry worked hard for years to counteract these fears. Some of the biggest cloud companies in the world started to build data centres within the countries they were looking to target, therefore addressing the issue of sovereignty. They also invested (and are still investing) millions in data security and compliance — so much to the point that arguably now your data is safer in the cloud than it is on your premises (in the same way that your money is safer in a bank than in cash under your mattress), while making it easier to demonstrate compliance. And where migration is concerned, specialist organisations have honed the art of moving data from one home to another, making the process as painless as possible.

But have those original fears well and truly disappeared?
How have perceptions over sovereignty, security, compliance and migration changed?

To find out, IS Decisions commissioned research with those managing the IT within small- to mid-sized businesses (SMBs) in the UK, US and France using Dropbox for Business, Google Drive, Box and Microsoft OneDrive.

SMBs are truly enjoying the benefits of the cloud

Largely the investment and marketing worked. Cloud adoption is rapidly increasing among SMBs and those that are using the cloud are fully appreciating its benefits:

But the old perceptions still exist today for SMBs

While the benefits are clear, our research finds that the old fears are still very much present.

Where data sovereignty is concerned 51% are still worried about the country (or countries) within which their data physically resides. The figure for US respondents (53%) was higher than those for the UK (46%) and France (43%), perhaps because of high-profile discussions and complexity around state jurisdiction. That said, organisations in the UK and France need to comply with GDPR, which states that organisations must delete customer data on request of the customer — and so organisations in Europe are clearly worried about data living in other countries, which may prove difficult to delete if customers ask for it.

When it comes to security, despite the huge investments made by the hyperscalers, 61% of SMBs still believe their organisation’s data is unsafe in the cloud. Moreover, exactly half believe in principle that cloud storage is inherently less safe than on-premises storage, and more worryingly still, 45% are saying that moving their data to the cloud has actually damaged their security.

Things don’t improve when it comes to compliance, with 50% believing that using cloud storage has made compliance with regulation harder, not easier.

Although the hyperscalers have worked to ensure compliance with major regulations like HIPAA, FISMA, ISO 27001 and many others, the issues exist because there’s still a chance that data that resides on that infrastructure is susceptible to being intercepted or modified by those that are unauthorised to do so. A number of questions still exist — who is going to look after my data? Who is going to be able to see it? Is it going to be the people that manage the infrastructure for us? Is it going to be internal and external people? Is our data in a public cloud going to be segregated from data belonging to other organisations?

Finally, three in five organisations (60%) have had painful issues migrating their data to the cloud, in the same way that many people find moving house a painful issue. Data needs to undergo a level of cleansing and de-duping, in the same way that when moving house, you want to ensure that you’re taking the possessions you really need, throwing out anything unnecessary, while giving each possession an appropriate place to live in your new home.

Why these security perceptions exist

Once you start to unpick these perceptions of cloud storage, the reasons why they still exist become clear.

First, detecting unauthorised access is harder

My on-site manager managed to get hacked by someone claiming to be his wife.

The misuse of employee credentials and improper access controls makes detecting unauthorised access one of the biggest cloud security concerns today (even if the cloud provider has basic tools that tell you which person has accessed which files). 31% of SMBs say that since moving to the cloud for storage, it’s been harder to detect unauthorised access, with one respondent in the UK even saying: “My on-site manager managed to get hacked by someone claiming to be his wife.”

Traditionally, when organisations store their data on on-premises file servers, the data is ‘relatively’ secure from unauthorised use. Native security permits only approved access to data for specific users or groups of users within the organisation. The need to be physically in the office to access the files creates a natural boundary against unauthorised access from outside the organisation. Even for employees and third-party partners using virtual private networks (VPNs), which allow access outside of this boundary, data remains relatively secure because IT teams can restrict access to a few specific devices only.

But with cloud-based storage, the ease of sharing data among teams and simple integrations their storage can have with other cloud applications significantly increases the prospect of unauthorised access. From a productivity point of view, that makes complete sense, but from a security standpoint, it’s a headache for IT teams.

And without the right access controls in place, if an employee’s login credentials were to fall into the wrong hands, a perpetrator could, in theory, gain access to sensitive files and folders from anywhere in the world using any device.

Secondly, stopping outgoing employee theft is harder

Again, with on-premises storage and just a desktop computer, there’s that much more risk of getting noticed (through prying eyes) if someone tries to steal sensitive information. But with employees using laptops, smartphones and tablets (sometimes their own devices) to access information in the cloud, which they can do so from anywhere, it’s almost too easy to steal information before they leave. In fact, even when employees do officially leave, there’s still a problem — previous IS Decisions research found that a third of ex-employees still have access to company data after they’ve left.

Thirdly, and most importantly, organisations are still suffering breaches!

Moreover, for 22% of organisations, an external hacker has managed to gain access to their systems using an employee’s login credentials. The consequences of breaches have been incredibly damaging — with 15% saying they have suffered significant reputational damage because of unauthorised access to sensitive corporate data stored on cloud networks.

What organisations are doing about it

Using the cloud is now almost a mandatory part of the business, so organisations must find ways to overcome these security worries.

The security implications of using the cloud certainly aren’t enough to put businesses off using it. Using the cloud now is almost a mandatory part of business, and those that don’t take advantage of its benefits are ultimately shooting themselves in the productivity foot.

But what the security implications do mean is that organisations are looking for roundabout ways to balance security and productivity — mainly in two ways.

21% have gone as far as to say they keep their most sensitive data stored on on-premises infrastructure because they don’t trust its security in the cloud.

When asked what constitutes sensitive data, most organisations considered their own data to be more important than that of their clients — which is a worry considering supply chain attacks are on the up.

74% stated their corporate credit card data was sensitive and 71% said their employees’ personal information was sensitive — whereas just 62% said client contact details were sensitive, and worryingly, only 53% said their clients’ data was sensitive!

Most organisations (80%) just rely on the native security of the cloud provider.

• Of those, just under half monitor access manually every day (42%), which is an incredibly time-consuming and complex thing to do, and of course, subject to human error.
• Just over a third monitor access on an ad hoc basis (38%), which is less time-consuming but more prone to missing an attack or finding out about it too late.
• And, worryingly, 9% don’t monitor access at all, which makes identifying the source of a breach incredibly difficult when it inevitably happens.

It’s hard to place blame at the door of the SMBs that don’t monitor file access every day. SMBs tend to lack the resources, expertise, information and time to do it properly.

Given the reasons above, it’s no wonder that nearly half of SMBs (49%) believe the native security of their current cloud storage provider is not strong enough to protect their data.

There clearly needs to be a stronger and more efficient way to ensure that data in the cloud remains safe. Moving to the cloud does not diminish an organisation’s need to secure access to and usage of file data because, after all, security audits, compliance mandates and government regulations all still require organisations to keep their data safe.

How FileAudit can help cloud storage security

67% say that receiving alerts for unauthorised or suspicious access to sensitive data stored in the cloud would be extremely useful.

This is where FileAudit comes in.

FileAudit proactively tracks, audits and reports on all access to files and folders — and alerts IT teams to suspicious file activity the moment it occurs. Traditionally, FileAudit monitored files and folders on Windows Active Directory-based servers, but now, IS Decisions has extended FileAudit’s monitoring capabilities to Dropbox for Business, Google Drive, Box and Microsoft OneDrive.

Now, if you’re managing your organisation’s storage with a mixture of on-premises and cloud storage, FileAudit gives you a consistent view of the security of your data across all your storage servers —from one tool and one consolidated dashboard.

FileAudit also enables you to make monitoring file access easy through delegation, which helps both productivity and security. IT teams are sometimes out of touch with which users need what access, and whether use of files is appropriate. By delegating the responsibility of administering file access to those that are more actively involved in the organisation, those responsible can make better decisions about what ‘normal’ access looks like, while also making it easier to spot anomalies more quickly — which keeps files safe while lightening the burden on the IT team.

Research methodology

IS Decisions commissioned the research cited in this report in 2019 with 300 people in charge of security within small- to mid-sized organisations in the UK, US and France. Respondents’ organisations had to be users of Dropbox for Business, Google Drive, Box or Microsoft OneDrive to take part in the research.