
IS Decisions Blog

Cloud storage security issues report: Under a cloud of suspicion

How SMBs perceive the security of cloud storage and what they're doing to protect their data in the cloud.

Published April 11, 2019

Cloud storage has been around for a number of years now, and its use among businesses is on the increase. But how does using the cloud for your storage needs affect the security of your data? What are the current perceptions of cloud storage security among organizations? And how are those perceptions driving security decisions with regard to data?

To answer these questions, IS Decisions commissioned research with 300 heads of security within small- to medium-sized businesses in the UK, US and France. The insights from the research led to this report. And the key message? There’s still work to do to ensure the safety of data living in the cloud.

How the cloud industry addressed its early teething problems

There’s no doubt that the cloud has changed the way SMBs do business. But traditionally, businesses viewed cloud storage with scepticism, and with good reason.

  • Data sovereignty, for example, used to be a major issue, with organizations rightly questioning whether their data stored on a server outside of their home country would be subject to a different set of laws.

  • Data security was another sticking point, and many organizations thought that storing their data on their premises was more secure than trusting a third party with it.

  • Compliance was yet another issue in that it was difficult to trust a third party to make you compliant when it’s you that takes the rap for any non-compliance.

  • Migration. Even if these three other aspects of the cloud weren’t a problem, the headache of moving to the cloud might have been enough to put many off entirely.

The cloud industry worked hard for years to counteract these fears. Some of the biggest cloud companies in the world started to build data centers within the countries they were looking to target, thereby addressing the issue of sovereignty. They also invested (and are still investing) millions in data security and compliance, to the point that your data is now arguably safer in the cloud than it is on your premises (in the same way that your money is safer in a bank than in cash under your mattress), while making it easier to demonstrate compliance. And where migration is concerned, specialist organizations have honed the art of moving data from one home to another, making the process as painless as possible.

But have those original fears well and truly disappeared?


How have perceptions over sovereignty, security, compliance and migration changed?

To find out, IS Decisions commissioned research with those managing the IT within small- to mid-sized businesses (SMBs) in the UK, US, and France using Dropbox for Business, Google Drive, Box, and Microsoft OneDrive.

SMBs are truly enjoying the benefits of the cloud

Largely the investment and marketing worked. Cloud adoption is rapidly increasing among SMBs and those that are using the cloud are fully appreciating its benefits:

  • 90% see improved productivity after moving to a cloud service provider

  • 85% say employees like being able to access files from anywhere thanks to cloud storage

  • 81% save money after moving data to a cloud storage provider

But the old perceptions still exist today for SMBs

While the benefits are clear, our research finds that the old fears are still very much present.

Where data sovereignty is concerned 51% are still worried about the country (or countries) within which their data physically resides. The figure for US respondents (53%) was higher than those for the UK (46%) and France (43%), perhaps because of high-profile discussions and complexity around state jurisdiction. That said, organizations in the UK and France need to comply with GDPR, which states that organizations must delete customer data on request of the customer — and so organizations in Europe are worried about data living in other countries, which may prove difficult to delete if customers ask for it.

When it comes to security, despite the huge investments made by the hyperscalers, 61% of SMBs still believe their organization’s data is unsafe in the cloud. Moreover, exactly half believe in principle that cloud storage is inherently less safe than on-premises storage, and more worryingly still, 45% are saying that moving their data to the cloud has damaged their security.

There's also the added difficulty of managing the security of both on-premises and cloud storage together in a hybrid environment.

Those with hybrid storage (on-premises and cloud) infrastructure are especially struggling with security. The reason they’re struggling is that they don’t have consistent security across IT infrastructures, and keeping track of the security across on-premises and cloud storage environments without a single consolidated view is challenging.

Things don’t improve when it comes to compliance, with 50% believing that using cloud storage has made compliance with regulation harder, not easier.

Although the hyperscalers have worked to ensure compliance with major regulations like HIPAA, FISMA, ISO 27001 and many others, the issues exist because there’s still a chance that data that resides on that infrastructure is susceptible to being intercepted or modified by those that are unauthorized to do so.

There are still lots of questions, such as:

  • Who is going to look after my data?

  • Who is going to be able to see it?

  • Is it going to be the people that manage the infrastructure for us?

  • Is it going to be internal and external people?

  • Is our data in a public cloud going to be segregated from data belonging to other organizations?

Finally, three in five organizations (60%) have had painful issues migrating their data to the cloud, in the same way that many people find moving house a painful issue. Data needs to undergo a level of cleansing and de-duping, in the same way that when moving house, you want to ensure that you’re taking the possessions you need, throwing out anything unnecessary, while giving each possession an appropriate place to live in your new home.

Why these security perceptions exist

Once you start to unpick these perceptions of cloud storage, the reasons why they still exist become clear.

First, detecting unauthorized access is harder

The misuse of employee credentials and improper access controls makes detecting unauthorized access one of the biggest cloud security concerns today (even if the cloud provider has basic tools that tell you which person has accessed which files). 31% of SMBs say that since moving to the cloud for storage, it’s been harder to detect unauthorized access, with one respondent in the UK even saying: “My on-site manager managed to get hacked by someone claiming to be his wife.”

Traditionally, when organizations store their data on on-premises file servers, the data is ‘relatively’ secure from unauthorized use. Native security permits only approved access to data for specific users or groups of users within the organization. The need to be physically in the office to access the files creates a natural boundary against unauthorized access from outside the organization. Even for employees and third-party partners using virtual private networks (VPNs), which allow access outside of this boundary, data remains relatively secure because IT teams can restrict access to a few specific devices only.

But with cloud-based storage, the ease of sharing data among teams and simple integrations their storage can have with other cloud applications significantly increases the prospect of unauthorized access. From a productivity point of view, that makes complete sense, but from a security standpoint, it’s a headache for IT teams.

Without the right access controls in place, if an employee’s login credentials were to fall into the wrong hands, a perpetrator could, in theory, gain access to sensitive files and folders from anywhere in the world using any device.

Secondly, stopping outgoing employee theft is harder

Again, with on-premises storage and just a desktop computer, there’s that much more risk of getting noticed (through prying eyes) if someone tries to steal sensitive information. But with employees using laptops, smartphones and tablets (sometimes their own devices) to access information in the cloud, which they can do from anywhere, it’s almost too easy to steal information before they leave. Even when employees do officially leave, there’s still a problem: previous IS Decisions research found that a third of ex-employees still have access to company data after they’ve left.


Thirdly, and most importantly, organizations are still suffering breaches!

Moreover, for 22% of organizations, an external hacker has managed to gain access to their systems using an employee’s login credentials. The consequences of breaches have been incredibly damaging — with 15% saying they have suffered significant reputational damage because of unauthorized access to sensitive corporate data stored on cloud networks.

What organizations are doing about it

Using the cloud is now almost a mandatory part of the business, so organizations must find ways to overcome these security worries.

The security implications of using the cloud certainly aren’t enough to put businesses off using it. Using the cloud now is almost a mandatory part of business, and those that don’t take advantage of its benefits are ultimately shooting themselves in the productivity foot.

But what the security implications do mean is that organizations are looking for roundabout ways to balance security and productivity — mainly in two ways.

First, they’re storing their most sensitive data off the cloud


21% have gone as far as to say they keep their most sensitive data stored on on-premises infrastructure because they don’t trust its security in the cloud.

When asked what constitutes sensitive data, most organizations considered their own data to be more important than that of their clients — which is a worry considering supply chain attacks are on the up.

74% stated their corporate credit card data was sensitive and 71% said their employees’ personal information was sensitive — whereas just 62% said client contact details were sensitive, and worryingly, only 53% said their clients’ data was sensitive!

The second way organizations are attempting to balance security and productivity is by trying to monitor file access (but not very well).


Most organizations (80%) just rely on the native security of the cloud provider.

  • Of those, just under half monitor access manually every day (42%), which is an incredibly time-consuming and complex thing to do, and of course, subject to human error.

  • Just over a third monitor access on an ad hoc basis (38%), which is less time-consuming but more prone to missing an attack or finding out about it too late.

  • And, worryingly, 9% don’t monitor access at all, which makes identifying the source of a breach incredibly difficult when it inevitably happens.

It’s hard to place blame at the door of the SMBs that don’t monitor file access every day. SMBs tend to lack the resources, expertise, information and time to do it properly.

Given the reasons above, it’s no wonder that nearly half of SMBs (49%) believe the native security of their current cloud storage provider is not strong enough to protect their data.

There clearly needs to be a stronger and more efficient way to ensure that data in the cloud remains safe. Moving to the cloud does not diminish an organization’s need to secure access to and usage of file data because, after all, security audits, compliance mandates, and government regulations all still require organizations to keep their data safe.

How FileAudit can help cloud storage security

67% say that receiving alerts for unauthorized or suspicious access to sensitive data stored in the cloud would be extremely useful.

This is where FileAudit comes in.

FileAudit proactively tracks, audits and reports on all access to files and folders — and alerts IT teams to suspicious file activity the moment it occurs. Traditionally, FileAudit monitored files and folders on Windows Active Directory-based servers, but now, IS Decisions has extended FileAudit’s monitoring capabilities to Dropbox for Business, Google Drive, Box and Microsoft OneDrive.

Now, if you’re managing your organization’s storage with a mixture of on-premises and cloud storage, FileAudit gives you a consistent view of the security of your data across all your storage servers, from one tool and one consolidated dashboard.

FileAudit also enables you to make monitoring file access easy through delegation, which helps both productivity and security. IT teams are sometimes out of touch with which users need what access, and whether use of files is appropriate. By delegating the responsibility of administering file access to those that are more actively involved in the organization, those responsible can make better decisions about what normal access looks like, while also making it easier to spot anomalies more quickly — which keeps files safe while lightening the burden on the IT team.

Research methodology

IS Decisions commissioned the research cited in this report in 2019 with 300 people in charge of security within small- to mid-sized organizations in the UK, US, and France. Respondents’ organizations had to be users of Dropbox for Business, Google Drive, Box or Microsoft OneDrive to take part in the research.
