We just this week issued the Cloud and Big Data edition of the 2015 Vormetric Insider Threat Report. In this edition we concentrated on the results relating directly to cloud and big data environments, and there were some real eye openers once we got a good look at the data.
First and foremost, we were very surprised at the rate at which organizations are choosing to use sensitive data in the cloud. We already knew that 80% of enteprises had embraced at least some cloud usage, but for the U.S. especially, 60% reported storing sensitive data in the cloud (3 out of 4 that are using the environment). This is a clear indication that usage has gone well past trials, development and test environments, and applications that are not "mission critical". Clearly with this amount of sensitive data usage, cloud environments are now often full production implementations.
But there is more to it than that - The trend to use SaaS applications has also greatly broadened the amount of sensitive data in the cloud. With organization increasingly adopting on-line HR, ERP, accounting, email, project management, and productivity tools, more and more day to day operations have moved to the cloud as well. Across the board, concerns where high about data protection for these applications. What was at the top of the list? File sharing and storage services like Box.net and AWS S3.
We were prepared to find that organizations were worried about sensitive data stored within SaaS applications. But the level of concern, and the percentage of organizations using sensitive data within SaaS applications was a surprise. Organizations are using SaaS applications with sensitive data at a high rate (57% globally and 62% U.S. organizations) even through their concerns are even higher almost across the board … but most especially for online storage, backup and accounting applications.
Another surprise - The differences in levels of concern by U.S. respondents and those outside of the U.S. One standout - levels of concern for lack of control over the location of data.
Data residency and privacy laws are quite strict in Germany and to a lesser extent in the rest of Europe (including the U. K.). Recent developments with the U.S. Government’s access and attempted access to international technology providers in these areas has also raised flags. Given these factors, we’d expected that organizations from these areas would be very concerned about the lack of control over where data is located, and the lack of data privacy policies and SLAs. But this wasn’t the case.
U.S. organizations were more concerned in every area than international respondents – typically by between 20 and 30%.
Last but not least is the finding that Cloud environments are now seen as the largest perceived risk to data (40%) above databases (38%) and file servers (29%). When we asked "Which of the following locations are at the greatest risk for loss of sensitive data in your organization?", the results showed that Cloud is now perceived as the highest risk environment that enterprises use for sensitive data. The numbers are even higher in some segments – For the U.S. overall 46%, for Germany 49%.
It’s interesting to note that mobile … where the volumes of data that can be exposed is relatively small was the second highest perceived area of risk. With many enterprises struggling to adapt to a flood of mobile devices the lack of their own security control strategy for these may be playing in here. The volumes of sensitive data certainly aren’t there.