Investigation Uncovers Vulnerabilities in Over 30% of Cloud Resources

A recent study indicates that sensitive data is housed within over 30% of cloud resources.

Dig Security has published the results of its inaugural State of Cloud Data Security 2023 Report. This comprehensive study examined in excess of 13 billion files in public cloud spaces, shedding light on the vulnerabilities of sensitive data within contemporary enterprises.

The team at Dig discovered that upwards of 30% of cloud resources store sensitive details. Among this data, the most prevalent sensitive information that organizations store is personally identifiable information (PII). Out of a subset of 1 billion records scrutinized, they identified in excess of 10 million social security identifiers (ranking sixth in terms of sensitive data types), and close to 3 million credit card details, which ranked seventh.

As cloud technologies become increasingly popular, the dispersal of data intensifies. This often results in increased risks, potentially leading to security and compliance infringements. Regularly, this data is duplicated, modified, shared, and then neglected. Yet, by pinpointing the location of sensitive information, enterprises can better manage potential risks and fortify their data security. The study by Dig confirmed that the most frequently stored sensitive data is PII, which encompasses both employee and client information.

Other noteworthy points from the report include:

  • 91% of database solutions housing sensitive information weren’t encrypted at rest; 20% didn’t enable logging, and 1.6% were accessible to anyone.
  • Over 60% of storage solutions weren’t encrypted at rest, while nearly 70% weren’t logged.
  • 95% of key users with granted permissions obtained them due to excessive privilege.
  • More than a third of key users have some level of access to sensitive resources. Approximately 10% possess administrative capabilities, while close to 20% have user access to critical resources.
  • Nearly 10% of key users have user rights, and about 5% have administrative rights to PCI information.
  • Close to 1% of vital resources are shared with external vendors, while over 2% of critical data resources are jeopardized due to direct access via an external account.

On average, sensitive data is accessed by 14 distinct key users. Additionally, 6% of firms have sensitive information that has been moved to publicly accessible resources. The frequent transfer of data between various global locations amplifies these concerns. It’s not uncommon for critical data to be accessed from various global regions. Over half of the sensitive data is accessed from multiple global areas, and 26% of it is accessed from five or more global locations. As data transfers increase, the associated risks grow, with 77% of critical data resources having more than a single cross-service transfer.

Data is directed to data lakes, including Hadoop and Snowflake, at a rate of 40%. Hadoop is responsible for absorbing 37%, inadvertently duplicating vital information into unmonitored spaces. Duplication between storage resources accounts for 30% of activities related to sensitive data. More than half of the sensitive data is accessed by between 5 and 10 applications, while nearly a fifth of it is accessed by between 10 and 20 applications.