March 20, 2023

Attack Surface Grows As Data Moves to the Cloud, Report Finds


Companies may be unwittingly increasing the odds that their data is compromised by storing vast amounts of it in cloud repositories that are poorly governed and don’t adhere to modern data deletion standards, according to a new report issued this month by Blancco Technology Group, a provider of data erasure tools.

At first glance, stockpiling big data in cheap cloud storage may seem like a good technique. After all, if data is the new oil, then having lots of it will increase the odds that a company can make some sort of use of it later on, whether through advanced SQL analytics or machine learning.

However, this data-hoarding mentality also brings with it certain risks. In particular, it increases the “data attack surface” in the cloud, according to Blancco’s new “Data at a Distance” report issued earlier this month.

More than half of the 1,800 data retention and data disposal decision makers surveyed for Blancco’s report in November and December 2022 say their companies already store all of their data in the cloud, and the remainder “are in the process of moving.”

While companies in finance and healthcare are highly regulated already, a lack of mature data governance policies and procedures among nearly half of the surveyed companies is hampering their capability to adequately protect data, the report finds.

Best practices for data governance demand that companies do three things, Blancco says:

  • Classify their data to know what it is and who should have access to it at what times;
  • Erase data and minimize data to help reduce vulnerabilities;
  • And make data inaccessible when it reaches end of life (EOL).

Deleting data sounds pretty straightforward, but it’s a procedure that’s prone to error, Blancco says. Best practices for certified data erasure demand audit trails for the deletion of data at its EOL. However, more than half of companies are still using basic data deletion techniques that lack audit trails.

There is evidence that the cloud is exacerbating these issues. According to the Data at a Distance report, 60% of respondents said that their cloud provider handles EOL data for them, while 35% said they don’t trust their cloud provider to handle EOL data appropriately. Not surprisingly, 65% of companies say they can manage EOL data better for data stored on-prem than in the cloud.

The report finds that 28% of companies use the “blunt” approach of expiring data after a set timeframe. This is a simple but ineffective approach that “does not consider what the data is, what it’s worth, or the risk of it getting into the wrong hands,” the report states.

“In some cases, this could mean that sensitive information, including personally identifiable is masked, allowing desensitized information to live on for further use,” the report continues. “However, this is a blunt approach to the information lifecycle that is not best practice, especially for industries subject to multiple data protection regulations.”

“This may be why many enterprise organizations still keep at least some operations ‘close to the chest’–stored, processed, and managed on their own mainframes as they navigate new regulations and growing data threats,” the Blancco report says.

Complying with data regulations is another difficulty that is exacerbated by the large number of laws that a given company must adhere to. The GDPR and CPRA are the most well-known data regulations, but there are many others that may apply, including:

  • Japan’s APPI law;
  • Canada’s PIPEDA;
  • PDSG in Germany;
  • CNIL in France;
  • the Children’s Online Privacy Protection Act (COPPA);
  • the U.S. FTC Act Safeguards Rule;
  • the New York Department of Financial Services Cyber Rules;
  • PCI-DSS;
  • and HIPAA.

“Healthcare and financial services providers handle some of the most confidential and sensitive information possible,” Jon Mellon, president of global sales, marketing, and field operations at Blancco, stated in a press release. “While they have made the move to cloud for better connectivity, digital transformation and ease of managing data, many of them are still falling short when it comes to knowing how to reduce risk and maintain compliance when that data is no longer serving a business function.”

You can download the Data at a Distance report here.
