Anatomy of data exposures in the Cloud

Dec. 23, 2021
Implementing proper data discovery and protection methods can help organizations proactively mitigate the impact of a data breach

We are living in the age of data. Data informs decisions and is an integral component of business. However, despite the rising importance of data, we are not seeing a proportional increase in data security. That should concern all of us because our own personal (and sensitive) data makes its way into these large corporate data repositories.

Businesses process data with varying degrees of complexity, in one way or another, and a host of data security mandates have been implemented to improve the overall security of sensitive and valuable information. The Verizon Business 2021 Data Breach Investigations Report revealed that the number of data breaches within organizations has increased by a third as employees work remotely during the COVID-19 pandemic.

And especially as more businesses resume “normal” operations, data security should not take the back seat.

Are Breaches Always the Result of Complicated and Sophisticated Cyberattacks?

One question that frequently arises is the origin of security incidents. The biggest problem facing data-rich institutions is the security of publicly available datasets or exposed databases that can encourage unauthorized access to sensitive data through internet browsers and little-known security holes. In the age of cloud computing, vast swathes of datasets can be found online, and every ransomware attack has originated from something that was exposed, no matter how small and insignificant that information appears to be. Indeed, unsecured buckets of data in the cloud have been the contributing factor to many high-profile data security incidents.

Once cybercriminals have isolated weakness in your armor, it’s only a matter of time until this becomes a serious incident. It only takes a single human error to undo the work of security software, IT security teams, and even comprehensive security awareness training. It becomes impossible to determine how or when your data was initially breached. In the best-case scenario, a white-hat user will responsibly disclose this error, whereas in the worst-case scenario, you can suffer a company-wide ransomware incident, locking employees out of devices and networks and bringing business operations to a sudden halt.

When hosting data online, you should remember that even if you try to put the proper security mechanisms in place, a large portion of the information is not protected by default security controls. In some cases, developers may leave sensitive information in a public GitHub repository.  With lax security controls on internet-hosted databases, this means that if not audited, sensitive data may be indexed by Google’s public search engine.

One of the key realizations of modern IT is that the impetus behind data processing systems is thousands of lines of code and software which may or may not be hardened against bugs, security holes, and other potentially debilitating traits. These software solutions are compiling complex tasks mostly in an automated fashion, and so many CISOs will point their finger either at the code (or an intern) following a data breach, but this is rarely the case. This code is one of the most sophisticated aspects of your infrastructure, but the risk within code is minimal when compared to plain and simple human error.

How Can Enterprises Use Tools to Manage Their Own Risk?

All of this raises the critical question: what can we do to protect data?

Unfortunately, losing track of data, and more importantly, highly sensitive data, is a reality for businesses. Even as more information resides in the cloud, auditing this data can be a logistical nightmare for unprepared organizations. Regardless of the IT processes that you have in place, the exposure of sensitive personally identifiable information (PII) or business secrets has become a likely possibility for every organization—it’s not if but when. The first step to ensure that your data remains secure is to understand where your data is and what iterations of that data you have. Ask yourself: does your enterprise have a clear definition of what “sensitive” really is? If the answer is yes, then you are in a good place to start implementing company-wide data security policies that actually protect the data itself, rather than just erecting walls around storage in the cloud. We call this approach data-centric security.

If the answer is no, then you’ve got a lot of work to do before you get to the question of optimal data protection. You can’t protect what you don’t know exists. Look no further than the ever-expanding IoT network when considering the constantly growing attack surface of modern organizations. Think of the images on your phone, tablets, or computers. These devices are a wealth of information, and the digital age has allowed unlimited reproduction to occur. Are you certain that you can trace your data or who has come into contact with it? Understanding data lineage is essential for a data protection policy.

Prevent Phishing, Protect Data

In our experience, phishing campaigns and even basic-level social engineering techniques can fool even more experienced employees and seasoned technical personnel. As more data resides within virtual cloud assets, it can only take one compromised admin password to allow a nefarious actor access to the most guarded data. Social engineering tactics play on people’s fears or haste, tricking them into making split-second decisions that will open them up to a range of threats such as malware or identity fraud.

To prevent social engineering tactics from harvesting your valuable data, you must foster a strong culture of data security. The simplest way to initiate this culture is to create an open and active environment that values precision over rapid turn-around and that understands how data privacy deeply affects each one of us. Organizational leaders should take an active part in cultivating this type of environment.

However, before you can build more awareness of data privacy and keeping sensitive information secure, you must first understand (and help your co-workers and employees understand, too) what sensitive information actually is. Passwords, social security numbers, or payment details are all obvious examples, but now, even a work email seen by the wrong person could constitute a breach of sensitive information. In most cases, an email is the entry point for social engineers. When you scale this up with emails targeting thousands of individuals en masse, it becomes a real concern that could allow scammers to expose an entire data infrastructure. No passwords were used, no complicated “hacking” was involved; instead, the keys to the kingdom were handed over because employees thought they were communicating with someone they trust.

By implementing proper data discovery and protection methods, businesses that collect, handle, and process data in the cloud can successfully mitigate the impact of a data breach before it even occurs. This process provides business value as a common-sense approach, saving time and resources in the crucial battle against cybercriminals.

About the author: Trevor J. Morgan is responsible for product management at comforte AG, where he is dedicated to developing and bringing to market enterprise data protection solutions. He has spent the majority of his career in technology organizations bringing to market software, hardware and services for enterprise and government customers. Trevor has held senior-level, lead positions in sales engineering, product management, software architecture and product marketing in companies like Cisco, Capital One and Ciena. He holds a Ph.D. from Texas Tech University and a bachelor’s and master’s from Baylor University.