Dig Security State of Cloud Data Security 2023 Report Reveals Over 30% of Cloud Assets Expose Sensitive Data

Dig Security, the leading provider of cloud data security solutions, has recently released its inaugural “State of Cloud Data Security 2023 Report.” The report, which analyzed over 13 billion files stored in public cloud environments, sheds light on the vulnerabilities that sensitive data faces in today’s modern enterprise.

According to Dan Benjamin, CEO and Co-founder of Dig Security, many organizations have been handling sensitive customer and corporate data with a lack of caution. The aim of the report is to raise awareness about how users interact with sensitive data in their working environments and highlight the corresponding risks. Benjamin emphasized the importance of building a comprehensive data security stack, including a Data Security Posture Management (DSPM) solution with real-time Data Detection and Response (DDR) capabilities to safeguard data wherever it resides.

One of the most significant findings from Dig’s research is that more than 30% of cloud data assets contain sensitive information. Personally identifiable information (PII) emerges as the most common type of sensitive data saved by organizations. The analysis of a sample dataset of 1 billion records uncovered over 10 million social security numbers, making them the sixth most prevalent type of sensitive information. Additionally, nearly 3 million credit card numbers, the seventh most common type, were also discovered.

The “State of Cloud Data Security 2023 Report” focuses on three key areas that impact the risk posture of cloud data: common types of sensitive data and their locations, who can access sensitive information and contribute to its exposure, and the flow of sensitive data.

Cloud adoption has resulted in extensive data sprawl, leading to an increased risk of security breaches and non-compliance as data is continuously shared, copied, transformed, and forgotten. The report points out that understanding the location of sensitive data is crucial for managing risk and ensuring its security. Dig’s research found that the most prevalent type of sensitive data saved by organizations is PII, containing employee and customer data.

Furthermore, the report reveals several alarming statistics regarding data encryption and logging practices. For instance, 91% of database services with sensitive data were not encrypted at rest, and 20% had logging disabled. This lapse in security is a significant concern as it leaves valuable data vulnerable to unauthorized access and breaches. Similarly, over 60% of storage services lacked encryption at rest, and almost 70% were not logged.

Another important aspect examined in the report is the accessibility of sensitive data. Granting excessive privileges and permissions can lead to the exposure of sensitive information. The sharing of such data between cloud accounts, storage assets, and managed databases also poses risks. The report highlights the neglect of enforcing the separation of duties between administrative and consumer permissions in the cloud, further exacerbating these vulnerabilities. Data access controls and adoption of best practices, such as granting explicit permissions to each asset instead of roles, are recommended to strengthen security.

Dig’s research reveals troubling data regarding permissions and access control. An astonishing 95% of principals with permissions are granted excessive privileges, leading to the increased exposure of sensitive data assets. Additionally, over 35% of principals have some degree of privilege to access sensitive data, and close to 10% have administrative access. The report emphasizes the importance of limiting sensitive data shared between accounts to bolster control and reduce the risk of data exposure.

The report also addresses the flow of sensitive data and the risks associated with it. On average, sensitive data is accessed by 14 different principals, and 6% of companies have sensitive data that has been transferred to publicly accessible assets. Furthermore, data flows across multiple geographic locations, further compounding the risks. Alarmingly, over 56% of sensitive data assets are accessed from multiple geographic locations, with 26% accessed from five or more geolocations. The report emphasizes that as data flows, the risks increase, with 77% of sensitive data assets exhibiting multiple cross-service flows.

Dig’s research uncovers that 40% of data flows into data lakes, such as Hadoop and Snowflake. Hadoop alone accounts for 37% of data ingestion, which duplicates sensitive data into an unmanaged environment, significantly escalating the risk of data exposure. Additionally, replication between storage assets accounts for 30% of activities involving sensitive data. Over 50% of sensitive data assets are accessed by 5-to-10 applications, and nearly 20% of assets are accessed by 10-to-20 applications.

To mitigate the exposure of sensitive data, Dig Security recommends minimizing excessive permissions and continuously monitoring access to ensure data is adequately protected. Logging should be enabled for data assets, and data flows that increase exposure risk should be examined and then reduced to the minimum required level. Organizations must also ensure that data flows comply with internal governance and external compliance mandates. Regulations like GDPR explicitly restrict the movement of sensitive information outside of its geolocation. The duplication of data across different regions poses a significant risk, doubling the chances of exposure and potentially leading to compliance breaches.

The “State of Cloud Data Security 2023 Report” serves as an essential resource highlighting the absence of critical security controls for sensitive data and advocating for additional security measures to safeguard data in cloud assets. The complete report can be accessed through the Dig Security website.

Dig Security’s data protection platform, the industry’s first and only solution to combine DSPM, data loss prevention (DLP), and data detection and response (DDR) capabilities into a single platform, offers organizations immediate insights. The agentless cloud-native solution offers quick deployment, zero maintenance, and comprehensive automated responses at scale, empowering enterprise cloud and security teams.

For more information about Dig Security and its cloud data security solutions, please visit their official website.

About Dig Security:
Dig Security specializes in helping organizations discover, classify, protect, and govern their cloud data. As organizations transition to complex environments with numerous database types across various clouds, monitoring and detecting data exfiltration and policy violations have become challenging tasks, often with fragmented solutions. Dig’s unique approach, driven by its cloud-native and agentless platform, reinvents cloud data loss prevention (DLP) and incorporates Data Detection & Response (DDR) capabilities. This innovative approach enables organizations to effectively manage the challenges posed by cloud data sprawl. Dig Security was founded by three cybersecurity veterans from Microsoft and Google and has garnered support from industry leaders such as Team8, SignalFire, Felicis, CrowdStrike, Okta Ventures, CyberArk Ventures, Merlin Ventures, and Samsung Ventures. To learn more about Dig Security, please visit their official website.
