Sensitive data is exposed in over 30 percent of cloud assets
New analysis of more than 13 billion files stored in public cloud environments reveals that more than 30 percent of cloud data assets contain sensitive information.
The study by Dig Security shows personal identifiable information (PII) is the most common sensitive data type that organizations save. In a sample data set of a billion records, more than 10 million social security numbers were found -- the sixth most common type of sensitive information -- followed by almost three million credit card numbers, the seventh most common type.
"Many organizations handle sensitive customer and corporate data too casually. Our goal in developing the State of Cloud Data Security 2023 Report is to drive awareness over how users engage with sensitive data in today’s working environments, and expose corresponding risks," says Dan Benjamin, CEO and co-founder of Dig Security. "To protect data wherever it lives, modern enterprises must build a comprehensive data security stack, including a Data Security Posture Management (DSPM) solution with real-time Data Detection and Response (DDR) capabilities."
Perhaps more worrying than the data being stored is that 91 percent of database services with sensitive data were not encrypted at rest, 20 percent had logging disabled, and 1.6 percent were open to the public. More than 60 percent of storage services were not encrypted at rest, and almost 70 percent were not logged.
In addition users frequently have admin and consumer privileges unnecessarily. More than 35 percent of principals have some privilege to sensitive data assets. Almost 10 percent have admin access, and almost 20 percent have consumer access to a sensitive asset.
Sensitive data, on average, is accessed by 14 different principals, and six percent of companies have sensitive data that has been transferred to publicly open assets. Compounding the issue is the frequent flow of data across geolocations. Over 56 percent of sensitive data assets are accessed from multiple geographic locations, and 26 percent are accessed from five or more.
The full report is available from the Dig Security site.