Dig’s Cloud Security Report Finds Sensitive Data Exposures

Dig Security, released findings from its State of Cloud Data Security 2023 Report that shows how and why 13 billion files stored in public cloud environments are at risk in the modern enterprise.

“Many organizations handle sensitive customer and corporate data too casually. Our goal in developing the State of Cloud Data Security 2023 Repor is to drive awareness over how users engage with sensitive data in today’s working environments and expose corresponding risks,” said Dan Benjamin, CEO and co-founder of Dig Security. “To protect data wherever it lives, modern enterprises must build a comprehensive data security stack, including a Data Security Posture Management (DSPM) solution with real-time Data Detection and Response (DDR) capabilities.”

Dig’s researchers found that more than 30 percent of cloud data assets contain sensitive information. Personal identifiable information (PII) is the most common sensitive data type that organizations save.

In a sample data set of 1 billion records, more than 10 million Social Security numbers were found (the sixth most common type of sensitive information), followed by almost 3 million credit card numbers, the seventh most common type.

The Dig Security State of Cloud Data Security 2023 Report focuses on three key areas that impact cloud data risk posture:

  • Common types of sensitive data and where it is located
  • Who can access sensitive information that leads to its exposure
  • Where sensitive data flows

Cloud adoption drives widespread data sprawl, which introduces risk that leads to security and compliance breaches as data are constantly shared, copied, transformed, and forgotten. But if you know where your sensitive data are located, it is easier to manage risk and secure your data.

Dig’s research found the most common sensitive data type organizations save is PII containing employee and customer data.

Additional findings include:

  • 91 percent of database services with sensitive data were not encrypted at rest, 20 percent had logging disabled, and 1.6 percent were open to the public
  • More than 60 percent of storage services were not encrypted at rest, and almost 70 percent were not logged

Enabling too much access or over-permission leads to sensitive data exposure. Risks are associated with sharing sensitive information between cloud accounts, storage assets and managed databases. The separation of duties between admin and consumer permissions is often neglected and not enforced in the cloud, further amplifying these risks.

Principals frequently have admin and consumer privileges unnecessarily, which violates the separation of duties principle. Best practices include granting explicit permissions to each asset instead of roles, and limiting sensitive data shared between accounts, which weakens control and increases the risk of data exposure.

Additional findings include:

  • 95 percent of principals with permissions are granted them through excessive privilege
  • More than 35 percent of principals have some privilege to sensitive data assets. Almost 10 percent have admin access, and almost 20 percent have consumer access to a sensitive asset
  • Almost 10 percent of principals have consumer permission, and around 5 percent have admin access to PCI data
  • Almost one percent of sensitive assets are shared with third-party vendors, and more than two percent of sensitive data assets are at risk due to direct access from a remote account

Minimizing excessive permissions and continuously monitoring access to sensitive data will help reduce data exposure. To do this, organizations should turn on logging for data assets and examine data flows that increase exposure risk before reducing the flows to the minimum required to ensure the destination is secured.

You must ensure data flows do not violate internal governance and external compliance mandates. Some regulations like GDPR also restrict sensitive information from leaving its geolocation. Duplication of data across different regions doubles the risks of exposure and could lead to a compliance breach if carried out across different geolocations. The State of Cloud Data Security 2023 Report highlights the absence of critical security controls for sensitive data and the need for additional security layers to ensure data is protected in cloud assets.

For more information on Dig Security, visit https://www.dig.security/.