Researchers investigating information stored in various public cloud environments found personally identifiable information in more than 30% of the over 13 billion files and 8 petabytes analyzed for their study.
In its report, The State of Cloud Data Security in 2023, released Wednesday, Dig Security’s researchers found that the most common type of sensitive data was personally identifiable information (PII). In a sample of over 1 billion records, 21% contained email addresses, 7% contained phone numbers and 6% had home addresses.
Additionally, about 10 million Social Security numbers were found in the same sample, making it the sixth-most common PII, while credit card numbers were the seventh-most common at 3 million.
The report also found that 91% of database services with sensitive data were not encrypted at rest, 20% had logging disabled, and 1.6% were open to the public, while more than 60% of storage services were not encrypted at rest, and almost 70% were not logged.
A vast majority of principals with permissions, 95%, are granted them through excessive privilege, and more than 35% of principals have some privilege to sensitive data assets.
Sensitive data was also found flowing to unmanaged environments such as data lakes like Hadoop and Snowflake 40% of the time, putting the data at significant risk, researchers said.
Replication between storage assets is responsible for 30% of the activity involving sensitive data.
More than 50% of sensitive data assets are accessed by five to 10 applications, and almost 20% of sensitive data assets are accessed by 10 to 20 applications, according to the report.
Dig Security’s goal in developing the report was to drive awareness of how users engage with sensitive data in today’s working environments and to expose the corresponding risk, said Dan Benjamin, the company’s CEO and co-founder, in a statement.
“Many organizations handle sensitive customer and corporate data too casually,” Benjamin said.
Shawn Surber, senior director of technical account management at Tanium, said the move to cloud has created a significant problem in nearly every industry as administrators become responsible for new services, compute instances, and every possible “as a service” offering imaginable, each of which comes with a different management tool.
“As a result of all these new management tools, there are an inevitable number of additional risks and vulnerabilities introduced,” said Surber. “This creates an environment where already over-stressed admins are trying to do their best, but lack the knowledge, training, and resources to implement all these new capabilities perfectly.”
“... This is a direct consequence of the siloed nature of organizations where there’s little sharing of data, processes, or tools between teams,” he continued. “A convergence of teams, tools and processes is needed in order to resolve huge gaps like these in data and system protection.”