Dig Security released findings from its first-ever State of Cloud Data Security 2023 Report. The analysis of more than 13 billion files stored in public cloud environments reveals how - and why - sensitive data is at risk in the modern enterprise.
"Many organizations handle sensitive customer and corporate data too casually. Our goal in developing the State of Cloud Data Security 2023 Report is to drive awareness over how users engage with sensitive data in today's working environments, and expose corresponding risks," said Dan Benjamin, CEO and Co-founder, Dig Security. "To protect data wherever it lives, modern enterprises must build a comprehensive data security stack, including a Data Security Posture Management (DSPM) solution with real-time Data Detection and Response (DDR) capabilities."
Dig's researchers found that more than 30% of cloud data assets contain sensitive information. Personally identifiable information (PII) is the most common sensitive data type that organizations save. In a sample data set of 1 billion records, more than 10 million social security numbers were found (the sixth most common type of sensitive information), followed by almost 3 million credit card numbers, the seventh most common type.
The Dig Security State of Cloud Data Security 2023 Report focuses on three key areas that impact cloud data risk posture:
- Common types of sensitive data and where it is located
- Who can access sensitive information that leads to its exposure
- Where sensitive data flows
Where is Your Sensitive Data?
Cloud adoption is driving widespread data sprawl, which introduces risk that leads to security and compliance breaches as data is constantly shared, copied, transformed, and forgotten. But if you know where your sensitive data is located, it is easier to manage risk and secure your data. Dig's research found the most common sensitive data type organizations save is PII containing employee and customer data.
Additional findings include:
- 91% of database services with sensitive data were not encrypted at rest, 20% had logging disabled, and 1.6% were open to the public
- More than 60% of storage services were not encrypted at rest, and almost 70% were not logged
Who Has Access to Sensitive Data?
Enabling too much access, or overpermissioning, leads to sensitive data exposure. Risks are also associated with sharing sensitive information between cloud accounts, storage assets, and managed databases. The separation of duties between admin and consumer permissions is often neglected and not enforced in the cloud, further amplifying these risks. Principals frequently hold both admin and consumer privileges unnecessarily, which violates the separation of duties principle. Best practices include granting explicit permissions to each asset instead of roles, and limiting the sharing of sensitive data between accounts, since such sharing weakens control and increases the risk of data exposure.
Additional findings include:
- 95% of principals with permissions are granted them through excessive privilege
- More than 35% of principals have some privilege to sensitive data assets. Almost 10% have admin access, and almost 20% have consumer access to a sensitive asset
- Almost 10% of principals have consumer permission, and around 5% have admin access to PCI data
- Almost 1% of sensitive assets are shared with third-party vendors, and more than 2% of sensitive data assets are at risk due to direct access from a remote account
Where Does Sensitive Data Flow?
Sensitive data, on average, is accessed by 14 different principals, and 6% of companies have sensitive data that has been transferred to publicly open assets. Compounding the issue is the frequent flow of data across geolocations. Sensitive information accessed from different geolocations is common. Over 56% of sensitive data assets are accessed from multiple geographic locations, and 26% are accessed by five or more geolocations. As data flows, the risk grows - 77% of sensitive data assets have more than one cross-service flow.
Additional findings include:
- 40% of data flows to data lakes (Hadoop and Snowflake). Hadoop ingests 37%, which duplicates sensitive data into an unmanaged environment, putting it at significant risk
- Replication between storage assets is responsible for 30% of the activity involving sensitive data
- More than 50% of sensitive data assets are accessed by 5-to-10 applications, and almost 20% of sensitive data assets are accessed by 10-to-20 applications
Minimizing excessive permissions and continuously monitoring access to sensitive data will help reduce data exposure. To do this, organizations should turn on logging for data assets, examine the data flows that increase exposure risk, reduce those flows to the minimum required, and ensure each destination is secured. You must ensure data flows do not violate internal governance and external compliance mandates. Some regulations, such as GDPR, also restrict sensitive information from leaving its geolocation. Duplication of data across different regions doubles the risk of exposure and could lead to a compliance breach if carried out across different geolocations. The State of Cloud Data Security 2023 Report highlights the absence of critical security controls for sensitive data and the need for additional security layers to ensure data is protected in cloud assets.
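As an added illustration (not Dig's code or data), the following Python computes, over a constructed inventory, the three kinds of findings the report describes: per-asset-kind control gaps (encryption at rest, logging, public exposure), principals that hold both admin and consumer rights on the same asset, and data flows that cross regions. The asset fields, grant levels and region names are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample inventory (not Dig's data). Asset columns:
FIELDS = ("id", "kind", "sensitive", "encrypted_at_rest", "logging", "public", "region")
ASSETS = [dict(zip(FIELDS, row)) for row in [
    ("db-1", "database", True, False, True, False, "eu-west-1"),
    ("db-2", "database", True, False, False, True, "us-east-1"),
    ("db-3", "database", False, True, True, False, "us-east-1"),
    ("bucket-1", "storage", True, True, False, False, "eu-west-1"),
    ("bucket-2", "storage", True, False, False, False, "us-east-1"),
    ("lake-1", "storage", True, True, True, False, "us-east-1"),
]]
GRANTS = [  # (principal, asset, level) -- constructed IAM grants
    ("alice", "db-1", "admin"), ("alice", "db-1", "consumer"), ("bob", "db-1", "consumer"),
    ("carol", "db-2", "admin"), ("svc-etl", "bucket-2", "consumer"), ("svc-etl", "lake-1", "admin"),
]
FLOWS = [("db-1", "lake-1"), ("bucket-2", "lake-1"), ("db-2", "bucket-1")]  # (source, destination)


def control_gaps(assets):
    """Percentage of sensitive assets, per kind, missing each control the report measures."""
    gaps = {}
    for kind in ("database", "storage"):
        pool = [a for a in assets if a["kind"] == kind and a["sensitive"]]

        def pct(pred, pool=pool):
            return round(100 * sum(pred(a) for a in pool) / max(len(pool), 1), 1)

        gaps[kind] = {
            "not_encrypted_pct": pct(lambda a: not a["encrypted_at_rest"]),
            "logging_disabled_pct": pct(lambda a: not a["logging"]),
            "public_pct": pct(lambda a: a["public"]),
        }
    return gaps


def sod_violations(grants):
    """(principal, asset) pairs where one principal holds both admin and consumer rights."""
    levels = defaultdict(set)
    for principal, asset, level in grants:
        levels[(principal, asset)].add(level)
    return sorted(k for k, v in levels.items() if {"admin", "consumer"} <= v)


def cross_region_flows(assets, flows):
    """Flows whose source and destination sit in different regions (the GDPR concern above)."""
    region = {a["id"]: a["region"] for a in assets}
    return [(src, dst) for src, dst in flows if region[src] != region[dst]]
```

Feeding real inventory, grant and flow exports into these functions gives the same breakdown the report presents, which makes it easy to track the percentages as logging and encryption are switched on.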
The Dig Data Security Platform is the industry's first and only solution to combine DSPM, data loss prevention (DLP), and data detection and response (DDR) capabilities into a single platform. Dig enables enterprise cloud and security teams to produce immediate insights using its agentless cloud native solution that delivers a short setup time, zero maintenance, and comprehensive, automated response at scale.
For more information on Dig Security, visit https://www.dig.security/.