

A new report from data security startup Dig Security Solutions Inc. today highlighted the growing issue of potential risks associated with managing and storing sensitive data in cloud environments.
The “State of Cloud Data Security 2023” report, based on an analysis of 13 billion files stored in public cloud environments, examines three critical aspects affecting a company’s cloud data risk posture: the types of sensitive data and its location, who has access to this information and the paths along which this data travels.
According to Dig Security’s researchers, one of the primary data security risks in 2023 is that cloud adoption results in data sprawl that complicates risk management and can lead to security and compliance breaches. The report found that more than 30% of cloud data assets contain sensitive information, with the most common type of exposed data being personally identifiable information.
A full 91% of database services with sensitive data were not encrypted at rest, 20% had logging disabled and 1.6% were open to the public. More than 60% of storage services were not encrypted at rest and almost 70% were not logged.
The report also highlights access control concerns, namely who has access to sensitive data. Maintaining stringent control is noted as a significant challenge, with cloud storage assets, managed databases and inter-account sharing creating complex access dynamics. The separation of duties principle, which splits admin and consumer permissions, is said to be often overlooked in the cloud. The report found that nearly 95% of individuals with permissions are granted them excessively and around 35% have some privilege to sensitive data assets.
The report also examines where sensitive data flows, detailing that on average, each piece of sensitive data is accessed by 14 different entities. In addition, 6% of companies were found to have sensitive data that has been transferred to publicly open assets.
The report also draws attention to the substantial flow of data across geographic locations, a situation that in 2023 raises regulatory compliance issues. Some 56% of sensitive data assets are accessed from multiple geographic locations, which Dig Security’s researchers note is a red flag for potential compliance breaches under regulations such as the European Union’s General Data Protection Regulation, which imposes geolocation-based restrictions.
Dig’s report concludes with sound advice on mitigating and avoiding cloud data pitfalls. Organizations are advised to activate logging for data assets and scrutinize data flows that elevate exposure risks. The report also calls for action to ensure data flows align with internal governance and adhere to external compliance mandates.
“To protect data wherever it lives, modern enterprises must build a comprehensive data security stack, including a Data Security Posture Management solution with real-time Data Detection and Response capabilities,” Dan Benjamin, co-founder and chief executive of Dig Security, said ahead of the release of the report.
Dig Security is a venture capital-backed company, having last raised $34 million in funding in September. The company’s investors include SignalFire LP, Felicis LLC, Okta Ventures LLC and Team8 LP.