July 22, 2018
Why Do Cloud Data Leaks Happen?
In the first article of this series, we looked at what a cloud data loss is and what sets it apart from other types of attacks. We gave a brief overview of the reasons behind these data losses. In this article, we'll explore further the why and how of these data losses.
To understand why data is lost, you have to understand how data is generated, handled, modified, and used. It is widely understood that companies collect and analyze this data for various reasons: to increase sales by better understanding their customers, improve their processes, enhance their product, and so on. As a result, it becomes necessary to correlate and manipulate the data to draw out the information being sought. These modifications can be very complex. That's why several copies of the same data exist: the production environment where new data is stored and where analysts can run queries, the backup copies, the development environment, the test environment, the personal computer of an analyst who copied the data to be able to work from home, and so on. Storage today costs 6 times less than it did in 2010. Making copies of data is inexpensive and very convenient. However, every additional place where the data exists increases the risk, since all of these locations must be properly protected.
Data passes through a multitude of controls and security checkpoints. This is what's known as the chain of trust. Its links may be DLP software, encrypted storage units, firewalls, computers, USB drives, and very often a cloud. A chain is only as strong as its weakest link.
This approach is very widespread across most companies. It's not only telecommunications companies or national defense suppliers, but all companies. The digital shift is a fundamental change that affects every business in how they interact with their customers and how they operate. Some companies have the expertise to manage their data and extract the metrics that matter to them; others choose to work with companies that specialize in the field. A new data economy exists with these specialized companies that have the skills and tools needed to manage this information.
The ease of copying this data, multiplied by the value of the metrics extracted from it, pushes companies to use it more. As a result, major investments are made in cloud infrastructure to perform better in terms of speed and volume. However, not as much attention and investment have gone into analyzing the potential business risks, and even less into mitigating the risks posed by this easily accessible, copyable, and distributable data.
The appeal of the cloud:
The advantages of cloud infrastructure are well known. In less than 10 minutes, you have at your disposal the equivalent of hundreds of thousands of dollars' worth of servers without having to worry about configuration. They don't require equipment capitalization, they're elastic (they grow and shrink with your needs), and they're easy to automate. That automation can sometimes leave operational blind spots. These blind spots, though small, can leave personal data publicly exposed, regardless of the platform. Whether it's Google Cloud Platform, Amazon Web Services, Microsoft Azure, or IBM Bluemix, any infrastructure exposed to the internet is liable to be the target of human error or an accident and thus expose your data. It's important to note that the platforms mentioned above have their settings private by default. Data leaks aren't specific to any one platform; they stem from processes and a lack of security controls in general.
Personal data management:
Some countries have begun putting in place procedures for managing personally identifiable information (PII), such as the GDPR in Europe and HIPAA in the United States. Other organizations have already had a similar policy in place for several years, such as PCI DSS. In Canada and Quebec, some bills are in progress, but nothing concrete has yet been put in place. It's important to understand that these policies are generally frameworks rather than specific instructions on securing data.