Are your employees putting sensitive data at risk by using consumer-grade cloud storage accounts? According to a report from G2, 83% of IT professionals reported that employees stored company data on unsanctioned cloud services.
Your cloud data loss prevention plan needs critical security controls in place to prevent these platforms from leading to the theft of company information, intellectual property, personally identifiable information, and other critical business data.
In this article you will learn the security risks of shadow IT cloud platforms (“bring your own cloud”), cloud DLP best practices, and how to block employees from accessing Dropbox, Google Drive, and other consumer-grade cloud storage platforms.
The security software company McAfee regularly releases a Cloud Adoption and Risk Report that highlights key trends in cloud application usage, cloud security, and cloud data loss prevention.
Their reports have identified shocking figures that indicate the need for a cloud data loss prevention
Despite these significant cloud data loss risks, a disturbing 98% of cloud services used in organizations are not known to IT. Without full knowledge of the cloud services being used in the company, there is no reliable way for security personnel to mitigate the risks of these platforms.
Naturally, the rapid shift to work-from-home arrangements during the pandemic has skyrocketed the adoption of cloud services. McAfee reports a 50% spike in enterprise cloud service use, with manufacturing and financial services increasing their use the most.
See the full reports: 2017 | 2019 | 2020
UPDATE: Since McAfee Enterprise’s cloud products transitioned to Skyhigh Security, the URLs of the reports ceased to work. These links have been updated to archived versions of the reports on third-party websites.
Convenience and a lack of officially supported alternatives are by far the most common reasons for employee use of personal cloud applications in the workplace.
File sharing services facilitate collaboration among employees. They are also more convenient than sharing files over portable storage devices as the files can be updated in real-time and synced to multiple devices.
Even if the organization provides some form of file sharing (such as an on-premises file server), it may not be convenient for the employees to use. If the organization does not provide an alternative that is secure and easy to use, their employees will seek out personal cloud storage solutions that meet their needs.
So, what’s the bottom line?
If the organization’s infrastructure does not support the needs of employees, they will invent their own ways. The methods they settle on certainly aren’t guaranteed to be secure enough for business data.
For example, with the sudden shift to remote work, many employees needed to connect to the corporate network over a VPN. If an unprecedented spike in bandwidth caused connectivity issues, the employees would be tempted to resort to a consumer-grade cloud storage platform to work more efficiently.
According to Spiceworks research, the most popular cloud storage services that employees used without IT approval are…
Other popular shadow IT cloud storage solutions include Microsoft OneDrive (25%), Box (7%), Amazon Drive (5%), and Citrix ShareFile (1%).
According to Spiceworks research, the most popular cloud storage services in 2018 were OneDrive, Google Drive, and Dropbox.
Other notable competitors include Apple iCloud (13%), Box (6%), Citrix ShareFile (6%), and Amazon Drive (3%).
According to research by Statista, in 2020 the most popular cloud storage providers in the US B2C market were Google Drive (40%), Apple iCloud (33%), and Microsoft OneDrive (20%).
Other services used by consumers included Dropbox, Amazon Drive Cloud, Box, Mega, Baidu Yun/Wangpan, Ali Yun, Nextcloud, and Kingsoft KuaiPan.
One of the most prevalent cloud data loss prevention strategies is to mitigate the damage caused by the use of stolen account credentials. These incidents allow unauthorized third parties to gain access to corporate data stored in cloud services.
While these risks aren’t unique to consumer-grade cloud storage accounts, the lack of visibility and control that personal accounts have when compared to an enterprise-grade solution cannot be ignored.
Allowing employees to use their personal cloud storage accounts for work purposes (“Bring Your Own Cloud” or “BYOC”) is a security nightmare.
As part of your cloud data loss prevention plan, you need to mitigate employee use of personal cloud applications in the workplace. The use of consumer-grade cloud applications in the workplace without sufficient corporate oversight is a security risk that simply cannot be left unaddressed.
A 2018 Spiceworks survey of IT professionals confirms that the majority of organizations follow the cloud data loss prevention best practice of restricting what cloud storage sites their employees can access, along with other cloud security measures.
Cloud storage platforms allow employees to control and store data with ease. Alongside these new capabilities comes increased risk to sensitive enterprise data.
While technical controls for restricting employee access to cloud storage sites are a critical component of a cloud data loss prevention plan, they need to be combined with administrative controls too.
Organizations need to play a proactive role in handling employee education surrounding data protection in the cloud. Policies and end-user training are essential tools for establishing expectations surrounding data security, shadow IT, and cloud storage use.
Employees need education on…
How companies can communicate the data security risks of file sharing to their employees…
To truly stop employees from using non-sanctioned file sharing services you must provide them with an official alternative that is convenient and easy to use.
While preventing access to insecure cloud storage services and blocking USB storage devices is critical for data loss prevention, it is just as important that employees are provided a secure alternative for sharing files. Otherwise, they will be tempted to bypass security controls to prevent disruptions in their workflow.
Alternatives to consumer-grade cloud storage
Once an organization has determined which cloud storage provider will be officially adopted, the best practice is to block employees from accessing any other cloud storage providers unless there is a legitimate business reason to do so.
The CurrentWare Suite includes two key tools for restricting access to unsanctioned cloud storage services—BrowseControl web filtering software and AccessPatrol data loss prevention software.
BrowseControl includes web filtering and app restriction features, while AccessPatrol’s device permissions feature allows you to prevent uploads and downloads to cloud storage apps and websites in just a few clicks.
The CurrentWare Suite contains several tools to block employees from accessing unwanted cloud storage sites.
To truly prevent employees from using their personal cloud storage accounts, you need to block both the website and the associated applications for each provider.
Using BrowseControl you can prevent users from running certain programs by adding them to the Blocked Applications list.
The best practice for ensuring that employees are not using unsanctioned applications
Windows executables have an attribute called the “Original Filename”. This is used to describe the original file name assigned to an executable file when it was created.
BrowseControl uses the Original Filename to identify the executable file for the application. As the Original Filename remains intact even when the name of the executable is changed, using this attribute prevents the end-user from bypassing the app blocker by renaming the executable.
How to locate the Original Filename of an application
Note: Application shortcuts will not show the Original Filename. You need to go to the location where the application is installed to see the Original Filename attribute.
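To read the attribute for many programs at once rather than opening file properties one at a time, the following added example (not part of the original article or of CurrentWare's software) uses the `VersionInfo.OriginalFilename` property that PowerShell exposes on files. The search folders and the `ExampleSync.exe` watch list entry are assumptions to replace with your own.

```powershell
# Added example: inventory the Original Filename attribute of installed executables.
# The search roots and the watch list entry are assumptions, not values from the article.
function Get-OriginalFilenameInventory {
    [CmdletBinding()]
    param(
        # Folders where applications are installed. Shortcuts do not carry the
        # attribute, so the scan targets install locations, including per-user ones.
        [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA),

        # Original Filenames you intend to block. 'ExampleSync.exe' is a placeholder.
        [string[]]$WatchList = @('ExampleSync.exe')
    )

    $Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object {
        Get-ChildItem -LiteralPath $_ -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue
    } | ForEach-Object {
        # Empty when the executable has no version resource.
        $original = $_.VersionInfo.OriginalFilename

        [pscustomobject]@{
            Path             = $_.FullName
            FileName         = $_.Name
            OriginalFilename = $original
            # True when the name on disk differs from the name recorded at build time.
            # Some vendors ship files this way, so treat it as a lead to review.
            Renamed          = [bool]$original -and ($original -ne $_.Name)
            # True when the attribute matches an entry you plan to block.
            OnWatchList      = [bool]$original -and ($WatchList -contains $original)
        }
    }
}

# Show only the entries worth a closer look.
Get-OriginalFilenameInventory |
    Where-Object { $_.Renamed -or $_.OnWatchList } |
    Sort-Object OriginalFilename |
    Format-Table FileName, OriginalFilename, Renamed, OnWatchList, Path -AutoSize
```

Executables without a version resource return an empty `OriginalFilename`, so they cannot be matched on this attribute.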
Examples of Original filenames for cloud storage applications
Learn More: How to Block Windows Applications With BrowseControl
Mobile Device Management (MDM) or Mobile Application Management (MAM) is the best solution for preventing employees from using unsanctioned cloud storage apps on mobile devices. These tools allow organizations to block apps from being downloaded or installed on managed devices.
These solutions also allow granular control over access to sanctioned cloud storage applications with real-time monitoring and restrictions over access to cloud apps based on the user, their location, and the device they are using.
In BYOD environments an MDM allows the organization to secure corporate data within a container that is separate from the employee’s personal resources. This allows the company to remotely wipe all corporate data from the device without affecting the employee’s personal files.
The CurrentWare Suite includes transparent packet filtering technology, allowing you to track what files are being transferred to cloud storage services, network share drives, removable media, and more.
Proactively blocking employees from accessing cloud storage sites is the best way to restrict their use. That said, there’s always the possibility that new cloud storage providers are not yet blocked by your web filter.
Using employee internet monitoring software such as BrowseReporter allows you to see the specific websites that are being visited by employees. Their internet activity reports can be reviewed for the presence of unauthorized cloud storage sites and other unwanted SaaS platforms.
The bandwidth consumption of individual employees and computers can also be monitored. Anomalous spikes in bandwidth could be an indication of large file transfers to a third party.
Once unwanted websites are discovered you can then add them to your web filter and issue any corrective action that is required to enforce the company’s security policies.
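The review described above can be scripted once activity data is exported. This added example (not from the original article, and not BrowseReporter's export format) assumes a hypothetical CSV layout of `Date,User,Site,BytesOut`; the records, host names and thresholds are constructed.

```powershell
# Added example: review exported web activity for upload spikes and unlisted sites.
# Every record, host name and threshold here is constructed for illustration.
$records = @'
Date,User,Site,BytesOut
2024-03-04,alice,files.sanctioned.example,1200000
2024-03-05,alice,files.sanctioned.example,900000
2024-03-06,alice,files.sanctioned.example,1500000
2024-03-07,alice,newshare.example,480000000
2024-03-04,bob,files.sanctioned.example,700000
2024-03-05,bob,files.sanctioned.example,650000
2024-03-06,bob,files.sanctioned.example,800000
2024-03-07,bob,files.sanctioned.example,720000
'@ | ConvertFrom-Csv

function Get-Median([double[]]$Values) {
    $sorted = @($Values | Sort-Object)
    $mid = [int][math]::Floor($sorted.Count / 2)
    if ($sorted.Count % 2) { $sorted[$mid] } else { ($sorted[$mid - 1] + $sorted[$mid]) / 2 }
}

# Flag days where a user's uploads are large in absolute terms AND far above
# that user's own median day, so normally heavy uploaders are not flagged daily.
function Find-UploadSpike {
    param($Records, [double]$Factor = 10, [double]$MinBytes = 100MB)
    foreach ($user in ($Records | Group-Object User)) {
        $daily = $user.Group | Group-Object Date | ForEach-Object {
            [pscustomobject]@{
                Date     = $_.Name
                BytesOut = ($_.Group | Measure-Object -Property BytesOut -Sum).Sum
            }
        }
        $baseline = Get-Median ($daily.BytesOut)
        $daily |
            Where-Object { $_.BytesOut -ge $MinBytes -and $_.BytesOut -gt $Factor * $baseline } |
            ForEach-Object {
                [pscustomobject]@{
                    User = $user.Name; Date = $_.Date
                    BytesOut = $_.BytesOut; Baseline = $baseline
                }
            }
    }
}

# List destinations that are neither sanctioned nor already in the web filter,
# largest upload volume first, as candidates to review and add to the filter.
function Find-UnlistedSite {
    param($Records, [string[]]$KnownSites)
    $Records | Where-Object { $KnownSites -notcontains $_.Site } |
        Group-Object Site | ForEach-Object {
            [pscustomobject]@{
                Site     = $_.Name
                Users    = ($_.Group.User | Sort-Object -Unique) -join ','
                BytesOut = ($_.Group | Measure-Object -Property BytesOut -Sum).Sum
            }
        } | Sort-Object BytesOut -Descending
}

Find-UploadSpike -Records $records
Find-UnlistedSite -Records $records -KnownSites 'files.sanctioned.example'
```

With the constructed data, both functions surface the same event: alice's 480 MB transfer to `newshare.example` on 2024-03-07.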
While the best practice is to not provide employees with the ability to install software on company computers, there may be scenarios where privilege escalation went unnoticed or otherwise trusted employees have installed unwanted software.
Just as with the web filtering scenario, monitoring employee application usage allows you to detect software that has not been added to the blocked application list.
BrowseReporter’s application usage monitoring report conveniently shows you the Original Filename of the applications that are being used. Once the unwanted applications are identified you can then add those Original Filenames to BrowseControl’s application blocker to prevent employees from launching them in the future.
If you would like to see how often employees are using a specific application, you can enter the name of the application in BrowseReporter’s Specific Application Usage report. The report will display the dates for each day the application was used and indicate how long the application was actively used.
Using enterprise-grade cloud storage services is essential for cloud DLP.
With these solutions data can be readily classified according to its risk level, allowing access to be limited accordingly. Rather than providing employees with open access to all data that is stored on an account, administrators can assign different access permissions for each department or individual based on their legitimate business needs.
These access controls help reduce the potential for insider threats to accidentally or maliciously modify, download, or delete critical business data. Enterprise platforms will also include other critical security controls that consumer-grade platforms do not have such as features for data recovery and file access auditing.
Non-IT employees must not be administrators of cloud applications. Doing so prevents the organization from governing access to unstructured data, keeping track of where data is stored, and restricting who has access to it.
This is especially true for consumer-grade cloud storage as these solutions will not have the auditing capabilities required to investigate the cause of a data breach. Employees that are permitted to use personal accounts on company devices will also have a greater expectation of privacy, potentially limiting what their employer is allowed to monitor.
While third-party cloud storage providers have a vested interest in keeping the data of their customers safe, there is still a fundamental risk when trusting sensitive data with an external party.
Even if the cloud service provider is reliable and secure, a data breach is as simple as compromised account credentials with improper access controls in place.
For this reason, companies that use third-party cloud storage providers must encrypt sensitive data before it is uploaded to the cloud service provider.
Keeping sensitive data encrypted is a critical security control for preventing third parties from making use of company data. Even if the files themselves are exfiltrated from the cloud storage account the threat actor will be unable to decipher the contents without the accompanying decryption key.
Data states where encryption is needed
Providing training and enforcement for password hygiene is a critical step towards preventing unauthorized access to cloud services.
An enterprise-grade password manager or SSO solution can help mitigate poor password hygiene. These solutions are particularly valuable if an employee is furloughed or dismissed as their access to the solutions can be readily revoked before they have an opportunity to exfiltrate data.
Officially sanctioned cloud storage and file sharing solutions are not immune to misuse. To better protect these solutions the best practice is to use conditional access policies. These policies will restrict what employees can access based on their permissions and the risk level of the access request.
With conditional access policies, you can automatically apply different degrees of access controls as needed to keep your organization secure, while reducing the degree of authentication required for access requests that are lower risk.
What Conditional Access Policies consider
The data security risks of file sharing and cloud storage need to be addressed as part of your cloud DLP strategy. By restricting the use of personal cloud storage accounts, providing employees with secure alternatives, and training them on their cloud data security responsibilities you can protect sensitive data from being leaked or misused.
CurrentWare’s employee computer monitoring and restriction software provides critical security controls for preventing employees from accessing unwanted websites and applications.
Secure your business against personal cloud storage use today with a FREE trial of CurrentWare’s DLP solutions