Cloud DLP – How to Protect Data Against Employee Cloud Storage Use


Are your employees putting sensitive data at risk by using consumer-grade cloud storage accounts? Your cloud data loss prevention plan needs critical security controls in place to prevent these platforms from leading to the theft of company information, intellectual property, personally identifiable information, and other critical business data.

In this article you will learn the security risks of shadow IT cloud platforms (“bring your own cloud”), cloud DLP best practices, and how to block employees from accessing Dropbox, Google Drive, and other consumer-grade cloud storage platforms.


Why is Cloud Data Loss Prevention Necessary?

The security software company McAfee regularly releases a Cloud Adoption and Risk Report that highlights key trends in cloud application usage, cloud security, and cloud data loss prevention. 

Their reports have identified shocking figures that indicate the need for cloud data loss prevention:

  • 97% of organizations use cloud services (public, private, or a combination of both)
  • 83% of organizations worldwide store sensitive data in the cloud
  • 80% of all organizations experience at least 1 compromised account threat per month
  • 94.3% of organizations experience at least one insider threat incident per month
  • Sharing sensitive data with an open, publicly accessible link increased by 23% between 2017 and 2019
  • Across over 25,000 cloud services in use in 2018, only 8% meet the strict data security and privacy requirements of enterprises

Despite these significant cloud data loss risks, a disturbing 98% of cloud services used in organizations are not known to IT.  Without full knowledge of the cloud services being used in the company, there is no reliable way for security personnel to mitigate the risks of these platforms. 

Naturally, the rapid shift to work-from-home arrangements during the pandemic has skyrocketed the adoption of cloud services. McAfee reports a 50% spike in enterprise cloud service use, with manufacturing and financial services increasing their use the most.

See the full reports: 2017 | 2019 | 2020

Why Do Employees Use Personal Cloud Storage Accounts for Work?

Convenience and a lack of officially supported alternatives are by far the most common reasons for employee use of personal cloud applications in the workplace.

File sharing services facilitate collaboration among employees. They are also more convenient than sharing files over portable storage devices as the files can be updated in real-time and synced to multiple devices.

Even if the organization provides some form of file sharing (such as an on-premises file server), it may not be convenient for the employees to use. If the organization does not provide an alternative that is secure and easy to use, their employees will seek out personal cloud storage solutions that meet their needs.

So, what’s the bottom line?

If the organization’s infrastructure does not support the needs of employees, they will invent their own ways. The methods they settle on certainly aren’t guaranteed to be secure enough for business data.

For example, with the sudden shift to remote work, many employees needed to connect to the corporate network over a VPN. If an unprecedented spike in bandwidth caused connectivity issues, employees would be tempted to resort to a consumer-grade cloud storage platform to work more efficiently.

The Most Popular Shadow IT Cloud Storage Solutions


According to Spiceworks research, the most popular cloud storage services that employees used without IT approval are…

  • Dropbox – 54% of employees use Dropbox without IT approval
  • Google Drive – 43% of employees use Google Drive without IT approval
  • Apple iCloud Drive – 27% of employees use Apple iCloud Drive without IT approval

Other popular shadow IT cloud storage solutions include Microsoft OneDrive (25%), Box (7%), Amazon Drive (5%), and Citrix ShareFile (1%).

The Most Popular Cloud Storage Services for Enterprise


According to Spiceworks research, the most popular cloud storage services in 2018 were OneDrive, Google Drive, and Dropbox.

  • OneDrive: 51% of businesses use OneDrive, and an additional 10% planned to deploy it by 2020.
  • Google Drive: 34% of businesses use Google Drive, and an additional 2% planned to deploy it by 2020.
  • Dropbox: 34% of businesses use Dropbox, and an additional 3% planned to deploy it by 2020.

Other notable competitors include Apple iCloud (13%), Box (6%), Citrix ShareFile (6%), and Amazon Drive (3%).

The Most Popular Cloud Storage Services for Consumers


According to research by Statista, in 2020 the most popular cloud storage providers in the US B2C market were Google Drive (40%), Apple iCloud (33%), and Microsoft OneDrive (20%). 

Other services used by consumers included Dropbox, Amazon Drive Cloud, Box, Mega, Baidu Yun/Wangpan, Ali Yun, Nextcloud, and Kingsoft KuaiPan.

Your Cloud DLP Plan Needs to Prevent Personal Cloud Storage Use

One of the most prevalent cloud data loss prevention strategies is to mitigate the damage caused by the use of stolen account credentials. These incidents allow unauthorized third parties to gain access to corporate data stored in cloud services. 

While these risks aren’t unique to consumer-grade cloud storage accounts, the lack of visibility and control that personal accounts have when compared to an enterprise-grade solution cannot be ignored. 

Allowing employees to use their personal cloud storage accounts for work purposes (“Bring Your Own Cloud” or “BYOC”) is a security nightmare.

  • Authentication: The security of personal cloud storage accounts is at the mercy of the employee’s password hygiene. If they have a habit of reusing credentials and not enabling multi-factor authentication their account can be readily compromised by a third-party data breach. 
  • Data Controls: Giving employees full control over accounts with corporate data decentralizes cloud data security. IT admins have no way of preventing employees from using publicly accessible links for sensitive files, sharing data with unauthorized third parties, or otherwise exfiltrating data. 
  • IP Theft: Employee offboarding is high-risk under ideal circumstances, let alone when corporate assets are outside the control of the IT department. Allowing employees to freely mix personal and business data further complicates ownership of intellectual property, as the data is now readily accessible from their personal accounts.
  • Remote Access: If employees are allowed to store corporate data in their personal accounts, they can access that data on demand without a suitable audit trail. Even if their access to corporate systems is revoked, they retain the ability to log in to their personal account.
  • Consumer vs Enterprise: Consumer-grade cloud storage accounts have far fewer security controls in place to protect the data that is stored and shared on the platform. Key features such as expiration dates, client-side encryption, download limits, data security and privacy compliance requirements, and password-protected sharing are rarely included in the free offerings of cloud storage providers.

As part of your cloud data loss prevention plan, you need to mitigate employee use of personal cloud applications in the workplace. The use of consumer-grade cloud applications in the workplace without sufficient corporate oversight is a security risk that simply cannot be left unaddressed.

What Are the Most Common Cloud Data Loss Prevention Methods?

A 2018 Spiceworks survey of IT professionals confirms that the majority of organizations follow the cloud data loss prevention best practice of restricting what cloud storage sites their employees can access, along with other cloud security measures.

  • 57% of organizations only allow employees to use approved cloud storage services
  • 55% of organizations enforce user access controls
  • 48% train employees on how to use cloud storage services properly
  • 28% enforce multi-factor authentication when using these services
  • 28% have a cloud data security policy in place
  • 26% encrypt data in transit via their cloud storage service; 22% encrypt data at rest

How to Prevent Employees From Using Personal Cloud Storage Accounts

Establish Company Policies & Cloud DLP Training


Cloud storage platforms allow employees to control and store data with ease. Alongside these new capabilities comes increased risk to sensitive enterprise data. 

While technical controls for restricting employee access to cloud storage sites are a critical component of a cloud data loss prevention plan, they need to be combined with administrative controls too.

Organizations need to play a proactive role in handling employee education surrounding data protection in the cloud. Policies and end-user training are essential tools for establishing expectations surrounding data security, shadow IT, and cloud storage use. 

Employees need education on…

  • The best practices they need to follow to protect sensitive files, such as the unique storage requirements for each classification of data
  • The dangers of consumer-grade file sharing and the best alternatives to them
  • The organization’s security requirements and reporting process for security incidents
  • New cloud security threats that affect their day-to-day operations
  • What officially supported file sharing options are available to them

How companies can communicate the data security risks of file sharing to their employees…

  • Assign someone to be directly responsible for educating employees about their security responsibilities.
  • If cloud security expertise is not available internally, contract a cybersecurity awareness training consultant.
  • Provide cloud security awareness training for employees. The training must include some form of quizzing to identify areas where employees may require additional training.
  • Regularly reinforce the key points provided by the training to ensure that employees remain aware of the risks and their responsibilities.
  • Provide employees with retraining every 4-6 months to keep their knowledge fresh and up-to-date
  • Maintain an open communication policy that allows employees to ask questions when they are uncertain of the best course of action.


Provide Viable Alternatives


To truly stop employees from using non-sanctioned file sharing services you must provide them with an official alternative that is convenient and easy to use. 

While preventing access to insecure cloud storage services and blocking USB storage devices is critical for data loss prevention, it is just as important that employees are provided with a secure alternative for sharing files. Otherwise, they will be tempted to bypass security controls to avoid disruptions to their workflow.

Alternatives to consumer-grade cloud storage

  • An on-premises file server, SharePoint site, Enterprise Content Management (ECM) platform, or similar solution that is accessible to all employees that need to collaborate
  • A reliable and convenient VPN connection that employees can use to access the corporate network when they work off-site
  • Enterprise-grade cloud storage solutions such as Box, Dropbox Business, or Google Workspace
  • Self-hosted storage and file sharing services such as FileCloud, OwnCloud, or NextCloud
  • For collaboration with third parties, have a trusted IT admin place the files in a secure network storage location rather than allowing employees to share and access cloud storage links.

Block Access to Unsanctioned Cloud Storage Providers

Once an organization has determined which cloud storage provider will be officially adopted, the best practice is to block employees from accessing any other cloud storage providers unless there is a legitimate business reason to do so.

Rather than resorting to manually blocking IP addresses using a traditional firewall, companies can use web filtering and internet monitoring software to prevent employees from using unauthorized cloud storage services.

How to Block Cloud Storage Websites


BrowseControl web filtering software allows organizations to block employees from accessing unwanted cloud storage sites.

  • Category Filtering: This is by far the easiest and most effective way to block employees from accessing cloud storage sites. Simply add the File Hosting category to your blocked categories list, then add the domain of the sanctioned provider to the Allow List.
  • URL Filtering: If you’d only like to block a select few cloud storage providers you can add their domains to the URL block list (e.g. Dropbox.com, Drive.Google.com, etc). This method is more time-consuming as you’ll need to manually add each URL you would like to block to the Block List.
  • Custom Permissions: BrowseControl allows you to block cloud storage sites for some employees while allowing it for others. You can also temporarily allow access to a website with just a few clicks. This is the ideal solution for allowing trusted employees to use otherwise restricted websites on an as-needed basis.

How to Block Cloud Storage Applications

To truly prevent employees from using their personal cloud storage accounts, you need to block both the website and the associated applications for each provider.

Using BrowseControl you can prevent users from running certain programs by adding them to the Blocked Applications list.

  1. Launch BrowseControl’s App Blocker
  2. Use the Original Filename* of the cloud storage app to add it to the Application List
  3. Add the applications you would like to block to the Blocked Application List

The best practices for ensuring that employees are not using unsanctioned applications:

  • Do not provide end-users with administrative privileges
  • Monitor application usage to detect any unauthorized programs
  • Block employees from launching unauthorized applications

*What is an “Original Filename”?

Windows executables have an attribute called the “Original Filename”. This is used to describe the original file name assigned to an executable file when it was created. 

BrowseControl uses the Original Filename to identify the executable file for the application. Because the Original Filename is read from the file’s embedded version information rather than from its name on disk, it remains intact even when the executable is renamed, so using this attribute prevents the end-user from bypassing the app blocker simply by renaming the executable.

How to locate the Original Filename of an application

  1. Right-click on the .exe file in Windows Explorer and select Properties.
  2. Select the Details tab. The original filename is listed as one of the properties; the value listed in the adjacent cell is the original filename of the application.

Note: Application shortcuts will not show the Original Filename. You need to go to the location where the application is installed to see the Original Filename attribute.

Examples of Original Filenames for cloud storage applications

  • Dropbox: DropboxUpdate.exe, Dropbox.exe, DropboxOEM.exe, DbxSvc.exe
  • Google Drive: GoogleDriveSync.exe, GoogleDriveFS.exe
  • OneDrive: OneDrive.exe, OneDriveStandaloneUpdater.exe, OneDriveSetup.exe, SkyDrive.exe
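The Original Filename can also be read programmatically, which is useful for auditing before the block list is configured and for detecting renamed copies. The PowerShell script below is an added example, not CurrentWare’s code: it uses .NET’s FileVersionInfo (which exposes the executable’s version resource) to sweep installed executables and running processes for the cloud storage clients listed above and flags any file whose name on disk no longer matches its Original Filename. The search roots and the block list contents are assumptions you can adjust.

```powershell
# Added example: audit executables and running processes by their embedded
# "OriginalFilename" version attribute rather than by their file name on disk.

# Original Filenames from the list above (assumed block list; adjust as needed).
$BlockedOriginalFilenames = @(
    'DropboxUpdate.exe', 'Dropbox.exe', 'DropboxOEM.exe', 'DbxSvc.exe',
    'GoogleDriveSync.exe', 'GoogleDriveFS.exe',
    'OneDrive.exe', 'OneDriveStandaloneUpdater.exe', 'OneDriveSetup.exe', 'SkyDrive.exe'
)

function Get-OriginalFilename {
    param([Parameter(Mandatory)][string]$Path)
    # Reads the OriginalFilename field of the file's VS_VERSIONINFO resource.
    # Returns $null for files without version information (scripts, some installers).
    try {
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
        if ([string]::IsNullOrWhiteSpace($info.OriginalFilename)) { return $null }
        return $info.OriginalFilename.Trim()
    } catch {
        return $null
    }
}

function Find-BlockedCloudClients {
    param(
        # Assumed search roots: per-machine and per-user install locations.
        [string[]]$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA),
        [string[]]$Blocked = $BlockedOriginalFilenames
    )

    # 1. Executables on disk. SilentlyContinue keeps access-denied folders from
    #    aborting the sweep. -contains is case-insensitive in PowerShell.
    $onDisk = Get-ChildItem -Path $SearchRoots -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $orig = Get-OriginalFilename -Path $_.FullName
            if ($orig -and ($Blocked -contains $orig)) {
                [pscustomobject]@{
                    Source           = 'Disk'
                    Path             = $_.FullName
                    OriginalFilename = $orig
                    # A name on disk that differs from the resource means the copy was renamed.
                    Renamed          = ($_.Name -ne $orig)
                }
            }
        }

    # 2. Running processes. .Path is $null for protected or system processes.
    $running = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        ForEach-Object {
            $orig = Get-OriginalFilename -Path $_.Path
            if ($orig -and ($Blocked -contains $orig)) {
                [pscustomobject]@{
                    Source           = "Process:$($_.Id)"
                    Path             = $_.Path
                    OriginalFilename = $orig
                    Renamed          = ([System.IO.Path]::GetFileName($_.Path) -ne $orig)
                }
            }
        }

    @($onDisk) + @($running)
}

Find-BlockedCloudClients | Sort-Object Path, Source -Unique | Format-Table -AutoSize
```

Rows with Renamed set to True are the cases a name-based block list would miss; the OriginalFilename column gives the value to enter into the Blocked Application List.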

Learn More: How to Block Windows Applications With BrowseControl

Create Cloud App Security Policies on Mobile Devices

Mobile Device Management (MDM) or Mobile Application Management (MAM) is the best solution for preventing employees from using unsanctioned cloud storage apps on mobile devices. These tools allow organizations to block apps from being downloaded or installed on managed devices.

These solutions also allow granular control over access to sanctioned cloud storage applications with real-time monitoring and restrictions over access to cloud apps based on the user, their location, and the device they are using.

In BYOD environments an MDM allows the organization to secure corporate data within a container that is separate from the employee’s personal resources. This allows the company to remotely wipe all corporate data from the device without affecting the employee’s personal files.

How to Detect Unauthorized Cloud Storage Use

Track the Websites Visited by Employees


Proactively blocking employees from accessing cloud storage sites is the best way to restrict their use. That said, there’s always the possibility that new cloud storage providers are not yet blocked by your web filter.

Using employee internet monitoring software such as BrowseReporter allows you to see the specific websites that are being visited by employees. Their internet activity reports can be reviewed for the presence of unauthorized cloud storage sites and other unwanted SaaS platforms. 

The bandwidth consumption of individual employees and computers can also be monitored. Anomalous spikes in bandwidth could be an indication of large file transfers to a third party.

Once unwanted websites are discovered you can then add them to your web filter and issue any corrective action that is required to enforce the company’s security policies.

Monitor Application Usage


While the best practice is to not provide employees with the ability to install software on company computers, there may be scenarios where privilege escalation went unnoticed or otherwise trusted employees have installed unwanted software.

Just as with the web filtering scenario, monitoring employee application usage allows you to detect software that has not been added to the blocked application list. 

BrowseReporter’s application usage monitoring report conveniently shows you the Original Filename of the applications that are being used. Once the unwanted applications are identified you can then add those Original Filenames to BrowseControl’s application blocker to prevent employees from launching them in the future.

If you would like to see how often employees are using a specific application, you can enter the name of the application in BrowseReporter’s Specific Application Usage report. The report will display the dates for each day the application was used and indicate how long the application was actively used.

Cloud Data Loss Prevention Best Practices

Implement Access Controls on Cloud Services

Using enterprise-grade cloud storage services is essential for cloud DLP. 

With these solutions data can be readily classified according to its risk level, allowing access to be limited accordingly. Rather than providing employees with open access to all data that is stored on an account, administrators can assign different access permissions for each department or individual based on their legitimate business needs. 

These access controls help reduce the potential for insider threats to accidentally or maliciously modify, download, or delete critical business data. Enterprise platforms will also include other critical security controls that consumer-grade platforms do not have such as features for data recovery and file access auditing.

Retain Control and Visibility Over Data

Non-IT employees must not be administrators of cloud applications. Allowing them to be prevents the organization from governing access to unstructured data, keeping track of where data is stored, and restricting who has access to it.

This is especially true for consumer-grade cloud storage as these solutions will not have the auditing capabilities required to investigate the cause of a data breach. Employees that are permitted to use personal accounts on company devices will also have a greater expectation of privacy, potentially limiting what their employer is allowed to monitor.

Encrypt Sensitive Data

While third-party cloud storage providers have a vested interest in keeping the data of their customers safe, there is still a fundamental risk when trusting sensitive data with an external party. 

Even if the cloud service provider is reliable and secure, a data breach can be as simple as a set of compromised account credentials combined with improper access controls.

For this reason, companies that use third-party cloud storage providers must encrypt sensitive data before it is uploaded to the cloud service provider.

Keeping sensitive data encrypted is a critical security control for preventing third parties from making use of company data. Even if the files themselves are exfiltrated from the cloud storage account the threat actor will be unable to decipher the contents without the accompanying decryption key.

Data states where encryption is needed

  • Encryption at Rest: Data is encrypted where it’s stored—whether that be on a company endpoint or in the cloud. 
  • Encryption in Use: Data is encrypted as it is being created, edited, or viewed.
  • Encryption in Transit: Data is encrypted as it is transferred, such as in an email or during a transfer to the cloud storage provider.

Follow Cloud Authentication Security Best Practices

Practice Good Password Hygiene

Providing training and enforcement for password hygiene is a critical step towards preventing unauthorized access to cloud services.

  • Employees must use unique passwords that are difficult to guess
  • Employees must keep passwords confidential
  • Employees must use multifactor authentication where available

An enterprise-grade password manager or SSO solution can help mitigate poor password hygiene. These solutions are particularly valuable if an employee is furloughed or dismissed as their access to the solutions can be readily revoked before they have an opportunity to exfiltrate data.

Enforce Conditional Access Policies

Officially sanctioned cloud storage and file sharing solutions are not immune to misuse. To better protect these solutions the best practice is to use conditional access policies. These policies will restrict what employees can access based on their permissions and the risk level of the access request. 

With conditional access policies, you can automatically apply different degrees of access controls as needed to keep your organization secure, while reducing the degree of authentication required for access requests that are lower risk.

What Conditional Access Policies consider

  • User/Group: What should the user normally be permitted to access?
  • Location: Is the access request coming from an anomalous IP or geolocation?
  • Device: Does the device meet minimum security requirements? Is it a high-risk device such as a mobile endpoint or a user-owned device?
  • Asset Request: Is the user attempting to access high-risk applications or sensitive data?

Conclusion

The data security risks of file sharing and cloud storage need to be addressed as part of your cloud DLP strategy. By restricting the use of personal cloud storage accounts, providing employees with secure alternatives, and training them on their cloud data security responsibilities you can protect sensitive data from being leaked or misused.


Dale Strickland
Dale Strickland is a Marketing Coordinator for CurrentWare, a global provider of endpoint security and employee monitoring software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.