Cloud storage services and file sharing apps such as Dropbox, Box, Microsoft OneDrive and Google Drive are so widely adopted by employees—knowingly or unknowingly by their IT departments—that most don’t think twice about using them to share corporate information. In fact, they are so prevalent today that, according to Globalscape, 74 percent of employees simply assume such file sharing tools are approved for use by their company. And while the Shadow IT game of “hide-and-seek” continues to amuse IT teams, things are about to change in a hurry with the implementation of GDPR.
Difficulty Mitigating GDPR Compliance
Repercussions of the European Union’s General Data Protection Regulation (GDPR) are far-reaching. One of the outcomes will require businesses to take the use of cloud storage and applications much more seriously. Not only will businesses need to know which—and how—cloud storage and file sharing apps are being used by their employees, they also must ensure that either the cloud services in use are compliant and integrated into their GDPR processes (i.e., right to erasure / forgotten) or the flows of data to them are inspected and scrubbed of personal information.
Failing to address cloud storage and file sharing apps can lead to ugly fines up to €20 million or four percent of total annual revenue. And this isn’t simply for companies and individuals in the EU; GDPR applies to any company anywhere in the world that processes personal data related to EU citizens.
Shadow IT: Out of Sight, Out of Mind
Over 70 percent of executives and IT managers say they are unaware of how many unauthorized cloud or shadow cloud apps and services. Out-of-sight-out-of-mind thinking masks reality, as they simply don’t know which file sharing apps being used. Furthermore, since data is stored offsite by a cloud service provider (viz., a “GDPR processor”), they believe that they have nothing to worry about. But the opposite is the case. The business (viz., the “GDPR controller”) retains primary responsibility and must work with their employees and cloud service providers to comply with GDPR.
Shadow apps are a big problem; organizations are simply unaware of all the cloud-based apps running in their environments. The recent study finds most organizations are running up to 20 times more apps than they know about, and too many are noncompliant with GDPR specifications. This makes a lot of sense: 49 percent of cloud services are deployed by departments other than corporate IT, and an average of 47 percent of corporate data stored in cloud environments is not managed or controlled by the IT department.
Those thinking all cloud storage and file sharing apps must be compliant, need to think again! A recent study found that just two percent of enterprise apps are GDPR ready (evaluated on 15 different attributes). Cloud storage and file sharing applications become highly suspect under this scenario. For example, nearly one-quarter of files stored in the cloud are shared, and around 12 percent of those contain compliance-related data or confidential data.
Too many cloud-based apps lack appropriate levels of security and data protection, including compliance with GDPR. Sixty-three percent of user accounts reveal attempts to exfiltrate data, 37 percent are efforts to hack into cloud accounts, and 2 percent represent malicious activity due to compromised credentials. At the same time, data protection in the cloud remains porous; only one-third of cloud services protect sensitive data with encryption.
Addressing the Cloud Storage and File Sharing Ugliness
All is not bleak when it comes to cloud storage and file sharing apps co-existing in a GDPR compliant environment. By leveraging their GDPR-enabled secure web gateway (or a simple GDPR ICAP add-on to your existing gateway), businesses can:
Perform a Shadow IT Audit for Cloud Services. Quickly detect all cloud storage services and file sharing applications in use throughout the business, while creating a map of all data flows containing personal data.
Track and Trace GDPR Data Moving to the Cloud. Inspect data moving to cloud storage and file sharing applications in real-time for GDPR data. This includes often-overlooked sub-file, hidden and metadata information.
Automate GDPR Policy Enforcement. Analyze personal data to determine the appropriate GDPR policy based on data context, type, channel and sharing relationship.
Apply Adaptive Security. Institute required GDPR security measures (block, encrypt or redact) applied based on policy. Redaction removes only the GDPR personal data detected, allowing the rest of the content to go without delay, quarantines and disruptions. This, in turn, eliminates false positives.
Enable GDPR Governance. Achieve transparent visibility into GDPR reports, policy violations and breach analysis to ensure compliance.
In all, when addressed with the right security processes and technologies in advance, cloud storage and file sharing applications can be controlled and become GDPR compliant, helping you to avoid an ugly mess.
By Scott Kosciuk, Clearswift
 (Townsend, 2016)