The use of cloud services is ubiquitous—we’ve seen this rise over the past decade to the point where many of our organizations couldn’t function today without the cloud. Critical to this growth is the understanding that data, and most importantly sensitive data, now lives in the cloud and must be protected. In our last survey on cloud adoption in mid-2018, we found that 83% of organizations worldwide store sensitive data in the cloud. Even as the absolute number of files stored in the cloud has increased rapidly, the percentage of files that contain sensitive data has also grown, today standing at 21% with an increase of 17% over the past two years.
Not only do most organizations place trust in their public cloud service providers to store their sensitive data, nearly a quarter of all data in the cloud meets the need for stringent protection. We shared the specific categories in our last cloud security risk blog. Not surprisingly, the classification of “confidential data” takes the largest share of all sensitive data in the cloud at 27%. More interesting is the increase in trust—the total amount of confidential data stored in the cloud rose 28% over the past two years. During that time we’ve seen services like Box and Microsoft Office 365 rise in popularity, concurrently, carrying with them the shift of corporate data to the cloud.
Confidential data in the cloud—percentage of total data in the cloud.
Specifically, with the rise in popularity of Office 365, we see an even larger increase in sensitive data flowing through cloud-based email, primarily Exchange Online. Today, 20% of all sensitive data in the cloud runs through email services like Exchange Online in Office 365, a volume which has increased 59% in the past two years. Email remains one of the easiest vectors for data loss, and moving it to the cloud removes visibility for IT teams that could once monitor SMTP traffic on their own servers. We’ll see a few more trends related to data flowing through email in the next section—but for now the growth and inherent loss of visibility remain significant on their own.
Sensitive data in cloud-based email—percentage of total data in the cloud.
Let’s look at the rest of the sensitive data types we evaluated for additional insight:
Sensitive data types in the cloud—percentage of total data in the cloud.
The first insight we can take from the remaining data types is a sharp decline of -20% YoY in Personally Identifiable Information (PII) in the cloud, which could be a result of several trends. For one, the proportion of cloud use in corporate environments is increasingly for business, as opposed to personal use. Many cloud services, such as Dropbox, came into the enterprise as consumer services and quickly transitioned to business use cases as their utility became apparent. Another cause could be end-user diligence, keeping PII out of the cloud as a result of security awareness. We may need to give our end-users the benefit of the doubt on this one.
Next, we see gradual increases in personal healthcare information (PHI) and password protected data, at 16% and 13% respectively over the past two years. While healthcare information accounts for only 9% of all sensitive data in the cloud, it is encouraging to see trust increase for this highly regulated industry. Lastly, payment data remains stable at approximately 12% of all sensitive data in the cloud on an annual basis.
What we take away from this breakdown is the increase in trust to store broad categories of sensitive information in the cloud. As the proportion of our data shifts from servers we own to services we use, so does the potential risk. It’s critical that we understand what goes into the cloud, so we can protect it with that growing proportion of risk in mind.