Cloud storage services and file sharing apps such as Dropbox, Box, Microsoft OneDrive and Google Drive are so widely adopted by employees—knowingly or unknowingly by their IT departments—that most don’t think twice about using them to share corporate information. A study by SkyHigh Networks found that the average enterprise uses 76 distinct file sharing cloud services and 18.1% of files uploaded contain sensitive data. While this was an issue before May 25th, 2018, that date now rings terror into the hearts of CIOs and IT departments as the date GDPR became enforceable. Although some of the services will be endorsed by the organization, many won’t and while the Shadow IT game of “hide-and-seek” continues to amuse IT teams, the implementation of GDPR ups the stakes as fines of 20 million EUR or 4% of global turnover (whichever the greater) are more than significant to all businesses.
Difficulty Mitigating GDPR Compliance
Repercussions of the European Union’s General Data Protection Regulation (GDPR) are far-reaching. One of the outcomes will require businesses to take the use of cloud storage and applications much more seriously. Not only will businesses need to know which—and how—cloud storage and file sharing apps are being used by their employees, they also must ensure that either the cloud services in use are compliant and integrated into their GDPR processes (i.e., right to erasure / forgotten) or the flows of data to them are inspected and scrubbed of personal information.
Compliance isn’t simply for companies and individuals in the EU; GDPR applies to any company anywhere in the world that processes personal data related to EU citizens.
Shadow IT: Out of Sight, Out of Mind
The majority of executives and IT managers say they are unaware of how many unauthorized cloud or shadow cloud apps and services are being used, even though Gartner has estimated that by 2020 more than 30% of successful cyber-attacks will happen through Shadow IT. Out-of-sight-out-of-mind thinking masks reality, as they simply don’t know which file sharing apps being used. Furthermore, since data is stored offsite by a cloud service provider they believe that they have nothing to worry about. But the opposite is the case, the business retains primary responsibility. Interestingly the GDPR concept of shared responsibility should mean that the cloud service provider should be more concerned with the data they store, but as yet they are not. Organizations must work with their employees and cloud service providers to ensure compliance with GDPR.
How many applications do you have on your mobile phone? How many of those are endorsed by the company? How many have access to data such as contacts or saved documents? Now multiply that by the number of employees you have, and you start to see the magnitude of the issue. Even within a small company, there could be 1000s of applications which are ‘hidden’ from IT (and compliance), but which create risk.
While some cloud and app vendors, including Google, have embraced GDPR, many others have not, and in this case ignoring those who haven’t because you do not ‘know’ about them is not a defense. Ignorance is not bliss.
Addressing the Cloud Storage and File Sharing Ugliness
All is not bleak when it comes to cloud storage and file sharing apps co-existing in a GDPR compliant environment. We have a three-step approach to GDPR compliance:
- Discover: Find out just how big the issue it. For Shadow IT, this is about discovering how widespread its use is.
- Secure: Secure the information from inappropriate sharing with unauthorized users.
- Govern: Compliance is an ongoing commitment to protect critical information.
- Perform a Shadow IT audit for cloud services. Quickly detect all cloud storage services in use throughout the business.
- Create a map of all web-based data flows containing personal data. This is both into and out of the organization. Shared responsibility means you need to secure and protect sensitive information which is shared with you.
- Track and trace GDPR data moving to the cloud. Inspect data moving to cloud storage in real-time for GDPR data. This includes often-overlooked sub-file, hidden and metadata information.
- Automate GDPR policy enforcement. Analyze personal data to determine the appropriate GDPR policy based on data context, type, channel and sharing relationship.
- Apply adaptive security. Institute required GDPR security measures (block, encrypt or redact) applied based on policy. Redaction removes only the GDPR personal data detected, allowing the rest of the content to go without delay, quarantines, and disruptions. This, in turn, eliminates false positives.
- Enable GDPR governance. Achieve transparent visibility into GDPR reports, policy violations and breach analysis to ensure compliance.
The CIO and IT department need to grab control of Shadow IT, before a compliance incident occurs. Discovering which services are used is the first step towards that control. IT should be seen as an enabler to cloud services, with recommendations of which services to use and how they can be used. They also need to stop the use of those services which put businesses at risk.
In all, when addressed with the right security processes and technologies in advance, cloud storage and file sharing applications can be controlled and become GDPR compliant, helping you to avoid an ugly mess and potentially huge fines.