We hear a lot about the sunlit uplands of cloud-powered business, but what about the risks of making information available across the organization?

Matt Lock, Technical Director at Varonis

June 24, 2021


We're familiar with the many benefits of the cloud. Following a successful cloud migration, organizations can liberate their data from on-premises storage systems and set it free. Teams can collaborate across time zones and build truly global workflows that were unthinkable just a few years ago.

But when it comes to actually enacting the cloud migration, a hard rain awaits the unwary, particularly when unforeseen circumstances occur, like a global pandemic that forces organizations to hurriedly push forward "two years of digital transformation in two months." We hear a lot about the sunlit uplands of cloud-powered business, but what about the dangers?

Storm on the Horizon
The coronavirus pandemic prompted unprecedented levels of cloud migration. According to Deloitte, the cloud market grew faster in 2020 than in 2019 despite the "steepest economic contraction in modern history." Demand is not likely to slow down any time soon, with IDC reporting that 90% of global enterprises now expect to rely on hybrid cloud by 2022.

The benefits of cloud migration include decreased management overheads and greater flexibility to expand or contract storage requirements with the click of a button rather than purchasing and decommissioning physical servers in a data center.

Yet there is a huge risk in making information available to a distributed workforce. It only takes one compromised endpoint to cause a shattering data breach when an organization's data is overexposed and unmonitored. Further peril awaits organizations that use collaborative tools like Slack, Teams, or SharePoint, which facilitate easy, effortless information sharing but do not adequately incentivize secure working practices. It's now easier than ever to share a sensitive document with a colleague or hand over a password. Sadly, convenience can be the enemy of security.

Overexposed and Underprotected
One of the most concerning stats Varonis' researchers found suggests that a junior analyst who joins a major financial institution has access to 20% of the company's data on their first day of employment — amounting to 11 million files. This is called organization-wide exposure (OWE) and is essentially the opposite of zero trust. Migration can make this problem worse.

When sensitive data is available to the entire company, data breaches, insider threats, and ransomware attacks become much more likely. If this data is distributed across a remote workforce operating away from the scrutiny of IT staff and on-premises protections, the risk is amplified to unacceptable levels.

Good Migrations
The responsibility for migrating data rests on the shoulders of IT, and it's a heavy load to bear. The data must be moved with as little downtime as possible before being placed in the right location and made available to the correct people. This process throws up obvious risks of further overexposure, which means it must be carefully planned.

It's difficult to provide an all-in-one checklist that can be used in all migrations, but there are best practices to follow.

First, exclude stale or obsolete data from the migration to reduce both risk and storage costs. Set up rules to decide whether data is stale, perhaps excluding data that hasn't been accessed for a long time.

Next, put special plans in place for sensitive data such as personally identifiable information, particularly if it is protected by privacy laws. Take a similarly cautious approach towards critical data such as contracts or intellectual property. And take care to avoid further overexposure by granting access to the wrong people. At the same time, ensure the right users are not cut off from the data they need to access to do their jobs.

It pays to build an inventory of the existing data estate, paying attention to dark data. During a migration, many organizations find SharePoint sites, Exchange mailboxes, public folders, and file shares they didn't even know existed. Some will contain toxic and overexposed regulated information, so it's critically important to build a complete and accurate inventory. Apply a classification taxonomy to data so that sensitive files can be flagged, monitored, and treated correctly.

Establishing data owners for sensitive data is also strongly advised. Once these are established, review entitlements before and after migration to weed out excess access and cut down the risk of overexposure.

Getting Organized
To minimize OWE, enact least-privilege access to ensure staff have access only to the files they need. It's crucial to gain visibility over overexposed data by auditing files to assess who has access to them and whether they need to be open to the wider organization or strictly limited to a small number of employees.

Blanket open access should be revoked and permissions replaced with single-purpose groups consisting only of employees who unequivocally need to access that data. This solution can be enacted without causing major disruptions to day-to-day work. Once an organization has visibility over its overexposed files, it can fix permissions at times when the files are not likely to be in high demand.

Ideally, the process of removing open access and replacing permissions with single-purpose groups should be automated.
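As an added example (not code from the article or from Varonis), the following Python script applies the migration and clean-up steps above to a constructed file inventory: it excludes stale data, flags sensitive files reachable through blanket groups as organization-wide exposure, drafts a single-purpose group from the explicit principals, the data owner and the users who actually use the file, and flags files that have no owner to approve the change. The group names, classification labels, staleness rule and inventory fields are assumptions.

```python
from datetime import date, timedelta

# Assumed principals that create organization-wide exposure (OWE) when on an ACL.
BLANKET_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
SENSITIVE = {"PII", "Contract", "IP"}     # assumed classification labels
STALE_AFTER = timedelta(days=365)         # assumed staleness rule
AS_OF = date(2021, 6, 24)                 # constructed "today" for the example

# Constructed inventory: classification, ACL principals, last access, recent users (assumed audit data).
INVENTORY = [
    {"path": "//fs1/finance/payroll.xlsx", "class": "PII", "owner": "hr.lead",
     "acl": {"Everyone", "hr.lead"}, "last_access": date(2021, 5, 30),
     "recent_users": {"hr.lead", "payroll.clerk"}},
    {"path": "//fs1/legal/msa_2019.docx", "class": "Contract", "owner": None,
     "acl": {"Domain Users"}, "last_access": date(2021, 4, 15),
     "recent_users": {"paralegal"}},
    {"path": "//fs1/marketing/logo.png", "class": "Public", "owner": "mkt.lead",
     "acl": {"Everyone"}, "last_access": date(2021, 6, 1), "recent_users": {"mkt.lead"}},
    {"path": "//fs1/rnd/design.cad", "class": "IP", "owner": "eng.lead",
     "acl": {"Authenticated Users", "eng.lead"}, "last_access": date(2021, 6, 10),
     "recent_users": set()},
    {"path": "//fs1/archive/q3_2017.pptx", "class": "Public", "owner": None,
     "acl": {"Everyone"}, "last_access": date(2017, 10, 2), "recent_users": set()},
]

def is_stale(item, as_of=AS_OF):
    """Stale data is left out of the migration to cut both risk and storage cost."""
    return as_of - item["last_access"] > STALE_AFTER

def is_overexposed(item):
    """Sensitive data reachable through a blanket group is organization-wide exposure."""
    return item["class"] in SENSITIVE and bool(item["acl"] & BLANKET_GROUPS)

def plan_migration(inventory, as_of=AS_OF):
    """Return what to exclude, what to migrate, and the permission fixes to apply."""
    plan = {"exclude": [], "migrate": [], "remediate": {}, "needs_owner": []}
    for item in inventory:
        if is_stale(item, as_of):
            plan["exclude"].append(item["path"])
            continue
        plan["migrate"].append(item["path"])
        if is_overexposed(item):
            # Single-purpose group: explicit ACL principals, the owner, and actual users.
            members = (item["acl"] - BLANKET_GROUPS) | item["recent_users"]
            if item["owner"]:
                members.add(item["owner"])
            else:
                plan["needs_owner"].append(item["path"])   # nobody to approve the new group
            plan["remediate"][item["path"]] = sorted(members)
    return plan
```

Public files left open to Everyone are deliberately not flagged: the classification step is what separates acceptable broad access from overexposure.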

When migrating into the cloud, it's important to keep your feet on the ground. Remember the storms and you'll enjoy the sunshine all the more.

About the Author(s)

Matt Lock

Technical Director at Varonis

Matt Lock has 20 years of cybersecurity experience and is an expert on data security. As technical director at Varonis, he heads up the team that undertakes risk assessments and data governance projects, helping organizations to secure and manage their unstructured data.
