Blancco Report: Cracks and Weaknesses Found in Cloud Data Management Practices
By Roy Urrico
Finopotamus aims to highlight white papers, surveys and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.
Pandemic-era cloud adoption has opened cracks and weaknesses in financial services’ data management practices, according to new research, Data at a Distance: How Cloud Migration Affects Data Classification, Minimization & Disposal, from Finnish-based security firm Blancco Technology Group, which specializes in data erasure and mobile lifecycle solutions.
“For many, the move to the cloud was well under way before the pandemic. However, any slow and methodical change was accelerated by the need to rapidly deploy business operations, support remote workers and stakeholders, and provide critical services from virtually anywhere,” revealed the study.
The report also found that extensive cloud adoption and increasing volumes of data are causing issues and growing concerns, particularly for financial institutions and health organizations. “Healthcare and financial services providers handle some of the most confidential and sensitive information possible. While they have made the move to cloud for better connectivity, digital transformation and ease of managing data, many of them are still falling short when it comes to knowing how to reduce risk and maintain compliance when that data is no longer serving a business function,” said Jon Mellon, president global sales, marketing and field operations at Blancco.
Mellon added, “COVID changed working norms for all industries, and adopting the cloud helped adapt to those changes. But hackers also changed their approach. The industry reported that 45% of breaches that occurred in 2022 were cloud based. Yet our research found multiple instances of insufficient practices for managing EOL (end of life) data in the cloud.”
Hosting the Cloud
The survey, undertaken for Blancco by independent research company Coleman Parkes between November and December 2022, gathered data from 1,800 data retention and data disposal decision-makers (evenly split between financial services and healthcare) from six countries: the United States, Canada, the United Kingdom, Germany, France, and Japan. The countries represent the North America, Europe, and Asia Pacific regions in which Blancco operates.
Fifty-one percent of survey respondents now host all of their data in the cloud. Of the rest, only 1% do not plan to move all their data to the cloud, and all (both financial services and healthcare) plan to use the cloud to some extent.
Amazon Web Services (AWS), the report found, is the most popular cloud provider, used by just over half of the financial and health organizations surveyed. However, Google Cloud and Microsoft Azure were a close second and third, with IBM, DigitalOcean, and Oracle next in line.
Some Report Takeaways
Data management best practices, suggested Blancco, center on organizations needing to know what data they collect, including the data’s value, where it is stored and when it needs permanent erasure. Yet just over half of organizations (55%) boast a mature data classification model that determines EOL, meaning that nearly half fall short when it comes to determining when to dispose of cloud-stored data.
Other report highlights:
· As cloud migrations in health and finance organizations rapidly transform their processes and services from analog to digital, 65% of respondents said that the switch increased the volume of redundant, obsolete or trivial (ROT) data they collect.
· Forty-five percent fall short when it comes to determining when to dispose of cloud-stored data.
· Six out of 10 said that their cloud provider handles EOL data for them; yet 35% reported that they do not trust their cloud provider to appropriately manage EOL data on their behalf.
· Sixty-three percent use software-based erasure with an audit trail for managing all data – both on-premises and cloud, but a “worrying 38% carry out erasure without an audit trail.”
· Ninety-one percent of those surveyed recognize data classification as an important first step for achieving data security.
· Thirty-six percent are just beginning to implement a policy for data classification and minimization, with nearly one in 10 yet to implement any such process.
In addition to regulatory noncompliance risks, according to the report, organizations must assess the cost and sustainability impacts of storing data, as well as security concerns: more data means a greater attack surface and more liability in case of a breach.
The report recommended regular assessment of data and setting retention periods, a critical and growing concern as regulatory requirements increase for the healthcare and financial services industries.
The study found that 57% of organizations have a data schedule where different data types are reviewed to determine whether data has reached EOL status. “A quarter use the blunt approach of a data expiring after a set timeframe, which is simple but ineffective—it does not consider what the data is, what it’s worth, or the risk of it getting into the wrong hands,” the report disclosed.
The Blancco study did determine that financial services and healthcare organizations have a new awareness of the challenges of managing EOL data in the cloud. In fact, 65% found it necessary to reassess how they determine which data is no longer needed since making the switch from analog to digital.
But in addition to falling short when it comes to data classification and minimization, a “worrying” 59% of respondents reported using processes without verified data destruction at least some of the time with EOL data. This can leave data intact and retrievable without a proper audit trail to prove proper EOL data disposal.
The report noted that best practices for on-premises data centers might not always follow the data's migration to the cloud. It recommended, “The cloud itself is not the problem. While it can make dealing with EOL data more challenging, having the right processes in place and ensuring enterprises take ownership for following end-of-life data management best practices is the solution — whether the data is held on-premises or in the cloud.”