Most cloud applications not GDPR-ready, report reveals

Just 2% of more than 15,000 enterprise cloud applications analysed are GDPR-ready, according to a cloud risk report

Some 98% of cloud-based applications do not comply with rules introduced by the European Union’s (EU’s) General Data Protection Regulation (GDPR), a report has revealed.

Nearly a quarter of all files stored in the cloud are shared, and around 12% of those contain compliance-related data or confidential data, according to the 1H 2016 Shadow Data Threat Report published by security firm Blue Coat.

The report is based on data gathered by the security firm’s Elastica Cloud Threat Labs, which analysed more than 15,000 enterprise cloud applications in use and 108 million enterprise documents stored and shared within them.

The GDPR, which comes into force on 25 May 2018, is aimed at strengthening data protection for individuals in the EU and requires compliance by any company anywhere in the world processing personal data relating to EU citizens.

Elastica has analysed business apps for GDPR readiness, covering fifteen key attributes, including access control, brute force protection, encryption of data at rest and in motion, and admin audit trails.

Across all enterprise-oriented cloud apps tracked by Elastica, just 2% are GDPR-ready, although that 2% includes popular apps such as Microsoft Office 365, Google Drive, Salesforce, Box and Dropbox.

A further 25% of business apps meet some of the GDPR requirements for usage in the EU, but have some way to go before being considered fully compliant, the report said.

Challenge of shadow data

Gaining visibility and control over cloud apps is a key first step in maintaining cloud security, but the report said “shadow data” poses a much greater challenge to IT’s ability to prevent the loss or non-compliant exposure of sensitive corporate data.

In the context of the report, “shadow data” refers to all the content that users are uploading, storing, and sharing – not only using unsanctioned cloud apps, but sanctioned ones as well.

Even if an organisation were to successfully limit employees to the use of enterprise-grade file sharing apps, such as Box or Office 365, the report said it would not mean they have fully mitigated the risks of data loss or compliance violations.

Even with sanctioned apps, the report said it is challenging for organisations to identify and track how their users are using these apps, and what sort of sensitive data they may be uploading and sharing inappropriately.

“This lack of visibility into shadow data may result in risky exposures or compliance violations,” the report said.

The Elastica analysis of cloud applications and documents also revealed that organisations are running 20 times more cloud apps than they estimate, with most using an average of 841 across their extended networks.

It also found that 1% of enterprise cloud apps are still vulnerable to one or more major exploits, such as Freak, Logjam, Heartbleed and Poodle.

Other key security stats include that 63% of risky user activity in the cloud indicates attempts to exfiltrate data, 37% of suspicious cloud activity indicates attempts to hack into user cloud accounts, and 2% of user accounts show signs of malicious activity due to compromised credentials.

A recent report by security firm Gemalto shows that cloud data security is still a major challenge for companies, with only one-third of sensitive data in cloud applications being protected by encryption.

More than half of the 3,400 IT and IT security practitioners surveyed said their companies do not have a proactive approach to managing security and complying with privacy and data protection regulations in cloud environments.