“Data at Rest” Is “Data at Risk”: How Skyfence Ensures Data Leak Prevention in Cloud Storage Apps


Data at rest is a key target for many hackers and other unauthorized users. This June, Forbes reported on the OPM data breach that hit every single federal employee and over one million former employees.

That leak revealed just how vulnerable data at rest truly is. Moreover, the Imperva Application Defense Center’s report published in August details why the new “Man in the Cloud” (MITC) attack makes unstructured data at rest within cloud services like Box and Google Drive equally vulnerable.

The Cloud Is a Different Beast

While many companies have security measures in place to protect on-premises internal repositories and data channels like email, securing the highly sensitive information stored in the cloud requires different measures.

This is because the cloud poses unique challenges. For instance, it’s difficult to gain visibility and monitor access to sensitive files stored in the cloud. Second, unstructured data in the form of documents can be easily shared with external users often as a result of excessive file-sharing permissions set by the content owner. And finally, cloud apps are globally accessible and are thus a relatively easy target for account takeover attacks.

Don’t Forget About Compliance

Add to the mix compliance requirements for data privacy and you can see why IT professionals have legitimate concerns over cloud security. HIPAA and PCI DSS are two such examples where there are specific provisions around securing personal health information and credit card information, respectively, and auditors are getting savvier about encompassing cloud in their interpretation of these regulations.

HIPAA Security Rule:

  • A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.

PCI DSS 7.1:

  • Limit access to system components and cardholder data to only those individuals whose job requires such access.

To meet regulatory compliance, you need to know where your regulated data is being stored and that you’re able to monitor access to this data in real-time.

Data at Rest in Cloud File-Sharing Services

So, what exactly is “data at rest”?

Simply put, data at rest describes the state of your data once it’s stored in a cloud app such as Box, OneDrive, Google Drive or Dropbox. But “rest” doesn’t mean “safe.” These services automatically sync folders and files with users, and they have access permissions that can be set by the content owner to enable easy sharing of regulated or sensitive data with internal or external users – often without the user fully understanding the defined permissions.

While your data sits in these cloud services, it means that without proper protection, the data could be compromised, breached, or simply shared with individuals it shouldn’t be. That’s because hackers can employ “Man in the Cloud” attacks as referenced above or any number of account takeover mechanisms (social engineering or brute-force attacks among others) to obtain valid credentials and access an account. Once in an account, the hacker can do as he or she pleases with the data (download, delete, edit, etc.).

What types of security features can help you keep your files in cloud drives safe while at the same time readily available to the appropriate people in your organization?

Cloud security features

Data Governance dashboard lets you see at a glance the sensitive or regulated data stored in your cloud apps.

Security Options for Files Stored in the Cloud

When data is at rest, the aim of your organization is simple: “Authorize the right people to see and access the data but deny access to unauthorized users.”

Providing data classification and security to file-sharing apps is precisely what Skyfence’s latest release brings to the table.


Skyfence Cloud Gateway categorizes sensitive data by type and highlights the files and content owners of regulated data.

The newest features of Skyfence announced today include:

  • Comprehensive scanning of cloud storage apps like Microsoft OneDrive and Box for sensitive or regulated data
  • Identification and flagging of data and files as sensitive or regulated
  • Visibility into the extent of file-sharing permissions (e.g., who owns the data, who has viewed, who has shared)
  • Enforcement of risk remediation measures
  • Ensuring compliance with applicable security and privacy regulations (e.g., PHI, PII, PCI DSS)

In addition to these enhancements, Skyfence is the only solution that can distinguish between managed and unmanaged (BYOD) devices then apply granular DLP policies. This allows organizations, for example, to allow a BYOD device to only view a file while a user with a managed device is allowed to download the document to their endpoint. Click here to check out a short video of this.

To find out if your “data at rest” is “data at risk” or if you need help figuring out which security options would be best for your requirements, click here to speak with a Skyfence specialist or request a demo.