Data leakage risk rises with cloud storage services

Companies significantly increase their risk of data leakage when smartphone- and tablet-toting employees use the cloud storage services Dropbox, Box and SugarSync, a university study shows.

Word documents and PDF files retrieved from these services from an iOS or Android device were stored in cache, where they remained until the storage limit was reached, at which point they would be overwritten by new data, researchers from the University of Glasgow, Scotland, found.

In the case of iOS devices, the data was stored in memory, while Android stored the information on an SD memory card. Metadata related to the application could also be retrieved.

The study has its flaws. Most notably, the researchers used older versions of the operating systems. They tested iOS 3 on an iPhone 3S and Android 2.1 on an HTC Desire.

While not all the information kept in the older phones would be recoverable in the latest iOS and Android devices, experts agreed that some data would still be accessible, either to someone who stole the phone or to malware that gained root access to the device.


"From a forensics perspective there is little you can do on a device today without leaving some kind of remnants," said Paul Henry, a forensic analyst for Lumension. "With DropBox, I can typically decrypt the database and get details of your activities and yes you may find actual cached copies of files in memory as well."

The risk of data leakage has intensified with the bring-your-own-device (BYOD) trend. Most organizations let employees use their personal devices for work, but vary widely on the strictness of policies to ensure security.

The biggest danger with BYOD is employees using applications such as storage services for tucking away business documents, so they can be worked on from home. This mixing of corporate and personal data increases the chance of a security breach.

George Grispos, a lead researcher in the university study, said the separation of corporate and personal data is critical on any mobile device. "The cloud applications must be part of the bigger picture of how you segregate the device," he said.

Options include sandboxing or virtualization, but they all need to be tested to determine how effective they are at preventing data leakage, said William Bradley Glisson, director of computer forensics at Glasgow.

Storage services are just one of many mobile apps that pose a data security risk. Ws released its findings Tuesday in testing the popular Any.DO, a business and personal calendar tool. The company found that the app stored passwords and sensitive user data in plain text and was susceptible to man-in-the-middle attacks. Any.DO is available through Apple's App Store and Google Play.


Stories by Antone Gonsalves
