Cloud computing's distributed architecture helps ensure service resilience and robustness. At the same time, the big data stored in the cloud are valuable and sensitive, and they are becoming attractive targets for attackers. In practice, attackers can carry out attacks such as Advanced Persistent Threats (APTs) to invade cloud infrastructure and steal cloud users' confidential data through encrypted transmission. Unfortunately, the most commonly used methods, e.g., Deep Packet Inspection (DPI), cannot detect encrypted data leakage efficiently. In this paper, we propose a novel method to detect encrypted data exfiltration in the cloud. The proposed method is composed of two steps. First, cloud providers analyze all outgoing network traffic and identify the encrypted traffic. Second, cloud providers determine whether that encrypted traffic was initiated by cloud users as expected. If not, the encrypted traffic is considered data exfiltration. Specifically, in the first step, DPI and entropy techniques are used together to identify encrypted traffic efficiently, and in the second step, we determine whether the encryption is expected by building a network behavior profile for each cloud user. We have carried out extensive experiments in a real-world network environment, and the experimental results validate the feasibility and effectiveness of our method.
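A sketch of the two-step check described above, as an added example that is not the paper's implementation. The 7.0 bits/byte threshold, the DPI-first ordering, the profile modelled as a set of (destination, port) pairs, and all function names and sample flows are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed cut-off in bits per byte; tune on real traffic

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, 0.0 to 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def dpi_label(payload: bytes):
    """Toy DPI: recognise a TLS record header, an SSH banner or plaintext HTTP."""
    if len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD"):
        return "http"
    return None

def is_encrypted(payload: bytes) -> bool:
    """Step 1: DPI decides known protocols; entropy decides the rest."""
    label = dpi_label(payload)
    if label is not None:
        return label in ("tls", "ssh")
    return shannon_entropy(payload) >= ENTROPY_THRESHOLD

def classify(flow: dict, profiles: dict) -> str:
    """Step 2: encrypted traffic outside the tenant's profile is flagged."""
    if not is_encrypted(flow["payload"]):
        return "not_encrypted"
    if (flow["dst"], flow["dport"]) in profiles.get(flow["tenant"], set()):
        return "expected_encrypted"
    return "suspected_exfiltration"

# Constructed sample data (not from the paper): one tenant profile, three flows.
PROFILES = {"tenant-a": {("203.0.113.10", 443)}}
RANDOM_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 bytes
FLOWS = [
    {"tenant": "tenant-a", "dst": "203.0.113.10", "dport": 443, "payload": b"\x16\x03\x03\x00\x2a" + RANDOM_LIKE},
    {"tenant": "tenant-a", "dst": "198.51.100.7", "dport": 8080, "payload": RANDOM_LIKE},
    {"tenant": "tenant-a", "dst": "198.51.100.7", "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"},
]

RESULTS = [classify(f, PROFILES) for f in FLOWS]
print(RESULTS)
```

Compressed data also scores close to 8 bits per byte, so an entropy threshold alone flags compressed payloads as well as encrypted ones; the profile comparison in the second step is what separates expected from unexpected flows.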