In October 2015, an administrator at a US-based IT services company copied a Google Drive link into the company’s Slack application to share with his team. When he did that, a pop-up message asked if he wanted Slack to import the document (and all further Google Docs links). As most of us would do, he accepted this integration.
This was a routine prompt as Slack makes a copy of the Google Drive documents on their servers. The problem here was that this company was 18F, an IT services company working for the US federal government. And the documents that were being copied onto an unauthorized third party application - Slack - were sensitive documents that contained personally identifiable information of federal employees and contractors.
This came to the fore in March 2016 during a routine audit - five months after the admin had made the Slack / Google Drive integration choice - during which hundreds of Google Drive accounts were exposed. The Office of Inspector General released a lengthy statement that summarized it thus: "Bottom line: It’s not ok to let an external company automatically index and store our Google Drive documents.” This led to several hearings all the way up to the US Congress where the contractor was berated for their lack of control, with a US Congressman even saying “... it appears these ‘experts’ need to learn a thing or two about protecting sensitive information”.
The world we live in today is one where the use of SaaS applications for collaboration and productivity is on the rise. By one estimate from IDC, the use of SaaS collaboration apps such as Google Suite and O365 grew by 72 percent in a single year! It’s easy to see why these services are popular -- there is no need to worry about hosting applications, capital expenditures, updates, etc. That simplicity and affordability is a big draw, especially for small and medium-sized enterprises.
However, that ease of use is a double-edged sword. It is very easy to expose sensitive documents either by carelessly sharing it widely or with malicious intent by trusted insiders - for example, by employees leaving the company who may take important and sensitive documents with them. A lot of the SaaS applications have multiple such points of data exposure.
1. Shared calendars: It is very easy to make a calendar public and open to the world. This happened at McKinsey where a phone number and meeting ID was made public for a weekly call where sensitive projects were discussed. They believe competitors listened in on this channel. The same happened at JP Morgan Chase and at Deloitte.
Publicly sharing a Google Calendar2. Shared Links: It is very easy in EFSS (enterprise file sync and share) systems - like Google Drive and Microsoft’s OneDrive - to create and share links with the public, with partners, and others. However, that’s an IT administrator’s nightmare. It’s very difficult for the IT team to get a view of what documents have been shared like this, who outside the company has access to them and, who within the company has been doing this.
3. Granting access to third party applications: As seen with the Slack/Google Drive example earlier, it’s very easy for an employee to grant access to a third party app that accesses sensitive information within the company. OAuth2 - which is used by almost all SaaS applications - makes it really easy for disparate SaaS applications to work together. But it is also makes it easy for a potentially malicious application to get access to sensitive information with just the click of a button.
As the number of SaaS applications used by companies explode, this problem will only grow exponentially. It is impossible to centrally manage and report on activities of users across myriad applications.
With such SaaS sprawl, a single tool is needed to centrally manage, provision, control and report on activities for all users and resources.
We suggest a three-step process to better protect yourselves from the kinds of data exposure problems mentioned above:
1. Education: Educate employees to ensure that they are aware of the actions they should take to limit access to documents, not share their calendars widely or authorize third party applications. They should periodically review their sensitive documents and correct any invalid exposure, as well as check what applications they have previously authorized. On Google, you can do it from “My Account -> Apps with Account Access”
2. Admin Lockdown: In some cases, an administrator can centrally lock down access to third party applications or control what levels of data exposure are allowed within the company.These controls tend to be very coarse - they are either on or off. For example, you cannot specify that users in certain groups (IT administrators, executives etc.) can install certain whitelisted apps or share documents while others cannot. For these kinds of granular controls and reporting, we suggest you look at third party applications.
3. Third Party Applications - As the use of SaaS applications grows, there is a new generation of tools that provide better control and management across such applications. An administrator can connect the company’s SaaS applications to such tools which then become the single pane of glass for management and security for the SaaS applications.The use cases they address cover both security and centralized management.
Security Use Cases:
- Identify points of data exposure like the ones discussed earlier in this article
- Insider threat protection from careless or malicious activities
- Set policies and identify policy violations – for example blacklist and whitelist access to sensitive documents
- Automatically remediate in case of violations – for example, remove public links to sensitive documents.
Management Use Cases:
- Bulk operations - take action across multiple resources and SaaS applications in one click
- Centralised reporting and alerting
- Onboarding and offboarding from one tool across all SaaS applications - this helps you cleanly remove people, remove access across all apps and reclaim SaaS licenses
- Custom workflows
One such tool is Adya - which helps manage and protect your SaaS applications. To get your free Google Drive exposure report to see who outside the company may have access to your documents, go to https://www.adya.io/ .
Adya was part of the first cohort of the NetApp Excellerator - which is targeted at B2B startups in the data management space. As a global leader in data management solutions, NetApp is using its experience and market access to guide startups in adjacent spaces. Applications are being accepted for the next cohort at http://startup.netapp.in/
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)