We’ve written about how the security vulnerabilities of SaaS applications are not fully appreciated, even by IT professionals. Imagine now trying to persuade a layman that there’s been a data breach through an organization’s commonly used SaaS app. Imagine further that the people sounding the alarm are a couple of high school students. Do you think the message is going to get through?
If you answered “nope,” you’re right. As a result, sensitive information regarding New York City’s public schools remained exposed for months – until the students raised the issue again.
That’s the story reported recently by Chalkbeat, a publication focused on educational matters. The students, from Brooklyn Tech High School, discovered in August 2020 that the Google Drive the district used to store records was not properly configured to prevent access to records that should have remained private. Initially, the visible documents were nothing particularly sensitive – sign-up sheets for parent-teacher conferences, second graders’ classwork, and college recommendation letters.
After they presented their findings to an administrator, they thought the matter was settled. But they checked again the following March, only to discover that now they could see such documents as records of teacher Social Security Numbers, phone numbers, addresses and pay information. They finally got action when they reached one of the teachers and said, “I have your Social Security Number.”
That prompted the district administration to wake up and take action, but not before exposing the personal information of some 3,000 students and 100 employees.
What went wrong?
Technically, this is not a complicated issue. The Google Drive that was vulnerable had not been configured properly to limit access. Eventually, the district curtailed access to the documents that shouldn’t have been visible to begin with.
Still, Google Drive doesn’t provide the flexibility that school administrators or any other users would want in terms of providing access to files. There are three choices: make them public, make them accessible to those with a link, or restrict access to selected individuals. An administrator might want to share files with one department, such as the HR department that would need to keep track of employee information, but not teachers or students. Or they might want to share with an identified group, such as the second-grade parents looking for those sign-up sheets. Google Drive doesn’t provide that granularity or flexibility that we have said is a limitation of the controls of many SaaS applications.
With so few options, it would hardly be shocking if a similar situation arises again, given the limited options available in Drive and similar, widely used applications.
A better approach
No SaaS administrators, security personnel or IT administrators should rely on notification from high school students – or users of any sort – to become informed of a breach. That should be an automated message, driven by a platform with enough sophistication to quickly determine the vulnerability and shut it down quickly. On the flip side, the security measures should not be so strict as to prevent normal business operations, including sanctioned collaboration via sanctioned SaaS applications. That is, policies should be readily available to balance the need for protection and the normal, expected flow of information.
And given that rarely does an organization rely on just a single SaaS application these days, the platform monitoring and remediating such threats should be able to watch all the apps at once and allow administrators to remove unwanted access across one or more apps in open single action.
Guess what? Just such a platform exists today: the DoControl platform. We’ll be happy to give you a demo – there are no prerequisites for this class!
