Without thinking about it, most of us whose jobs require collaboration with external parties have been putting our organizations at risk. We’ve taken to SaaS applications in a big way, by sharing sensitive documents and other assets using Box outside our company, inviting contractors and service providers into our Slack channels, or collaborating with external development partners via GitHub.
Those activities seem harmless enough, but DoControl has found danger lurking in these collaboration channels. They provide an opportunity for others to gain access to your corporate data and use it for all the wrong reasons.
Based on an analysis of our customers’ environments, about 18% of data in SaaS applications is exposed to external collaborators, most of which do not need the access anymore. Of the companies that allow document owners to grant public access, about 2 percent of their SaaS assets are shared publicly. That may sound like a really low rate, but the threat is significant due to the extensive use of SaaS applications to create millions of files common in even modestly sized organizations. A company of just 1,000 employees may be providing public access to up to 200,000 SaaS assets, which means they’re tolerating up to 200,000 potential incidents of data exposure.
Are we advocating for a retreat from collaboration through SaaS applications? Absolutely not. They’re part of the landscape now, and trying to uproot them would result in a less-fertile business environment and stunted growth.
The many SaaS apps to track
Consider the way a new marketing campaign may be executed these days with external partners, such as subject-matter consultants, project managers, creative agencies and development experts. All of these parties are going to need to be kept abreast of the stages of the project, potentially using Microsoft 365 products, Teams, SharePoint, Box and others. In no time, data access is being granted to numerous external people or organizations via multiple SaaS applications.
Or consider a document containing sensitive legal information that is shared with a single point of contact at an external legal advisor assisting on work beyond the company’s internal expertise. Asked to share the information with others in their firm, a company employee changes the permissions to allow anyone with a link to see the sensitive document. Once that asset is shared throughout the vendor group, it is too easy for someone else in that organization to share the document with absolutely anyone else.
Are there controls in the SaaS apps themselves to guard against such unintended sharing? To a degree, yes, but they’re quite limited. Most do not give a company visibility into who has access to the company’s information. Nor do they allow the company to quickly remediate all access held by a particular user or by an entire external domain. And even if they worked better than they do, there’s still a tremendous amount of manual time and effort that has to go into applying the native controls of so many separate SaaS applications.
Relationships don’t last forever
Given all the sharing we discussed above, it’s easy to see how data exposure in SaaS applications can grow to unmanageable levels. It’s important to understand that the greater risk of your data being exfiltrated really stems from the exposure of your data to vendors and collaborators you no longer work with. Once projects have been completed, contracts have been terminated, or vendors have been replaced, their access to the data in these systems is very often left in place.
We stated above that 18% of data in SaaS applications is exposed externally, but further analysis shows that the need for access to the vast majority of that data ends after just a couple of weeks. In today’s agile environments, projects are often broken up into stages and each stage is completed very quickly. Once a stage is completed and the teams have moved on to the next phase of a project, or that particular business relationship ends, access to the assets used for collaboration is no longer necessary, but the access is rarely ever remediated.
All this collaboration leads to a cascading situation of data access to valuable information, where access is no longer needed as the relationships have ended. Given the dynamic nature of these projects and partnerships, it becomes an unmanageable task for security and IT teams to continually remediate access to data in all your SaaS applications.
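As an added illustration (not DoControl’s product or code), here is a small Python check over a constructed SaaS sharing inventory: it measures how much of the inventory is externally or publicly exposed and flags external grants that have gone unused for the couple of weeks described above, unless the grantee’s domain is on a list of still-active partners. The corporate domain, partner list and sharing records are all assumed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

INTERNAL_DOMAIN = "example.com"    # assumed corporate domain
STALE_AFTER = timedelta(days=14)   # "a couple of weeks" without use

@dataclass
class Share:
    asset: str
    app: str
    grantee: str       # email address, or "anyone-with-link" for a public link
    last_access: date  # last time this grantee opened the asset

def grantee_domain(share: Share) -> str:
    return share.grantee.rsplit("@", 1)[-1].lower()

def is_external(share: Share) -> bool:
    """A grant is external if it is a public link or goes outside our domain."""
    if share.grantee == "anyone-with-link":
        return True
    return grantee_domain(share) != INTERNAL_DOMAIN

def exposure_summary(shares):
    """Share of distinct assets with any external grant, and with a public link."""
    assets = {s.asset for s in shares}
    external = {s.asset for s in shares if is_external(s)}
    public = {s.asset for s in shares if s.grantee == "anyone-with-link"}
    return {"assets": len(assets),
            "external_pct": round(100 * len(external) / len(assets), 1),
            "public_pct": round(100 * len(public) / len(assets), 1)}

def stale_external_shares(shares, today, active_partners=frozenset()):
    """External grants unused for STALE_AFTER whose domain is not an active partner."""
    return [s for s in shares
            if is_external(s)
            and grantee_domain(s) not in active_partners
            and today - s.last_access > STALE_AFTER]

# Constructed sample inventory (not real data).
TODAY = date(2024, 3, 1)
SAMPLE = [
    Share("q1-campaign.docx", "box", "pm@agency.example", date(2024, 1, 20)),
    Share("q1-campaign.docx", "box", "alice@example.com", date(2024, 2, 28)),
    Share("vendor-contract.pdf", "sharepoint", "counsel@lawfirm.example", date(2024, 1, 10)),
    Share("legal-memo.docx", "sharepoint", "anyone-with-link", date(2024, 1, 5)),
    Share("roadmap.xlsx", "box", "bob@example.com", date(2024, 2, 29)),
]

if __name__ == "__main__":
    print(exposure_summary(SAMPLE))
    for s in stale_external_shares(SAMPLE, TODAY, frozenset({"agency.example"})):
        print("revoke:", s.app, s.asset, s.grantee)
```

Listing the stale grants per application is the first step to the bulk remediation the native controls lack; the active-partner list keeps live engagements from being cut off by mistake.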
The need for centralized SaaS data-access control
As we have noted in other blogs, keeping track of the threats posed by your SaaS applications is a daunting task. Our previous post highlighted how significant internal threats are on their own. Adding on the dangers posed by external threats as we’ve shown here should make it even more evident that the status quo won’t work.
DoControl gives you a complete inventory of the assets in your SaaS applications that are shared externally, as well as internally. With that, you can keep watch on activities and deploy access policies, broad or narrow, that trigger automated processes and limit data exposure. So equipped, you and your company can continue to take advantage of the many benefits of SaaS applications without the dangers that by now should be increasingly clear. We’d be more than happy to help you get a better understanding of DoControl and how our solution can help you relax about data access control for your SaaS apps. Use this contact form to get in touch. We look forward to hearing from you.