min read
Jul 9, 2021

The Hidden Danger of External Sharing via SaaS Apps

Without thinking about it, most of us whose jobs require collaboration with external parties have been putting our organizations at risk. We’ve taken to SaaS applications in a big way, by sharing sensitive documents and other assets using Box outside our company, inviting contractors and service providers into our Slack channels, or collaborating with external development partners via GitHub.

Those activities seem harmless enough, but DoControl has found danger lurking in these collaboration channels. They provide an opportunity for others to gain access to your corporate data and use it for all the wrong reasons. 

Based on an analysis of our customers’ environments, about 18% of data in SaaS applications is exposed to external collaborators, most of which do not need the access anymore. Of the companies that allow document owners to grant public access, about 2 percent of their SaaS assets are shared publicly. That may sound like a really low rate, but the threat is significant due to the extensive use of SaaS applications to create millions of files common in even modestly sized organizations. A company of just 1,000 employees may be providing public access to up to 200,000 SaaS assets, which means they’re tolerating up to 200,000 potential incidents of data exposure.

Are we advocating for a retreat from collaboration through SaaS applications? Absolutely not. They’re part of the landscape now, and trying to uproot them would result in a less-fertile business environment and stunted growth. 

The many SaaS apps to track 

Consider the way a new marketing campaign may be executed these days with external partners, such as subject-matter consultants, project managers, creative agencies and development experts. All of these parties are going to need to be kept abreast of the stages of the project, potentially using Microsoft 365 products, Teams, SharePoint, Box and others. In no time, data access is being granted to numerous external people or organizations via multiple SaaS applications. 

Or consider a document that contains sensitive legal information, that is shared with a single point of contact at an external legal advisor assisting on some work beyond the company’s internal expertise. Asked to share the information with others in their firm, a company employee changes permissions to allow anyone with a link to see the sensitive document. Once that asset is shared throughout the vendor group, it’s too easy for someone else in that organization to share the document with absolutely anyone else.

Are there controls in the SaaS apps themselves to guard against such unintended sharing? To a degree, yes, but they’re quite limited. Most do not give a company visibility into who has access to the company information. Nor do they allow the company to quickly remediate all access to a particular user of the entire domain. And even if they worked better than they do, there’s still a tremendous amount of manual time and effort that has to go into applying the native controls of so many separate SaaS applications.

 

Relationships don’t last forever

Given all the sharing we discussed above, it’s easy to see how data exposure in SaaS applications can grow to unmanageable levels. It's important to understand that the greater risk to your data being exfiltrated really stems from the exposure of your data to vendors and collaborators you no longer work with. Once projects have been completed, contracts have been terminated, or vendors have been replaced, their access to the data in these systems is very often left exposed.

We stated above that 18% of data in SaaS applications is exposed externally, but further analysis shows that the access to the vast majority of that data ends after just a couple weeks. In today’s agile environments, projects are often broken up into stages and each stage is completed very quickly. Once completed and the teams have moved onto the next phase of a project or that particular business relationship ends, access to those assets used for collaboration is no longer necessary but the access is rarely ever remediated.

All this collaboration leads to a cascading situation of data access to valuable information, where access is no longer needed as the relationships have ended. Given the dynamic nature of these projects and partnerships, it becomes an unmanageable task for security and IT teams to continually remediate access to data in all your SaaS applications.


The need for centralized SaaS data-access control

As we have noted in other blogs, keeping track of the threats posed by your SaaS applications is a daunting task. Our previous post highlighted how significant internal threats are on their own. Adding on the dangers posed by external threats as we’ve shown here should make it even more evident that the status quo won’t work.

DoControl gives you a complete inventory of your SaaS applications being shared externally, as well as internally. With that, you can keep watch on activities and deploy access policies in broad or narrow methods to trigger automated processes and limit data exposure. And so equipped, you and your company can continue to take advantage of the many benefits of SaaS applications without all the dangers that by now should be increasingly clear. We’d be more than happy to help you get a better understanding of DoControl and how our solution can help you relax about data access control for your SaaS apps. Use this contact form to get in touch. We look forward to hearing from you.

Adam Gavish is the Co-Founder and Chief Executive Officer of DoControl. Adam brings 15  years of experience in product management, software engineering, and network security. Prior to founding DoControl, Adam was a Product Manager at Google Cloud, where he led ideation, execution, and strategy of Security & Privacy products serving Fortune 500 customers. Before Google, Adam was a Senior Technical Product Manager at Amazon, where he launched customer-obsessed products improving the payment experience for 300M customers globally. Before Amazon, Adam was a Software Engineer in two successfully acquired startups, eXelate for $200M and Skyfence for $60M.

Adam is a lifetime information geek, breaking down business and technical problems into components to generate long-term learning. He loves running outdoors, playing with LEGOs with his son, and watching a good movie with his wife.

Adam holds a B.S. in Computer Science from the Academic College of Tel-Aviv Yafo and an MBA from the Johnson Graduate School of Management at Cornell University.

Get updates to your inbox

Our latest tips, insights, and news