Let’s talk about a certain word and the concept behind it for a second. The word is “granularity.”
You say it’s overused to the point of becoming a buzzword? I won’t argue. But when it comes to SaaS security and data access control, the word and the concept it represents are critically important.
Here’s what I mean: For almost all of the popular SaaS applications, the security controls don’t allow “granularity” in enforcement. They paint their restrictions with a broad brush, covering areas that should remain untouched – or they don’t paint at all. The needs of business and security must be balanced. If they’re not, the security controls are either ineffective or counterproductive.
Let’s take a look at the areas in which granularity – or discrete enforcement, if you prefer – is needed but lacking.
Public sharing of files and data
We’ve laid out in a previous blog post the ways in which security can be compromised on SaaS applications. Public sharing – making files available to the entire public – is one of those areas.
Your organization may want to allow some of your departments to share publicly while prohibiting others. Sales and marketing, for example, can benefit from pushing content to the public quickly. Other departments such as the finance, legal and R&D departments may not want to let any of their files come into public view.
But guess what? For applications such as Google Drive, Microsoft OneDrive, Box and Dropbox, public sharing can either be enabled or disabled. On/off, black/white -- either everyone is allowed to share publicly or no one is.
External sharing of files and data
External sharing is similar to public sharing, but limited to one or more specific partners or outside parties. Your organization may share content with your marketing agency, public relations firm, auditors, media outlets, investors, etc.
Again, the major SaaS applications use a sledgehammer approach to external sharing. You can vanquish external sharing altogether or let everyone share and share alike. There is some ability to control the hammer: Specific external domains might escape its security pounding. But that’s not really helpful.
For example, you probably want to allow your finance department to share only with your auditor, and you likely want to ensure that your external marketing agency or PR firm can only receive material from your marketing or communications department. Or you may want to share information for a limited time, such as letting your R&D department share access to an external manufacturer for a specific product. Leaving access open beyond the time of the project might allow that manufacturing partner to snoop around and discover proprietary information it could pass along to your competitors. And once the file or database access is shared, it may be impossible with the native SaaS application controls to rein it in.
Sharing links to sensitive data internally
Inside your organization, employees may be freely sharing with each other within and across departments in potentially dangerous ways. During budget negotiations, it would be detrimental for everyone to see the information the finance department has assembled, for example, just as HR data should not be shared with anyone outside of that business unit. And a disgruntled employee who’s soon to separate from the company may be grabbing sensitive data that could hurt your organization if it were released externally or taken to a competitor.
Again, having greater control – more granularity – helps circumvent these dangers without impeding internal business needs. At minimum, you’d want to have such links expire after a set time period, as well as the ability to remove sharing links to sensitive assets before their widespread distribution can cause damage.
DoControl’s granular controls provide critical balance
At DoControl, we don’t believe in an either/or set of security features. Business is too nuanced for such heavy-handedness. We’ve designed our platform so you can selectively apply controls as needed – letting marketing share documents publicly while ensuring finance can’t, for example, or restricting R&D updates to key partners externally and internally. You can set auto-expiration dates for data access to any asset that should have limited exposure and shut off access for those no longer having a business need while preserving it for those that still do.
Even if a SaaS application could provide this level of granularity within its native security controls, the problem remains that the controls ONLY affect that single app. DoControl provides such control across ALL your SaaS applications.
Let us show you what we mean with greater, um, granularity in a demo. We look forward to hearing from you.
This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.
We are excited to announce our expansion of DoControl’s integrated technology partnership program to include Datadog. As a leading platform provider for monitoring and security for cloud applications, the integration with Datadog allows security operations teams to have a more holistic view of risk across the mission-critical Software as a Service (SaaS) applications being leveraged to enable business enablement and productivity.
The last time the RSA Conference was a live, in-person event was right before the world as we knew it came to a screeching halt. Every technology vendor did their best to rollout “virtual” events which were in no way comparable to the real thing. Everyone – including all of us here at DoControl – was missing the “human connection.” As a vendor that was “born out of the pandemic,” we were very excited to (for the first time!) meet face-to-face with prospects, customers, peers, partners and more to talk about all things Software as a Service (SaaS) data security.
When it comes to addressing insider risk, security starts within. Protecting sensitive company data from exfiltration and misuse requires a combination of the right people, process, and technology. Managing insider risk and preventing threats to the business is not achieved with any of these pillars individually. Modern businesses require technology that prevents and detects unauthorized access to critical assets; processes to support automated data access remediation; and people that are educated about – and watchful of – potentially risky activity who can course-correct during potentially risky activity. Modern organizations need all three pillars interconnected in order to protect their most critical assets.