min read

Your 3rd Party Collaborators Share Your Company's Data with 4th Parties

Exponential growth is great for business in many ways: Start-ups work around the clock in the hopes of catching fire in their marketplace; investors make big bets on companies to increase the value of their portfolios by orders of magnitude; influencers try to create viral waves to see their list of followers blow up.

But not all exponential growth is good. Especially when it comes to trying to control unmanaged SaaS data access by parties external to your company.

What is 4th-Party Data Access?

4th-party data access occurs when an external party to your company shares your files or data with another party that is external to them. Such data access is an unfortunate and common side effect of SaaS collaboration. Collaboration via SaaS is just short of a modern miracle, but there’s a fine line to be drawn between easy business enablement and wildly out-of-control data access. 

Did you know that, on average, companies that allow external sharing of SaaS data assets have data that has been exposed to 42 4th-party domains? This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.

Some 4th-party access can be legitimate and necessary. Sometimes a service provider or contractor needs to bring in external expertise and resources in order to get the job done for your company. For example, your external corporate event planner has access to a spreadsheet containing the names, family members, phone numbers and home addresses of your workforce. The event planner partners with an independent Etsy retailer to create and deliver hand-made invitations. The event planner needs to share the recipients’ information with the retailer so the invitations are sent to the right people and places. Intentions aside, in this example, a verified third party has now shared company data with an unvetted fourth party. 

In too many cases, though, 4th-party access is a result of careless or unintended data access, opening the company up to unimagined data exfiltration.

How does unintended 4th-party sharing happen?

A project may require collaboration with vendors who contract their own freelancer specialists. Ongoing sharing of assets in progress requires a significant amount of manual data-access intervention. Controlling the data access to from 1st to 3rd to 4th party – on a single project – gets complex and arduous very quickly. 

Thus, the easier, less involved and more often traveled route: Enabling sharing for anyone with a link. 

Negligent, or unintended data sharing can fly under the proverbial radar with shocking ease. For example, an external party tries to access a Google Workspace file on their personal device; the device defaults to their personal credentials and automatically sends a request for access to the file’s owner; the owner recognizes the requester and grants access, but doesn’t realize the request is for access via personal credentials; data access is now out of control. 

What does intentional 4th-party sharing look like and what are the dangers?

Here is a very common scenario. You share a purchase order with a potential customer through a File Sharing SaaS platform (i.e Google Drive). That customer shares that purchase order with their attorneys using the same SaaS app. From this moment, you have a 4th party (attorneys) that was never screened through a 3rd party risk assessment and now exposed to your company data (the purchase order) containing sensitive information (pricing, discounts, etc). In many cases, 4th parties may not meet your security requirements which can result in leaking your company data. If those attorneys don’t have MFA set up, their SaaS account can be taken over which puts your company data in the hands of the wrong entity.

What’s a SaaS-dependent company to do?

SaaS collaboration is a fact of modern business. Manually trying to wrangle unmanaged data access across a portfolio of SaaS apps is a fool’s errand. Companies need automated intelligence to identify 4thy-party exposure and shut down unwarranted access. They need a purpose-built platform that can perform a complete SaaS data inventory to locate files, identify ownership, understand access and remediate problematic sharing. 

DoControl purpose-built that centralized platform so you can view all your SaaS apps, assets and permissions; monitor the threats they pose; enforce policies more granular than the apps’s native features allow for; and automate remediation of intentional, accidental and downright negligent SaaS asset sharing. To learn more, let’s talk.

Adam Gavish is the Co-Founder and Chief Executive Officer of DoControl. Adam brings 15  years of experience in product management, software engineering, and network security. Prior to founding DoControl, Adam was a Product Manager at Google Cloud, where he led ideation, execution, and strategy of Security & Privacy products serving Fortune 500 customers. Before Google, Adam was a Senior Technical Product Manager at Amazon, where he launched customer-obsessed products improving the payment experience for 300M customers globally. Before Amazon, Adam was a Software Engineer in two successfully acquired startups, eXelate for $200M and Skyfence for $60M.

Adam is a lifetime information geek, breaking down business and technical problems into components to generate long-term learning. He loves running outdoors, playing with LEGOs with his son, and watching a good movie with his wife.

Adam holds a B.S. in Computer Science from the Academic College of Tel-Aviv Yafo and an MBA from the Johnson Graduate School of Management at Cornell University.

Get updates to your inbox

Our latest tips, insights, and news