SaaS in the Real World

Collaboration is the essence of SaaS applications. This word or some form of it appears in the top two headings of the Google Workspace home page. You’ll find it six times on the Microsoft 365 home page, three times on Box, and once on Workday. Visit almost any SaaS site and you’ll likely see “collaboration” appear as part of the app’s main selling point.

Being on the cloud makes collaborating with others easier than ever, as content within your applications can be shared instantly.

However, that shareability is a double-edged sword. The other edge is sensitive links turning up on easily accessible public websites. From competitors trying to glean trade secrets to whistleblowers passing inside information to reporters and legislators, leaked documents can cause a lot of damage. As essential as collaboration is to SaaS, sharing links creates a high-risk situation that can become a real breach, and that risk can be mitigated with good processes.


File and document sharing

M365, Salesforce, Google Workspace, and Box use slightly different terminology, but there are basically two ways to share files and documents from SaaS applications. The file owner can make the resource available to specific users or to “anyone with the link”.

Sharing files with specific users can be tedious and time consuming. As the file is passed on to various stakeholders, the file owner must add each new user as needed. When working with external vendors, you will need to coordinate with the vendor’s contacts to understand who will be working with the files. Each user’s email address must be added individually, and if someone is missing, the file owner must go back to the sharing settings and add them.

Sharing files with anyone who knows the link is much less cumbersome. Document owners can simply copy the link, send it to the vendor, and forget about managing the document. In addition, recipients often request access from private accounts (e.g., Gmail addresses) rather than from business-monitored email accounts. This could be because the external vendor only has a private domain, or because they are also logged in to a private account and have mistakenly requested access from it.

However, as tempting as it is to freely share the link, doing so leaves the document primed to be leaked. The link can be opened from any account, not just the intended recipient’s, so the danger of a leak grows with every person the link is forwarded to.

Google Drive, Microsoft Sharepoint, NYC Schoolchildren

New York City school officials learned the hard way about the dangers of link sharing. In 2021, school officials confirmed a data breach involving sensitive information on more than 3,000 students and 100 staff members in the NYC public school system. The data was exposed through student access to Google Drive.

The story came shortly after a Microsoft SharePoint breach in which a student doing homework came across a draft document discussing when schools would reopen in the wake of COVID-19. The letter included details of testing policies, quarantine policies and other information that the school system was not ready to make public. This data was exposed because of insecure document sharing settings.


Google Forms in the military

School officials aren’t the only ones who need to be careful with shared links. In 2021, a military unit asked soldiers to complete a Google Form about COVID-19 vaccines. Each soldier entered their name and ID number and answered questions about the coronavirus.

However, the creators of the Google Form had allowed respondents to see the results. Anyone with the link could access the soldiers’ names and ID numbers. The data was listed chronologically, which made it easy to group specific soldiers by unit. All of it was accessible to anyone with a browser and the link.

The unit removed the form after being warned, but it is impossible to know how far the data had already spread.

Box files published to the world

According to TechCrunch, in 2019 security researchers discovered that dozens of companies had exposed sensitive business and customer data stored in Box. Using a script that scanned Box accounts, the researchers found that more than 90 companies, including Box itself, were allowing data to be viewed by anyone with the link.

Companies such as Amadeus, Apple, Edelman, and Herbalife exposed customer names and contact information, project proposals, donor names, patient information, and more. This information could easily have been protected if the companies had used the access controls available within the platform.

Best practices for preventing data leaks and data loss

The data held in a SaaS app resides in the cloud, but it does not need to be exposed to anyone with a link. Security-conscious organizations should follow these guidelines to keep that data safe.

Share files with specific users – Requiring users to log in before accessing data greatly reduces the potential for data misuse.

Add an expiration date to your shared links – Most documents and files are shared and eventually forgotten, so companies don’t even realize they are at risk. An expiration date on the link means that oversight won’t hurt the company.

Password-protect all links – Add a layer of data security by requiring a password for all externally facing files.

Create a resource inventory – List all corporate resources in one place, including the sharing settings for each file, so that security teams have a single view from which to assess risk and exposure.

Any unprotected link may expose your data. As the person sharing a link, you cannot know the hygiene of the recipient’s device, whether they will forward the link to others, or even who else has access to their email account. Securing links is one of the main safeguards available to limit this risk.

Another way to prevent over-sharing of links is automation with an SSPM (SaaS Security Posture Management) solution. An SSPM like Adaptive Shield helps organizations protect against data loss by identifying which resources are publicly shared and at risk. It can also identify resources that have been shared with no expiration date or that are set to allow guests to share items onward. Once the security team can see this attack surface, they can fix and protect the links as needed.
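The best-practice list above and the SSPM description amount to the same set of checks run over a sharing inventory: is the link open to anyone, does it lack a password, does it ever expire, can guests reshare it, and is it shared with personal or external accounts. The following Python script is an added example, not code from the original article or from Adaptive Shield; it runs those checks over a constructed inventory. The record fields, the corporate and consumer domain lists, the 90-day staleness threshold and the sample files are all assumptions made for the example rather than any vendor’s real API or data.

```python
"""Audit a SaaS file-sharing inventory for risky link settings (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumptions for this example: the organisation's own domain(s), a list of
# consumer mail providers, and a policy threshold for "forgotten" links.
CORPORATE_DOMAINS = {"example.com"}
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
MAX_LINK_AGE_DAYS = 90
TODAY = date(2023, 6, 1)  # constructed "as of" date so the audit is reproducible


@dataclass
class SharedResource:
    """One file as an admin API or SSPM export might describe it (field names assumed)."""
    name: str
    owner: str
    scope: str                       # "private", "specific_users" or "anyone_with_link"
    shared_on: date
    expires_on: Optional[date] = None
    password_protected: bool = False
    guests_can_reshare: bool = False
    collaborators: List[str] = field(default_factory=list)


def audit(r: SharedResource, today: date = TODAY) -> List[str]:
    """Return policy findings for one resource; an empty list means compliant."""
    findings: List[str] = []
    if r.scope == "anyone_with_link":
        findings.append("PUBLIC_LINK: anyone with the link can open this file")
        if not r.password_protected:
            findings.append("NO_PASSWORD: public link is not password protected")
    if r.scope != "private":
        if r.expires_on is None:
            findings.append("NO_EXPIRY: shared link never expires")
        age = (today - r.shared_on).days
        if age > MAX_LINK_AGE_DAYS:
            findings.append(f"STALE: shared {age} days ago and likely forgotten")
    if r.guests_can_reshare:
        findings.append("GUEST_RESHARE: external guests may share this item onward")
    for email in r.collaborators:
        domain = email.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS:
            findings.append(f"PERSONAL_ACCOUNT: {email} is a consumer mail account")
        elif domain not in CORPORATE_DOMAINS:
            findings.append(f"EXTERNAL: {email} is outside the organisation")
    return findings


def build_inventory(resources: List[SharedResource], today: date = TODAY) -> Dict[str, List[str]]:
    """The single-view inventory: every resource name mapped to its findings."""
    return {r.name: audit(r, today) for r in resources}


def risky(inventory: Dict[str, List[str]]) -> List[str]:
    """Names of resources with at least one finding, for the remediation queue."""
    return sorted(name for name, f in inventory.items() if f)


def count_by_code(inventory: Dict[str, List[str]]) -> Dict[str, int]:
    """How often each finding code occurs across the inventory."""
    counts: Dict[str, int] = {}
    for findings in inventory.values():
        for f in findings:
            code = f.split(":", 1)[0]
            counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample inventory, loosely mirroring the incidents in the article.
SAMPLE = [
    SharedResource("reopening-draft.docx", "principal@example.com", "anyone_with_link",
                   shared_on=date(2023, 1, 10)),
    SharedResource("vaccine-survey-responses.csv", "admin@example.com", "anyone_with_link",
                   shared_on=date(2023, 5, 20), expires_on=date(2023, 6, 30),
                   password_protected=True, guests_can_reshare=True),
    SharedResource("vendor-contract.pdf", "legal@example.com", "specific_users",
                   shared_on=date(2023, 5, 25), expires_on=date(2023, 7, 1),
                   collaborators=["alice@example.com", "bob@gmail.com",
                                  "carol@vendor.example.net"]),
    SharedResource("internal-notes.txt", "cto@example.com", "private",
                   shared_on=date(2022, 1, 1)),
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE)
    for name in risky(inv):
        print(name)
        for finding in inv[name]:
            print("  -", finding)
    print(count_by_code(inv))
```

The private file is never flagged even though it is old, because staleness only matters once a link exists; the public survey still surfaces as a finding despite its password and expiry, because guests can share it onward. Swapping the constructed `SAMPLE` list for records pulled from a real admin API turns the script into the inventory the best-practice list asks for.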


