Collaboration sits at the essence of SaaS applications. The word, or some form of it, appears in the top two headlines on Google Workspace's homepage. It can be found six times on Microsoft 365's homepage, three times on Box, and once on Workday. Visit nearly any SaaS site, and odds are 'collaboration' will appear as part of the app's key selling point.
By sitting on the cloud, content within the applications is immediately shareable, making it easier than ever to work with others.
However, that shareability is a two-sided coin. On the flip side are often sensitive links sitting on public-facing websites that can be easily accessed. The exposure caused by leaked documents can cause tremendous harm, from competitors trying to gather corporate secrets to whistleblowers sharing internal information with reporters or legislators. As integral as collaboration is to SaaS, sharing links creates a high-risk situation, and real-life breaches, that can be mitigated through the right processes.
Sharing Files and Documents
There are essentially two ways to share files and documents out of a SaaS application, although the terminology used by M365, Salesforce, Google Workspace, and Box is slightly different. The file owner can either make the resource available to specific users or make it available to "anyone with a link".
Sharing the file with specific users can be cumbersome and time-consuming. As the file gets passed to different stakeholders, the file owner needs to add every user as they need it. When working with an outside vendor, that requires coordination with the vendor contact to understand who will be working with the file. Each user's email address needs to be added individually, and if someone is missed, the file owner needs to go back into the sharing settings and add them.
Sharing a file with anyone who has the link is much less cumbersome. The document owner can copy the link, send it to the vendor, and not have to think about document management any longer. Additionally, often people request access from a private account (for example, their gmail email) instead of a business-monitored email account. This could be due to the fact that sometimes external vendors only have a private domain, or it could be they are also logged in to their private account and so they accidentally request access to it.
However, as tempting as it is to share the link freely, doing so primes the document to being leaked. There is no controlling what happens to the file once the link is shared, and users can access the file from any account. The degree of risk that the file can be leaked increases exponentially.
Google Drive, Microsoft Sharepoint, and NYC Schoolchildren
New York City school officials learned the dangers of link sharing the hard way. In 2021, school officials confirmed a data leak that contained sensitive information of over 3,000 students and 100 staff members in the NYC public school system. The data was exposed when a student gained access to a Google Drive.
That story came on the heels of a Microsoft Sharepoint breach, during which a student doing homework stumbled onto a draft document discussing when schools would reopen during COVID-19. The letter included details of testing policies, quarantine policies, and other information that the school system was not ready to release. This data was exposed due to unsecured document-sharing settings.
Google Forms in the Armed Forces
It isn't just school officials who need to be careful with their shared links. In 2021, an armed forces unit asked soldiers to fill in a Google form relating to their COVID-19 vaccines. Each soldier entered their name and ID number, and answered questions relating to coronavirus.
However, the author of the Google Form allowed respondents to review the results. Anyone with the link had access to the soldiers' names and ID numbers. The data was listed chronologically, making it easy to group specific soldiers by their unit. This data was accessible to anyone with a browser and link. After being alerted, the military unit removed the form, but it's impossible to know how far the data leaked.
Box Files Exposed to World
According to TechCrunch, in 2019 security researchers found dozens of companies were leaking sensitive corporate and customer data that was saved in Box. Using a script to scan for box accounts, researchers found over 90 companies – including Box – with data that was visible to anyone with the link.
Companies, which included Amadeus, Apple, Edelman, and Herbalife, exposed customer names and contact information, project proposals, donor names, patient information, and more. This information could have easily been protected had companies used the access controls available within the platform.
Best Practices to Prevent Data Leakage and Data Loss
The data contained in SaaS apps lives on the cloud, but it doesn't need to be exposed to anyone with a link. Security-conscious organizations should follow these guidelines to ensure their data remains secure.
Share files with specific users – Requiring users to login before they can access the data drastically reduces the likelihood of data falling into the wrong hands
Add expiration dates to shared links – Most documents and files are shared and eventually forgotten about, putting companies in a position where they don't even know that they are exposed. By adding an expiration date to the link, that oversight won't come back to hurt the company.
Password protect all links – Add an additional layer of data security by requiring password protection on all external-facing files
Create a Resource Inventory – List all corporate resources in a single place that includes each file's share settings, providing security teams with a single view that enables them to evaluate risk and exposure.
Every unprotected link has the potential to expose data. As the link sharer, it is impossible to know the hygiene of the recipient's device, whether they will share the link with others, or even whether they provide others with access to their email account. Securing links is one of the main ways of protection available to limit this risk.
Another approach to protecting against links being overly shared is the automated method, through use of an SSPM solution. An SSPM, like Adaptive Shield, helps organizations protect against data loss by identifying which resources are being publicly shared and are at risk. It can also identify resources that are shared without an expiration date, or are set to allow guests to share the item. Once the security team is aware of the attack surface, they can remediate and secure the link as needed.