Secure data sharing has historically posed significant challenges for enterprises. This third entry in my blog series on the 2023 State of SaaS Security Report (the intro blog is here, and the second, focused on SaaS breaches, is here) delves into the hurdles faced by organizations governing data. This post explores legacy methods of data sharing (email attachments, file transfer software and sync & share solutions) as well as modern, cloud-based SaaS methods. Along the way, organizations have been challenged by a lack of effective shared data lifecycle management, which is borne out in the findings of the report. For example, on average, 90 percent of a company’s external data shares haven’t been accessed for more than 90 days.
The Dark Ages of Data Sharing
When I first started in cyber security in the early 2000s, protecting data and sharing securely were difficult challenges for enterprises along multiple dimensions:
Email often imposed attachment size limitations. This was often frustrating, as there was no standard on maximum attachment size. Every organization could set a different limit, or live dangerously and set no limit at all! I once saw an Exchange cluster go down because someone tried sending a 1 gigabyte Microsoft Access database to 32 internal recipients.
The result was that email was down for the entire organization for most of the day. Incredibly, we couldn’t find any elegant solution to this problem at the time. The best way to prevent a single employee from taking down the entire organization’s comms was user education. A lack of file size awareness was a critical availability risk to the organization!
File Transfer Software
Dedicated file transfer products like Filezilla, MOVEit, and Accellion made it easier to share or send large amounts of data without trusting a third party, but placed all the risk in the hands of the sender. Easily guessable, or shared credentials were often abused to explore FTP servers and other file transfer servers. More recently, vulnerabilities have had a massive impact on the customers of these products, affecting hundreds, if not thousands of organizations.
There’s now an alternative to this nightmare: let someone else manage the file transfer software.
Enterprise File Sync and Share
One of the earliest file, sync, and share software startups, Box, envisioned a future where files would be synchronized between devices, saving users the trouble of remembering where they put things, or having to constantly transfer files between devices. As this category of products matured, it became a core pillar of what end users think of as “the cloud”, with a copy of all files stored by a third party.
This architecture made sharing a very simple process, regardless of the size or quantity of files. Today, sharing files is a simple, routine task. While this new level of convenience removed the need to manually organize data, we also began to lose awareness of what data was being stored or synched.
The Golden Age of Data Sharing
Today, the simplicity of cloud-based SaaS data sharing creates a significant productivity boost and virtually eliminates the need for legacy file sharing methods. Files can be shared within seconds, eliminating the need for downloading. Products like Google Drive, Dropbox, Box and OneDrive allow recipients to directly edit or review files in their browsers, facilitating real-time collaboration. Simultaneous file editing or reviewing has become a standard practice in business workflows.
However, with this power comes a corresponding responsibility. Every individual employee must apply the principle of least privilege when sharing data. In reality, most business professionals are unfamiliar with the term 'least privilege'. They typically opt for the "anyone with the link" option, as it seems hassle-free. Choosing any other option poses potential access control issues that require troubleshooting, which is time-consuming and undesirable when a seemingly effortless and universally functional option exists.
Adding to this challenge, more and more SaaS tools support external data sharing. Most of us associate data sharing with products that have ‘drive’ and ‘box’ in the name, but SaaS platforms like Zoom, Monday, Notion, GitHub and even Salesforce now have options to share data externally.
Due to a lack of use, current data share controls are no more effective now than they were in the dark ages of data sharing.
The Path Ahead For Data Sharing Control
Note that this section isn’t titled “the path back to data sharing control”. As mentioned earlier, most organizations have never had much control over data. File servers were dumping grounds for data. Exfiltration was possible over a myriad of methods: removable media, file transfers, email, SaaS, cloud, and more. This current age of API-enabled cloud and SaaS is the first real opportunity to exercise some control over how data is accessed and shared.
Data sharing is missing a lifecycle management component. Our work with customers shows that one of the most common data-sharing use cases is single-use sharing. Someone needs to share data once, perhaps for a single meeting or project. Ideally, the data share should be revoked as soon as it is no longer needed, but that doesn’t typically happen. Data assets are often shared indefinitely, whether it’s necessary or not.
Our research data shows some clear patterns. On average, 90 percent of a company’s data shares haven’t been accessed for more than 90 days. These shared resources represent risk to the organization, but sit abandoned and unused. This is 90 percent of an average of 193,000 shared assets per company, or 54 shared assets per employee. Additionally, 30 percent of these shared assets are shared with a personal (not corporate or B2B) account, such as a GMail, iCloud or Outlook.com account.
There’s a clear opportunity to actively manage the lifecycle of shared data assets. SaaS APIs make it possible to identify unused sharing, notify employees of the issue and/or automatically unshare them when they are no longer needed. It’s a win/win for organizations, as employees won’t miss what they’re not using, and the organization painlessly reduces risk without imposing significant overhead on the security team.
Check out the 2023 State of SaaS Security Report
These are just a few highlights from this year’s State of SaaS Security report from Valence Threat Labs! This blog series will continue to explore and share interesting insights from the report, but why wait? Check out the full report for more details and real-world examples of SaaS breaches now!