Collaboration is a strong selling point for SaaS applications. Microsoft, Github, Miro and others promote the collaborative nature of their software applications, enabling users to do more.
Links to files, repositories, and boards can be shared with anyone, anywhere. This encourages teamwork, helping to create stronger campaigns and projects by encouraging collaboration among employees dispersed across regions and departments.
At the same time, the openness of data SaaS platforms may also be problematic. A 2023 survey by the Cloud Security Alliance and Adaptive Shield found that 58% of security incidents in the past two years involved data breaches. Obviously, sharing is good, but data sharing must be limited. Most SaaS applications have mechanisms to control sharing. These tools are very effective in ensuring that company resources are not publicly visible on the public Internet. This article explores three common data breach scenarios and recommends best practices for secure sharing.
Learn howView files shared publicly from SaaS
Make proprietary code public
GitHub repositories have a long history of leaking data. These breaches are often caused by user error, where a developer accidentally exposed a private repository, or an administrator changed permissions to facilitate collaboration.
GitHub leaks have affected major brands, including X (formerly Twitter), whose platform’s proprietary code and internal tools were leaked online. GitHub breaches often reveal sensitive secrets, including OAuth tokens, API keys, usernames and passwords, encryption keys, and security credentials.
When proprietary code and company secrets are leaked, it can put business continuity at risk. Securing the code in your GitHub repositories should be a top priority.
The surprising risks of making your calendar public
On the surface, publicly shared calendars don’t seem to pose much of a security risk. The calendar does not contain sensitive information. In fact, they contain a treasure trove of information that organizations don’t want to fall into the hands of cybercriminals.
The calendar contains meeting invitations with video conferencing links and passwords. Making this information available to the public may result in unwanted or malicious attendees attending your meeting. The calendar also includes agendas, briefings, and other sensitive material.
Information in the calendar can also be used for phishing or social engineering attacks. For example, if a threat actor with access to Alice’s calendar discovered that she had a call with Bob at 3 o’clock, the threat actor could pretend to be Alice’s assistant and call Bob and ask Bob to email some sensitive information before the meeting .
Work with external service providers
While SaaS applications simplify collaboration with agencies and other service providers, these collaborations often involve members who are short-lived on the project. Unless managed, shared files and collaboration boards make these materials readily accessible to everyone working on the project.
Project owners often create a username for the organization or share key documents with anyone who has the link. This simplifies management and saves money on license fees. However, the project owner has given control to those who can access and process these materials.
Not only can anyone on the external team access proprietary project files, but if they remember their username and password, they often retain that access after they leave the company. When a resource is shared with anyone with a link, they can easily forward the link to their personal email account and access the file at any time.
Figure 1: Users retain access to shared Google Docs even if the employee who shared the document leaves the company |
Discover which configurations expose your data to the public.
Best practices for secure file sharing
Resource sharing is an important aspect of enterprise operations. SaaS security company Adaptive Shield recommends that companies follow these best practices when sharing files with external users.
- Always share files with individual users and require some form of authentication.
- Never share via “Anyone with the link.” Administrators should disable this feature if possible.
- When allowed by the application, add an expiration date to shared files.
- Added expiration date for file sharing invitations.
- Remove sharing permissions from any public files you no longer use.
Additionally, organizations should look for a SaaS security tool that can identify publicly shared resources and flag them for remediation. This feature will help companies understand the risk they take on publicly sharing files and guide them in protecting any files at risk.
Learn how Resource inventory All publicly accessible resources can be identified.