The average organization today uses 214 file sharing and collaboration services, one of the many indicators of the massive adoption of this space. As enterprises take to the cloud to collaborate, security and governance of shared information remains a primary concern. 16.2% of the files uploaded to cloud file sharing services contain sensitive data, including Personally Identifiable Information (PII) such as Social Security Numbers and phone numbers, Protected Health Information (PHI) such as patient diagnoses, medical treatments, payment data, and IP such as source code and trading algorithms. The risk of data loss in the cloud is compounded when sensitive data is shared with unauthorized partners or with emails from personal domains. An average company connects with 1,586 business partners via the cloud, and while 8.1% of business partners are high-risk, 28.2% of data is shared with high-risk partners. Without the right checks and balances on file sharing in the cloud, enterprises make themselves vulnerable to data loss.
To improve controls around collaboration on sensitive content, companies are using Cloud Access Security Brokers (CASBs), which are solutions that act as a control point to enforce security, compliance, and governance policies for cloud services. Enterprises with file sharing and collaboration deployments are increasingly leveraging CASBs to add a layer of protection so they can prevent loss of data due to unauthorized access and achieve governance and compliance.
The latest research from Gartner indicates that by year-end 2018, 50% of organizations with more than 2,500 users will use a cloud access security broker (CASB) product to control SaaS usage, up from less than 5% today. File sharing and collaboration rank among the top categories of cloud services used, so they will be a key consideration as enterprises look to secure their usage. Here are 5 ways in which CASBs are being used by enterprises today to secure their collaboration:
- Secure your existing shared data: Analysis from Skyhigh shows that about 17% of the documents stored in enterprise file sharing and collaboration services such as Box, OneDrive, and SharePoint Online contain sensitive data. While these providers have invested heavily in their security infrastructure, companies may remain vulnerable if confidential data in the cloud can be accessed by unintended parties, either due to incorrect sharing privileges or malicious acts from insiders. So, after a CASB is deployed, enterprises use the on-demand scanning capabilities it provides to scan their cloud deployments for sensitive data such as SSNs, phone numbers, and protected health information. Once such data is detected, companies can take remedial action by revoking access to these files.
- Audit publicly shared data: Cloud file sharing and collaboration services are engineered not just to move file systems to the cloud, but to collaborate easily with internal teams as well as external partners. This capability provides substantial benefits in turning projects around quickly, but also raises some security concerns. When Skyhigh analyzed sharing data in corporate-sanctioned file sharing and collaboration services, we found that 35.7% of documents are shared either internally, with outside collaborators, or both. Of the documents shared externally, 9.2% contain sensitive or confidential information. When collaborating, users may end up selecting incorrect sharing privileges for sensitive files, opening them up to unauthorized parties. For example, when users create links to files and folders, it is difficult to control how broadly the link is shared and who is accessing the data. So, when companies deploy CASBs, they use the solution to detect all the files that are open for public access and scan them for sensitive data. This way, the company is aware and can immediately revoke access to the sensitive files shared broadly.
- Blacklist/whitelist sharing domains: In a recent mega breach affecting CVS, Costco, Walmart, RiteAid, and Tesco, the common point of vulnerability was a third-party vendor that provided photo processing websites and services to these retailers. Hackers leveraged the trusted connections that this vendor had to compromise the retailers’ systems. This, along with other breaches, has caused companies to increase scrutiny on how they collaborate with agencies, consultants, suppliers and other external parties, and ensure that data is exchanged with authorized partners only. One way enterprises are enforcing controls on external collaborators is by using a CASB to maintain a ‘whitelist’, a list of domains that employees can share information with. They usually start off with only their domain name on the list and augment it with domain names of trusted partners as sharing requests come in. A large multi-national firm is using this process and scaling it using automated custom workflows, where their app cross-checks a list of existing partners to authorize the addition of a new partner name to the whitelist.
- Enable sharing by users or groups: To minimize risk of data loss, some companies limit privileges based on business units. This way, teams that frequently work with external agencies, such as marketing and support, have more sharing privileges than other teams such as engineering and payroll. Leading CASB solutions allow companies to implement this policy seamlessly by integrating with the company’s Active Directory (AD) and LDAP systems, thus enabling IT to enforce sharing policies at a business unit level or a user level. This integration with AD is beneficial to companies from a threat detection standpoint as well. The CASB can provide insight into which business units (or users) are sharing sensitive information, so companies can take remedial measures to prevent unauthorized access if required.
- Enforce cloud sharing policies: Enterprises have spent millions of dollars to implement DLP systems on-premises, but these systems are often ineffective in securing collaboration. They operate within the enterprise perimeter and usually have no visibility into the cloud. Furthermore, encrypted data and link sharing make it difficult for these systems to accurately parse data and enforce policies. So, enterprises use CASBs to extend their DLP policies to cloud services, and create contextual collaboration policies that leverage DLP to classify data and then enforce collaboration controls based on the classification of the data. In addition to detecting and remediating sensitive data shared using collaboration services, companies are also enforcing policies that prevent downloading of shared data to unmanaged devices. The recently discovered Man in the Cloud attacks, which allow hackers to access data from cloud file sharing applications via sync clients, could be avoided by applying the appropriate DLP policies to shared data.
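The public-link audit, domain whitelist and DLP classification described in the list above can be combined into a single policy decision per shared file. The following is an added example, not code from Skyhigh or any CASB product; the record fields, domain names and sample shares are constructed assumptions.

```python
import re

# US SSN shape, excluding ranges that are never issued
# (area 000/666/9xx, group 00, serial 0000) to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PHONE_RE = re.compile(r"(?<!\d)\d{3}[-. ]\d{3}[-. ]\d{4}(?!\d)")

def classify(text):
    """Return the set of sensitive data types found in a file's text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if PHONE_RE.search(text):
        found.add("phone")
    return found

def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_share(share, allowed_domains):
    """Decide 'allow', 'review' or 'revoke' for one sharing record."""
    allowed = {d.lower() for d in allowed_domains}
    outside = sorted({domain_of(r) for r in share["recipients"]} - allowed)
    sensitive = sorted(classify(share["text"]))
    # Exposed: reachable by public link or by a non-whitelisted domain.
    exposed = share["public_link"] or bool(outside)
    if sensitive and exposed:
        action = "revoke"   # sensitive data reachable by unapproved parties
    elif exposed:
        action = "review"   # broad sharing, nothing sensitive detected
    else:
        action = "allow"
    return {"file": share["file"], "action": action,
            "sensitive": sensitive, "unapproved_domains": outside}

# Constructed sample data (hypothetical whitelist and sharing records).
ALLOWED = ["example.com", "partner.example"]
SHARES = [
    {"file": "payroll.csv", "public_link": False,
     "recipients": ["bob@personal-mail.example"], "text": "Jane Doe 123-45-6789"},
    {"file": "roadmap.pptx", "public_link": True,
     "recipients": [], "text": "Q3 launch plan"},
    {"file": "contacts.txt", "public_link": False,
     "recipients": ["Ann@Partner.Example"], "text": "call 555-010-0199"},
]

if __name__ == "__main__":
    for s in SHARES:
        print(audit_share(s, ALLOWED))
```
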
Enterprise file sharing and collaboration is a billion-dollar industry that is poised to see significant growth as more enterprises look to leverage the benefits of cloud-based collaboration. At the same time, enterprise spend on information security is going up, with cloud being one of the drivers. As companies look to collaborate securely, they are using CASBs to impose the right level of controls and governance without impacting user productivity. The seamless blending of collaboration with security is a theme that will be widely discussed and explored as we head to Boxworks. If you are interested in digging deeper, come talk to the leading CASBs at the event.