When Sharing Goes Bad
Blog Article Published: 07/31/2014
By Krishna Narayanaswamy, Chief Scientist, Netskope Among the many benefits cloud apps bring is the ability to collaborate. Key to collaboration is sharing data, findings, reports, videos, and other information assets. Whether you’re sharing the latest sales presentation, a link to a customer video, or a win/loss report in a data and analysis app, you’re moving your business ahead by making information transparent and getting your team on the same page. Every quarter, we release a look-back at anonymized, aggregated data across tens of billions of transactions from millions of users in our Netskope Cloud Report. A key theme that emerged this quarter is the activity of sharing. Typically when people think about sharing, what comes to mind is sharing documents like contracts, videos, and Power Points within a cloud storage app like Box, Dropbox, or OneDrive. It is that. In fact, within the cloud storage category, there are 3 shares for every 1 upload. Even more interesting is the fact that sharing is alive and well in nearly every type of cloud app, not just in cloud storage. In the Netskope Active Platform, we analyze 55 different cloud app categories, from customer relationship management to finance and accounting to human resources to supply chain management. We noticed that people share from cloud apps in 49 of those categories. More than one out of every five cloud apps enable sharing. Three popular non-storage apps that enable sharing include financial and human resources app, Workday, project management app, Trello, and productivity app, Evernote. Why should you care? Well, if you’re an IT or security leader, you probably care an awful lot about your organization’s sensitive data. If people are sharing content in the apps in your environment, you need to know about it. Sharing can be very benign or very risky, depending on content and context. It can range from a user sharing pictures from a company picnic to an “insider” sharing non-public financial results with investors, an engineer sharing top secret product designs with collaborators outside of the company, or an executive inadvertently sharing the company’s acquisition plans with an unauthorized party. Our advice is to discover your apps and understand which ones enable sharing. Then look at their risk. The Cloud Security Alliance has a fantastic way of looking at this with their Cloud Controls Matrix (in fact, they just came out with a new version of the matrix, you can find it here and STAR rating system. Then look at the data and sharing patterns. Have a conversation with your business leaders and users so they understand what’s going on and what the risks are. And then triage the riskiest areas first and decide what to do. Maybe the right thing is to set a policy addressing sharing (e.g., no sharing outside of the company if you’re in the “insiders” group in your enterprise directory). Or if policy enforcement isn’t in your company culture, having an informed conversation is the best choice. Either way you slice it, having the intelligence at your fingertips is the best way to start. Know what apps you have, what their risk profile is, which enable sharing, who’s sharing, what they’re sharing, and who they’re sharing with.