Addressing the risks of using bulk remediation with Google Drive [Q&A]
Bulk remediation in Google Shared Drives can be useful in removing unneeded permissions, revoking expired access and ensuring that data remains secure.
But it can also present significant challenges due to the complex nature of managing permissions across a large number of files and users. Administrators face the difficulty of ensuring accurate and appropriate access levels for each file and user.
We spoke to Adam Gavish, CEO and co-founder of DoControl, to discuss the risks of bulk remediation and how to address them.
BN: What are the associated data risks when using Google Drive and shared documents?
AG: Many organizations use Google Drive to store and exchange company files internally and externally. Due to the collaborative nature of Google Drive and shared documents, these files can be accessed easily by the public, held externally with vendors, or shared within private emails. As companies scale with more employees and shared drives, their data risk exposure exponentially increases. When using Google Drive, shared files can enable business-critical data exposure that could potentially get into the wrong hands.
For example, let's say an organization recently laid off a remote employee that shared work files externally with their private email. After leaving the company, the former employee will still have access to this company data. Even worse, if they begin working for a competitor, they could easily grant their new employer access to the sensitive company files, reports, and data. In most cases, once internal links are publicly shared with an external source, the owner of the file cannot see who else it was shared with. This poses a critical security risk as anyone, including bad actors or competitors, can easily steal personal or proprietary information within the files.
BN: What trends have you seen exacerbating this issue?
AG: Smaller-sized companies tend to underemphasize their risk of data exposure when sharing files externally. Even if an organization only has a small number of employees, it only takes one publicly shared asset to expose the company's private data.
Additionally, the growing adoption of Software as a Service (SaaS) applications and digital transformation are exacerbating this problem. In today's digital age, companies are becoming more digitized and shifting from on-premises or legacy systems to the cloud. As they increase company size and the number of SaaS applications used, more company data will be stored in the cloud. This increases the likelihood of public exposure as the data can be easily shared with external sources.
BN: How can organizations best protect themselves from this risk?
AG: Organizations looking to protect themselves from this risk should look to bulk remediate their data security. By bulk remediating, IT leaders can quickly ensure a large amount of sensitive company files remain private and are unable to be accessed by third parties without explicit permission. This is a quick way to guarantee data security as organizations scale and become more digital.
IT admins can use a bulk remediation solution to categorize each internal file by level of exposure. Once the most at-risk assets are identified, they can decide where to prioritize remediation and remove permissions accordingly. According to a company’s compliance regulations, they can also automate workflows to remove external access for files after a set amount of time.
BN: Can you explain the challenges IT admins face when trying to 'bulk remediate'?
AG: As an organization grows, they will likely retain more employees, vendors, and shared drives. When attempting to remediate inherited permissions for multiple files, administrators face the difficulty of ensuring accurate and appropriate access levels for each file and user. It requires meticulous planning and a thorough understanding of the existing permission structure to avoid unintended consequences.
Coordinating and executing bulk remediation actions can also be time-consuming and resource-intensive, particularly when dealing with shared drives that contain a vast amount of files and multiple cloud, developer, security, and IT teams with diverse access requirements. The process becomes even more intricate when trying to strike a balance between minimizing disruption to users’ workflows and enforcing proper data security measures.
BN: What advice can you give to organizations trying to mitigate SaaS data security and manage file permissions?
AG: Organizations looking to mitigate their SaaS data security and manage file permissions should first understand their current risk exposure and the number of shared files and SaaS applications that are being used within the company. This will help them prioritize remediating access to documents that contain sensitive information or PII which need to quickly be remediated. Once IT teams have visibility of their level of data exposure, they should identify an automated bulk remediation solution that will help them quickly manage complex file permissions. This will ensure that all security gaps are closed quickly. As companies scale, they should look for flexible solutions that will help them automatically remediate these vulnerabilities to save time and money.
Additionally, companies should ensure they are only using SaaS applications that are up to their specific security standards. This is crucial to not only avoid sensitive data exposure, but also comply with federal business compliance regulations. IT admins should reassess each quarter their overall data posture and whether current SaaS applications are properly securing their private assets. Automation workflows within specific bulk remediation plans should be continuously updated to ensure companies are not missing security blind spots.
Each organization has different standards and policies that they will determine as best practices to keep their internal files and data safe. As the world becomes increasingly digital and the demand for SaaS applications exponentially grows, it is important for businesses to ensure they are not leaving their sensitive data exposed to third parties. Those that fail to remediate their SaaS security might be the next victim in a significant data breach.
Image credit: Wavebreakmedia/depositphotos.com