Cloud collaboration platforms make sharing easy and security hard. With the recent explosion of remote work and cloud collaboration platforms like Teams, it’s important to understand that the easier it is for users to share data, the harder it can be to spot and fix risks before it’s too late.
I wrote this to help you understand the challenges around protecting data in the cloud, where ease of use and high-velocity collaboration outpace control.
Locking down data exposure on-premises is difficult even though IT staff has more control over how users share data than they do in the cloud. As cloud apps like Microsoft 365 put employees in the driver’s seat, employees are dictating the pace of collaboration, with very little oversight from IT — and that means the risk of a breach goes through the roof.
It doesn’t take long for data permissions to get out of hand. On average, over 20% of a company’s folders end up exposed to every employee. Many of these folders contain sensitive files that should only be accessible to a handful of people, not hundreds or thousands. Any executive would be terrified to learn that the average employee can access over 17 million files when they need access to far fewer to do their job.
The rise of cloud storage raises the security stakes exponentially – one misstep, such as a misconfigured folder, and your sensitive information could be exposed not just to employees, but to anyone with internet access.
Why are these kinds of problems so hard to solve?
It’s hard to visualize data at today’s scale, harder to identify and prioritize risks, and even harder to remediate them. In the on-prem world, administrators must cross-reference multiple tools just to understand who has access to a single folder — and today’s organizations have hundreds of thousands of folders. A handful of administrators just can’t keep up with an army of users and a blizzard of folders, even when the administrators are the ones setting up the shares.
In the cloud world, administrators again must reference multiple tools to understand access. But in the cloud, end users, not administrators, dictate the structure, scale and pace of collaboration. In Microsoft Teams, for example, it’s easy for any user to create a new team and share files — they can invite users from inside or even outside the organization (if external sharing is permitted) and share all sorts of stuff.
If you create a team, you become its owner. As an owner, you can make other users team owners, and then they can invite members, too. Members can share both folders and files from Teams, SharePoint Online or OneDrive. In the cloud, you have many more people sharing many more objects, and changes happen much faster. The cloud greatly accelerated collaboration and change, while administrators got very little help to keep up — it still requires multiple tools just to see who has access.
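Cross-referencing nested groups by hand is what makes "who can reach this folder" so slow to answer. The script below is an added example (mine, not from the original post) that does that expansion over a constructed permissions export, flags folders open to every employee or to external guests, and prioritises the ones whose names look sensitive; the group names, folder paths and the `guest:` prefix for external accounts are constructed assumptions.

```python
import re
# Constructed sample data (not a real tenant): nested groups as a permissions export might list them.
GROUPS = {
    "All Company": {"Finance Team", "Engineering", "Contractors"},
    "Finance Team": {"alice", "bob"},
    "Engineering": {"carol", "dave"},
    "Contractors": {"guest:eve@partner.example"},
    "Payroll Admins": {"alice"},
}
# Constructed folder ACLs: folder path -> principals granted access on it.
FOLDER_ACLS = {
    "/Finance/Payroll 2023": {"Payroll Admins", "All Company"},
    "/Finance/Budget": {"Finance Team"},
    "/Engineering/Designs": {"Engineering"},
    "/Shared/Holiday Party": {"All Company"},
    "/HR/Employee Reviews": {"Finance Team", "Contractors"},
}
ALL_STAFF = "All Company"  # the group every employee lands in
SENSITIVE = re.compile(r"payroll|salary|review|ssn", re.I)  # name-based triage only

def expand(principal, groups, seen=None):
    """Resolve a principal to the users it stands for, following nested groups; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if principal not in groups:  # a leaf: a user or a guest account
        return {principal}
    if principal in seen:
        return set()
    seen.add(principal)
    return set().union(*(expand(m, groups, seen) for m in groups[principal]))

def effective_access(folder, acls=FOLDER_ACLS, groups=GROUPS):
    """Everyone who can reach `folder` once each group on its ACL is fully expanded."""
    return set().union(*(expand(p, groups) for p in acls[folder]))

def audit(acls=FOLDER_ACLS, groups=GROUPS, all_staff=ALL_STAFF):
    """Flag folders open to all staff or to guests; return findings and the share open to all staff."""
    everyone, findings = expand(all_staff, groups), {}
    for folder in acls:
        users = effective_access(folder, acls, groups)
        flags = []
        if everyone <= users:
            flags.append("open-to-all-staff")
        if any(u.startswith("guest:") for u in users):
            flags.append("guest-access")
        if flags and SENSITIVE.search(folder):
            flags.append("sensitive-name")  # prioritise: exposed AND looks sensitive
        if flags:
            findings[folder] = flags
    open_pct = 100 * sum("open-to-all-staff" in f for f in findings.values()) / len(acls)
    return findings, round(open_pct)
```

On this sample, two of five folders (40%) are open to all staff, and the payroll folder is flagged on all three counts because a single "All Company" entry on its ACL outweighs the narrow "Payroll Admins" grant.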
To make things more interesting, very few organizations can simply search their on-prem files as if they’re on Google. This means employees can’t just search for words like “payroll” and quickly find those unsecured goodies they shouldn’t see. Cloud data stores often have embedded search engines.
Microsoft’s Delve even surfaces interesting files in 365 without requiring a user to type anything at all. Any accessible file is fair game — sensitive or not. That means snooping insiders and attackers that get access have an easier time finding interesting da