Cloud collaboration platforms make sharing easy and security hard. With the recent explosion of remote work and cloud collaboration platforms like Teams, it’s important to understand that the easier it is for users to share data, the harder it can be to spot and fix risks before it’s too late.
I wrote this to help you understand the challenges around protecting data in the cloud, where ease of use and high-velocity collaboration outpace control.
Locking down data exposure on-premises is difficult even though IT staff has more control over how users share data than they do in the cloud. As cloud apps like Microsoft 365 put employees in the driver’s seat, employees are dictating the pace of collaboration, with very little oversight from IT — and that means the risk of a breach goes through the roof.
It doesn’t take long for data permissions to get out of hand. On average, over 20% of a company’s folders end up exposed to every employee. Many of these folders contain sensitive files that should only be accessible to a handful of people, not hundreds or thousands. Any executive would be terrified to learn that the average employee can access over 17 million files when they need access to far fewer to do their job.
The rise of cloud storage raises the security stakes exponentially – one misstep, such as a misconfigured folder, and your sensitive information could be exposed not just to employees, but to anyone with internet access.
Why are these kinds of problems so hard to solve?
It’s hard to visualize data at today’s scale, harder to identify and prioritize risks, and even harder to remediate them. In the on-prem world, administrators must cross-reference multiple tools just to understand who has access to a single folder — and today’s organizations have hundreds of thousands of folders. A handful of administrators just can’t keep up with an army of users and a blizzard of folders, even when the administrators are the ones setting up the shares.
In the cloud world, administrators again must reference multiple tools to understand access. But in the cloud, end users, not administrators, dictate the structure, scale and pace of collaboration. In Microsoft Teams, for example, it’s easy for any user to create a new team and share files — they can invite users from inside or even outside the organization (if external sharing is permitted) and share all sorts of stuff.
If you create a team, you become its owner. As an owner, you can make other users team owners, and then they can invite members, too. Members can share both folders and files from Teams, SharePoint Online or OneDrive. In the cloud, you have many more people sharing many more objects, and changes happen much faster. The cloud greatly accelerated collaboration and change, while administrators got very little help to keep up — it still requires multiple tools just to see who has access.
To make things more interesting, very few organizations can simply search their on-prem files as if they’re on Google. This means employees can’t just search for words like “payroll” and quickly find those unsecured goodies they shouldn’t see. Cloud data stores, by contrast, often have embedded search engines.
Microsoft’s Delve even surfaces interesting files in 365 without requiring a user to type anything at all. Any accessible file is fair game — sensitive or not. That means snooping insiders and attackers that get access have an easier time finding interesting data to steal.
Now that administrators and security staff must stay afloat while managing both on-prem and cloud data stores, how can you help them?
First, look for automation that reduces chaos as quickly as it’s created. Putting users in charge of their data is the right goal, but they need automation to help them stay on the rails. Like modern cars that alert you when you’re drifting outside your lane, or even safely drive themselves, access controls need to be self-healing, and your data stores need to clean themselves up. Manual clean-up projects are painstaking and never-ending, and they leave organizations sitting on too much risk.
If you’re like most executives, there’s a good chance you don’t understand where sensitive data is, who has and needs access to it, or who uses it. Automation can help you understand your data — with insight into what’s most at risk and what’s stale or unneeded. Automation can act on these insights and reduce risk quickly and safely.
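As an added illustration (not code from the article or from any product), the sketch below shows the kind of triage such automation performs: it ranks shares by how broadly they are exposed, whether they hold sensitive data, and whether they are stale. The inventory rows, column names, scope labels, weights and the one-year staleness threshold are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real data). Column names and scope
# labels are assumptions: "everyone" = every employee, "anonymous" =
# anyone with the link, "external" = guests from outside the organization.
SAMPLE_INVENTORY = """\
path,scope,sensitive,last_accessed
/teams/finance/payroll,everyone,yes,2024-05-02
/teams/finance/payroll/2019,everyone,yes,2020-01-15
/teams/marketing/launch,anonymous,no,2024-05-20
/teams/hr/reviews,group:hr-managers,yes,2024-05-18
/teams/eng/vendor-docs,external,no,2022-11-03
/teams/legal/contracts,anonymous,yes,2024-04-30
"""

# Assumed weights: internet-wide exposure outranks org-wide or guest exposure.
SCOPE_WEIGHT = {"anonymous": 3, "external": 2, "everyone": 2}
STALE_DAYS = 365  # assumed threshold for "stale or unneeded"


def triage(csv_text, today):
    """Return broadly exposed shares, highest risk first, with a suggested action."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        weight = SCOPE_WEIGHT.get(row["scope"], 0)
        if weight == 0:
            continue  # scoped to a named group: not broad exposure
        sensitive = row["sensitive"] == "yes"
        idle_days = (today - date.fromisoformat(row["last_accessed"])).days
        if idle_days > STALE_DAYS:
            action = "remove share (stale)"  # nobody uses it, so removal is low-impact
        elif sensitive:
            action = "restrict to named group"
        else:
            action = "review with owner"
        score = weight * (2 if sensitive else 1)
        findings.append({"path": row["path"], "score": score, "action": action})
    # Highest score first; ties broken by path so the output is deterministic.
    findings.sort(key=lambda f: (-f["score"], f["path"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, date(2024, 6, 1)):
        print(f"{f['score']}  {f['path']:<32} {f['action']}")
```
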
Second, once your risk surface area is minimized, you need to detect what slips through the cracks — legitimate users who abuse their access or become compromised by outside attackers, malware or advanced persistent threats.
A decade ago, most people thought error-correcting and self-driving cars were purely in the realm of science fiction, but the technology is coming to a driveway near you. Automation for data protection is here, too — risk visualization, self-healing data exposure and sophisticated detection.
Organizations that choose to accelerate their collaboration with cloud technologies have a choice: They can either blissfully accelerate their collaboration and accumulate massive risk, or they can automate data protection to keep pace with the speed of cloud collaboration.