Exposure: is it good or bad?
Well, if it’s wanted (as in the case of positive media coverage for your business), it can be a dream come true. But if it’s unwanted (as in the case of sensitive data exposure), it can be a nightmare.
We don’t want you to wake up one day and find yourself in a Google Workspace data exposure nightmare. And yet the chances of that happening are greater than nightmares after binge watching horror flicks.
Here’s why Google Workspace data exposure is so common - and the steps you can take to make sure your business doesn’t fall prey.
1. Oversharing
Have you ever shared a Google Drive file with “anyone at the organization”? Or even with “anyone with the link”?
If yes, be honest: did every single person at your business with a Google Workspace account really need access to that file? Or was your choice just a way of making sure that you didn’t have to waste time responding to share requests?
If it’s the latter, you’re in good company. No one wants to waste time dealing with unnecessary digital paperwork. So organization-wide access (and even public access) is not an uncommon choice for sharing settings.
But if it’s not uncommon, it’s also not without risk. In fact, it comes with a lot of risk: the more users who have access to a data asset, the greater the chance of it being exposed to the wrong eyes. And when we’re talking about sensitive data assets, that isn’t a chance you want to take.
“Sensitive?” you may ask. Who would share sensitive data assets on such a broad scale?
If you’re asking the question, we guess you wouldn’t. But plenty of users would. In a 2023 client analysis of companies with over 1000 employees, we found that the average company had 35K sensitive assets shared publicly and 2.1M sensitive assets exposed company-wide.
Such numbers definitely call for some sensitivity training. That’s why a significant number of DoControl’s clients use DoControl’s workflows and bulk historical remediation abilities to reduce oversharing and maintain a position of least privilege access.
2. GenAI (Gemini) responses
The effects of oversharing are exponentially increased when generative AI enters the picture. GenAI, which in Google Workspace usually takes the form of Google’s Gemini, is quickly becoming ubiquitous in SaaS apps, promising quicker work and greater productivity.
The exposure problem? GenAI assistants rely on the user’s existing access permissions to decide what they can and cannot draw on when answering a prompt. If the user in question has access permissions for a data asset, it is fair game to be used in a response.
That’s all well and good - if the user was given access intentionally. But if the user was given access as part of a not-so-thought-out “organization-wide” share, then the AI bringing this sensitive data to their attention is a disservice to your data security.
The integration of GenAI into your workflows brings this and other data exposure risks, so use with care. That’s why a strong data access governance program is essential before allowing Gemini or any other GenAI unfettered access to your Google Workspace data assets.
3. Incomplete offboarding #1: former employees
When a person’s status changes from “employee” to “former employee,” their Google Workspace access permissions should turn into former access permissions.
Does that make sense? Certainly.
Does that make it happen? Certainly not.
90% of companies we surveyed in our 2023 analysis had former employees who accessed assets stored in SaaS applications after they left the company. At least one of these access incidents happened almost two years after the employee was no longer employed!
While most organizations do have offboarding processes, the process doesn’t always take care of existing access permissions, especially when the user is offboarded through an IdP.
Adding to the problem are users who grant asset access to their personal email accounts. This may have been done for convenience while the user was still at the company, or it may have been a deliberate way to retain access after leaving. Either way, even if the user’s corporate Google Workspace account is deleted and all of its permissions are removed from Google Drive assets, any asset that was also shared with now-former-user@gmail.com or now-former-user@yahoo.com remains exposed to access and misuse.
4. Incomplete offboarding #2: former contractors
No food or drug comes without an expiration date, and the same should hold true for third-party access permissions.
Your organization contracts with third parties for defined projects, or defined periods of time. The third party’s access to your data assets should automatically expire when their contract does.
Unfortunately, this is often not implemented, and third parties are left with indefinite access to your data assets. The matter gets worse when the third parties grant access to their own fourth-party subcontractors. The relevant project or relationship might have ended three years ago… but you wouldn’t know that by looking at the asset’s access permissions.
Preventing data exposure by former contractors is why DoControl includes removal of third- and fourth-party access in its workflows and bulk remediation functions. Organizations should be able to put an expiration date on external access to assets and, where that didn’t happen, easily find access that should have expired and remediate it.
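The three kinds of grant discussed in sections 1, 3 and 4 (organization-wide and public link sharing, grants to personal addresses that outlive the corporate account, and external grants with no expiry) can all be found by reading the permissions the Drive API returns for each file. The Python below is an added example for this post, not DoControl’s product code and not a Google sample: it runs offline over a constructed list of file records shaped like a Drive API v3 `files.list` response with `permissions` included, classifies every grant, and orders the findings for remediation. The corporate domain `example.com`, the sample addresses, and the `sensitive` flag on each record (assumed to come from your own classification or DLP tooling) are assumptions.

```python
"""Classify Google Drive sharing grants for exposure, offline.

Added example for this post, not DoControl's code and not a Google sample.
Input records mimic the Drive API v3 files.list response with permissions
included; the permission fields read here (type, role, emailAddress, domain,
allowFileDiscovery, expirationTime) are the documented v3 fields. The
`sensitive` flag per file is assumed to come from your own classification.
"""
from datetime import datetime, timezone

CORP_DOMAIN = "example.com"  # assumption: your primary Workspace domain

# Constructed sample data: four files as the Drive API would describe them.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 payroll.xlsx", "sensitive": True, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Customer list.csv", "sensitive": True, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "sales@example.com"},
        {"type": "domain", "role": "writer", "domain": "example.com",
         "allowFileDiscovery": True},
        {"type": "user", "role": "writer",
         "emailAddress": "now-former-user@gmail.com"}]},
    {"id": "f3", "name": "Vendor SOW.pdf", "sensitive": False, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "legal@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "pm@contractor.example.net",
         "expirationTime": "2021-06-30T00:00:00Z"},
        {"type": "user", "role": "reader",
         "emailAddress": "dev@subcontractor.example.org"}]},
    {"id": "f4", "name": "Lunch menu.docx", "sensitive": False, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "office@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com",
         "allowFileDiscovery": False}]},
]

# Broader exposure sorts first; writer-level grants sort before read-only ones.
SEVERITY = {"public": 0, "anyone_with_link": 1, "external_domain": 2,
            "external_no_expiry": 3, "external_expired": 3, "org_wide": 4,
            "external_time_bound": 5}
ROLE_RANK = {"owner": 0, "organizer": 0, "fileOrganizer": 1, "writer": 2,
             "commenter": 3, "reader": 4}


def parse_rfc3339(ts):
    """Parse a Drive timestamp like 2021-06-30T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def classify_permission(perm, corp_domain=CORP_DOMAIN, now=None):
    """Return an exposure kind for one grant, or None for a normal internal grant.
    Deleted internal accounts no longer appear in the list, so a former employee
    is only visible here through the personal address they shared with."""
    now = now or datetime.now(timezone.utc)
    ptype = perm.get("type")
    if ptype == "anyone":  # section 1: public or link sharing
        return "public" if perm.get("allowFileDiscovery") else "anyone_with_link"
    if ptype == "domain":  # section 1: organization-wide sharing
        return "org_wide" if perm.get("domain") == corp_domain else "external_domain"
    if ptype in ("user", "group"):
        if perm.get("emailAddress", "").lower().endswith("@" + corp_domain):
            return None  # internal user or group
        exp = perm.get("expirationTime")  # sections 3 and 4: outside parties
        if exp is None:
            return "external_no_expiry"
        return "external_expired" if parse_rfc3339(exp) < now else "external_time_bound"
    return None  # unknown type: treated as not exposed (assumption)


def audit_files(files, corp_domain=CORP_DOMAIN, now=None):
    """Flatten every exposing grant across all files into a finding record."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            kind = classify_permission(perm, corp_domain, now)
            if kind:
                findings.append({
                    "file_id": f["id"], "name": f["name"],
                    "sensitive": bool(f.get("sensitive")), "kind": kind,
                    "role": perm.get("role", "reader"),
                    "principal": perm.get("emailAddress") or perm.get("domain") or "anyone"})
    return findings


def summarize(findings):
    """Count findings per exposure kind, with a separate count for sensitive files."""
    summary = {}
    for fnd in findings:
        entry = summary.setdefault(fnd["kind"], {"total": 0, "sensitive": 0})
        entry["total"] += 1
        entry["sensitive"] += 1 if fnd["sensitive"] else 0
    return summary


def remediation_order(findings):
    """Sensitive files first, then the broadest exposure, then the strongest role."""
    return sorted(findings, key=lambda x: (not x["sensitive"], SEVERITY[x["kind"]],
                                           ROLE_RANK.get(x["role"], 9)))


if __name__ == "__main__":
    for fnd in remediation_order(audit_files(SAMPLE_FILES)):
        print(fnd["kind"], fnd["name"], fnd["principal"], fnd["role"])
```

To run this against a real tenant, feed it the pages of a `files.list` call that requests the `permissions` field and pass your own primary domain; the ordering is only a starting point, since an `external_expired` grant that still appears in an export should simply be removed, and `external_time_bound` grants are the contract-style access the section recommends.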
5. Apps with unnecessarily wide permission scopes
Human users aren’t the only ones who put data at risk of exposure. If you’re like most organizations, the number of connected OAuth apps in your Google Workspace environment grows by the day.
Many of those apps are both legitimate and judicious in the permissions they request when you connect them. For example, say an app’s purpose is to take event details written in Google Sheets and create corresponding events in your Google Calendar. So it requests read permission for Sheets and read and write permissions for Calendar. Utterly logical.
The problems start when an app like this requests read and write permissions for Sheets, Docs and Slides. Uhhh… why? What does that have to do with why you want the app? Nothing, but there’s a good chance whoever installed the app didn’t pause to ask that question. And thus you end up with over-permissioned apps that can see and influence more corporate data than you would want.
The over-wide permission scope request could be malicious, with the intent to expose or corrupt your data. More likely it was the result of a lazy app developer who felt it was easier to ask for all possible permissions, including ones the app shouldn’t need. Either way, it increases your attack surface and the risk of data exposure.
This all-too-common phenomenon is the reason why DoControl provides Shadow App Discovery & Remediation: to thoroughly analyze all connected OAuth apps and their permission scopes - and to correct overly wide scopes that could lead to data exposure.
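The Sheets-to-Calendar comparison above is a check you can automate: write down the scopes each app needs for its stated purpose, then compare them with the scopes users actually granted. The Python below is an added example for this post, not DoControl’s code and not a Google sample. It works offline over a constructed list of token records shaped like the Admin SDK Directory API `tokens.list` response (`clientId`, `displayText`, `scopes`, plus the `userKey` the call was made for), groups them per app, flags scopes beyond the expected set, and rates the excess. The client IDs, app names, the expected-scope table and the short high-risk scope list are assumptions; the scope URLs themselves are real Google OAuth scopes.

```python
"""Compare granted OAuth scopes against each app's declared purpose, offline.

Added example for this post, not DoControl's code and not a Google sample.
Token records mimic Admin SDK Directory API tokens.list output; the expected
scope table, client IDs and app names are constructed assumptions.
"""

# Real Google OAuth scope URLs, used as constants so the comparison is explicit.
SCOPE_SHEETS_RO = "https://www.googleapis.com/auth/spreadsheets.readonly"
SCOPE_SHEETS = "https://www.googleapis.com/auth/spreadsheets"
SCOPE_DOCS = "https://www.googleapis.com/auth/documents"
SCOPE_SLIDES = "https://www.googleapis.com/auth/presentations"
SCOPE_CALENDAR = "https://www.googleapis.com/auth/calendar"
SCOPE_DRIVE_FULL = "https://www.googleapis.com/auth/drive"
SCOPE_MAIL_FULL = "https://mail.google.com/"

# Assumption: a short list of scopes that hand over an entire product's data.
FULL_ACCESS_SCOPES = {SCOPE_DRIVE_FULL, SCOPE_MAIL_FULL,
                      "https://www.googleapis.com/auth/gmail.modify",
                      "https://www.googleapis.com/auth/admin.directory.user"}
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed client IDs (the real ones are issued by Google Cloud).
APP_SYNC = "111111.apps.googleusercontent.com"   # the well-behaved Sheets-to-Calendar app
APP_PRO = "222222.apps.googleusercontent.com"    # same purpose, asks for far more
APP_PDF = "333333.apps.googleusercontent.com"    # never reviewed at all

# What each reviewed app legitimately needs for its stated purpose (assumption).
EXPECTED_SCOPES = {
    APP_SYNC: {SCOPE_SHEETS_RO, SCOPE_CALENDAR},
    APP_PRO: {SCOPE_SHEETS_RO, SCOPE_CALENDAR},
}

# Constructed token records, one per (user, app) grant.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": APP_SYNC, "displayText": "Sheets to Calendar",
     "scopes": [SCOPE_SHEETS_RO, SCOPE_CALENDAR]},
    {"userKey": "bob@example.com", "clientId": APP_SYNC, "displayText": "Sheets to Calendar",
     "scopes": [SCOPE_SHEETS_RO, SCOPE_CALENDAR]},
    {"userKey": "carol@example.com", "clientId": APP_PRO, "displayText": "Sheets to Calendar Pro",
     "scopes": [SCOPE_SHEETS, SCOPE_DOCS, SCOPE_SLIDES, SCOPE_CALENDAR]},
    {"userKey": "dave@example.com", "clientId": APP_PDF, "displayText": "PDF Converter",
     "scopes": [SCOPE_DRIVE_FULL, SCOPE_MAIL_FULL]},
]


def scope_risk(scope):
    """Rate one scope: whole-product access is high, read-only is low, other write is medium."""
    if scope in FULL_ACCESS_SCOPES:
        return "high"
    if scope.endswith(".readonly"):
        return "low"
    return "medium"


def excess_scopes(granted, expected):
    """Scopes granted beyond the expected set; an unreviewed app has no expected set."""
    return sorted(set(granted) - expected) if expected is not None else sorted(set(granted))


def review_tokens(tokens, expected_by_client):
    """Group tokens per app and report excess scopes, their risk, and install count."""
    apps = {}
    for tok in tokens:
        app = apps.setdefault(tok["clientId"], {"name": tok.get("displayText", tok["clientId"]),
                                                "users": set(), "scopes": set()})
        app["users"].add(tok["userKey"])
        app["scopes"].update(tok.get("scopes", []))
    report = {}
    for client_id, app in apps.items():
        expected = expected_by_client.get(client_id)
        excess = excess_scopes(app["scopes"], expected)
        risk = max((scope_risk(s) for s in excess), key=RISK_ORDER.get, default="none")
        report[client_id] = {"name": app["name"], "user_count": len(app["users"]),
                             "reviewed": expected is not None,
                             "excess_scopes": excess, "risk": risk}
    return report


if __name__ == "__main__":
    for client_id, row in review_tokens(SAMPLE_TOKENS, EXPECTED_SCOPES).items():
        print(row["risk"], row["name"], row["user_count"], row["excess_scopes"])
```

Feeding this the real `tokens.list` output for every user turns the question “why does this app want Docs and Slides?” into a report, and the `reviewed` flag separates apps nobody has assessed from apps that were assessed and simply asked for too much.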
Be Uncommon
Google Workspace data exposure may be common, but it doesn’t have to be common for you.
To avoid the nightmare of data exposure, take a close look at your Google Workspace data permissions and policies in light of the above exposure risks. If you find that your data is unnecessarily accessible by employees, former employees, former contractors, OAuth apps, or anyone or anything else, take action to correct the situation now.
Then you’ll be able to sleep soundly at night.
Sweet dreams.