Gal Nakash, CTO
November 11, 2022
In response to security concerns about collaboration tools, providers are constantly looking for ways to support customers with their collaboration security, with mixed results.
Take this initiative from Google – quarterly data protection insights sent to customer admins as Google Workspace Alerts. While the idea of giving customers the ability to understand what types of data are being shared outside the organization is a good one, the execution still relies on content over context, and is of very limited real value to customers.
Let’s understand what is wrong with Google’s execution of the data protection insights for Drive initiative.
It’s quarterly, not real time
The data protection insights for Drive alert is sent out quarterly. This means that some of the files that were shared externally have been exposed for up to three months. If a share were unjustified, that leak could cause a lot of damage in three months. In contrast, real-time alerts would enable the security team or data owner to limit the impact.
46% of files contained in Drive is a lot of files
Just think about how many files your organization holds. At Reco, we’re pretty small and new, and we’ve already got 12,157 Drive files, of which 2,446 files contain sensitive content (as defined by us). According to the alert, 46% of those files, some 1,128 files, were shared externally. That’s a lot of files to go through following an alert. On to the next point.
The alert doesn’t provide context
The alert and the report it leads to provide very generic information – 713 files containing an email address were shared externally, 89 files containing gender identity data were shared externally, and so on. But the report doesn’t provide any context as to who the data was shared with or why they were shared externally.
Without this contextual information, the report is not actionable: the security team will have to go through each and every file and conduct a full investigation to understand whether the share was justified or not.
It further encourages static rules
In another effort to be helpful, the report contains rule recommendations and a direct link to review and set the rule. This recommended rule is to globally prevent sharing email addresses. This is a pretty generic rule that we already chose to disable because of the consequences.
Disabling the ability to share a file containing an email address would mean that every time someone tried to carry out that action it would be blocked, preventing people from being able to do their jobs. Furthermore, it would increase the number of out-of-context alerts the admin received, further adding to the security team’s workload, for a relatively low-risk data share.
As mentioned above, while the intention of the insights report is to give Google Drive users visibility into where their data is in danger, in reality this report doesn’t help Google Drive users remediate security risks or improve their data protection.
What’s missing from these reports is context.
The missing context would enable security teams to know the who, what, and where of any external data sharing. For example, suppose (hypothetically) the organization is procuring services for employees from a private healthcare provider. This provider needs to know about the employees in the scheme, including their gender identity, and a member of the HR team shares that data with them as part of the setup process. In this case the data sharing is justified, but without context it simply looks like 89 sensitive documents were shared externally.
The context in this case would have several benefits.
First, a tool that analyzed the context of all interactions (not just this specific set) would be able to understand why this action was taken, and ignore it because it also understands that the action is legitimate. This would significantly reduce the number of alerts, and ensure that the user only received alerts for illegitimate actions, enabling the security team to focus on what is important.
Secondly, context would help the security team understand what to remediate, and how to remediate it. No security analyst or even a team can understand every interaction that takes place in an organization. Without context, they will need to investigate every alert, slowing down the remediation process, and where there are thousands of alerts, critically slowing down business interactions, and taking up security team time when they could be doing something more important.
Finally, it would enable organizations to set more meaningful rules that genuinely prevent data leakage without slowing down the business. At Reco, we put that context into every alert, ensuring that our users only receive actionable alerts and insights about unjustified actions.
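To make the argument above concrete, here is an added example (not code from the post, from Reco, or from Google) that runs a content-only rule and a context-aware rule over a handful of constructed external-share records. The approved-relationship policy, department names and vendor domains are assumptions invented for the illustration; the HR-to-healthcare-provider case mirrors the hypothetical scenario described above.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class ShareEvent:
    """One share record (constructed for this example, not a real Drive audit log)."""
    file_id: str
    categories: frozenset       # sensitive content found, e.g. {"email_address"}
    sharer_dept: str            # who shared it (context)
    recipient_domain: str       # where it went (context)
    internal_domain: str = "example.com"

    def is_external(self):
        return self.recipient_domain != self.internal_domain

# Constructed policy: which department may share which data with which vendor.
# Assumption: HR sends enrolment data (incl. gender identity) to a healthcare
# provider, as in the post's hypothetical scenario.
APPROVED_SHARES = {
    ("hr", "healthcare-provider.example"): {"email_address", "gender_identity"},
    ("sales", "customer-crm.example"): {"email_address"},
}

def content_only_alerts(events):
    """Content-only rule: every external share of sensitive content is flagged."""
    return [e for e in events if e.is_external() and e.categories]

def context_aware_alerts(events, policy=APPROVED_SHARES):
    """Flag only the categories not covered by an approved (dept, recipient) pair."""
    alerts = []
    for e in events:
        if not (e.is_external() and e.categories):
            continue
        allowed = policy.get((e.sharer_dept, e.recipient_domain), set())
        unjustified = e.categories - allowed
        if unjustified:
            alerts.append((e, sorted(unjustified)))
    return alerts

SAMPLE_EVENTS = [  # constructed sample data
    ShareEvent("f1", frozenset({"email_address", "gender_identity"}), "hr", "healthcare-provider.example"),
    ShareEvent("f2", frozenset({"gender_identity"}), "hr", "healthcare-provider.example"),
    ShareEvent("f3", frozenset({"email_address"}), "sales", "customer-crm.example"),
    ShareEvent("f4", frozenset({"gender_identity"}), "sales", "customer-crm.example"),  # wrong data for that vendor
    ShareEvent("f5", frozenset({"email_address"}), "engineering", "personal-mail.example"),  # no approved relationship
    ShareEvent("f6", frozenset({"email_address"}), "hr", "example.com"),  # internal share, never an alert
]

if __name__ == "__main__":
    print(len(content_only_alerts(SAMPLE_EVENTS)), "alerts from the content-only rule")
    for e, cats in context_aware_alerts(SAMPLE_EVENTS):
        print(f"ALERT {e.file_id}: {e.sharer_dept} -> {e.recipient_domain} exposes {cats}")
```

On this sample the content-only rule raises five alerts, while the context-aware rule raises two, each naming the department, recipient and the specific category that made the share unjustified, which is what the analyst needs in order to remediate.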