Majority of your Drive files are not used by their owners anymore
As organizations expand, they amass a substantial number of Drive files shared externally. However, a significant portion of these files are no longer actively used by their owners.
At elba, we conduct continuous scans of our clients' Drive organizations, aiding them in monitoring externally shared assets. Through this, we gain first-hand data to assess the magnitude of the challenge posed by data at rest.
Our findings reveal that, on average, almost 70% of Drive files shared externally have not been accessed by their owner for more than 12 months. Essentially, this indicates that a large portion of the company's data is exposed externally, with no control exercised by the owner.
Google Drive accounts for 80% of Data loss risk
The challenge posed by data at rest is all the more important given that Google Drive accounts for a major part of Data loss risk inside an organization.
First, on a volume perspective. Our research shows that amount of data stored in Google Drive organizations is by far larger than on any other SaaS used inside the company, be it CRM, HRIS etc. There are two reasons for that: in most organizations Google Drive is the legacy tool by excellence as it’s the first one implemented with the Google Workspace suite; then, its team-agnostic and is used by all teams inside the organizations.
Not only the amount of data stored in Google Drive is massive, but it’s also very sensitive, mostly because of Google Sheets. Sheets host many types of sensitive data: PII in product data extracts or temporary duplicates of CRM waiting to be enriched, confidential data in business plans…
It turns out that inactive Drive files raise many concerns regarding Data loss risk.
Should you blame your team?
Hey, but aren’t your teams aware that Google Drive shipped a super feature to add expiration dates to files shared externally?
Well, it seems we can't rely on this feature for numerous reasons:
- First, the feature is buried in settings and is hardly user-friendly
- Second, 99% of the time, it's difficult to determine exactly when the person you're sharing the file with won't need it anymore
- Finally, this feature is relatively new, and many files were shared long before its implementation
Implementing guardrails with elba
How to manage data at rest in your Google Drive? Well, we've got you covered. With our Auto-fix feature, you can implement guardrails to automatically revoke permissions for inactive files.
Here's how it works: you simply define a threshold, which serves as the maximum duration a file can remain shared externally without being accessed by its owner. Beyond this threshold, all external permissions will be automatically revoked.
In practical terms, every day, elba will conduct a scan on your Google Drive organization to identify files shared externally that haven't been accessed by their owners for, let's say, more than 6 months. Elba will then automatically set the file to private to prevent potential loss of sensitive data.
Solving risks related to data at rest in one click
The impact of our Auto-fix feature has been remarkably significant for our clients. On average, upon initial activation, Auto-fix has secured more than 25,000 files that were previously shared externally.
The workaround in managing this manually is essentially non-existent. Google Drive does not offer a consolidated view of inactive files, let alone the ability to revoke permissions at scale. This leaves a massive surface vulnerable to potential attacks.
A huge step forward for your compliance monitors
Data at rest poses not only a significant risk challenge but also a crucial compliance concern. Security certifications are increasingly emphasizing data loss prevention requirements, making it imperative to address data at rest challenges.
Here's a brief overview of how this Auto-fix feature could assist in compliance with certification frameworks:
ISO27001 - A.8.12: Data leakage prevention: Auto-fix will help you comply with this monitor, as it detects and proactively alert upon the transfer and/or disclosure of data, especially to file sharing platforms or applications
SOC2 - CC6.7 & CC6.1 requirements:
- Auto-fix will help you achieve CC6.7 requirement as it restricts ability to authorise and execute transmission, movement, and/or removal of information
- Auto-fix will help you achieve CC6.1 requirement as it implements access review over potential sensitive information
HIPAA - Security and Privacy Rules:
- Technical safeguards: Auto-fix prevents potential PI / PHI from leaving the environment, with automated policies that revoke external access
- Administrative safeguards: Auto-fix supports the Security management process as it implements procedures for preventing, detecting, containing, and correcting violations
PCI DSS - Section 12: Auto-fix is an integral part of meeting Section 12 requirements, as it contributes to the information security policies defined for the organization