Folder Sharing breach— what went wrong!

Security is a primary concern when organizations select a file sharing and content collaboration or content management solution. Recently, a report by security research firm Adversis discovered that a few companies using Box were accidentally exposing their internal files. These breached files were being indexed by Google and there was the potential for leaking sensitive proprietary information.

Breach – what’s the story behind it?

This breach was not a Box security issue, but rather it was how the admins set up Box or the fact that the administrators relied on the end-users to set security policies. Basically, users were able to share folders (not just a file, but all the files in the folder) and did not require authentication or access permissions.

Now, imagine sharing a home directory outside the organization; that was essentially what happened. This was the cloud-version and it was indexed by Google, therefore the results could potentially show up in general population “searches.” Hence the breach.

Luckily, for most of the companies, much of the content in question was not sensitive, but there was sensitive content available, so this is simply another lesson in security and cloud services. The researchers found that the exposed documents could include sensitive details such as:

• Social Security numbers and bank account numbers
• Passport photos
• Confidential files related to a company’s prototypes/design
• Employee lists, financial data, and invoices
• Customer lists and meeting archives
• IT data, VPN configurations and network diagrams

This is an example of unintentional data loss, and it’s an opportunity to think through this situation and avoid it in the future. More on how the breach was detected later.

While this might seem like an outlier, but is it? Multiple vendors allow end users to share with external users without any protection. In fact, Microsoft also has been in the news because of similar security breaches. In the image below, you can see the link to the folders that were shared from OneDrive and SharePoint and were easily traceable; this has been reported on in the past.

The key takeaway: 

Folders that are shared anonymously with no authentication are at a significant risk for any company because in today’s digital world, it’s likely there is sensitive data in those folders.

Syncplicity was designed for the enterprise. We say this often, but what does that mean? This is a perfect scenario to explain exactly what we mean. It’s in the architecture. You don’t get to make this stuff up, it’s in the design. Here are some very specific ways that Syncplicity stands out from Box or OneDrive.

• Top of the list–Syncplicity users cannot share folders anonymously. When a user shares a folder internally or externally all participants need to authenticate before the content can be accessed or edited. And because of this, there is always analytics on who has access to the folder, and the actions they took. This is not possible with anonymous shared folders and is likely a GDRP violation–no ability to track or audit.
• Simply stated, users who do not have an account on Syncplicity will not have access to your files; any forwarded URL to any Syncplicity folder will require a user to authenticate. It simply prevents your data from popping up in a Google search because the search engine has no access to the folders and files.
• Because Syncplicity requires authentication using a valid e-mail address, we provide participants with free accounts so that it does not impact our customers licensing. See enterprise first, designed for companies that take security seriously.

Admins can also whitelist certain domains so that data can be shared with “partner.com” but not with “competitor.com.”

• Part of what makes Syncplicity special is our granular group-based policies. Box notes that they want to keep things simple and user-friendly (which is awesome, and we do this too), but there are some things that should stay in the enterprise. With Syncplicity, you simply put those users who need ‘looser’ security in a special group, while other users have the security settings applied according to their role or group. It does make sense that the VP of Marketing requires a different security setting than the contractor who is on site for only two weeks.
• With Security Policies, you can control who shares externally and you can put lightweight security on less sensitive information. Take link expiration, for example, the content expires no matter what after a certain period of time or requires passwords. Or you might add additional protection to very sensitive data.
• And, there is always Remote Wipe. If you decide to no longer share your folder, simply remove the name from the list of participants in a Syncplicity folder and the data will be remotely wiped from all their devices.

In the end, Syncplicity is a File Sharing and Content Collaboration Platform that was constructed from the ground up with an architecture that meets Enterprise-Class security for managing large volumes of unstructured data. While pleasing end-users!

Want to learn more? Here are more reasons why companies are choosing Syncplicity over Box.