Office 365: G Suite Security Needs More Than Just Surface Level API Monitoring

Many CASBs rely on APIs to gain visibility into the state of your company's cloud services. That means they miss a lot.

From Microsoft Office 365 to Google G Suite, businesses regularly use productivity applications from the major cloud services, but have not given enough thought to protecting the data that flows through these services.

Most companies focus on the data in specific files, but the information contained in and attached to e-mail messages and other communications—such as in Slack or Google Hangouts—often poses a greater risk. In Symantec's 2018 Shadow Data Report we analyzed 22,000 cloud applications and services, 758 million documents, and over 1.4 billion emails and attachments, finding that—while 13 percent of files are broadly shared—a much greater portion, 32 percent, of e-mails and attachments are broadly shared. While only 1 percent of each set of files, messages and attachments contain sensitive data, that is still millions of sensitive data objects, a very large potential surface area for a breach.

The lack of visibility of sensitive data in common cloud applications—what we call shadow data—puts companies at risk of a serious breach. Moreover, most major cloud access security brokers (CASBs) do not provide an adequate depth of visibility either. Most CASB options only track the files in OneDrive and SharePoint, or GDrive and Sites, but O365 and G Suite encompass many apps, not just file sharing. E-mail, shared collaboration spaces, messaging, calendar scheduling, and other applications that hold sensitive data are not adequately visible.

Lack of visibility is not the only issue. Many CASB solutions only offer remediation of an issue after the fact. They can’t prevent an action as it happens, such as blocking your entire customer base from being attached to a ‘reply all’ e-mail. This failing is largely because the services do not have a way to inspect your cloud traffic inline.

Companies need to gain both visibility into where sensitive data resides and the ability to control that data. Otherwise, sensitive corporate data will be stored in Microsoft's or Google's clouds without the same compliance and security controls that companies exert in-house.

Gain Control Over Data in E-mail

E-mail is a good example of the problems associated with data and cloud services. While corporate security teams may worry about data being insecurely stored on file-sharing apps such as OneDrive and GDrive, 65% of data in these clouds is actually shared through e-mail messages, not to mention the data shared in messages or calendar events.

Of the 1.4 billion e-mails scanned in Symantec's study, 448 million were broadly shared. And while only 1 percent of those messages contained sensitive information, that is still more than 4.4 million messages containing sensitive data without commensurate security controls.

Because these statistics are aggregated from our CloudSOC service, they represent companies that are arguably more focused on security than the average business, so the figures are likely conservative. Companies that rely on security measures that look only at Microsoft's and Google's file-sharing apps will likely have significantly less visibility into their use of data, and consequently less security over their sensitive data: if you can’t see the data, you can’t enforce DLP over it.

Don't be Slack on Messaging Security

E-mail is not the only potentially unwatched channel for sensitive data to leak from your company. Developers collaborating in Slack, marketing professionals exchanging data in Salesforce, or associates chatting in Google Hangouts are all potential sources of sensitive data leaks.

If employees are dropping data directly into application notes or comments or embedding data in meetings on the calendar, your company likely has no visibility or control over that information. If any of the accounts with access to chat forums containing sensitive data become compromised or include a malicious insider, then your company will likely lose much of that data, because you don’t know what you don’t know, and there is a lot going on in these platforms.

Go Deep on APIs and Beyond to Inline Controls

Security for cloud apps often relies on application programming interfaces, or APIs. These are user- and developer-focused services that are exposed by the vendor through a specific interface. Many cloud access security brokers (CASBs) use APIs as their foundation for gaining visibility into what is going on with your company's cloud services. However, many of them only look at files in OneDrive and SharePoint or GDrive and Sites. They never look at content in e-mail, in other apps embedded in these services, or written directly within these platforms.

Plus, there is only so much you can get out of an API integration because it is inherently an “after-the-fact” method. Because an API integration does not look at inline activity, data must already be in the app before the API can analyze it, identify whether it is sensitive data at risk of exposure, and act to remediate it. An employee accidentally sending an e-mail to the entire company with Reply All, for example, might be seen after the fact through the API, but could not be prevented beforehand.

To gain true visibility, businesses should be looking at users' actions before they reach the cloud. This requires inline visibility and control via a CASB Gateway. With inline security, an e-mail or a message containing sensitive data can be identified in transit and stopped before the data is leaked. And this inline control must be able to look at many different apps. With the use of a forward proxy CASB gateway, organizations can even control transactions with unsanctioned apps or personal non-corporate accounts. Otherwise, they run the risk of watching a breach after it has happened, rather than preventing a breach of sensitive data.
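The difference between the two modes, as an added sketch that is not Symantec's or CloudSOC's code: one toy DLP rule is applied after delivery, as an API integration would, and in transit, as an inline gateway would. The rule (a Luhn-valid card number sent to 50 or more recipients), the `run` function and the sample messages are assumptions constructed for illustration.

```python
import re

BROAD_SHARE = 50  # assumed threshold for "broadly shared"
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from order/ticket numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def violates_policy(msg: dict) -> bool:
    """Toy DLP rule: a Luhn-valid card number sent to a broad audience."""
    has_card = any(luhn_ok(re.sub(r"\D", "", m.group()))
                   for m in CARD_RE.finditer(msg["body"]))
    return has_card and len(msg["to"]) >= BROAD_SHARE

def run(msgs, inline: bool):
    """Return (messages left in the app, recipients who received a violation)."""
    stored, exposed = [], 0
    for m in msgs:
        if inline and violates_policy(m):
            continue                      # gateway blocks the message in transit
        stored.append(m)                  # message reaches the cloud app
    if not inline:                        # later scan through the vendor API
        for m in [m for m in stored if violates_policy(m)]:
            exposed += len(m["to"])       # recipients already received it
            stored.remove(m)              # remediation: pull the message
    return len(stored), exposed

# Constructed sample traffic (not real data)
everyone = [f"user{i}@example.com" for i in range(200)]
MESSAGES = [
    {"to": ["a@example.com"], "body": "Lunch at noon?"},
    {"to": everyone, "body": "Re: invoice, card 4111 1111 1111 1111"},
    {"to": everyone, "body": "Re: order 1234 5678 9012 3456 shipped"},
]

if __name__ == "__main__":
    print("API mode    (stored, exposed):", run(MESSAGES, inline=False))
    print("Inline mode (stored, exposed):", run(MESSAGES, inline=True))
```

Both modes end with the same two messages in the app; what differs is the number of recipients who saw the card number before the control acted.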

Symantec’s CloudSOC CASB solution for cloud app security offers visibility deeper into more apps in Office 365 and G Suite as well as other common cloud services via APIs and leverages a CASB gateway that can give inline visibility and controls over transactions with both sanctioned and unsanctioned cloud apps as well as corporate and personal cloud accounts.

About the Author

Deena Thomchick

Sr Director Product Mgmt, Cloud Security

Deena is a 25 year technology veteran and security enthusiast, a senior member of the Symantec CASB product group. In addition to her current focus on cloud security, her background includes work on encryption, ATP, network security and endpoint security.
