Exfiltration is a decidedly unpleasant word, and it’s rarely connected with Google’s benign application suite used freely by millions all over the world — Google Apps. Specifically, how secure is Google Drive?
Google Drive, a potentially massive repository of intellectual property, personal information — even photos and movies — features a user-friendly browser interface.
Google Apps for Work has been rebranded G Suite, but the security and sharing mechanisms in place are the same. Once a document has been uploaded to a Google server farm, users can click on a G Suite document and turn on link sharing. Within a couple of clicks, the document is public (albeit not necessarily discoverable, since no SEO secret sauce applies). Unless the user provides the link, it would take some additional malware or forensic sleuthing to discover the document, but users have a way of unintentionally making access easier.
These now-public links can be shared through less secure platforms, such as Facebook, Twitter or email. Users may also have forgotten that an entire folder containing the new document was previously shared.
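The link-sharing exposure described above, including the forgotten shared folder, can be audited from file metadata. The following is an added example, not code from the original article or from Google: it assumes metadata exported in the shape of Drive API v3 file resources (id, name, mimeType, parents, permissions), and the sample records and function names are constructed for illustration.

```python
# Added example: flag files reachable by "anyone with the link".
# Field names follow Drive API v3 file/permission resources; data is constructed.
FOLDER = "application/vnd.google-apps.folder"
DOC = "application/vnd.google-apps.document"
OWNER = {"type": "user", "role": "owner"}

SAMPLE_FILES = [  # constructed sample, not real data
    {"id": "f1", "name": "Shared projects", "mimeType": FOLDER, "parents": [],
     "permissions": [OWNER, {"type": "anyone", "role": "reader"}]},
    {"id": "d1", "name": "roadmap", "mimeType": DOC, "parents": ["f1"],
     "permissions": [OWNER]},
    {"id": "d2", "name": "payroll", "mimeType": DOC, "parents": [],
     "permissions": [OWNER, {"type": "anyone", "role": "writer"}]},
    {"id": "d3", "name": "notes", "mimeType": DOC, "parents": [],
     "permissions": [OWNER]},
]


def link_role(item):
    """Return the role granted to type 'anyone' on this item, or None."""
    return next((p.get("role") for p in item.get("permissions", [])
                 if p.get("type") == "anyone"), None)


def audit_link_sharing(files):
    """List files reachable by link, directly or through a shared ancestor folder."""
    by_id = {f["id"]: f for f in files}
    findings = []
    for f in files:
        if f["mimeType"] == FOLDER:
            continue
        role, source = link_role(f), "direct"
        pending, seen = list(f.get("parents", [])), set()
        while role is None and pending:  # walk up until a link-shared folder is found
            pid = pending.pop()
            if pid in seen or pid not in by_id:
                continue  # guard against cycles and parents outside the export
            seen.add(pid)
            parent = by_id[pid]
            role, source = link_role(parent), "folder:" + parent["name"]
            pending.extend(parent.get("parents", []))
        if role is not None:
            findings.append((f["name"], role, source))
    return findings


if __name__ == "__main__":
    for name, role, source in audit_link_sharing(SAMPLE_FILES):
        print(f"{name}: anyone-with-link is {role} ({source})")
```

A finding whose source is a folder is the case the user is most likely to have forgotten, and a `writer` role on a link deserves review before a `reader` one.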
More Ways to Share
There are other ways to exchange information with Google Drive. Through a Google public API, third parties can develop FTP-like tools that enable the exchange of thousands of files through a convenient user interface.
Developers with average skills can develop applications that access G Suite documents. The problem isn’t lax security in Google software. Google implements best practices and has above-average intrusion detection methods. Instead, by exploiting security lapses outside Google’s software, bad actors can use the public API to exfiltrate documents or spreadsheets they have discovered.
Too Easy to Share?
When a user decides to share a Google document, form or spreadsheet, Google wants the user to share. Sharing means the document is available to another potential user, whose data can be collected for data mining. This is a fundamental feature of the public cloud company business model. It’s true not only for Google but for Facebook, Twitter, Dropbox, Box and Microsoft’s Azure and MSN enterprises.
A Safer Way
Instead of asking “How secure is Google Drive?”, consider asking how the movement of data in the enterprise is monitored and managed. Ipswitch and other providers recognized the potential risk and have developed tools that monitor and manage file transfers.
Managed file transfer, sometimes referred to as enterprise file synchronization and sharing (EFSS), is a stronger contender for a safer way for coworkers to transfer files. This is true for any desktop-to-collaboration activity, not only for G Suite transfers.
Rather than relying on potentially expensive, cycle-stealing data loss prevention (DLP) tooling, provision enterprise users with tools that allow for collaboration while reducing the risk.