Taming the Wild West of SaaS Data Sharing

John Filitz
April 15, 2025

SaaS applications have become the backbone of productivity and collaboration, but the convenience of cloud-based tools brings significant security challenges that often fly under the radar. As security leaders, it’s crucial to understand the risks of data sharing in SaaS to protect your organization’s most valuable assets.

Data from our recent survey shows that 58% of organizations experienced at least one SaaS-related security incident in the past year. The same report found that 94% of external data shares in SaaS applications were inactive and that 46% were shared to personal email accounts, exposing organizations to serious, unmanaged risk.

To reduce the frequency of SaaS security incidents, we must first bring order to the wild west of SaaS data sharing. 

Let’s examine the critical data sharing concerns in SaaS every organization should address.

SaaS Data Sharing is Much More Expansive Than You Think

SaaS applications host vast amounts of critical data. Most of the attention is usually focussed on collaboration platforms like OneDrive, SharePoint 365, or Google Drive. While these platforms account for a significant amount of typical data shares, almost every app, for example Salesforce, Slack, GitHub and Workday, has data sharing capabilities that are outside the security team’s purview.

The challenge in governing data sharing for these apps is compounded by the decentralized ownership of these apps, usually sitting in respective business units, as well as the diverse range of data sharing methods available, including internal features, external links, email, and APIs.

The types of data shared by these apps include a range of sensitive information: personally identifiable information (PII) such as employee records and customer records, financial data, internal communication, and intellectual property, including source code and blueprints, to name a few.

You Can't Protect What You Can't See

For many security leaders, the most alarming aspect of SaaS data sharing is the profound lack of visibility. Traditional security tools were not designed for cloud-based, collaborative environments, leaving security teams in the dark about:

  • Who has access to what data
  • When and how often data is being accessed
  • Where sensitive information is being shared
  • What data is being downloaded or exported

This visibility gap makes it nearly impossible to detect anomalous behavior that might indicate a breach or data theft.

Long-lived Sharing 

One of the most insidious risks in SaaS environments is long-lived sharing permissions. When employees set up sharing links or grant access to files and folders, these permissions rarely include an expiration date. This means that months or even years after the collaboration has ended, external parties may still have access to sensitive information. As organizational data grows exponentially, tracking these persistent access points becomes increasingly difficult, creating an expanding attack surface.

We routinely find millions of shared files where upwards of 90% of the data shares and access are dormant. Conducting regular permission and sharing audits is an essential practice to mitigate this risk. Security leaders should advocate for SaaS solutions that support automatic revocation of shared access based on organization-specific data security policies.

Open Link Sharing 

Perhaps the most concerning feature of modern SaaS applications is the ability to create shareable links that grant access to anyone possessing the URL. While convenient, these links dramatically expand the potential attack surface. 

Consider what happens when an employee creates an "anyone with the link can view" sharing option for a document containing customer data or intellectual property. That link might be:

  • Forwarded in emails to unintended recipients
  • Posted in public forums accidentally
  • Discovered through web crawlers if included on public pages
  • Found in browser history on shared or compromised devices

This exact scenario played out at the Japanese game developer Ateam, which, as a result of a Google Drive sharing misconfiguration, exposed the personal information of nearly 1 million people for over six years.

The lack of authentication requirements means these links could expose sensitive information to unauthorized parties, without leaving any audit trail of who accessed the data.

Sharing With Personal Email Accounts 

Convenience often drives employees to share corporate data with personal email addresses – either their own for "work from home" scenarios or colleagues' personal accounts to circumvent access limitations.

This practice dramatically increases risk in several ways:

  • Personal accounts lack enterprise-grade security controls
  • Security teams have no visibility into or control over personal accounts
  • Data shared to personal accounts remains accessible after employees leave an organization

Implementing strict data loss prevention (DLP) policies that prevent sharing to personal domains, combined with employee education about the risks, can help address this risk.
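
The three sharing risks described above (long-lived shares, open links, and shares to personal email accounts) can be checked in a single audit pass. The following is an added example, not code from the article or from any vendor product; the `Share` record, the domain lists, the 90-day dormancy threshold and the revoke/review policy are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for illustration; none of these come from the article.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
CORPORATE_DOMAINS = {"example.com"}
DORMANT_AFTER = timedelta(days=90)

@dataclass
class Share:
    file: str
    grantee: Optional[str]            # None means "anyone with the link"
    expires: Optional[datetime]       # None means no expiration was set
    last_access: Optional[datetime]   # None means never accessed

def findings(share, now):
    out = []  # risk labels for one share; stays empty for internal shares
    if share.grantee is None:
        out.append("open_link")
    else:
        domain = share.grantee.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS:
            out.append("personal_email")
        elif domain not in CORPORATE_DOMAINS:
            out.append("external")
    leaves_org = bool(out)
    if leaves_org and share.expires is None:
        out.append("no_expiry")
    if leaves_org and (share.last_access is None or now - share.last_access > DORMANT_AFTER):
        out.append("dormant")
    return out

def audit(shares, now):
    report = {}  # file -> (labels, action), only for shares that leave the org
    for s in shares:
        labels = findings(s, now)
        if labels:
            revoke = "dormant" in labels or "personal_email" in labels
            report[s.file] = (labels, "revoke" if revoke else "review")
    return report

# Constructed sample inventory (not real data).
NOW = datetime(2025, 4, 15, tzinfo=timezone.utc)
SHARES = [
    Share("roadmap.docx", "alice@example.com", None, NOW - timedelta(days=400)),
    Share("customers.csv", None, None, NOW - timedelta(days=200)),
    Share("payroll.xlsx", "bob.home@gmail.com", None, NOW - timedelta(days=2)),
    Share("design.pdf", "pm@partner.example", NOW + timedelta(days=30), NOW - timedelta(days=5)),
]
```

Calling `audit(SHARES, NOW)` marks the dormant open link and the personal-email share for revocation, queues the time-bound partner share for review, and leaves the internal share out of the report.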

The Non-Human Identities Ecosystem

The interconnected nature of modern SaaS environments creates significant security challenges. A typical organization manages thousands of non-human identities: connections between SaaS applications utilizing OAuth tokens, API keys, or service accounts. These digital identities represent vulnerable entry points, especially because security controls or authentication mechanisms are absent. The risk is heightened by the fact that these identities are granted through one-time, long-lived authorization consents that rarely undergo review.

Third-party access compounds this risk. Vendors, partners, and contractors often receive access to critical systems without adequate vetting or restrictions. The Cyberhaven (2024) and Midnight Blizzard (2024) attacks demonstrated how dramatically supply chain vulnerabilities can impact organizations, with compromised SaaS vendors serving as potential entry points to thousands of customer environments.

Customers are often alarmed to find hundreds and thousands of third-party integrations that are active and have access to sensitive data, even though these connections have been dormant for months or even years. That is why it is essential for organizations to implement comprehensive vendor assessment protocols, limit third-party access to the minimum necessary, continuously monitor for suspicious sharing activity, and revoke unused integrations routinely, ideally on an automated, time-bound basis.

Consequences of Data Exposure

The combination of easy sharing, poor visibility, and persistent access creates the perfect conditions for sensitive data leakage. Whether through malicious intent or simple human error, the exposure of confidential information can have devastating consequences:

  • Regulatory compliance violations and potential fines
  • Intellectual property theft affecting competitive advantage
  • Customer data breaches damaging trust and reputation
  • Financial loss from remediation costs and potential litigation

Final Word 

As SaaS adoption continues to accelerate, the security challenges associated with data sharing will only grow more complex. The combination of easy sharing, poor visibility, and persistent access creates the perfect conditions for sensitive data leakage. Whether through malicious intent or simple human error, the exposure of confidential information can have devastating consequences.

To effectively address these risks, security leaders must adopt a multi-faceted approach underpinned by SaaS security tooling that enables:

  1. Regular user access reviews and permission right-sizing
  2. The development and enforcement of clear data sharing policies with regular compliance reviews
  3. The ability to detect and revoke open link file sharing or sharing to personal email accounts
  4. Visibility and revocation capabilities over the third-party integrations ecosystem
  5. The capability to detect and respond to suspicious data sharing activities

Security leaders who address these risks now will be better equipped to protect their organizations while still preserving the collaboration benefits that make SaaS applications so valuable. The future of SaaS security lies in striking the right balance between empowering users with powerful collaboration tools and implementing the guardrails needed to keep sensitive data secure. 
