Let's assume your company uses Box Enterprise – just as an example. And then assume that your employees create a file or a folder and want to share it with someone, so they create a link.
In the case of Box, the link URLs can be randomly generated or created by the user.
With a little Google searching and a little brute-force engineering, you can find the company's Box subdomain and then, likely, the URLs.
Researchers found thousands of Box subdomains, thousands of URLs and terabytes of data.
Data included passport photos, socials and bank account numbers, trade secret engineering documents, employee lists, financial data, invoices, VPN data, network configurations – you get the idea.
Pretty simple, actually.
And not very secure.
But there is a way to improve security – it's just, maybe, a little less convenient. But which is more important – protecting your intellectual property, or …
Configure your cloud storage to require a user ID and password for access, rather than granting it to anyone who has the link that was emailed.
Restrict access to domain login accounts only, if possible.
Create cloud storage policies and procedures surrounding protecting corporate data.
Train users about the security implications of cloud storage.
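One way to check your own account for the exposure described above, as an added example that is not from the original post or from Box: a Python audit that triages shared-link settings, worst first. The field names (`access`, `vanity_name`, `is_password_enabled`) are assumed to follow the shared-link object in Box's API; the inventory and the severity ranking are constructed for illustration.

```python
# Constructed inventory: field names assumed to follow the shared_link object
# in Box's API; file names, owners and settings are invented sample data.
INVENTORY = [
    {"name": "q3-financials.xlsx", "owner": "alice@example.com",
     "shared_link": {"access": "open", "vanity_name": "q3-financials",
                     "is_password_enabled": False}},
    {"name": "vendor-nda.pdf", "owner": "bob@example.com",
     "shared_link": {"access": "open", "vanity_name": None,
                     "is_password_enabled": True}},
    {"name": "network-diagram.vsdx", "owner": "carol@example.com",
     "shared_link": {"access": "company", "vanity_name": None,
                     "is_password_enabled": False}},
    {"name": "employee-list.csv", "owner": "dave@example.com",
     "shared_link": {"access": "open", "vanity_name": None,
                     "is_password_enabled": False}},
    {"name": "draft.docx", "owner": "erin@example.com", "shared_link": None},
]

SEVERITY = {"high": 0, "medium": 1, "low": 2}  # sort order, worst first


def classify(item):
    """Return (severity, reason), or None when the link requires a login."""
    link = item.get("shared_link")
    if not link:
        return None  # never shared by link
    access = link.get("access")
    if access in ("company", "collaborators"):
        return None  # viewer must sign in with an authorised account
    if access != "open":
        return ("medium", f"unrecognised access level {access!r}, review by hand")
    if link.get("is_password_enabled"):
        return ("low", "open link, protected only by a shared password")
    if link.get("vanity_name"):
        return ("high", "open link with a user-chosen URL and no password")
    return ("medium", "open link with a random URL and no password")


def audit(inventory):
    """Return (severity, name, owner, reason) rows, worst first."""
    rows = [(v[0], i["name"], i["owner"], v[1])
            for i in inventory if (v := classify(i))]
    return sorted(rows, key=lambda r: (SEVERITY[r[0]], r[1]))


if __name__ == "__main__":
    for severity, name, owner, reason in audit(INVENTORY):
        print(f"[{severity}] {name} ({owner}): {reason}")
```

Each row names the owner, so the follow-up (switch the link to company-only or remove it) can go to the person who created it.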
This is not a bug but rather a feature.
While each cloud storage vendor does things a little differently, there is a lot of commonality between them.
Given the terabytes of data that the researchers found without looking too hard, think about how much data is likely out there, exposed, for the taking.
Is any of it yours? Source: Adversis.