Another company has accidentally exposed sensitive data because of inadequate governance of SaaS cloud applications.
The company in question was office-space provider Regus.
The data exposed was job performance details of over 900 employees.
According to the Telegraph newspaper, a partner accidentally posted the data online using Trello.
The UK Information Commissioner's Office (ICO) is aware of the problem and is investigating whether the breach requires enforcement action.
How did it happen?
Trello lets the owner of a "board" choose which group of users can see it. One of the choices makes the board public, visible to anyone on the internet. Choosing that option is what caught out the partner conducting the reviews when they shared the data with Regus.
This is not the first time an organisation has got itself into trouble when using Trello.
The cloud app is known for sharing features that put an organisation's data at risk if they are used incorrectly.
To paraphrase a well-known uncle – “with great collaboration comes great power”.
It is also likely that staff were using the app without the knowledge of Regus's governance teams. If so, those staff were probably not fully aware of the risk involved.
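The visibility setting described above is the kind of thing a governance team can check for itself. The script below is an added example, not code from the original post, from Ampliphae, or from Trello. It assumes the shape of the Trello REST API response for a member's boards (each board carrying `prefs.permissionLevel` with the values `private`, `org` or `public`) and an assumed remediation endpoint `PUT /1/boards/{id}/prefs/permissionLevel`; the API key, token and the sample board list are constructed, and nothing is sent over the network.

```python
"""Audit a user's Trello boards for the 'public' visibility setting.

Added example. Assumes the Trello REST API board object shape
(prefs.permissionLevel in {"private", "org", "public"}); the sample
response, key and token below are constructed and no requests are sent.
"""
import json
from urllib.parse import urlencode

# Constructed sample: what GET /1/members/me/boards?fields=name,url,prefs
# might return for a user with one board per visibility level plus one
# whose prefs could not be read.
SAMPLE_BOARDS_JSON = json.dumps([
    {"id": "5f1a0001", "name": "Q3 performance reviews",
     "url": "https://trello.com/b/abcd1234/q3-performance-reviews",
     "prefs": {"permissionLevel": "public"}},
    {"id": "5f1a0002", "name": "HR onboarding",
     "url": "https://trello.com/b/efgh5678/hr-onboarding",
     "prefs": {"permissionLevel": "org"}},
    {"id": "5f1a0003", "name": "My todo list",
     "url": "https://trello.com/b/ijkl9012/my-todo-list",
     "prefs": {"permissionLevel": "private"}},
    {"id": "5f1a0004", "name": "Legacy board",
     "url": "https://trello.com/b/mnop3456/legacy-board"},
])

VISIBILITY_LEVELS = ("private", "org", "public")


def classify_boards(boards):
    """Group boards by prefs.permissionLevel.

    Boards whose prefs are missing or unrecognised go under "unknown" so a
    reviewer sees them instead of the audit silently treating them as safe.
    """
    groups = {level: [] for level in VISIBILITY_LEVELS}
    groups["unknown"] = []
    for board in boards:
        level = (board.get("prefs") or {}).get("permissionLevel")
        groups[level if level in VISIBILITY_LEVELS else "unknown"].append(board)
    return groups


def public_board_names(raw_json):
    """Names of every board exposed to the whole internet."""
    return [b["name"] for b in classify_boards(json.loads(raw_json))["public"]]


def remediation_requests(public_boards, api_key, token):
    """Build (method, url) pairs that would flip each public board to private.

    Assumed endpoint: PUT /1/boards/{id}/prefs/permissionLevel?value=private,
    with key and token passed as query parameters. The caller decides whether
    to issue them; this function only prepares them.
    """
    planned = []
    for board in public_boards:
        query = urlencode({"value": "private", "key": api_key, "token": token})
        planned.append(("PUT",
                        f"https://api.trello.com/1/boards/{board['id']}"
                        f"/prefs/permissionLevel?{query}"))
    return planned


def audit(raw_json, api_key="KEY", token="TOKEN"):
    """Run the audit over a raw boards response and return a report dict."""
    groups = classify_boards(json.loads(raw_json))
    return {
        "public": [b["name"] for b in groups["public"]],
        "unknown": [b["name"] for b in groups["unknown"]],
        "fixes": remediation_requests(groups["public"], api_key, token),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_BOARDS_JSON)
    for name in report["public"]:
        print(f"PUBLIC board needs review: {name}")
    for name in report["unknown"]:
        print(f"visibility unknown, check manually: {name}")
    for method, url in report["fixes"]:
        print(f"planned fix: {method} {url}")
```

Run it against a real response by replacing `SAMPLE_BOARDS_JSON` with the body returned for your own key and token; the "unknown" bucket exists precisely so that a board the audit could not classify is surfaced rather than assumed private.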
Could it happen again?
This story highlights the risk of misconfiguring cloud applications with powerful data sharing features.
What makes the risk greater still is that the organisation may not know the application is in use at all. In practice such applications are often adopted by many users as shadow IT.
This is an obvious risk to corporate data governance. It also increases the likelihood of a highly public breach of legislation, with reputational damage the usual outcome and enforcement action a possibility.
This is where a well-defined approach to governance of SaaS cloud applications is key.
Mitigating risk through governance of SaaS cloud applications
Regus were not using the Ampliphae SaaSGuard platform. If they had been, it could have gone a long way towards mitigating the risk involved, and could have reduced the scale of any enforcement action or reputational damage.
Ampliphae SaaSGuard would have allowed Regus IT and Governance teams to:
- Be immediately aware that Trello was in use by Regus Staff.
- Understand who in the organisation was using Trello, and why they were using it.
- Understand that Trello is a cloud app targeted at project management – a scenario which often involves handling sensitive data.
- Be aware that Trello offers features which can be a risk in certain use cases.
All the above would have alerted Regus governance teams to investigate why a cloud app with these characteristics was in use by a team regularly handling sensitive data (Regus HR in this case).
Such an investigation could have allowed Regus to target more specific, even just-in-time, education about the risk involved at the staff using such cloud apps.
To go further still, Regus could have let SaaSGuard restrict the use of Trello automatically, intervening when non-approved or insufficiently trained users attempted to use it.
Find out more
If you would like to learn more about the issues related to SaaS Governance, please consider downloading our free eBook – Taming the Monster. Get it here.