Are document storage/sharing SaaS providers doing enough to protect sensitive data, in your opinion?

773 views · 14 Comments

Director of Information Security Operations in Consumer Goods, 1,001 - 5,000 employees
Of course not. I need to have monitoring rules and tools like Varonis, for example.
Director, Security Operations in Telecommunication, 501 - 1,000 employees
No. While using a SaaS provider for this will actually increase protection for many, which is a good thing, this is not enough. As with any SaaS solution, many people feel that by shifting to SaaS, they've been able to shift the responsibility as well, which isn't the case. It's important to focus on the SaaS provider's capabilities during procurement due diligence, and also to have a good vendor management program in place to ensure ongoing compliance. Often overlooked, but just as important, is ensuring you have some ability to monitor activity focused on the SaaS repositories, no different from monitoring your own systems.
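The monitoring point above can be made concrete with a small set of detection rules run over the audit export most document-sharing SaaS platforms provide. The following is an added example, not code from the discussion or from any particular vendor: the event schema, user names, domains and thresholds are constructed for illustration and would need to be mapped onto the real export format of your own provider.

```python
"""Detection rules over audit events exported from a document-sharing SaaS.

Added example: event schema, identities and thresholds are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Domains treated as "inside the organisation" (constructed).
INTERNAL_DOMAINS = {"corp.example"}

# Constructed sample export: one JSON event per line, in the shape a
# generic document-sharing SaaS might deliver through an audit API.
SAMPLE_EVENTS = """\
{"ts": "2024-03-01T09:00:00Z", "actor": "alice@corp.example", "action": "share", "doc": "q1-forecast.xlsx", "label": "confidential", "target": "partner@outside.example"}
{"ts": "2024-03-01T09:01:00Z", "actor": "alice@corp.example", "action": "share", "doc": "team-lunch.docx", "label": "internal", "target": "bob@corp.example"}
{"ts": "2024-03-01T09:02:00Z", "actor": "bob@corp.example", "action": "link_create", "doc": "customer-list.csv", "label": "confidential", "access": "anyone"}
{"ts": "2024-03-01T09:03:00Z", "actor": "carol@corp.example", "action": "download", "doc": "f1.pdf", "label": "internal"}
{"ts": "2024-03-01T09:04:00Z", "actor": "carol@corp.example", "action": "download", "doc": "f2.pdf", "label": "internal"}
{"ts": "2024-03-01T09:05:00Z", "actor": "carol@corp.example", "action": "download", "doc": "f3.pdf", "label": "internal"}
{"ts": "2024-03-01T09:06:00Z", "actor": "carol@corp.example", "action": "download", "doc": "f4.pdf", "label": "confidential"}
{"ts": "2024-03-01T09:30:00Z", "actor": "carol@corp.example", "action": "download", "doc": "f5.pdf", "label": "internal"}
{"ts": "2024-03-01T09:31:00Z", "actor": "dave@corp.example", "action": "share", "doc": "budget.xlsx", "label": "confidential", "target": "cfo@corp.example"}
"""


def parse_events(text):
    """Parse one JSON event per line, skip blank lines, return events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def detect(events, internal_domains=INTERNAL_DOMAINS,
           bulk_threshold=4, window=timedelta(minutes=10)):
    """Apply three rules and return the alerts raised, in event order.

    1. A document labelled confidential shared with an external recipient.
    2. An "anyone with the link" link created on a confidential document.
    3. bulk_threshold or more downloads by one actor inside a sliding window.
    """
    alerts = []
    recent_downloads = defaultdict(list)  # actor -> download timestamps inside the window
    for ev in events:
        action = ev["action"]
        if action == "share" and ev.get("label") == "confidential" \
                and is_external(ev["target"], internal_domains):
            alerts.append({"rule": "external_share_of_confidential",
                           "actor": ev["actor"], "doc": ev["doc"], "target": ev["target"]})
        elif action == "link_create" and ev.get("access") == "anyone" \
                and ev.get("label") == "confidential":
            alerts.append({"rule": "anonymous_link_on_confidential",
                           "actor": ev["actor"], "doc": ev["doc"]})
        elif action == "download":
            bucket = recent_downloads[ev["actor"]]
            bucket.append(ev["ts"])
            cutoff = ev["ts"] - window
            bucket[:] = [t for t in bucket if t > cutoff]  # drop events that left the window
            if len(bucket) == bulk_threshold:  # fire once, when the threshold is first reached
                alerts.append({"rule": "bulk_download", "actor": ev["actor"],
                               "count": len(bucket), "window_minutes": int(window.total_seconds() // 60)})
    return alerts


def run_sample():
    """Run the rules over the constructed export."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The thresholds are deliberately low so the sample fires; in practice they are tuned per tenant, and the rules feed the same SIEM and case workflow as on-premises file-server auditing so the SaaS repository is not a blind spot.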
CIO/CISO in Healthcare and Biotech, 11 - 50 employees
Not nearly enough, given the maturity of 3rd-party controls available to supplement the obvious gaps within the primary providers. I'm hoping many of the features available in some of these data detection and protection solutions ultimately get integrated, or in the extreme case, hopefully some of these control providers get acquired by the storage providers so that their functionality can be seamlessly integrated.
Director of Information Security in Manufacturing, 1,001 - 5,000 employees
No, I do not think so. The platform should not only have the technical ability to safeguard sensitive data (and most of them do), but also make it natural and easy for people to do so. Setting a default is a start, but noticing the nature of the document (e.g. a spreadsheet with financial data) or the type of audience should also be strong indicators to help trigger a warning or a choice for the user. If you e.g. write an e-mail and forget to attach, or you include external recipients, you get a warning. This would help at least some of our users if we can do that for document storage as well.

I also believe that expiration dates should be something that is built in. When creating a document, set a date after which a warning will be given and then deletion will be initiated.

Last but not least, at least some basic auditing capabilities would be nice. What are the documents I have shared, and when was the last time anybody even had a look at my documents...
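The three features described above (a share-time warning driven by the document's nature and audience, a built-in expiration date with a warning period before deletion, and a "what have I shared and when was it last viewed" audit) can be sketched in one small model. This is an added example, not code from the discussion or from any product: the document model, the keyword list used to guess that a spreadsheet is financial, the internal domain and the day thresholds are all constructed for illustration.

```python
"""Share-time warnings, expiration handling and a sharing audit for a document store.

Added example: document model, keyword hints, domains and thresholds are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

INTERNAL_DOMAINS = {"corp.example"}  # constructed
# Hypothetical name hints that a file is likely to carry financial data.
FINANCIAL_HINTS = ("budget", "forecast", "salary", "invoice", "revenue")
SPREADSHEET_EXT = (".xlsx", ".xls", ".csv")
TODAY = date(2024, 3, 1)  # fixed "today" so the sample is reproducible


@dataclass
class Document:
    name: str
    owner: str
    expires_on: Optional[date] = None
    shared_with: List[str] = field(default_factory=list)
    last_viewed: Dict[str, date] = field(default_factory=dict)  # viewer -> last view date


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def looks_financial(doc: Document) -> bool:
    """Cheap heuristic: a spreadsheet whose name carries a financial hint."""
    name = doc.name.lower()
    return name.endswith(SPREADSHEET_EXT) and any(h in name for h in FINANCIAL_HINTS)


def share_warnings(doc: Document, recipient: str) -> List[str]:
    """Warnings to show before a share is created; the user can still proceed."""
    warnings = []
    if is_external(recipient):
        if looks_financial(doc):
            warnings.append("spreadsheet that appears to hold financial data is being shared outside the organisation")
        if doc.expires_on is None:
            warnings.append("external share has no expiration date")
    return warnings


def lifecycle_action(doc: Document, today: date = TODAY, warn_days: int = 7) -> str:
    """'warn' inside the grace window before expiry, 'delete' once expired, else 'none'."""
    if doc.expires_on is None:
        return "none"
    if today >= doc.expires_on:
        return "delete"
    if today >= doc.expires_on - timedelta(days=warn_days):
        return "warn"
    return "none"


def audit_report(docs, today: date = TODAY, stale_days: int = 90):
    """Per document: who it is shared with, the last view, and whether it has gone stale."""
    rows = []
    for doc in docs:
        last = max(doc.last_viewed.values()) if doc.last_viewed else None
        stale = last is None or (today - last).days > stale_days
        rows.append({"name": doc.name, "shared_with": sorted(doc.shared_with),
                     "last_viewed": last, "stale": stale})
    return rows


# Constructed sample documents owned by one user.
DOCS = [
    Document("q2-budget.xlsx", "alice@corp.example",
             shared_with=["partner@outside.example"]),
    Document("meeting-notes.docx", "alice@corp.example",
             expires_on=TODAY + timedelta(days=3),
             shared_with=["bob@corp.example"],
             last_viewed={"bob@corp.example": TODAY - timedelta(days=1)}),
    Document("vendor-invoices.csv", "alice@corp.example",
             expires_on=TODAY - timedelta(days=1),
             shared_with=["erin@corp.example"],
             last_viewed={"erin@corp.example": TODAY - timedelta(days=120)}),
]

if __name__ == "__main__":
    print(share_warnings(DOCS[0], "partner@outside.example"))
    for d in DOCS:
        print(d.name, "->", lifecycle_action(d))
    for row in audit_report(DOCS):
        print(row)
```

The name-based heuristic stands in for whatever classification the platform actually has (labels, content inspection); the point is that the warning is raised at the moment of sharing, in the same way an e-mail client warns about a missing attachment, and that expiry and "last viewed" are tracked as first-class attributes rather than left to the user's memory.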
Director in Construction, 1,001 - 5,000 employees
Document management should not be confused with document storage SaaS provider solutions. The only way to protect information is to (a) know what information you are trying to protect and (b) implement appropriate access control, monitoring... with regard to how to protect it. Unfortunately, the masses are just looking for quick and easy ways to share documents, and they find cheap and easy SaaS providers for this small aspect of a larger business problem.
CISO in Finance (non-banking), 10,001+ employees
Well, it depends on what kind of offering you are taking from the SaaS and document storage provider and what has been decided as part of the agreement. Security on the cloud or in any vendor engagement is a shared responsibility, and you cannot rely on them completely for all the security controls which will protect the sensitive data; the organization has to play a larger role to ensure adequate controls are implemented. A thorough risk assessment and audit need to be done by the organization's information security team before moving the data to their setup, and identified controls need to be put in for the reported risks and security issues. There will be controls from the organization's end that need to be deployed, e.g. access control, monitoring tools, higher encryption standards, network security, VAPT of the application which the vendor has provided, along with the controls which the vendor has already implemented, e.g. their physical security controls, firewall, access management, VAPT. Regular monitoring of controls needs to be done, and for critical providers a security review must be done at least once a year. The vendor must also get an audit done at least once a year by an independent auditor, and the report must be provided to the organization. The vendor's incident response process must be reviewed by the organization.
Senior Director of IT in Software, 10,001+ employees
Not enough. There should be an additional 3rd-party/self-made solution in place.
CISO in Healthcare and Biotech, 2 - 10 employees
As far as the basics go, this is table stakes. Data segmented by customer, held in encrypted storage, and better yet, in its own virtual instance. Running monitoring and intrusion tools is a plus, with a robust notification process if something happens, such as unavailability or, worst-case scenario, compromise. This question needs to be part of the assessment for any SaaS provider.
Director, Information Security Engineering and Operations in Manufacturing, 5,001 - 10,000 employees
No. That being said, some may not see themselves as "playing" in the field of document security, only document storage.
Executive Director, Enterprise Infrastructure & Cybersecurity in Finance (non-banking), 10,001+ employees
CSPs could do more: rule- and role-based access in addition to default control implementation.
