For organizations that rely on collaborative SaaS applications like Slack, Google Drive, and Confluence, preventing the abuse of corporate credit cards can be a significant challenge. Addressing it requires understanding the behavioral factors that lead employees to share card data, as well as the right technical approach to the problem. In this post, we cover how this exposure happens, why it matters, and what controls you can put in place to address it.
What does corporate credit card exposure entail?
Exposure and abuse of corporate credit cards via collaborative SaaS apps can happen for various reasons. These include:
- Sharing credit card information via SaaS apps for convenience. Employees, such as business admins, may unwittingly share credit card information with other employees who need the card to pay for business-related one-time purchases. These are ad hoc purchases with a genuine business purpose, such as paying for an add-on PR service for a product launch. For convenience and expedience, an admin may choose to simply share the credit card information over a service like Slack.
- Sharing credit card information via SaaS apps to intentionally bypass financial constraints. Some employees may have credit limits on the corporate card they have access to, or may not have access to a credit card at all. So they might ask for a credit card number or look through content in SaaS applications like Slack, Google Drive, Asana, or Confluence to find instances where a corporate credit card has been shared in order to charge the card.
- Accessing a shared credit card for the deliberate purpose of fraud/abuse. Sometimes an employee may simply be malicious and want to commit financial fraud. Though the motivation here is different, the approach they would take is pretty similar to the cases shared above.
What are the long-term consequences of corporate credit card exposure?
While exposure can contribute to or stem from the causes mentioned above, leaving this data exposed in SaaS applications can have a variety of consequences, including:
- Immediate fraud and abuse. As highlighted by the cases above, one consequence of employees freely sharing credit card information in SaaS applications is that the card is immediately abused by the parties the card is shared with.
- Third-party abuse. Most data in SaaS applications is subject to whatever retention policies you put in place when setting up and configuring the service. For apps like Slack, if you haven’t specified a retention period, your data will be stored permanently. This means that contractors, or worse yet, hackers who gain access to your applications, might deliberately search for or accidentally find exposed credit card information.
How should you address credit card exposure in SaaS applications?
Addressing credit card exposure in Slack requires a solution that:
- Integrates with SaaS apps at the API layer to provide the appropriate amount of visibility. Being API-connected also means the solution can take action on your behalf once a credit card is discovered.
- Uses machine learning to detect sensitive data like credit cards. Because valid credit card numbers are generated with the Luhn algorithm, searching for exposed credit card numbers with regex alone is not helpful, as it would generate a high rate of false positives. With a machine learning solution, you can use context and apply sensitivity thresholds to zero in on the types of exposure incidents you want to prevent.
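As an added example (not Nightfall's code), the small Python detector below illustrates the point above: a digit-pattern regex alone flags anything card-shaped, so candidates are filtered with the Luhn checksum and then scored by surrounding payment context before a sensitivity threshold decides what to report. The chat messages, keyword list, and confidence labels are constructed for this example.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed context words that raise confidence that a Luhn-valid number is a payment card.
CONTEXT_RE = re.compile(r"\b(card|cc|cvv|cvc|exp(?:iry|ires)?|visa|mastercard|amex)\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    number: str       # normalized digits of the match
    confidence: str   # "high" if payment context is present in the message, else "low"
    redacted: str     # the message with all but the last four digits masked


def scan_message(text: str, min_confidence: str = "low") -> list[Finding]:
    """Find card-like numbers, drop Luhn failures, and score the rest by context."""
    findings = []
    has_context = bool(CONTEXT_RE.search(text))
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue              # order or ticket numbers that merely look like a PAN
        confidence = "high" if has_context else "low"
        if min_confidence == "high" and confidence != "high":
            continue              # sensitivity threshold: report only context-backed hits
        masked = text[:m.start()] + "*" * (len(digits) - 4) + digits[-4:] + text[m.end():]
        findings.append(Finding(digits, confidence, masked))
    return findings


if __name__ == "__main__":
    # Constructed sample messages: one real exposure, two Luhn failures, one context-free hit.
    for msg in ["Here's the corp card for the PR vendor: 4111 1111 1111 1111 exp 09/27 cvv 123",
                "Order #4111111111111112 shipped", "Ticket 1234567890123456 opened",
                "Reference 5500 0000 0000 0004 for the tracking system"]:
        print(scan_message(msg))
```

Only the first message is a high-confidence finding; the last is Luhn-valid but lacks payment context, so it is dropped once `min_confidence="high"` is requested.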
Luckily, Nightfall meets all of these criteria. By using Nightfall you can discover the sharing of sensitive information like credit card numbers in real time. With Nightfall you have the ability to automatically remediate messages and documents containing credit card numbers while sending custom notifications to employees who violate this policy in order to educate them about proper handling of sensitive information.
How does Nightfall address credit card exposure in SaaS apps?
Nightfall works in three simple steps that you can complete in under 3 minutes:
- Authentication. As an API-centric platform, Nightfall allows you to integrate with major SaaS applications in just seconds using OAuth 2.0. Simply sign in to an authorized account and authenticate with Nightfall.
- Create detection rules. Nightfall scans for sensitive data matching any criteria you specify. For credit card numbers, you can use our out-of-the-box credit card number detector to scan for credit card numbers in popular SaaS applications like Slack, Google Drive, Confluence, Asana, and more.
- Create a remediation policy. The Nightfall platform allows you to take any detectors you’ve selected and grouped together under a detection rule and add them to policies. Policies specify the “what,” “where,” and “how” of your remediation strategy within a given application and determine what activity Nightfall will alert you to. You can also choose to set an automated policy that allows Nightfall to take remediative action automatically after sending an alert.
Through the Nightfall policy engine UI, you must:
- Select the detection rule to use for a given policy. For credit card numbers, you can use our out-of-the-box credit card detector.
- Tell Nightfall where to look for credit card numbers. Whether you want to look for credit card numbers within documents located in a specific Google Drive folder, a single Google Document, or in a private Slack channel, Nightfall has you covered.
- Tell Nightfall what to do once findings are discovered. Nightfall can be configured to take real-time remediative action upon discovering that credit card numbers have been shared. In Slack, for example, you can have Nightfall automatically redact, quarantine, or delete messages containing credit card numbers while optionally deciding to notify employees who violate this policy. In Google Drive you can delete files containing credit cards, or change their permissions so that only authorized individuals have access to the file.