TL;DR
No, unlisted links to sensitive data are generally not acceptable. While they seem more secure than public links, they offer a false sense of security and don’t meet proper cyber security standards. This guide explains why and what you should do instead.
Why Unlisted Links Aren’t Secure
Unlisted links (like those on YouTube or Google Drive) aren’t the same as properly secured data. They rely on obscurity, not strong protection. Here’s why they are risky:
- Easy Sharing: Anyone with the link can access the data and easily share it further.
- No Access Control: You typically don’t have granular control over who *specifically* can view or edit the information.
- Search Engine Crawling (Potential): While less likely, some unlisted content can be indexed by search engines under certain circumstances.
- Lack of Audit Trail: It’s hard to track who has accessed the data using an unlisted link.
Steps to Secure Sensitive Data Properly
- Identify Sensitive Data: First, know what needs protecting! This includes things like:
  - Personal information (names, addresses, dates of birth)
  - Financial records
  - Confidential business documents
  - Intellectual property
- Choose a Secure Storage Solution: Don’t rely on general file-sharing services for sensitive data. Consider these options:
  - Cloud Storage with Access Control: Services like Microsoft OneDrive, Google Workspace (with proper settings), or Box allow you to set permissions and track access.
  - Dedicated Document Management Systems (DMS): These offer robust security features, version control, and audit trails.
  - On-Premise Servers with Restricted Access: If appropriate for your organisation, store data on servers within your own network, protected by firewalls and strong authentication.
- Implement Strong Authentication:
  - Multi-Factor Authentication (MFA): This adds an extra layer of security beyond just a password.
  - Strong Passwords: Enforce complex passwords and regular changes.
- Principle of Least Privilege: Only grant users the minimum access they need to perform their job.
- Encryption: Protect data both in transit (when it’s being sent) and at rest (when it’s stored).
  - TLS/SSL: Ensure all communication uses HTTPS.
  - Data Encryption at Rest: Many cloud storage providers offer this automatically; check their documentation. For on-premise servers, use encryption tools like BitLocker (Windows) or LUKS (Linux).
- Access Control & Permissions: Carefully manage who can view, edit, and share the data.
  - Role-Based Access Control (RBAC): Assign permissions based on job roles.
  - Regularly Review Permissions: Ensure users still need access to the data they have.
- Audit Logging & Monitoring: Track who accesses sensitive data and when.
  - Enable Audit Logs: Most secure storage solutions provide this feature.
  - Regularly Review Logs: Look for suspicious activity.
- Data Loss Prevention (DLP): Consider tools that can prevent sensitive data from leaving your control.
  - These tools scan content and block unauthorized sharing or transmission of sensitive information.
Example: Securing a Google Drive File
Instead of an unlisted link, share with specific email addresses and set permissions:
- Right-click on the file in Google Drive.
- Select ‘Share’.
- Enter the email addresses of people you want to grant access to.
- Choose the appropriate permission level (Viewer, Commenter, Editor). Avoid giving Editor access unless absolutely necessary.
Command Line Example: Checking File Permissions (Linux)
To view permissions on a file:
ls -l filename
This will output something like -rw-r--r-- 1 user group size date filename. Understand the permission codes to ensure only authorised users have access.
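Reading `ls -l` output one file at a time does not scale to a whole directory of sensitive documents. The script below is an added example, not part of the original guide: it lists every file whose group or other permission bits are set and then restricts those files to their owner. The helper names `audit_perms` and `lock_down` and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). audit_perms and lock_down are
# hypothetical helper names; the sample files below are constructed.

# Print each regular file under DIR whose mode grants any permission to
# "group" or "other" (the 2nd and 3rd triplets in `ls -l` output).
# Returns 1 if at least one such file exists, 0 otherwise.
audit_perms() {
    _exposed=$(find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort)
    [ -z "$_exposed" ] && return 0
    printf '%s\n' "$_exposed"
    return 1
}

# Remove all group/other permission bits, leaving owner access untouched.
lock_down() {
    find "$1" -type f -exec chmod go-rwx {} +
}

# Constructed sample: three files with different modes.
sample=$(mktemp -d)
touch "$sample/payroll.csv" "$sample/notes.txt" "$sample/private.key"
chmod 644 "$sample/payroll.csv"   # -rw-r--r--  readable by everyone
chmod 660 "$sample/notes.txt"     # -rw-rw----  writable by the group
chmod 600 "$sample/private.key"   # -rw-------  owner only

echo "Before:"; audit_perms "$sample" || echo "(files above are exposed)"
lock_down "$sample"
echo "After:";  audit_perms "$sample" && echo "(nothing exposed)"
ls -l "$sample"
rm -rf "$sample"
```

The non-zero exit status of `audit_perms` makes it usable as a scheduled check that fails when a sensitive directory contains files accessible beyond their owner.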
Final Thoughts
Unlisted links are a quick fix, but they don’t provide adequate cyber security for sensitive data. Invest in proper storage solutions and implement strong security measures to protect your information effectively.