He added that the bigger question for CISOs to consider is whether data sharing with third parties is part of their threat model. He said there are inherent risks to sending data to cloud providers, but the benefits of using reputable cloud providers may outweigh the risks.
“It’s key from a CISO perspective,” said Esnar Seker of CISO at Socradar. “When configuring Google Analytics, you have to make sure you don’t need to accidentally pass sensitive data to the tracking code to prevent it from being related to embedding personal information. For example, if your application generates a URL, he said example.com/results? user = johndoe&dob=01011990unless the data is explicitly filtered out, Google Analytics will collect these parameters.
He said that letting Google Analytics capture form live values should also be avoided. This includes names, emails, dates of birth or anything classified as personally identifiable information or personal health information. He pointed out that many websites accidentally pass them to JavaScript variables that can be picked up by the analysis script.
