Why ‘Anyone With the Link’ Is No Longer Good Enough: A Case for Zero-Trust File Sharing
Somewhere along the way, “share a link” became the default answer to file collaboration. It’s fast, it’s frictionless, and it works across every platform and device. It’s also one of the most persistent security liabilities in modern business operations.
The problem isn’t file sharing itself. Sharing files securely is entirely achievable. The problem is the cultural and architectural assumptions that have built up around it — assumptions that are actively being exploited by attackers, and that leave organizations exposed in ways that are difficult to audit after the fact.
The Real Problem With Public Links
When you generate a shareable link and send it to a client or colleague, you lose control of that link the moment you hit send. It can be forwarded. It can be indexed by a browser or email service. It can be captured by a phishing attack targeting the recipient. And in most cases, nothing in your system will tell you that the link was accessed by someone other than the person you intended.
Beyond external exposure, consider internal proliferation. In organizations where sharing links is the norm, sensitive files routinely end up accessible to far more people than intended. Old links stay active long after a project ends. Former employees and contractors retain access until someone manually revokes it — if anyone ever does.
Zero-Trust Applied to File Sharing
Zero-trust is a security framework built on one principle: don’t trust any user or device by default, regardless of whether they’re inside or outside your network. Every access request must be authenticated, authorized, and continuously validated.
Applied to file sharing, this means access is always tied to a verified identity — not a link. Instead of sending someone a URL that grants access, you grant a specific user account access to a specific file or folder. They authenticate to access it. Every access event is logged with a name, timestamp, and IP address. When you revoke their access, it disappears immediately — no link to deactivate, no residual exposure.
This architecture also makes compliance reporting dramatically easier. When an auditor asks who accessed a sensitive file and when, you have an answer. With shared links, you often don’t.
Practical Controls That Make a Difference
You don’t have to rip and replace your current file sharing infrastructure to significantly improve your security posture. Several targeted controls make an immediate difference.
Expiring access. Any external sharing should have a defined expiration date. If a client needs to access a proposal, their access should expire after 30 days — not remain active indefinitely because nobody thought to turn it off.
Password-protected links as a minimum floor. If you must use link-based sharing, at minimum require a separate password that you communicate through a different channel. This doesn’t provide identity-based access control, but it eliminates the scenario where a forwarded link alone grants full access.
Download restrictions. View-only access prevents recipients from pulling sensitive files into personal storage where you have no visibility or control. This is especially important for contracts, financial data, and any files containing personal information.
Audit trail requirements. If your file sharing platform can’t tell you who accessed what and when, that’s not a capability gap — it’s a compliance gap. Access logging is a baseline requirement for any regulated data, and it’s simply good practice for everything else.
The External Sharing Audit You Probably Haven’t Done
Most organizations, if they ran a full audit of their externally shared files today, would be surprised — and not in a good way. Links from three years ago still active. Files shared with personal email addresses from former vendors. Entire project folders accessible to clients who should have been off-boarded months ago.
This audit is worth doing. Most major cloud storage platforms have an administrative view that shows all externally shared content. Schedule it quarterly. Revoke anything that doesn’t have a clear, current business reason to remain accessible.
Getting the Balance Right
Security controls that make file sharing so cumbersome that people route around them aren’t controls — they’re the illusion of controls. The goal is a system where secure sharing is also the easiest path, not a burden people actively try to avoid.
That means choosing platforms where identity-based access is as fast as link generation, where expiration dates are built into the workflow, and where the default settings favor protection over convenience. Getting file sharing right isn’t about restricting collaboration — it’s about making sure you always know who’s collaborating and on what.