In the eight years since it launched, Notion has become a much-loved collaboration and productivity tool used by enterprises large and small across the globe.
Because it’s intuitive to use, cloud-based and brimming with helpful features, many employees rely on Notion for tasks like note taking, sharing documents, project management and database storage.
But, despite its popularity, Notion isn’t inherently secure. In fact, without the right integrations, your Notion could be a data leak waiting to happen.
Here, we’ll look at Notion’s vulnerabilities in more detail, offering actionable tips to help security teams secure this SaaS app.
Understanding Notion’s security framework
As noted on its website, Notion has implemented robust measures to ensure the security and integrity of customer data, applications, and infrastructure.
For example, access monitoring is a top priority, with logging enabled on all critical systems for a wide range of activities, including failed and successful logins, application access, administrator changes, and system modifications.
Hosted by AWS, Notion also stores customer data utilizing a combination of databases. AWS’s durable infrastructure guarantees a 99.9% object durability rate, providing a reliable foundation for data storage.
Automated backups of both customer and system data are performed daily. These backups are encrypted using the same standards as live production data and are continuously monitored and alerted for any anomalies.
Notion’s security extends to data encryption practices too, with customer data encrypted at rest using AES-256 across Notion’s internal networks, cloud storage, database tables, and backups. Data transmitted in transit is similarly safeguarded through encryption protocols like TLS 1.2 or higher.
Notion also maintains a bug bounty program for responsible disclosure and conducts thorough code analysis for every release. Credential management is automated with Key Management Services (KMS), and the company says it ensures timely vulnerability management and patching.
Additionally, Notions’ office networks are firewall-protected, and it employs both network and host-based intrusion detection systems, along with a SIEM solution for real-time incident management.
Notion’s approach to vulnerability disclosure
As mentioned, Like many SaaS providers, Notion has a bug bounty program that encourages security researchers to discover and disclose vulnerabilities discovered within its software, as outlined in its responsible disclosure policy.
Here are a couple of recent vulnerabilities discovered in Notion, alongside their potential impact.
- CVE-2024-23745: In Notion Web Clipper 1.0.3(7), a vulnerability known as Dirty NIB attack affects .nib files. These files can be manipulated to execute arbitrary commands. Even if modified within the application, Gatekeeper may still allow execution, enabling unauthorized commands within the application’s context. Exploiting this flaw could lead to unauthorized command execution within Notion, potentially compromising sensitive user data or enabling malicious actions.
- CVE-2024-23743: Notion through 3.1.0 on macOS may be susceptible to code execution due to RunAsNode and enableNodeClilnspectArguments. It’s important to note that the attacker must launch the Notion Desktop application with nonstandard flags to turn the Electron-based application into a Node.js execution environment, as stated by the vendor.
Notion security risks on the customer side
Being a software-as-a-service (SaaS) application, Notion adheres to the cloud’s shared responsibility model. While Notion takes responsibility for securing its infrastructure, customers bear the onus of configuring settings, managing user identities, and safeguarding data within the platform.
This is where the greatest cybersecurity and compliance risks lie. As Gartner notes, 99% of cloud data breaches will be the fault of the customer by 2025—a result of misconfigurations, improper use of data and insider negligence.
Here is a deeper look at the risks:
HIPAA violations
Notion serves as a valuable tool for healthcare professionals, facilitating various tasks that involve handling sensitive Personally Identifiable Information (PII) and Protected Health Information (PHI).
However, the usage of Notion in healthcare settings introduces significant regulatory considerations, particularly concerning compliance with mandates such as the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA).
The inadvertent sharing of PHI and PII with third-party applications or public-facing pages within Notion poses a significant risk of compliance violations. Healthcare professionals must adhere to strict regulations governing the privacy and security of patient information, and any unauthorized disclosure of such data can result in severe consequences, including hefty fines and reputational damage.
Imagine a scenario where a healthcare professional unintentionally shares patient records containing PHI on a public-facing page within Notion or inadvertently grants access to a third-party application that is not compliant with HIPAA regulations. Such actions could constitute a serious breach of patient privacy and could potentially lead to legal liabilities and regulatory sanctions.
Credentials leakage
Notion serves as a popular platform for creating company wikis, facilitating seamless collaboration and information sharing among employees. However, this convenience comes with inherent security risks, particularly regarding the inadvertent exposure of credentials for internal systems.
In many organizations, Notion is utilized as a repository for storing documentation, including how-to guides and instructional materials that may contain sensitive credentials for accessing internal systems. While this facilitates accessibility and knowledge sharing, it also introduces the risk of inadvertent exposure if proper access controls are not implemented and maintained diligently.
Improperly configured access controls within Notion workspaces can potentially grant unauthorized users access to sensitive credentials, thereby exposing the organization to the risk of insider misuse. Malicious insiders or external threat actors who gain access to these credentials could exploit them to compromise internal systems, perpetrate unauthorized activities, or exfiltrate sensitive data.
Credentials compromise
The risk of malicious actors gaining unauthorized access to Notion accounts remains a significant concern, particularly through methods such as password guessing or the acquisition of compromised credentials from the dark web. While Notion does offer multi-factor authentication (MFA) as an additional layer of security, the persistent threat landscape highlighted by frequent data breaches emphasizes the necessity for supplementary security measures.
Despite the effectiveness of MFA in mitigating certain types of attacks, it is not foolproof, and determined adversaries may still find ways to bypass this security measure. The widespread availability of compromised credentials on the dark web, with billions of passwords readily accessible to malicious actors, underscores the importance of adopting a comprehensive approach to account security.
Misconfigurations and data leakage
Misconfigurations represent a significant threat to the security of data stored within Notion workspaces. These misconfigurations frequently arise from employees inadvertently setting incorrect permissions, resulting in the exposure of sensitive information to unauthorized individuals or even the public.
Such misconfigurations can have serious consequences, including data breaches, unauthorized access, and data theft. When sensitive information is left unprotected due to misconfigured permissions, it becomes vulnerable to exploitation by malicious actors seeking to exploit these vulnerabilities for personal gain or malicious purposes.
Moreover, misconfigurations can undermine an organization’s compliance efforts, as they may result in violations of regulatory requirements and industry standards governing the protection of sensitive data. This can lead to legal liabilities, financial penalties, and reputational damage for the organization.
Insecure integrations
The integration capabilities with third-party tools within Notion indeed offer immense potential for streamlining workflows and enhancing productivity. However, it’s crucial to acknowledge that these integrations also introduce inherent risks to data security and compliance.
The interconnected nature of these integrations means that any vulnerabilities or weaknesses present in the third-party tools could potentially be exploited to gain unauthorized access to Notion files and data. This could result in sensitive information being compromised, leading to serious repercussions such as data breaches, regulatory violations, and reputational damage
Are Notion’s native security features enough?
While Notion offers several foundational security features such as multi-factor authentication, Single Sign-On (SSO), and permissions management, which are crucial in fortifying defenses against prevalent cyber threats like credential stuffing and business email compromise, its native capabilities do not extend to comprehensive data protection, data loss prevention, or data classification functionalities.
In today’s increasingly complex cybersecurity landscape, where data breaches and non-compliance present colossal risk, the absence of robust data security measures within Notion can leave sensitive information vulnerable to unauthorized access, leakage, or misuse. Without adequate safeguards in place, organizations may inadvertently expose themselves to regulatory penalties, reputational damage, and financial losses.
To mitigate these risks and ensure a secure environment for collaboration and information sharing within Notion, organizations must explore specialized security integrations. These integrations are designed to augment Notion’s existing security framework by providing advanced capabilities such as data encryption, automated data classification, real-time threat detection, and incident response.
By leveraging these specialized security solutions, organizations can proactively identify and mitigate potential security threats, safeguard sensitive data from unauthorized access or leakage, and maintain compliance with industry regulations and data protection laws.
Additionally, implementing these integrations demonstrates a proactive approach to cybersecurity, instilling confidence among stakeholders and fostering a culture of trust and accountability within the organization.
Mitigating risks: Strategies for users and teams
Bearing the above in mind, organizations should follow the below steps to bolster Notion security:
Ensure regular review of user permissions
Notion fosters seamless collaboration among employees, clients, and freelancers. However, as vital as granting access is, revoking it holds equal importance.
It’s essential to regularly review who has access to what within Notion. When an employee departs or a project concludes, conduct thorough reviews and revoke access rights accordingly, ensuring access is granted only on a need-to-know basis.
Invest in specialized SaaS DLP
Notion lacks built-in data loss prevention (DLP) capabilities. Fortunately, we’ve partnered with Notion to introduce AI-infused data classification and protection. Our solution, Polymer DLP for Notion, autonomously identifies, classifies, and addresses sensitive data exposure within Notion.
Leveraging natural language processing (NLP), Polymer DLP seamlessly integrates with Notion, swiftly scanning databases for historical and new sensitive information such as PHI, PII, and credit card data.
Depending on your risk tolerance, Polymer DLP can redact sensitive data instantly or enforce granular access controls, significantly reducing the risk of data exposure without disrupting employee workflows.
Incorporate active learning
In addition to safeguarding data, you should prioritize building a culture of security through real-time training.
Leading SaaS DLP tools feature built-in psychological nudges, which provide real-time, bite-sized employee training when users violate compliance or data security policies.
Over time, these pop-ups reduce the likelihood of repeat offenses by helping users understand the individual role they play in safeguarding enterprise cybersecurity.
The future of Notion’s security enhancements
In a recent announcement, Notion unveiled a series of enterprise-focused enhancements aimed at bolstering security and compliance, notably including an integration with Polymer DLP. These advancements underscore Notion’s dedication to assisting customers in meeting stringent security and compliance standards.
By integrating with Polymer DLP, Notion has taken a significant step towards enhancing data protection within its platform, reflecting a commitment to prioritizing the security needs of its users.
Looking ahead, as the field of generative AI continues to gain prominence, it wouldn’t be surprising to witness Notion leveraging machine learning and natural language processing technologies to further fortify its security infrastructure.
While specific details regarding such initiatives have yet to be disclosed, it’s likely that Notion will continue to explore new integrations and technologies to optimize security outcomes for its customers.
Conclusion
Ultimately, Notion is a reliable, secure platform for small and large organizations keen to use its features. However, this application—like all SaaS apps—is as secure as you configure it to be.
With Notion taking a proactive approach to vulnerability management, the most likely cause of a data breach in this app will be due to customers’ errors: misconfigurations, a lack of visibility over sensitive data or credentials compromise.
It’s, therefore, crucial to take a proactive approach to Notion security, using its recently released security integrations to enhance security and reduce the risk of a costly data breach.
FAQs
- What are the security issues with Notion? The major security issues in Notion relate to errors on the customer side, such as misconfigurations and accidental data sharing.
- Is Notion a secure platform? Notion can be secure, but is vulnerable to data breaches and leaks caused by misconfigurations. Bolster Notion security by using a data loss prevention (DLP) integration to protect sensitive data from exposure.
- Can anyone look at your Notion? This depends on your settings. If your page is private, no one else will be able to see it. However, if your page is public, potentially anyone with internet access can discover and edit it.
- Is everything in Notion private? In Notion, personal workspaces are set to ‘private’ by default until you share it. Within team workspaces, pages can be seen and edited by all team members unless certain privileges have been set.