The rapid rise of third-party apps is the new battlefront of BYOD security, and as enterprises seek to protect PII, they are struggling to keep risky third-party apps unhooked from sensitive assets. According to a new study out today, the number of third-party apps has risen significantly in the last two years and many of them add considerable risk to organizations.
Conducted among 10 million end users, the analysis done for the CloudLock Q2 2016 Cloud Cybersecurity Report found that the number of potential third-party apps is 30 times greater than it was two years ago, with an increase of 19% in just the last three months. Meanwhile, the third-party application installations connecting to corporate networks has increased by 11 times since 2014. According to a report, nearly one-third of these apps can be classified as high-risk.
The difficulty for enterprises is that while powerful apps have enabled users to get more done from anywhere, that very power poses a lot of risk. When these apps are authorized with API access to corporate data with a complicated mesh of authorizations through numerous SaaS ecosystems, it becomes increasingly difficult to keep data safe. For example, the convenience and seamlessness of OAuth authenthicated apps poses problems for enterprises.
"Third-party apps authorized via OAuth-connections have extensive -- and at times excessive -- access scopes," the report says. "Because they can view, delete, externalize, and store corporate data, and even act on behalf of users, they must be managed carefully."
According to the report's data, the average number of apps connecting to organizations has jumped from 130 to 733 since 2014. The risk rating granted to these apps by CloudLock was determined based on a matrix of factors, including the permissions required to authorize the app, crowdsourced trust ratings, and research -based vulnerability ratings. Only about 15% of apps today are considered low-risk.
"The shift to the cloud creates a new, virtual security perimeter that includes third-party apps granted access to corporate systems," says Ayese Kaya Firat, director of customer insights and analytics for CloudLock. "Today, most employees leverage a wide variety of apps to get their jobs done efficiently, unwittingly exposing corporate data and systems to malware and the possibility of data theft."
- What's At Risk When CISOs Say 'No'
- Epic Security #FAILS of the Past 10 Years
- Understanding the Cloud Threat Surface