With the dramatic shift to remote workforces over the last six months (and projected to continue through 2021), more organizations are struggling with the security concerns of third-party software-as-a-service (SaaS) applications and extensions. While these apps can significantly extend the functionality and capabilities of an organization's public cloud environment, they can also introduce security challenges. For instance, many have permission to read, write, and delete sensitive data, which can significantly impact your organization's security, business, and compliance risk. Assessing the risk of these applications to your employees is key when trying to maintain a balance between safety and productivity. So how do you balance the two?
It's vital first to understand the risk of third-party applications. In an ideal world, each potential application or extension is thoroughly evaluated before it's introduced into your environment. However, with most employees still working remotely and you and your administrators having limited control over their online activity, that may not be a reality today. However, reducing the risk of potential data loss even after an app has been installed is still critically important. The reality is that in most cases, the threats from third-party applications come from two different perspectives. First, the third-party application may try to leak your data or contain malicious code. And second, it may be a legitimate app but be poorly written (causing security gaps). Poorly coded applications can introduce vulnerabilities that lead to data compromise.
While Google does have a screening process for developers (as its disclaimer mentions), users are solely responsible for compromised or lost data (it sort of tries to protect you … sort of). Businesses must take hard and fast ownership of screening third-party apps for security best practices. What are the best practices that Google outlines for third-party application security? First, it recommends properly evaluating the vendor or application, and next, that you screen gadgets and contextual gadgets carefully.And don't expect the SaaS providers to take responsibility. In fact, Google takes no responsibility for the safety of the applications on its Marketplace, so any third-party app or extension downloaded by your employees becomes your organization's express responsibility. What do you need to know to help screen apps and keep your employees safe? Here are some application security best practices.
Google notes that you should evaluate all vendors and applications before using them in your G Suite environment (thanks, Google). To analyze whether a vendor or application is acceptable to use from a G Suite security perspective, consider starting with the following evaluation (before you install the application). Look at reviews left by customers that have downloaded and installed the third-party application. Reviews are listed for all G Suite Marketplace apps and often contain valuable insights.
It's nearly impossible to manually manage and analyze the hundreds of applications that are likely being downloaded across a large corporate environment. You and your IT staff need a solution that shows all the apps in one centralized place. You need it to assess the risk associated with each app and offer functionality that enables you to quickly take action when vulnerabilities are identified.
But it's not only an assessment and monitoring solution that will eliminate the risk. Beyond the typical concern of unsanctioned app downloads, other security issues can occur in conjunction with employee actions. You need to combine technology and training to help mitigate these risks, such as during sensitive data transfer, when an employee installs an app that connects to the G Suite environment and starts migrating sensitive data from a corporate account to their personal private cloud storage account. This commonly happens when an employee decides to leave a company.
Another common risk occurs during employee termination. When a company fires an employee, IT admins usually suspend the user account. When you suspend a G Suite account, all the apps still have access to sensitive data accessible by the user. This can be a potential source for a data breach.
Finally, compromised third-party apps can be hacked by cybercriminals. Developers may not be able to quickly identify the breach before it starts downloading or migrating an abnormal amount of data or before it changes the scope of permissions, which constitutes strange behavior.
As you can see, the risk of downloading external apps extends even beyond an employee's tenure at the organization. Having solutions to help mitigate the risk (and training your employees on the risks) is critical to closing this security loophole. The threats, variants, complexities, hybrid networks, bring-your-own-device policies, and many other factors make it nearly impossible for organizations to rely on manual efforts for adequate security.
But the good news is that machine learning and automation are helping organizations more easily recognize deviations from "normal" app behavior, thus reducing the risk associated with these third-party apps.