Dmitry Dontov

Reducing the Risk of Third-Party SaaS Apps to Your Organization

Such apps may try to leak your data, or can contain malicious code. And even legitimate apps may be poorly written, creating security risks.

With the dramatic shift to remote workforces over the last six months (and projected to continue through 2021), more organizations are struggling with the security concerns of third-party software-as-a-service (SaaS) applications and extensions. While these apps can significantly extend the functionality and capabilities of an organization's public cloud environment, they can also introduce security challenges. For instance, many have permission to read, write, and delete sensitive data, which can significantly impact your organization's security, business, and compliance risk. Assessing the risk of these applications to your employees is key when trying to maintain a balance between safety and productivity. So how do you balance the two?

It's vital first to understand the risk of third-party applications. In an ideal world, each potential application or extension is thoroughly evaluated before it's introduced into your environment. However, with most employees still working remotely and you and your administrators having limited control over their online activity, that may not be a reality today. However, reducing the risk of potential data loss even after an app has been installed is still critically important. The reality is that in most cases, the threats from third-party applications come from two different perspectives. First, the third-party application may try to leak your data or contain malicious code. And second, it may be a legitimate app but be poorly written (causing security gaps). Poorly coded applications can introduce vulnerabilities that lead to data compromise. 

While Google does have a screening process for developers (as its disclaimer mentions), users are solely responsible for compromised or lost data (it sort of tries to protect you … sort of). Businesses must take hard and fast ownership of screening third-party apps for security best practices. What are the best practices that Google outlines for third-party application security? First, it recommends properly evaluating the vendor or application, and next, that you screen gadgets and contextual gadgets carefully. And don't expect the SaaS providers to take responsibility: Google takes no responsibility for the safety of the applications on its Marketplace, so any third-party app or extension downloaded by your employees becomes your organization's express responsibility. What do you need to know to help screen apps and keep your employees safe? Here are some application security best practices.

Google notes that you should evaluate all vendors and applications before using them in your G Suite environment (thanks, Google). To analyze whether a vendor or application is acceptable to use from a G Suite security perspective, consider starting with the following evaluation (before you install the application). Look at reviews left by customers that have downloaded and installed the third-party application. Reviews are listed for all G Suite Marketplace apps and often contain valuable insights.

You should also review and analyze the third-party application vendor's terms of service, privacy policy, and deletion policy agreements to ensure there are no unwanted, hidden clauses that may affect your security. And finally, contact the third-party application vendor directly with questions regarding gray areas that could prove dangerous.

It's nearly impossible to manually manage and analyze the hundreds of applications that are likely being downloaded across a large corporate environment. You and your IT staff need a solution that shows all the apps in one centralized place. You need it to assess the risk associated with each app and offer functionality that enables you to quickly take action when vulnerabilities are identified. 

But it's not only an assessment and monitoring solution that will eliminate the risk. Beyond the typical concern of unsanctioned app downloads, other security issues can occur in conjunction with employee actions, and you need to combine technology and training to help mitigate them. One example is sensitive data transfer: an employee installs an app that connects to the G Suite environment and starts migrating sensitive data from a corporate account to their personal private cloud storage account. This commonly happens when an employee decides to leave a company. 

Another common risk occurs during employee termination. When a company fires an employee, IT admins usually suspend the user account. But suspending a G Suite account does not revoke the apps the user authorized: they still have access to the sensitive data that user could reach. This can be a potential source for a data breach. 
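The two preceding points, a centralized inventory that scores each app's risk and the app access that outlives a suspended account, can be combined in one review pass. The following is an added example written for this article, not code from the author or from Spin Technology: it scores each OAuth grant by the scopes it holds, rolls the results up per app, and flags grants whose user has been suspended but whose token was never revoked. The apps, users, scope weights and thresholds are constructed for illustration; the scope URIs are standard Google API scopes, and a real inventory would be exported from the Workspace admin console or its API.

```python
"""Score third-party OAuth app grants by the data access they hold and flag
grants that outlive a suspended user.

Example code added to this article; it is not from the author or Spin
Technology. The grant records, scope weights and thresholds below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed weights: higher means more damage if the app leaks data or is abused.
# The scope URIs are standard Google API scopes; the weights are our own choice.
SCOPE_WEIGHTS: Dict[str, int] = {
    "https://www.googleapis.com/auth/userinfo.email": 0,
    "https://www.googleapis.com/auth/contacts.readonly": 1,
    "https://www.googleapis.com/auth/drive.readonly": 3,
    "https://www.googleapis.com/auth/gmail.readonly": 4,
    "https://www.googleapis.com/auth/drive": 6,        # read, write and delete files
    "https://www.googleapis.com/auth/gmail.modify": 6,
}
UNKNOWN_SCOPE_WEIGHT = 5   # conservative default for scopes nobody has reviewed yet


@dataclass
class Grant:
    app: str
    user: str
    scopes: List[str]
    user_suspended: bool = False


# Constructed sample inventory (hypothetical apps, users and consents).
GRANTS: List[Grant] = [
    Grant("Calendar Helper", "alice@example.com",
          ["https://www.googleapis.com/auth/userinfo.email",
           "https://www.googleapis.com/auth/contacts.readonly"]),
    Grant("DriveSync Pro", "bob@example.com",
          ["https://www.googleapis.com/auth/drive",
           "https://www.googleapis.com/auth/gmail.readonly"]),
    Grant("DriveSync Pro", "carol@example.com",
          ["https://www.googleapis.com/auth/drive"], user_suspended=True),
    Grant("Ticket Bot", "dave@example.com",
          ["https://example.com/auth/ticket-sync"]),   # constructed, unreviewed scope
]


def scope_risk(scopes: List[str]) -> int:
    """Sum the weights of the granted scopes; unknown scopes count as risky."""
    return sum(SCOPE_WEIGHTS.get(s, UNKNOWN_SCOPE_WEIGHT) for s in scopes)


def risk_level(score: int) -> str:
    """Bucket a score into the levels an admin would triage on."""
    if score >= 10:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def assess(grants: List[Grant]) -> List[dict]:
    """Produce one finding row per grant: score, level and actionable flags."""
    rows = []
    for g in grants:
        findings = []
        if g.user_suspended:
            # Suspending the user does not revoke the app's token; that is a separate step.
            findings.append("grant still active for suspended user; revoke token")
        unknown = [s for s in g.scopes if s not in SCOPE_WEIGHTS]
        if unknown:
            findings.append("unreviewed scope(s): " + ", ".join(unknown))
        score = scope_risk(g.scopes)
        rows.append({"app": g.app, "user": g.user, "score": score,
                     "level": risk_level(score), "findings": findings})
    return rows


def app_summary(grants: List[Grant]) -> Dict[str, dict]:
    """Roll grants up per app: how many users, worst score, and suspended holders."""
    summary: Dict[str, dict] = {}
    for g in grants:
        entry = summary.setdefault(g.app, {"users": 0, "max_score": 0,
                                           "level": "low", "suspended_users": []})
        entry["users"] += 1
        entry["max_score"] = max(entry["max_score"], scope_risk(g.scopes))
        entry["level"] = risk_level(entry["max_score"])
        if g.user_suspended:
            entry["suspended_users"].append(g.user)
    return summary


if __name__ == "__main__":
    ranked = sorted(app_summary(GRANTS).items(), key=lambda kv: -kv[1]["max_score"])
    for app, info in ranked:
        print(f"{app:16} users={info['users']} level={info['level']} "
              f"suspended={info['suspended_users']}")
    for row in assess(GRANTS):
        for finding in row["findings"]:
            print(f"  [{row['app']} / {row['user']}] {finding}")
```

The per-app summary is what belongs on the "one centralized place" dashboard; the per-grant findings are the work queue. Unknown scopes deliberately score as medium rather than zero, so an app nobody has reviewed cannot hide by using a scope the weight table does not know.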

Finally, third-party apps themselves can be compromised by cybercriminals. Developers may not be able to identify the breach quickly, before the app starts downloading or migrating an abnormal amount of data or changes the scope of its permissions, both of which constitute strange behavior.

As you can see, the risk of downloading external apps extends even beyond an employee's tenure at the organization. Having solutions to help mitigate the risk (and training your employees on the risks) is critical to closing this security loophole. The threats, variants, complexities, hybrid networks, bring-your-own-device policies, and many other factors make it nearly impossible for organizations to rely on manual efforts for adequate security.

But the good news is that machine learning and automation are helping organizations more easily recognize deviations from "normal" app behavior, thus reducing the risk associated with these third-party apps. 
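The "deviation from normal" idea in the last two paragraphs does not need a full machine-learning stack to get started. The following is an added example written for this article, not code from the author or from Spin Technology: it builds a per-app baseline of daily data volume from the app's own history using a median and median absolute deviation (so one outlier does not inflate the baseline), flags days far above it, and separately flags apps whose current scopes exceed what was approved at review time. The daily volumes, scope sets and the multiplier k are constructed for illustration; in practice the volumes would come from audit logs and the scope sets from consent records.

```python
"""Detect deviations from an app's own "normal": a day whose data volume is
far above the app's baseline, and scopes that grew beyond what was approved.

Example code added to this article; it is not from the author or Spin
Technology. The per-app daily volumes and scope records are constructed.
"""
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed history: megabytes an app moved out per day, oldest first.
DAILY_MB: Dict[str, List[int]] = {
    "DriveSync Pro":   [120, 130, 110, 125, 140, 115, 128, 135, 4900],
    "Calendar Helper": [2, 2, 2, 2, 2, 2, 2, 2, 3],
    "Ticket Bot":      [50, 60],           # too new to have a baseline
}

# Constructed consent records: what was approved at review time vs. held now.
APPROVED_SCOPES: Dict[str, Set[str]] = {
    "DriveSync Pro": {"https://www.googleapis.com/auth/drive.readonly"},
    "Calendar Helper": {"https://www.googleapis.com/auth/calendar.readonly"},
}
CURRENT_SCOPES: Dict[str, Set[str]] = {
    "DriveSync Pro": {"https://www.googleapis.com/auth/drive.readonly",
                      "https://www.googleapis.com/auth/gmail.modify"},
    "Calendar Helper": {"https://www.googleapis.com/auth/calendar.readonly"},
}

MAD_SCALE = 1.4826  # makes the median absolute deviation comparable to a std dev


def robust_threshold(baseline: List[int], k: float = 5.0) -> float:
    """Median + k * spread, where spread is the scaled MAD with a floor so that a
    perfectly flat baseline (MAD == 0) does not flag every tiny wobble."""
    med = median(baseline)
    mad = median(abs(v - med) for v in baseline)
    spread = max(MAD_SCALE * mad, 0.05 * med, 1.0)
    return med + k * spread


def volume_anomalies(history: Dict[str, List[int]], train_days: int = 7,
                     k: float = 5.0) -> Tuple[List[Tuple[str, int, int]], List[str]]:
    """Return (app, day_index, value) for days that exceed the app's baseline,
    plus the apps that do not yet have enough history to judge."""
    anomalies: List[Tuple[str, int, int]] = []
    too_new: List[str] = []
    for app, days in history.items():
        if len(days) < train_days + 1:
            too_new.append(app)           # no baseline yet: watch, do not score
            continue
        threshold = robust_threshold(days[:train_days], k)
        for i, value in enumerate(days[train_days:], start=train_days):
            if value > threshold:
                anomalies.append((app, i, value))
    return anomalies, too_new


def scope_expansions(approved: Dict[str, Set[str]],
                     current: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Scopes an app now holds that were never approved (a change in behaviour)."""
    out: Dict[str, List[str]] = {}
    for app, scopes in current.items():
        extra = sorted(scopes - approved.get(app, set()))
        if extra:
            out[app] = extra
    return out


if __name__ == "__main__":
    found, pending = volume_anomalies(DAILY_MB)
    for app, day, mb in found:
        print(f"VOLUME  {app}: day {day} moved {mb} MB, far above its baseline")
    for app in pending:
        print(f"PENDING {app}: not enough history for a baseline yet")
    for app, extra in scope_expansions(APPROVED_SCOPES, CURRENT_SCOPES).items():
        print(f"SCOPE   {app}: holds unapproved scope(s) {extra}")
```

Both signals map to the behaviours the article calls out: a sudden jump in data moved by one app, and an app quietly asking for more than it was granted. Apps without enough history are reported separately rather than silently skipped, since a brand-new app is exactly the one an admin still needs to look at.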

Dmitry Dontov is the CTO and Founder of Spin Technology, a cloud data protection company based in Palo Alto and a former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. As a serial entrepreneur and cybersecurity expert with over 20 years of ...

Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...