Cloud

12/29/2020
02:00 PM
Dmitry Dontov
Commentary

Reducing the Risk of Third-Party SaaS Apps to Your Organization

Such apps may try to leak your data, or can contain malicious code. And even legitimate apps may be poorly written, creating security risks.

With the dramatic shift to remote workforces over the last six months (and projected to continue through 2021), more organizations are struggling with the security concerns of third-party software-as-a-service (SaaS) applications and extensions. While these apps can significantly extend the functionality and capabilities of an organization's public cloud environment, they can also introduce security challenges. For instance, many have permission to read, write, and delete sensitive data, which can significantly impact your organization's security, business, and compliance risk. Assessing the risk of these applications to your employees is key when trying to maintain a balance between safety and productivity. So how do you balance the two?

It's vital first to understand the risk of third-party applications. In an ideal world, each potential application or extension is thoroughly evaluated before it's introduced into your environment. However, with most employees still working remotely and you and your administrators having limited control over their online activity, that may not be a reality today. However, reducing the risk of potential data loss even after an app has been installed is still critically important. The reality is that in most cases, the threats from third-party applications come from two different perspectives. First, the third-party application may try to leak your data or contain malicious code. And second, it may be a legitimate app but be poorly written (causing security gaps). Poorly coded applications can introduce vulnerabilities that lead to data compromise. 

While Google does have a screening process for developers (as its disclaimer mentions), users are solely responsible for compromised or lost data (it sort of tries to protect you … sort of). Businesses must take hard and fast ownership of screening third-party apps for security best practices. What are the best practices that Google outlines for third-party application security? First, it recommends properly evaluating the vendor or application, and next, that you screen gadgets and contextual gadgets carefully. And don't expect the SaaS providers to take responsibility. In fact, Google takes no responsibility for the safety of the applications on its Marketplace, so any third-party app or extension downloaded by your employees becomes your organization's express responsibility. What do you need to know to help screen apps and keep your employees safe? Here are some application security best practices.

Google notes that you should evaluate all vendors and applications before using them in your G Suite environment (thanks, Google). To analyze whether a vendor or application is acceptable to use from a G Suite security perspective, consider starting with the following evaluation (before you install the application). Look at reviews left by customers that have downloaded and installed the third-party application. Reviews are listed for all G Suite Marketplace apps and often contain valuable insights.

You should also read and analyze the third-party application vendor's terms of service, privacy policy, and data deletion policy to ensure there are no unwanted, hidden clauses that may affect your security. And finally, contact the third-party application vendor directly with questions regarding gray areas that could prove dangerous.

It's nearly impossible to manually manage and analyze the hundreds of applications that are likely being downloaded across a large corporate environment. You and your IT staff need a solution that shows all the apps in one centralized place. You need it to assess the risk associated with each app and offer functionality that enables you to quickly take action when vulnerabilities are identified. 

But it's not only an assessment and monitoring solution that will eliminate the risk. Beyond the typical concern of unsanctioned app downloads, other security issues can occur in conjunction with employee actions. You need to combine technology and training to help mitigate these risks, such as during sensitive data transfer, when an employee installs an app that connects to the G Suite environment and starts migrating sensitive data from a corporate account to their personal private cloud storage account. This commonly happens when an employee decides to leave a company. 

Another common risk occurs during employee termination. When a company fires an employee, IT admins usually suspend the user account. When you suspend a G Suite account, all the apps still have access to sensitive data accessible by the user. This can be a potential source for a data breach. 

Finally, legitimate third-party apps can themselves be compromised by cybercriminals. Developers may not be able to identify the breach quickly, so the first visible sign may be the app downloading or migrating an abnormal amount of data, or changing the scope of its permissions, both of which constitute strange behavior.

As you can see, the risk of downloading external apps extends even beyond an employee's tenure at the organization. Having solutions to help mitigate the risk (and training your employees on the risks) is critical to closing this security loophole. The threats, variants, complexities, hybrid networks, bring-your-own-device policies, and many other factors make it nearly impossible for organizations to rely on manual efforts for adequate security.

But the good news is that machine learning and automation are helping organizations more easily recognize deviations from "normal" app behavior, thus reducing the risk associated with these third-party apps. 
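To make the checks above concrete, here is an added example (not code from the article or from Spin Technology) that triages an inventory of third-party app grants against a G Suite domain: it flags grants with broad read/write/delete scopes, grants whose user has been suspended but whose app still holds access, and apps whose daily data transfer spikes against their own baseline. The inventory, field names and sensitive-scope list are constructed assumptions; in practice the records would be assembled from the Admin SDK Directory API's per-user OAuth token listing plus transfer logs.

```python
"""Risk triage for third-party apps authorized against a G Suite domain (added example)."""
from statistics import mean, pstdev

# OAuth scopes that grant read/write/delete over user data (assumed shortlist).
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",                 # full Drive access
    "https://mail.google.com/",                               # full Gmail access
    "https://www.googleapis.com/auth/admin.directory.user",  # directory management
}

# Constructed inventory: one record per (user, app) grant. Field names are assumptions.
INVENTORY = [
    {"app": "DocSigner", "user": "alice@example.com", "user_status": "active",
     "scopes": ["https://www.googleapis.com/auth/drive.file"],
     "daily_mb": [12, 15, 11, 14, 13]},
    {"app": "CalendarSync", "user": "bob@example.com", "user_status": "suspended",
     "scopes": ["https://www.googleapis.com/auth/calendar", "https://mail.google.com/"],
     "daily_mb": [2, 3, 2, 2, 2]},
    {"app": "DriveBackupPro", "user": "carol@example.com", "user_status": "active",
     "scopes": ["https://www.googleapis.com/auth/drive"],
     "daily_mb": [40, 38, 42, 41, 2400]},
]


def volume_anomaly(series, factor=3.0):
    """True if the latest day's transfer is far above the preceding days' baseline."""
    baseline, today = series[:-1], series[-1]
    mu, sigma = mean(baseline), pstdev(baseline)
    # Floor the spread so a perfectly flat baseline does not make every change a spike.
    return today > mu + factor * max(sigma, 0.1 * mu, 1.0)


def assess(grant):
    """Return the findings for one grant; an empty list means nothing to act on."""
    findings = []
    broad = SENSITIVE_SCOPES.intersection(grant["scopes"])
    if broad:
        findings.append("broad-scope:" + ",".join(sorted(broad)))
    if grant["user_status"] == "suspended":
        findings.append("token-survives-suspension")  # suspending the user did not revoke the app
    if volume_anomaly(grant["daily_mb"]):
        findings.append("transfer-spike")
    return findings


def triage(inventory=INVENTORY):
    """Map app name -> findings for every grant that needs attention."""
    return {g["app"]: assess(g) for g in inventory if assess(g)}


if __name__ == "__main__":
    for app, findings in triage().items():
        print(app, findings)
```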

Dmitry Dontov is the CTO and Founder of Spin Technology, a cloud data protection company based in Palo Alto, and a former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. As a serial entrepreneur and cybersecurity expert with over 20 years of ...