How to reduce the risk of third-party SaaS apps

Third-party SaaS apps (and extensions) can significantly extend the functionality and capabilities of an organization’s public cloud environment, but they can also introduce security concerns. Many have permission to read, write, and delete sensitive data, which can have a tremendous impact on security, business, and compliance risk.

Assessing the risk of these applications is the key to maintaining a balance between safety and productivity. How can organizations take advantage of these apps’ convenience while also maintaining a secure environment?

Understanding the risk

In an ideal world, each potential application or extension would be thoroughly evaluated before it is introduced into the environment. However, with most employees still working remotely and administrators having limited control over their online activity, reducing the risk of potential data loss is just as important after the fact. In most cases, the threats from third-party applications from two different perspectives:

• The third-party application may try to leak your data or contain malicious code
• The application may be legitimate but be poorly written, leading to security gaps – poorly coded applications can introduce vulnerabilities that lead to data compromise

Google takes no responsibility for the safety of the applications on Marketplace, so any third-party app or extension downloaded by your employees becomes your organization’s express responsibility.

Application security best practices

While Google has a screening process for developers, users are solely responsible for compromised or lost data. Businesses must take hard and fast ownership of screening third-party apps for security best practices. What are the best practices that Google outlines for third-party application security?

• Properly evaluate the vendor or application
• Screen gadgets and contextual gadgets carefully

Google notes that you should evaluate all vendors and applications before using them in your Google Workspace environment. To analyze whether or not a vendor or application is acceptable to use from a Google Workspace security perspective before you install the application:

• Look at reviews left by customers who have downloaded and installed the third-party application. Reviews are listed for all Google Workspace Marketplace apps
• Look and analyze closely the third-party application vendor’s Terms of Service, privacy policy, and deletion policy agreements to ensure there are no unwanted, hidden clauses that may affect the security
• Contact the third-party application vendor directly regarding grey areas that may be questionable

The process of analyzing hundreds of applications across a large environment can create a situation that’s nearly impossible to manage. Administrators need a solution that can allow them to see all the apps on their environment in one place and assess the riskiness of each, allowing them to easily take action on those with the most vulnerabilities.

Employee risk factors

Beyond the typical concern of unsanctioned app downloads, other security issues can occur in conjunction with employee actions.

• Sensitive data transfer – an employee installs an app that connects to the Google Workspace environment and starts migrating sensitive data from a corporate account to their personal private cloud storage account. This commonly happens when an employee decides to leave a company.
• Employee termination – When a company fires an employee, IT admins usually suspend the user account. When you suspend a Google Workspace account, all the apps still have access to sensitive data accessible by the user. This can potentially lead to a data breach.
• Compromised third-party apps – An app can be hacked by cybercriminals. Developers may not be able to quickly identify the breach before the attackers start downloading or migrating an abnormal amount of data or change the scope of permissions, which constitutes strange behavior.

As you can see, the risk of downloading external apps extends even beyond an employee’s tenure at the organization.

Automated security vs. manual analysis

The number of threats, variants, complexities, hybrid networks, BYOD, and many other factors makes it nearly impossible for organizations to rely on manual efforts for adequate security. Computers are simply more effective and efficient at parsing logs and correlating activities.

Humans tend to be much less detail-oriented when it comes to repetitive, monotonous tasks such as crunching numbers and examining data. Additionally, computers don’t get fatigued and can work on an ongoing basis.

Machine learning takes advantage of technology and leverages complex mathematical algorithms to learn about an environment and linked applications and recognize deviations from “normal.”

Finding a security solution powered by machine learning that includes an application assessment component is the best way for administrators to protect their cloud environments from third-party threats effectively.