Reducing the Risk of Third-Party SaaS Apps to Your Organization

Such apps may try to leak your data, or can contain malicious code. And even legitimate apps may be poorly written, creating security risks.

Dmitry Dontov, Chief Technology Officer, Spin Technology

December 29, 2020


With the dramatic shift to remote workforces over the last six months (and projected to continue through 2021), more organizations are struggling with the security concerns of third-party software-as-a-service (SaaS) applications and extensions. While these apps can significantly extend the functionality and capabilities of an organization's public cloud environment, they can also introduce security challenges. For instance, many have permission to read, write, and delete sensitive data, which can significantly impact your organization's security, business, and compliance risk. Assessing the risk of these applications to your employees is key when trying to maintain a balance between safety and productivity. So how do you balance the two?

It's vital first to understand the risk of third-party applications. In an ideal world, each potential application or extension is thoroughly evaluated before it's introduced into your environment. With most employees still working remotely, and you and your administrators having limited control over their online activity, that may not be a reality today. Reducing the risk of data loss even after an app has been installed is therefore still critically important. In most cases, the threats from third-party applications come from two directions. First, the application may try to leak your data or may contain malicious code. Second, it may be a legitimate app that is poorly written, leaving security gaps; poorly coded applications can introduce vulnerabilities that lead to data compromise.

While Google does have a screening process for developers (as its disclaimer mentions), users are solely responsible for compromised or lost data (it sort of tries to protect you … sort of). Don't expect the SaaS providers to take responsibility: Google takes no responsibility for the safety of the applications on its Marketplace, so any third-party app or extension downloaded by your employees becomes your organization's express responsibility. Businesses must take hard and fast ownership of screening third-party apps against security best practices. What are the best practices that Google outlines for third-party application security? First, it recommends properly evaluating the vendor or application, and next, that you screen gadgets and contextual gadgets carefully. What do you need to know to help screen apps and keep your employees safe? Here are some application security best practices.

Google notes that you should evaluate all vendors and applications before using them in your G Suite environment (thanks, Google). To analyze whether a vendor or application is acceptable to use from a G Suite security perspective, consider starting with the following evaluation (before you install the application). Look at reviews left by customers that have downloaded and installed the third-party application. Reviews are listed for all G Suite Marketplace apps and often contain valuable insights.

You should also review the third-party application vendor's terms of service, privacy policy, and data deletion policy to ensure there are no unwanted, hidden clauses that may affect your security. And finally, contact the vendor directly with questions about any gray areas that could prove dangerous.

It's nearly impossible to manually manage and analyze the hundreds of applications that are likely being downloaded across a large corporate environment. You and your IT staff need a solution that shows all the apps in one centralized place. You need it to assess the risk associated with each app and offer functionality that enables you to quickly take action when vulnerabilities are identified. 

But an assessment and monitoring solution alone will not eliminate the risk. Beyond the typical concern of unsanctioned app downloads, other security issues arise from employee actions, so you need to combine technology and training to mitigate them. One example is sensitive data transfer: an employee installs an app that connects to the G Suite environment and starts migrating sensitive data from a corporate account to a personal cloud storage account. This commonly happens when an employee decides to leave a company.

Another common risk occurs during employee termination. When a company fires an employee, IT admins usually suspend the user account. Suspending a G Suite account does not revoke the access previously granted to third-party apps: they retain access to the sensitive data the user could reach. This can be a potential source of a data breach.
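The following is an added example, not code from the article or from Spin Technology, that turns the points above into a concrete check: inventory every app grant, rank each by how much of the user's data its scopes can read, write, or delete, and flag grants still held by suspended users so they can be revoked. The record shape loosely mirrors the Google Admin SDK Directory API `tokens` resource (`clientId`, `displayText`, `scopes`, `userKey`) and the `users` resource (`suspended`); the data below is constructed, and fetching it from the live API is assumed rather than shown.

```python
"""Inventory third-party OAuth grants, score their scopes, and flag grants
that outlive account suspension.

Added example; not from the article. Field names loosely follow the Directory
API `tokens` and `users` resources, but all records here are constructed.
"""
from dataclasses import dataclass

# Constructed users; `suspended` mirrors the Directory API field.
USERS = {
    "alice@example.com": {"suspended": False},
    "bob@example.com": {"suspended": True},  # offboarded, account suspended
}

# Constructed grants, one row per app per user.
TOKENS = [
    {"userKey": "alice@example.com", "clientId": "1111.apps.example",
     "displayText": "Note Taker",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email", "openid"]},
    {"userKey": "alice@example.com", "clientId": "2222.apps.example",
     "displayText": "Drive Sync Tool",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "bob@example.com", "clientId": "3333.apps.example",
     "displayText": "Mail Backup",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive.readonly"]},
]

# Tiering is an assumption of this example: scopes that allow writing or
# deleting user data are HIGH, read-only access to mail or files is MEDIUM,
# identity-only scopes are LOW.
HIGH_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
}
MEDIUM_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
}
TIER_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def scope_risk(scopes):
    """Highest tier reached by any scope in the grant."""
    if any(s in HIGH_SCOPES for s in scopes):
        return "HIGH"
    if any(s in MEDIUM_SCOPES for s in scopes):
        return "MEDIUM"
    return "LOW"


@dataclass
class Finding:
    user: str
    client_id: str
    app: str
    risk: str
    suspended_user: bool


def assess(tokens, users):
    """One finding per grant, highest risk first; within a tier, grants held
    by suspended users come first because they have no business owner."""
    findings = []
    for t in tokens:
        suspended = users.get(t["userKey"], {}).get("suspended", False)
        findings.append(Finding(t["userKey"], t["clientId"], t["displayText"],
                                scope_risk(t["scopes"]), suspended))
    findings.sort(key=lambda f: (TIER_ORDER[f.risk], not f.suspended_user, f.app))
    return findings


def revocation_queue(findings):
    """Grants to revoke immediately: anything still held by a suspended user."""
    return [f for f in findings if f.suspended_user]


if __name__ == "__main__":
    for f in assess(TOKENS, USERS):
        flag = " (SUSPENDED USER: revoke)" if f.suspended_user else ""
        print(f"{f.risk:6} {f.user:20} {f.app:16} {f.client_id}{flag}")
```

In a real deployment the revocation queue would be fed to the Directory API's token deletion call as part of the offboarding runbook, so that suspending an account and cutting off its app grants happen in the same step.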

Finally, legitimate third-party apps can themselves be compromised by cybercriminals. Developers may not identify the breach before the app starts downloading or migrating an abnormal amount of data, or before it changes the scope of its permissions, both of which are signs of abnormal behavior.

As you can see, the risk of downloading external apps extends even beyond an employee's tenure at the organization. Having solutions to help mitigate the risk (and training your employees on the risks) is critical to closing this security loophole. The threats, variants, complexities, hybrid networks, bring-your-own-device policies, and many other factors make it nearly impossible for organizations to rely on manual efforts for adequate security.

But the good news is that machine learning and automation are helping organizations more easily recognize deviations from "normal" app behavior, thus reducing the risk associated with these third-party apps. 
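As an added example that is not part of the article, the block below shows the kind of baseline-deviation check described here: for one app, flag a day whose download volume is far outside the app's own recent history, and flag any day on which the app's granted scopes grew. The daily summaries are constructed; in practice they would be aggregated from audit logs, which is assumed rather than shown. The baseline uses the median and median absolute deviation so that a single spike does not inflate the threshold for the following days.

```python
"""Flag third-party app behaviour that deviates from its own baseline:
an abnormal download volume or a newly added permission scope.

Added example; not from the article. Daily summaries are constructed.
"""
from statistics import median

# Constructed per-day summaries for one app. Scopes are abbreviated labels.
DAILY = [
    {"day": "2020-12-01", "app": "Drive Sync Tool", "bytes": 1_200_000, "scopes": {"drive.readonly"}},
    {"day": "2020-12-02", "app": "Drive Sync Tool", "bytes": 1_050_000, "scopes": {"drive.readonly"}},
    {"day": "2020-12-03", "app": "Drive Sync Tool", "bytes": 1_300_000, "scopes": {"drive.readonly"}},
    {"day": "2020-12-04", "app": "Drive Sync Tool", "bytes": 1_150_000, "scopes": {"drive.readonly"}},
    {"day": "2020-12-05", "app": "Drive Sync Tool", "bytes": 1_250_000, "scopes": {"drive.readonly"}},
    {"day": "2020-12-06", "app": "Drive Sync Tool", "bytes": 1_100_000, "scopes": {"drive.readonly"}},
    {"day": "2020-12-07", "app": "Drive Sync Tool", "bytes": 1_350_000, "scopes": {"drive.readonly"}},
    {"day": "2020-12-08", "app": "Drive Sync Tool", "bytes": 1_200_000, "scopes": {"drive.readonly"}},
    # Constructed anomaly: roughly 40x the usual daily volume.
    {"day": "2020-12-09", "app": "Drive Sync Tool", "bytes": 48_000_000, "scopes": {"drive.readonly"}},
    # Constructed anomaly: a write-capable scope appears that was never granted before.
    {"day": "2020-12-10", "app": "Drive Sync Tool", "bytes": 1_300_000, "scopes": {"drive.readonly", "drive"}},
]


def robust_threshold(history, factor=5.0):
    """Median plus `factor` median absolute deviations. A flat history gives
    MAD 0, so fall back to 10% of the median to avoid alerting on every day."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or med * 0.1
    return med + factor * mad


def detect(daily, window=5, factor=5.0):
    """Return alerts as tuples. Volume alerts need `window` prior days of
    history; scope alerts compare each day's scope set with the previous day."""
    alerts = []
    for i in range(1, len(daily)):
        today, prev = daily[i], daily[i - 1]
        if i >= window:
            history = [d["bytes"] for d in daily[i - window:i]]
            threshold = robust_threshold(history, factor)
            if today["bytes"] > threshold:
                alerts.append((today["day"], "volume", today["bytes"], round(threshold)))
        added = today["scopes"] - prev["scopes"]
        if added:
            alerts.append((today["day"], "scope_change", sorted(added)))
    return alerts


if __name__ == "__main__":
    for alert in detect(DAILY):
        print(alert)
```

Because the baseline is median-based, the 48 MB day on 2020-12-09 is flagged, yet it does not lift the threshold for 2020-12-10, whose volume stays within normal range while its new `drive` scope is reported separately.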

About the Author

Dmitry Dontov

Chief Technology Officer, Spin Technology

Dmitry Dontov is the CTO and Founder of Spin Technology, a cloud data protection company based in Palo Alto, and a former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. As a serial entrepreneur and cybersecurity expert with over 20 years of experience in security and team management, Dmitry has a strong background in the cloud data protection field, making him an expert in SaaS data security with an ability to influence teams. He is an author of two patents and a member of Forbes Business Councils and YEC. AI & Blockchain fan.
