Dmitry Dontov
Reducing the Risk of Third-Party SaaS Apps to Your Organization

Such apps may try to leak your data, or can contain malicious code. And even legitimate apps may be poorly written, creating security risks.

With the dramatic shift to remote workforces over the last six months (and projected to continue through 2021), more organizations are struggling with the security concerns of third-party software-as-a-service (SaaS) applications and extensions. While these apps can significantly extend the functionality and capabilities of an organization's public cloud environment, they can also introduce security challenges. For instance, many have permission to read, write, and delete sensitive data, which can significantly impact your organization's security, business, and compliance risk. Assessing the risk of these applications to your employees is key when trying to maintain a balance between safety and productivity. So how do you balance the two?

It's vital first to understand the risk of third-party applications. In an ideal world, each potential application or extension is thoroughly evaluated before it's introduced into your environment. However, with most employees still working remotely and you and your administrators having limited control over their online activity, that may not be a reality today. Still, reducing the risk of potential data loss even after an app has been installed is critically important. The reality is that in most cases, the threats from third-party applications come from two different directions. First, the third-party application may try to leak your data or may contain malicious code. Second, it may be a legitimate app that is poorly written, leaving security gaps. Poorly coded applications can introduce vulnerabilities that lead to data compromise.

While Google does have a screening process for developers (as its disclaimer mentions), users are solely responsible for compromised or lost data (it sort of tries to protect you … sort of). Businesses must take hard and fast ownership of screening third-party apps for security best practices. What are the best practices that Google outlines for third-party application security? First, it recommends properly evaluating the vendor or application, and next, that you screen gadgets and contextual gadgets carefully. And don't expect the SaaS providers to take responsibility. In fact, Google takes no responsibility for the safety of the applications on its Marketplace, so any third-party app or extension downloaded by your employees becomes your organization's express responsibility. What do you need to know to help screen apps and keep your employees safe? Here are some application security best practices.

Google notes that you should evaluate all vendors and applications before using them in your G Suite environment (thanks, Google). To analyze whether a vendor or application is acceptable to use from a G Suite security perspective, consider starting with the following evaluation (before you install the application). Look at reviews left by customers who have downloaded and installed the third-party application. Reviews are listed for all G Suite Marketplace apps and often contain valuable insights.

You should also read and analyze the third-party application vendor's terms of service, privacy policy, and deletion policy agreements to ensure there are no unwanted, hidden clauses that may affect your security. And finally, contact the third-party application vendor directly with questions about gray areas that could prove dangerous.

It's nearly impossible to manually manage and analyze the hundreds of applications that are likely being downloaded across a large corporate environment. You and your IT staff need a solution that shows all the apps in one centralized place. It should assess the risk associated with each app and offer functionality that enables you to quickly take action when vulnerabilities are identified.

But an assessment and monitoring solution alone will not eliminate the risk. Beyond the typical concern of unsanctioned app downloads, other security issues can occur in conjunction with employee actions, and you need to combine technology and training to help mitigate them. One example is sensitive data transfer: an employee installs an app that connects to the G Suite environment and starts migrating sensitive data from a corporate account to a personal cloud storage account. This commonly happens when an employee decides to leave the company.

Another common risk occurs during employee termination. When a company fires an employee, IT admins usually suspend the user account. But when you suspend a G Suite account, the apps the user authorized still have access to the sensitive data that user could reach. This is a potential source of a data breach.
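To make the suspension gap concrete, here is an added example (not code from the article or from Spin Technology) that audits OAuth grants still held by suspended users and orders them for revocation by how much read/write/delete reach their scopes grant. The record shape mirrors what the Admin SDK Directory API tokens.list call returns (clientId, displayText, scopes); the sample users and grants are constructed, and the risk labels attached to each scope are this example's own assumption.

```python
from dataclasses import dataclass
# Real Google OAuth scope strings; the risk labels are this example's own assumption.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive": "full Drive read/write/delete",
    "https://mail.google.com/": "full Gmail read/send/delete",
    "https://www.googleapis.com/auth/admin.directory.user": "directory user write",
}

@dataclass(frozen=True)
class Grant:
    """One app's OAuth grant for one user, shaped like a tokens.list item."""
    user: str
    client_id: str
    display_text: str
    scopes: tuple

def risk_reasons(grant):
    """Scopes in this grant that give read/write/delete reach over corporate data."""
    return [HIGH_RISK_SCOPES[s] for s in grant.scopes if s in HIGH_RISK_SCOPES]

def plan_revocations(suspended_users, grants):
    """Grants still held by suspended users, broadest privileges first.
    suspended_users: primary emails whose Directory 'suspended' flag is true.
    grants: Grant records for the whole domain (one per app per user)."""
    plan = [(g, risk_reasons(g)) for g in grants if g.user in suspended_users]
    plan.sort(key=lambda item: (-len(item[1]), item[0].user, item[0].client_id))
    return plan

def revoke_all(plan, revoke_fn):
    """Run the plan through revoke_fn(user, client_id), e.g. a wrapper around
    Directory API tokens.delete(userKey=..., clientId=...); returns count revoked."""
    for grant, _reasons in plan:
        revoke_fn(grant.user, grant.client_id)
    return len(plan)

# Constructed sample: alice was suspended at termination, bob is still active.
SUSPENDED = {"alice@example.com"}
SAMPLE_GRANTS = (
    Grant("alice@example.com", "111.apps.googleusercontent.com", "Backup Helper",
          ("https://www.googleapis.com/auth/drive", "https://mail.google.com/")),
    Grant("alice@example.com", "222.apps.googleusercontent.com", "Calendar Widget",
          ("https://www.googleapis.com/auth/calendar.readonly",)),
    Grant("bob@example.com", "111.apps.googleusercontent.com", "Backup Helper",
          ("https://www.googleapis.com/auth/drive",)),
)

if __name__ == "__main__":
    for grant, reasons in plan_revocations(SUSPENDED, SAMPLE_GRANTS):
        print(grant.user, grant.display_text, reasons or ["low privilege"])
```

Running the plan on a schedule after every suspension closes the window in which an ex-employee's backup or sync app keeps pulling Drive and Gmail data; bob's identical app is untouched because his account is active.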

Finally, third-party apps themselves can be compromised by cybercriminals. Developers may not identify the breach quickly, before the app starts downloading or migrating an abnormal amount of data or changes the scope of its permissions, both of which are signs of anomalous behavior.

As you can see, the risk of downloading external apps extends even beyond an employee's tenure at the organization. Having solutions to help mitigate the risk (and training your employees on the risks) is critical to closing this security loophole. The threats, variants, complexities, hybrid networks, bring-your-own-device policies, and many other factors make it nearly impossible for organizations to rely on manual efforts for adequate security.

But the good news is that machine learning and automation are helping organizations more easily recognize deviations from "normal" app behavior, thus reducing the risk associated with these third-party apps.

Dmitry Dontov is the CTO and Founder of Spin Technology, a cloud data protection company based in Palo Alto and a former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. As a serial entrepreneur and cybersecurity expert with over 20 years of ...
