
It’s no secret that third-party apps can boost productivity, enable remote and hybrid work and are, overall, essential in building and scaling a company’s work processes.
Much like clicking on an attachment in the early days of email, connecting an app to a Google Workspace or M365 environment has become a seemingly innocuous action that people don’t think twice about. Simple actions that users take, from creating an email to updating a contact in the CRM, can trigger several other automatic actions and notifications in the connected platforms.
As seen in the image below, the OAuth mechanism makes it incredibly easy to interconnect apps, and many don’t consider what the possible ramifications could be. When these apps and other add-ons for SaaS platforms ask for access permissions, they are usually granted without a second thought, presenting more opportunities for bad actors to gain access to a company’s data. This puts companies at risk of supply chain access attacks, API takeovers and malicious third-party apps.
When it comes to local machines and executable files, organizations already have built-in controls that let security teams block problematic programs and files. The same needs to be true for SaaS apps.
How Do 3rd Party Apps Gain Access?
OAuth 2.0 has greatly simplified authentication and authorization and offers fine-grained delegation of access rights. Permissions are represented as scopes: an application asks the user to authorize specific permissions, and it can request one or more scopes. By approving the scopes, the user grants the app permission to execute code and perform logic behind the scenes within their environment. These apps can be harmless, or as threatening as an executable file.
Best Practices to Mitigate Third-Party App Access Risk
To secure a company’s SaaS stack, the security team needs to be able to identify and monitor all that happens within their SaaS ecosystem. Here’s what a security team can share with employees and handle themselves to mitigate third-party app access risk.
1 — Educate the employees in the organization
The first step in cybersecurity always comes back to raising awareness. Once employees become more aware of the risks and dangers that these OAuth mechanisms present, they will be more hesitant to use them. Organizations should also create a policy that requires employees to submit requests for third-party apps.
2 — Gain visibility into the 3rd party access for all business-critical apps
Security teams should gain visibility into every business-critical app and review all the third-party apps that have been integrated with their business-critical SaaS apps – across all tenants. One of the first steps in shrinking the threat surface is gaining an understanding of the full environment.
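A small review script, added here as an illustration and not part of the original article, shows what that inventory step looks like in practice: it takes an export of OAuth grants (the record shape, app names and client IDs are constructed for the example; the scope strings are real Google API scopes) and flags grants to apps that are not on the team's approved list or that hold broad mail, Drive, contacts or directory access.

```python
import json
from typing import Dict, List

# Constructed sample inventory of OAuth grants, loosely shaped like a
# Google Workspace admin token export. Field names, users and app identifiers
# are assumptions for this example, not real apps.
SAMPLE_GRANTS = json.dumps([
    {"user": "alice@example.com", "clientId": "crm-connector.example",
     "displayText": "CRM Connector",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob@example.com", "clientId": "pdf-tool.example",
     "displayText": "Free PDF Merger",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"]},
    {"user": "carol@example.com", "clientId": "calendar-sync.example",
     "displayText": "Calendar Sync",
     "scopes": ["openid", "profile", "email"]},
])

# Apps the security team has reviewed and approved (assumed allowlist).
APPROVED_CLIENTS = {"crm-connector.example", "calendar-sync.example"}

# Scopes that grant broad access to mail, files, contacts or the user
# directory; these are real Google API scope strings.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/admin.directory.user",
}


def review_grants(grants_json: str) -> List[Dict]:
    """Return one finding per grant that is unapproved or holds sensitive scopes."""
    findings = []
    for grant in json.loads(grants_json):
        reasons = []
        if grant["clientId"] not in APPROVED_CLIENTS:
            reasons.append("app not on the approved list")
        risky = sorted(set(grant["scopes"]) & SENSITIVE_SCOPES)
        if risky:
            reasons.append("sensitive scopes: " + ", ".join(risky))
        if reasons:
            findings.append({"user": grant["user"], "app": grant["displayText"],
                             "clientId": grant["clientId"], "reasons": reasons})
    # Unapproved apps that also hold sensitive scopes sort first, so review
    # and revocation can start with the riskiest grants.
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS):
        print(f"{f['user']}: {f['app']} ({f['clientId']}) -> {'; '.join(f['reasons'])}")
```

An approved app with a sensitive scope still appears in the output, so the list doubles as a record of which approved integrations warrant periodic re-review.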
Read more: https://bit.ly/3lZ1OtG