It's no secret that 3rd party apps can boost productivity, enable remote and hybrid work and are overall, essential in building and scaling a company's work processes.
An innocuous process much like clicking on an attachment was in the earlier days of email, people don't think twice when connecting an app they need with their Google workspace or M365 environment, etc. Simple actions that users take, from creating an email to updating a contact in the CRM, can result in several other automatic actions and notifications in the connected platforms.
As seen in the image below, the OAuth mechanism makes it incredibly easy to interconnect apps and many don't consider what the possible ramifications could be. When these apps and other add-ons for SaaS platforms ask for permissions' access, they are usually granted without a second thought, presenting more opportunities for bad actors to gain access to a company's data. This puts companies at risk for supply chain access attacks, API takeovers and malicious third party apps.
|Oauth mechanism permission request|
When it comes to local machines and executable files, organizations already have control built in that enables security teams to block problematic programs and files. It needs to be the same when it comes to SaaS apps.
How Do 3rd Party Apps Gain Access?
OAuth 2.0 has greatly simplified authentication and authorization, and offers a fine-grained delegation of access rights. Represented in the form of scopes, an application asks for the user's authorization for specific permissions. An app can request one or more scopes. Through approval of the scopes, the user grants these apps permissions to execute code to perform logic behind the scenes within their environment. These apps can be harmless or as threatening as an executable file.
Best Practices to Mitigate Third Party App Access Risk
To secure a company's SaaS stack, the security team needs to be able to identify and monitor all that happens within their SaaS ecosystem. Here's what a security team can share with employees and handle themselves to mitigate third party app access risk.
1 — Educate the employees in the organization
The first step in cybersecurity always comes back to raising awareness. Once the employees become more aware of the risks and dangers that these OAuth mechanisms present, they will be more hesitant to use them. Organizations should also create a policy that enforces employees to submit requests for third party apps.
2 — Gain visibility into the 3rd party access for all business-critical apps
Security teams should gain visibility into every business critical app and review all the different third party apps that have been integrated with their business-critical SaaS apps - across all tenets. One of the first steps when shrinking the threat surface is gaining an understanding of the full environment.
3 — Map the permissions and access levels requested by the connected third party apps
Once the security team knows which third party apps are connected, they should map the permissions and the type of access that each third party app has been given. From there they will be able to see which third party app presents a higher risk, based on the higher level of scope. Being able to differentiate between an app that can read versus an app that can write will help the security team prioritize which needs to be handled first.
In addition, the security team should map which users granted these permissions. For example, a high-privileged user, someone who has sensitive documents in their workspace, who grants access to a third party app can present a high risk to the company and needs to be remediated immediately.
4 — Get the automated approach to handle 3rd party app access
SaaS Security Posture Management solutions can automate the discovery of 3rd party apps. The right SSPM solution, like Adaptive Shield, has built-in logic that maps out all the 3rds party apps with access to the organization's SSPM integrated apps. This visibility and oversight empowers security teams so whether a company has a 100 or 600 apps, they can easily stay in control, monitor and secure their company's SaaS stack.
The Bigger SaaS Security Picture
To secure a company's SaaS stack, the security team needs to be able to identify and monitor all that happens within their SaaS ecosystem. 3rd party app access is just one component of the SaaS Security Posture Management picture.
Most existing cybersecurity solutions still do not offer adequate protection or a convenient way to monitor a company's SaaS stack, let alone the communications between their known apps and platforms, leaving companies vulnerable and unable to effectively know or control which parties have access to sensitive corporate or personal data.
Organizations need to be able to see all the configurations and user permissions of each and every app, including all the 3rd party apps that have been granted access by users. This way security teams can retain control of the SaaS stack, remediate any issues, block any apps using too many privileges and mitigate their risk.