Let’s discuss the risk associated with SaaS applications utilizing OAuth authorization through Google Workspace and Microsoft Office 365 accounts.
Despite the widespread trust in Google Workspace and Microsoft Office 365, based on the reputation of these IT giants, it is important to note that this trust is often unwarrantedly extended to applications available on Google or Microsoft Marketplaces. The utilization of such applications introduces a significant risk, and we will explore the reasons for this in the following section.
1) OAuth authorization - Easy to use
SaaS applications play a pivotal role in enhancing employee productivity. A majority of these applications leverage OAuth for facilitating access to their features. The authorization process is notably user-friendly, eliminating the need for employees to recall multiple logins and passwords for different programs. Instead, they can employ a single set of credentials for all programs.
To illustrate, let's consider an example of OAuth access with Google.
The program will access certain personal information of the user, such as their name and email address. Typically, a program operates without requiring special permissions. However, if, for instance, you decide to install the Grammarly Chrome Extension, you grant the app permission to read and modify all your data across all websites, including Google Workspace documents. The extent of permissions varies among different software. Responsible developers usually request only the permissions essential for the proper functioning of an application.
2) Scope of permissions - what does it mean?
However, a critical issue with OAuth lies in the application's access to user data and its scope of permissions. Unfortunately, not all developers adhere to responsible practices, and in some cases, they may operate in regions with ambiguous app development and data protection laws. This lack of accountability can lead to serious problems. While seemingly innocuous initially, this data can be exploited in an engineering attack targeting your employees.
Take the Mail Merge application, for example, seeking broad permissions to access and manipulate all types of Google Docs files, spreadsheets, presentations, and other files in Google Drive. Additionally, it requests permissions to manage drafts, send emails, adjust settings and filters in Gmail, and operate even when users are inactive. This elevated access level makes Mail Merge a heightened risk for employees. If exploited by a malicious actor, the application could lead to the deletion, download, or encryption of entire Google Drives containing vital corporate data.
3) Should it be a concern for your organization?
The proliferation of software-as-a-service (SaaS) apps continues to grow unabated within organizations. Employees are providing third-party apps access to vital SaaS platforms, including Microsoft 365 (M365) and Google Workspace, resulting in heightened security risks. Unfortunately, security teams and organizations struggle to monitor the expanding number of connected apps and assess the associated level of risk.
Adaptive Shield's "2023 SaaS-to-SaaS Access Report" reveals alarming statistics: in a standard 10,000 SaaS-user organization, an average of 4,371 connected apps link to both M365 and Google Workspace. Moreover, more than 89% of third-party apps associated with Google Workspace and 67% of those connecting to M365 pose a high or medium risk to SaaS data. Many of these apps are granted perilous permissions, enabling them to delete or share sensitive corporate data.
The report outlines that 39% of M365-connected apps are deemed high risk, with an additional 28% classified as medium risk. Conversely, for Google Workspace, 11% fall into the high-risk category, but a significant 78% pose a medium risk, necessitating access to sensitive permissions
The extent of SaaS-to-SaaS access is too vast to be manually managed. To safeguard data from the potential risks introduced by third-party apps and maintain control over the attack surface, organizations need an automated solution. Start with Zygon.