Risks of Third-party Apps You Probably Didn’t Think About

An app for this, an app for that.  It seems in this day and age, there is an “app” for just about anything you want to do or accomplish.  We certainly live in an app-filled world. If previous decades were the age of infrastructure, we are now in the age of applications.

Applications are key to business processes and productivity today.  Most organizations run on top of an application stack that allows carrying out many key business functions.  Now, most organizations are leveraging the public cloud and cloud-based applications for even more powerful collaboration and technology-driven processes.  

Software-as-a-Service (SaaS) environments like G Suite and Office 365 are extremely popular among organizations to host business collaboration, file sharing, email and other services.  Cloud SaaS environments today contain a large number of third-party apps that can easily be integrated into your environment. While there can be benefits to these third-party applications, let’s talk about the risks of third-party apps you didn’t know about.  

What are Third-Party Apps?

First of all, what are the third-party apps we are referring to when thinking about potential risks to your environment?  Third-party “apps” are readily available in both Google’s G Suite and Microsoft’s Office 365 environments. There are third-party apps available covering a wide range of functionality for your SaaS users.  

Examples of available third-party application categories include:

  • Remote video conference tools
  • Business Tools
  • Office applications
  • Accounting & finance
  • Administration & management
  • ERP & Logistics
  • HR & Legal
  • Marketing & analytics
  • Sales & CRM
  • Creative tools
  • Web development
  • Task management 

The beauty of third-party apps in regards to cloud SaaS environments like G Suite or Office 365 is that if you have any gaps in the native cloud SaaS tools offered, you can most certainly find a third-party app that provides the functionality you need.  

Third-party apps augment the capabilities of SaaS environments with even more robust tooling, features, and capabilities.  These applications generally follow the same SaaS license model of a “per user” license. By means of the third-party apps offered in cloud SaaS marketplaces, your organization can have an “ala carte” style menu available to pick and choose the apps to satisfy the business functionality needed.  

Below is an example of the G Suite Marketplace where users have an almost unlimited selection of applications to choose from.  By default, users can search and install applications using their G Suite user accounts.  You can browse by application type, or applications can be found by searching for apps by name.

In today’s mobile-driven world, third-party apps have become a staple of how we interact with services and data.  It has also become an extremely important part of the public cloud. Despite the functionality provided by robust third-party apps, they can bring risks to your organization.  How is this the case?

Risks of third-party apps you probably didn’t think about

Despite their numerous benefits, third-party apps can certainly bring risk to your organization data, compliance, and security.  Let’s take a look at the potential risks that are presented by the use of third-party apps in your cloud SaaS environment.

1. Malware including ransomware
2. Data-leak concerns
3. Compliance and regulatory violations

Often, these particular risks of third-party apps go unnoticed by organizations who are making use of cloud SaaS environments.  Let’s explore these further and see why and how your organization can give attention to these specific third-party app risks.

Malware including ransomware

There is arguably no greater risk to your business-critical data today than ransomware.  Ransomware insidiously and silently encrypts your data so that you can no longer access what is rightfully yours.  Once the encryption process has locked you out of your data, a ransom demand appears, demanding payment before access is restored.

While many have incorrectly assumed that ransomware is an on-premises problem only, that assumption can lead to dangerous consequences for data stored in public cloud storage.  Many organizations today are migrating business-critical services like email and file storage to cloud SaaS environments. Without an understanding of the risks at play with third-party apps integrating with cloud SaaS, data can easily be affected.

Ransomware can easily propagate to cloud SaaS environments by means of file synchronization as well as malicious third-party apps and browser extensions that gain access to cloud data.  New ransomware variants affecting environments today are “cloud-aware” and are able to compromise cloud SaaS environments by means of these malicious applications.  

“Ransomcloud” attacks show how easily a malicious application granted permissions in cloud environments can totally compromise your data.  As demonstrated in the “ransomcloud” attack, a user’s entire mailbox is encrypted after the user grants permissions to a seemingly benign application that is in all actuality ransomware in disguise.

This proof of concept demonstrates the dangers of third-party applications that are granted access to your cloud SaaS environments, either intentionally or by accident.  Ransomware attacks can propagate by means of a malicious application or even a browser plugin that has the permissions needed to start encrypting your data. How can malicious third-party apps and browser plugins obtain this level of access to your business-critical data stored in G Suite or Office 365 storage?

End users easily grant permissions

Risky or malicious third-party apps often gain easy access to cloud SaaS environments like G Suite or Office 365 by means of end user-granted permissions.  Public cloud vendors use an OAuth 2.0 token technology to allow end users to grant access to their data without the need for a password to do so. All the end user has to do is grant permissions to a permissions request coming from a third-party app.
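The consent screen is the control point the paragraph above describes: once a user clicks through it, the app holds a token with whatever scopes it asked for, and no password is involved. An administrator’s first defensive step is therefore to inventory what has been granted and rate each grant by its scopes. The following is an added example, not code from the article, from Google or from Microsoft: it takes a constructed export of user-authorized apps (user, client id, app name, granted scopes) and sorts the grants into revoke / review / ok buckets. It goes slightly beyond the G Suite case in the text by also recognizing Microsoft Graph scope names, so the same triage covers Office 365. The scope strings are real Google Workspace and Microsoft Graph scope names; the users, client ids, app names and the sanctioned-app allowlist are assumptions.

```python
"""Triage user-granted OAuth permissions to third-party apps.

Added example, not code from the original article or any vendor. The grant
records are constructed to resemble an admin export of authorized apps
(user, client id, app name, granted scopes). The scope strings are real
Google Workspace and Microsoft Graph scope names; the users, client ids and
app names are made up, and the allowlist is an assumed list of sanctioned
client ids that an organization would maintain itself.
"""
from dataclasses import dataclass

# Scopes that let an app read, change or delete a user's whole mailbox,
# file store or directory: the reach a "ransomcloud"-style app needs.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                    # full Gmail access
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",       # every Drive file
    "https://www.googleapis.com/auth/contacts",
    "Mail.ReadWrite",                              # Microsoft Graph
    "Files.ReadWrite.All",
    "Directory.ReadWrite.All",
}

# Read-only access to bulk data: cannot encrypt it, but can leak it.
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "Mail.Read",
    "Files.Read.All",
}

# Identity only, or files the app itself created.
LOW_RISK_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/drive.file",
    "User.Read",
}


@dataclass
class Grant:
    user: str
    client_id: str
    app_name: str
    scopes: list


def risk_level(scopes):
    """Rate a grant by its most powerful scope. Scopes not in any list are
    rated medium so an unfamiliar permission is reviewed, not ignored."""
    level = "low"
    for scope in scopes:
        if scope in HIGH_RISK_SCOPES:
            return "high"
        if scope not in LOW_RISK_SCOPES:
            level = "medium"
    return level


def triage(grants, sanctioned_client_ids):
    """Sort grants into revoke / review / ok buckets.

    Sanctioned apps pass regardless of scope; everything else is judged on
    the scopes the user handed over."""
    buckets = {"revoke": [], "review": [], "ok": []}
    for grant in grants:
        level = risk_level(grant.scopes)
        if grant.client_id in sanctioned_client_ids or level == "low":
            buckets["ok"].append(grant)
        elif level == "high":
            buckets["revoke"].append(grant)
        else:
            buckets["review"].append(grant)
    return buckets


def exposed_users(grants):
    """Map each user to the apps (sanctioned or not) holding high-risk scopes
    on their account: whose mailbox or files a compromised app could reach."""
    exposure = {}
    for grant in grants:
        if risk_level(grant.scopes) == "high":
            exposure.setdefault(grant.user, []).append(grant.app_name)
    return exposure


# Constructed sample export (not real apps, users or client ids).
SAMPLE_GRANTS = [
    Grant("alice@example.com", "client-1001", "Login Only Widget",
          ["openid", "email", "profile"]),
    Grant("bob@example.com", "client-1002", "Inbox Cleaner",
          ["https://mail.google.com/",
           "https://www.googleapis.com/auth/contacts"]),
    Grant("carol@example.com", "client-2000", "Corporate CRM",
          ["https://www.googleapis.com/auth/drive", "email"]),
    Grant("dave@example.com", "client-1003", "PDF Widget",
          ["User.Read", "Files.Read.All"]),
    Grant("erin@example.com", "client-1004", "Calendar Helper",
          ["https://www.googleapis.com/auth/calendar.readonly"]),
]
SANCTIONED = {"client-2000"}  # assumed: the org's own approved CRM integration

if __name__ == "__main__":
    result = triage(SAMPLE_GRANTS, SANCTIONED)
    for bucket, grants in result.items():
        for g in grants:
            print(f"{bucket:6} {g.user:18} {g.app_name:18} {risk_level(g.scopes)}")
    print("users with high-risk grants:", exposed_users(SAMPLE_GRANTS))
```

The design choice worth noting is that an unknown scope is rated medium rather than low, so a new or unusual permission lands in the review queue instead of being silently accepted. In G Suite the real records and revocations are available through the Admin SDK Directory API’s tokens resource; in Office 365 through the OAuth2 permission grants in Azure AD. Feeding either export into a triage like this is what “visibility and control” over third-party apps amounts to in practice.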

All of us are guilty of blindly granting permissions to apps that request them during installation.  How many of us actually read the details of the permissions requested by third-party applications we install on our mobile devices?  Think about an end user with either a company-issued mobile device, or a personal device used to also access company data.

If an end user blindly accepts permissions while installing a risky third-party app and the end user’s phone is connected to your organization’s data, all business-critical or sensitive data the end user has access to is now at risk of compromise by a risky third-party app.

The same is true for browser extensions.  Third-party browser extensions can request the same types of permissions to cloud data as other third-party applications that are installed via mobile devices.  A recent study found that more than a third of all Google Chrome extensions ask users for permission to access and read all their data on any website.

When you think about the possible security implications of third-party apps installed on mobile devices as well as third-party browser extensions, it is imperative to have visibility into these dangers and the ability to block them.  This requires controlling which applications are installed in your cloud SaaS environments.
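The extension statistic above (more than a third ask to read all data on any website) comes straight from the permissions declared in each extension’s manifest, and that manifest is something an administrator can audit before allowing an extension. The following is an added example, not code from the article or from any extension vendor: it parses constructed Chrome manifests (both the older MV2 layout, where host patterns sit in `permissions`, and MV3, where they sit in `host_permissions`) and reports three things the article warns about: access to every website, reach into the cloud SaaS hosts your users sign in to, and powerful browser APIs. The permission names and match-pattern syntax are Chrome’s; the sample extensions and the list of SaaS hosts to check are assumptions.

```python
"""Audit a browser extension manifest for the permissions the article warns
about: access to every website, reach into cloud SaaS hosts, and powerful
browser APIs.

Added example, not code from the original article or any extension. The
manifests below are constructed; the permission names and match-pattern
syntax follow Chrome's manifest format (MV2 and MV3). The list of SaaS hosts
to check is an assumption you would replace with your own tenant's hosts.
"""
import json

# Patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that let an extension observe or drive the browser session.
SENSITIVE_API_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
    "clipboardRead", "nativeMessaging", "debugger", "scripting",
}

# Assumed: the SaaS front ends your users sign in to.
SAAS_HOSTS = ("mail.google.com", "drive.google.com",
              "outlook.office.com", "onedrive.live.com")


def is_host_pattern(entry):
    return entry == "<all_urls>" or "://" in entry


def host_patterns(manifest):
    """Collect host match patterns. MV2 mixes them into `permissions`; MV3
    keeps them in `host_permissions`; both may list optional ones too."""
    keys = ("permissions", "optional_permissions",
            "host_permissions", "optional_host_permissions")
    return [p for k in keys for p in manifest.get(k, []) if is_host_pattern(p)]


def pattern_matches_host(pattern, hostname):
    """Does a Chrome match pattern cover this hostname? Handles <all_urls>,
    the wildcard host '*' and subdomain wildcards like '*.example.com'."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    if host == "*":
        return True
    if host.startswith("*."):
        base = host[2:]
        return hostname == base or hostname.endswith("." + base)
    return hostname == host


def audit_manifest(manifest):
    """Return a list of human-readable findings for one manifest."""
    findings = []
    hosts = host_patterns(manifest)
    if any(p in BROAD_HOST_PATTERNS for p in hosts):
        findings.append("can read and change data on every website")
    reachable = [h for h in SAAS_HOSTS
                 if any(pattern_matches_host(p, h) for p in hosts)]
    if reachable:
        findings.append("reaches cloud SaaS hosts: " + ", ".join(reachable))
    api_perms = {p for k in ("permissions", "optional_permissions")
                 for p in manifest.get(k, []) if not is_host_pattern(p)}
    risky = sorted(api_perms & SENSITIVE_API_PERMISSIONS)
    if risky:
        findings.append("sensitive browser APIs: " + ", ".join(risky))
    return findings


# Constructed manifests (not real extensions).
SAMPLE_MANIFESTS = {
    "Productivity Booster": json.loads("""{
        "manifest_version": 3, "name": "Productivity Booster",
        "permissions": ["storage", "tabs", "cookies"],
        "host_permissions": ["<all_urls>"]
    }"""),
    "Drive Helper": json.loads("""{
        "manifest_version": 2, "name": "Drive Helper",
        "permissions": ["storage", "https://*.google.com/*"]
    }"""),
    "Color Picker": json.loads("""{
        "manifest_version": 3, "name": "Color Picker",
        "permissions": ["storage"]
    }"""),
}

if __name__ == "__main__":
    for name, manifest in SAMPLE_MANIFESTS.items():
        print(name, "->", audit_manifest(manifest) or ["no findings"])
```

Note that a narrow-looking pattern such as `https://*.google.com/*` already covers Gmail and Drive, which is why the audit checks reach into specific SaaS hosts and not just the blanket `<all_urls>` case. The same findings can drive an allowlist policy pushed through the browser’s enterprise management, so that anything not on the list cannot be installed in the first place.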

Data leak concerns

Aside from an all-out ransomware attack on your organization’s data, there is another scary cybersecurity concern that should get the attention of businesses everywhere – data leak.  Next to ransomware, data leak should be extremely concerning to your business.

With data leak, confidential or otherwise sensitive data is “leaked” outside the “walls” of your organization and disclosed to the outside world.  Many businesses deal with confidential data by its nature. You may think of Electronic Medical Records (EMR) information processed by hospitals and other healthcare organizations or financial data that is housed by banking institutions and other financial organizations.  There are many different sources of confidential and other sensitive data that you would never want to leak outside the realms of sanctioned use.

While you may have restrictions in place on who has access to sensitive types of data that exist inside cloud environments, what about the applications that have access to this data?  Think of a scenario with a seemingly legitimate widget application that is downloaded for use on an Android device. The end user who installs the Android widget application also has high-level access to sensitive and confidential data stored in your organization’s cloud SaaS environment.  

Even though the application requests extremely high-level device permissions such as the following, the user simply grants all permissions to the new widget app:

  • Read your text messages (SMS or MMS)
  • Full Network Access
  • Read phone status and identity
  • Modify or delete the contents of your device storage

The widget application now has a high level of access to both the network and storage of the device.  The seemingly legitimate third-party app is actually malicious in nature and starts reading and copying data synchronized with your cloud SaaS environment to a dark web repository defined by the attacker.  What can this cost your business?  

The cost of a data breach can be significant, as outlined by IBM’s “The Cost of a Data Breach Report 2019”.  According to the yearly report by IBM’s research team, in 2019, the cost of a data breach included the following eye-opening statistics:

  • Average total cost of a data breach – $3.92 million
  • Most expensive country – United States, $8.19 million
  • Most expensive industry – Healthcare, $6.45 million
  • Average size of a data breach – 25,575 records

Keep in mind these are average statistics and may cost your business even more according to the degree and effectiveness of cybersecurity responses you have in place.  It helps to underscore the tremendous responsibility of your organization when it comes to limiting the exposure of your data to third-party applications.  

Compliance and regulatory violations

There is another aspect for businesses today to consider when it comes to keeping data safe and out of the wrong hands – compliance and regulatory requirements.  Compliance and regulatory frameworks are designed to protect customer and other sensitive data.  Compliance regulations provide a framework of standards that, when followed by organizations, helps to ensure the proper security and other fail-safes are put in place to protect important types of data.

Compliance and regulatory frameworks are a good thing for both your business and your customer information.  They serve to protect both from the negative consequences of a data breach. However, today’s compliance and regulatory frameworks can also levy huge fines if your organization is found in violation of them, or grossly negligent to the point where customer data is compromised.

A great example of this is the General Data Protection Regulation (GDPR), which went into effect in May 2018.  GDPR is not only a recommendation, it is required for those who “touch” data of any European citizen.  The fines and consequences for those organizations found in violation of GDPR guidelines can be tremendous.

As noted here, fines can include:

“For especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher. But even the catalogue of less severe violations in Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.”

Under the GDPR guidelines, it is extremely important that organizations take seriously their responsibility to provide data security.  The overall import of the GDPR data protection framework is data protection by design and by default.  A portion of the GDPR checklist helps to highlight this as organizations are expected to ensure the following:

  • Take data protection into account at all times, from the moment you begin developing a product to each time you process data
  • Encrypt, pseudonymize, or anonymize personal data wherever possible
  • Create an internal security policy for your team members, and build awareness about data protection
  • Know when to conduct a data protection impact assessment, and have a process in place to carry it out
  • Have a process in place to notify the authorities and your data subjects in the event of a data breach


The walkthrough in the data leak example demonstrates how easy it is for a malicious third-party application that is granted permissions by an end user to access sensitive data.  It also demonstrates how easy it would be for an organization to be in violation of compliance regulations like GDPR when customer data is exposed without safeguards in place.  

The threats and risks of malicious or “leaky” third-party applications and browser plugins must be taken into account in the design when it comes to housing your business-critical data in cloud SaaS environments.

Eliminate Third-Party App Risks

To effectively eliminate the risks of third-party apps to your business-critical and sensitive data, you need both visibility and control.  First of all, you need visibility into any potential risks in your organization.  Cloud SaaS data security can be challenging for organizations that are accustomed to on-premises environments and lack the tooling needed to monitor data access properly in the cloud.

Controlling access to data can also be challenging without the right toolsets since data can be accessed from many different kinds of devices and networks.  How can your organization effectively monitor and manage data access and protect the environment from risky third-party applications accessing your cloud data?  

The sheer complexity of today’s environments spanning both on-premises and public cloud locations, and the enormity of the attack surface, require that you use an automated approach to both detect and remediate threats effectively.

An ideal SaaS data protection platform should have an automated sentinel that guards your cloud SaaS environment 24x7x365. You can also utilise an API-based Cloud Access Security Broker (CASB) that integrates to provide Google Apps Security or protect your Office 365 environment.  It provides you with the tools you need to have both the visibility and control over third-party applications in your environment.  

Protection against risky third-party apps as well as other cybersecurity threats to your business is critical.

Be sure to choose the best protection platform for your cloud environment.