![\"\"](\"https:\/\/blogs.ubc.ca\/technut\/files\/2020\/04\/gsuite-1024x680.jpg\")
<\/p>\n<\/p>\n
An app for this, an app for that.\u00a0 It seems in this day and age, there is an \u201capp\u201d for just about anything you want to do or accomplish.\u00a0 We certainly live in an app-filled world. If previous decades were the age of infrastructure, we are now in the age of applications.<\/span><\/p>\n Applications are key to business processes and productivity today.\u00a0 Most organizations run on top of an application stack that allows carrying out many key business functions.\u00a0 Now, most organizations are leveraging the public cloud and cloud-based applications for even more powerful collaboration and technology-driven processes.\u00a0\u00a0<\/span><\/p>\n Software-as-a-Service (SaaS) environments like G Suite and Office 365 are extremely popular among organizations to host business collaboration, file sharing, email and other services.\u00a0 Cloud SaaS environments today contain a large number of third-party apps that can easily be integrated into your environment. While there can be benefits to these third-party applications, let\u2019s talk about the risks of third-party apps you didn\u2019t know about.\u00a0\u00a0<\/span><\/p>\n First of all, what are the <\/span>third-party<\/b> apps we are referring to when thinking about potential risks to your environment?\u00a0 Third-party \u201capps\u201d are readily available in both Google\u2019s G Suite and Microsoft\u2019s Office 365 environments. There are third-party apps available covering a wide range of functionality for your SaaS users.\u00a0\u00a0<\/span><\/p>\n An example of available third-party application categories include:<\/span><\/p>\n The beauty of third-party apps in regards to cloud SaaS environments like G Suite or Office 365 is that if you have any gaps in the native cloud SaaS tools offered, you can most certainly find a third-party app that provides the functionality you need.\u00a0\u00a0<\/span><\/p>\n Third-party apps augment the capabilities of SaaS environments with even more robust tooling, features, and capabilities.\u00a0 These applications generally follow the same SaaS license model of a \u201cper user\u201d license. By means of the third-party apps offered in cloud SaaS marketplaces, your organization can have an \u201cala carte\u201d style menu available to pick and choose the apps to satisfy the business functionality needed.\u00a0\u00a0<\/span><\/p>\n Below is an example of the <\/span>G Suite Marketplace<\/b> where users have an almost unlimited selection of applications to chose from.\u00a0 By default, users can search and install applications using their G Suite user accounts.\u00a0 You can browse by application type, or applications can be found by searching for apps by name.\u00a0 <\/span><\/p>\n In today\u2019s mobile-driven world, third-party apps have become a staple of how we interact with services and data.\u00a0 It has also become an extremely important part of the public cloud. Despite the functionality provided by robust third-party apps, they can bring risks to your organization.\u00a0 How is this the case?<\/span><\/p>\n Despite their numerous benefits, third-party apps can certainly bring risk to your organization data, compliance, and security.\u00a0 Let\u2019s take a look at the potential risks that are presented by the use of third-party apps in your cloud SaaS environment.<\/span><\/p>\n <\/p>\n 1. Malware including ransomware<\/b><\/p>\n 2. Data-leak concerns<\/b><\/p>\n 3. Compliance and regulatory violations<\/span><\/p>\n <\/p>\n <\/p>\n Often, these particular risks of third-party apps go unnoticed by organizations who are making use of cloud SaaS environments.\u00a0 Let\u2019s explore these further and see why and how your organization can give attention to these specific third-party app risks.<\/span><\/p>\n There is arguably no greater risk to your business-critical data today than <\/span>ransomware<\/b>.\u00a0 Ransomware insidiously and silently encrypts your data so that you can no longer access what is rightfully yours.\u00a0 Once the encryption process has locked you out of your data, a ransom demand appears, demanding payment before access is restored.<\/span><\/p>\n While many have incorrectly assumed that ransomware is an on-premises problem only, this can lead to dangerous consequences for data stored in public cloud storage.\u00a0 Many organizations today are migrating business-critical services like email and file storage to cloud SaaS environments. Without an understanding of the risks at play with third-party apps integrating with cloud SaaS, data can easily be affected.<\/span><\/p>\n Ransomware can easily propagate to cloud SaaS environments by means of <\/span>file synchronization<\/b> as well as <\/span>malicious third-party apps<\/b> and <\/span>browser extensions<\/b> that gain access to cloud data.\u00a0 New ransomware variants affecting environments today are \u201ccloud-aware\u201d and are able to compromise cloud SaaS environments by means of these malicious applications.\u00a0\u00a0<\/span><\/p>\n \u201cRansomcloud\u201d attacks <\/span>show how easily a malicious application<\/span> granted permissions in cloud environments can totally compromise your data.\u00a0 As demonstrated in the \u201cransomcloud\u201d attack, an entire user\u2019s mailbox is encrypted by granting permissions to a seemingly benign application that in all actuality is ransomware in disguise.\u00a0\u00a0<\/span><\/p>\n This proof of concept demonstrates the dangers of third-party applications that are granted access to your cloud SaaS environments, either intentionally or by accident.\u00a0 Ransomware attacks can propagate by means of a malicious application or even a browser plugin that has the permissions needed to start encrypting your data. How can malicious third-party apps and browser plugins obtain this level of access to your business-critical data stored in G Suite or Office 365 storage?<\/span><\/p>\n Risky or malicious third-party apps often gain easy access to cloud SaaS environments like G Suite or Office 365 by means of end user-granted permissions.\u00a0 Public cloud vendors use an OAuth 2.0 token technology to allow end users to grant access to their data without the need for a password to do so. All the end user has to do is <\/span>grant permissions<\/b> to a permissions request coming from a third-party app.<\/span><\/p>\n All of us are guilty of blindly granting permissions to apps that request them during installation.\u00a0 How many of us actually read the details of the permissions requested by third-party applications we install on our mobile devices?\u00a0 Think about an end user with either a company-issued mobile device, or a personal device used to also access company data.<\/span><\/p>\n If an end user blindly accepts permissions while installing a risky third-party app and the end user\u2019s phone is connected to your organization\u2019s data, all business-critical or sensitive data the end user has access to is now at risk of compromise by a risky third-party app.<\/span><\/p>\n The same is true for <\/span>browser extensions<\/b>.\u00a0 Third-party browser extensions can request the same types of permissions to cloud data as other third-party applications that are installed via mobile devices.\u00a0 A <\/span>recent study <\/span><\/a>found that <\/span>more than a third of all Google Chrome extensions ask users for permission to access and read all their data on any website<\/span>.<\/span><\/p>\n When you think about the possible security implications of third-party apps installed on mobile devices as well as third-party browser extensions, it is imperative to have visibility to and the ability to block these dangers.\u00a0 This requires controlling <\/span>which applications<\/b> are installed in your cloud SaaS environments.\u00a0\u00a0<\/span><\/p>\n Aside from an all-out ransomware attack on your organization\u2019s data, there is another scary cybersecurity concern that should get the attention of businesses everywhere \u2013 <\/span>data leak<\/b>.\u00a0 Next, to ransomware data leak should be extremely concerning to your business.<\/span><\/p>\n With data leak, confidential or otherwise sensitive data is \u201cleaked\u201d outside the \u201cwalls\u201d of your organization and disclosed to the outside world.\u00a0 Many businesses deal with confidential data by its nature. You may think of <\/span>Electronic Medical Records (EMR)<\/b> information processed by hospitals and other healthcare organizations or <\/span>financial data<\/b> that is housed by banking institutions and other financial organizations.\u00a0 There are many different sources of confidential and other sensitive data that you would never want to leak outside the realms of sanctioned use.<\/span><\/p>\n While you may have restrictions in place on who has access to sensitive types of data that exist inside cloud environments, what about the applications that have access to this data?\u00a0 Think of a scenario with a seemingly legitimate widget application that is downloaded for use on an Android device. The end user who installs the Android widget application also has high-level access to sensitive and confidential data stored in your organization\u2019s cloud SaaS environment.\u00a0\u00a0<\/span><\/p>\n Even though the application requests extremely high-level device permissions such as the following, the user simply grants all permissions to the new widget app:<\/span><\/p>\n The widget application now has a high level of access to both the network and storage of the device.\u00a0 The seemingly legitimate third-party app is actually malicious in nature and starts reading and copying data synchronized with your cloud SaaS environment to a dark web repository defined by the attacker.\u00a0 What can this cost your business?\u00a0\u00a0<\/span><\/p>\n The cost of<\/span> data breach<\/b> can be significant as outlined by IBM\u2019s \u201c<\/span>The Cost of a Data Breach Report 2019<\/span><\/a>\u201d.\u00a0 According to the yearly report by IBM\u2019s research team, in 2019, the cost of a data breach included the following eye-opening statistics:<\/span><\/p>\n Keep in mind these are average statistics and may cost your business even more according to the degree and effectiveness of cybersecurity responses you have in place.\u00a0 It helps to underscore the tremendous responsibility of your organization when it comes to limiting the exposure of your data to third-party applications.\u00a0\u00a0<\/span><\/p>\n There is another aspect for businesses today to consider when it comes to keeping data safe and out of the wrong hands \u2013 <\/span>compliance and regulatory<\/b>.\u00a0 Compliance and regulatory frameworks are designed to protect customer and other sensitive data.\u00a0 Compliance regulations provide a framework of standards that, when followed by organizations, helps to ensure the proper security and other fail safes are put in place to protect important types of data.\u00a0\u00a0<\/span><\/p>\n Compliance and regulatory frameworks are a good thing for both your business as well as your customer information.\u00a0 It serves to protect both from negative consequences of data breach. However, today\u2019s compliance and regulatory frameworks can also levy huge fines if your organization is found in violation of or grossly negligent to the point where customer data is compromised.<\/span><\/p>\n A great example of this the <\/span>General Data Protection Regulation (GDPR)<\/b> that went into effect May, 2018.\u00a0 GDPR is not only a recommendation, it is required for those who \u201ctouch\u201d data of any European citizen.\u00a0 The fines and consequences for those organizations found in violation of GDPR guidelines can be tremendous.\u00a0\u00a0<\/span><\/p>\n As <\/span>noted here<\/span><\/a>, fines can include:<\/span><\/p>\n \u201cFor especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher. But even the catalogue of less severe violations in Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.\u201d<\/span><\/i><\/p>\n Under the GDPR guidelines, it is extremely important that organizations take seriously their responsibility to provide <\/span>data security<\/b>.\u00a0 The overall import of the GDPR data protection framework is <\/span>data protection by design and by default<\/b>.\u00a0 A portion of the <\/span>GDPR checklist<\/span><\/a> helps to highlight this as organizations are expected to ensure the following:<\/span><\/p>\n <\/p>\n <\/p>\n The walkthrough in the <\/span>data leak <\/b>example demonstrates how easy it is for a malicious third-party application that is granted permissions by an end user to access sensitive data.\u00a0 It also demonstrates how easy it would be for an organization to be in violation of compliance regulations like GDPR when customer data is exposed without safeguards in place.\u00a0\u00a0<\/span><\/p>\n Taking into consideration the threat and risks of malicious or \u201cleaky\u201d third-party applications and browser plugins must be part of the <\/span>design<\/b> when it comes to housing your business-critical data in cloud SaaS environments.\u00a0\u00a0<\/span><\/p>\nWhat are Third-Party Apps?<\/span><\/h2>\n
\n
Risks of third-party apps you probably didn\u2019t think about<\/span><\/h2>\n
Malware including ransomware<\/span><\/h3>\n
End users easily grant permissions<\/span><\/h4>\n
Data leak concerns<\/span><\/h4>\n
\n
\n
Compliance and regulatory violations<\/span><\/h3>\n
\n
Eliminate Third-Party App Risks<\/span><\/h2>\n