This guest article was provided by Adaptive Shield
Employees grant third-party apps access to the company's SaaS apps, especially business-critical ones like Microsoft 365 (M365) and Google Workspace, on a continuous basis. This creates major security risks: security teams have no visibility into this multitude of connected apps and cannot quantify the level of risk each one poses.
Imagine an employee is working on a Google Doc and wants to do a mail merge. This feature isn't natively included, so they find a well-rated extension in Add-ons and install it into their Google Doc. In order to install it, however, the employee must grant the app permission to see, edit, create, and delete any Google Drive file. The employee doesn't think too much about it and grants these permissions. That consent is an OAuth grant that lives with the app vendor, not with the employee, and it remains valid until it is revoked. If a threat actor gains control of the mail merge app or its vendor's credentials, they could delete, download, or encrypt entire Google Drives containing critical corporate data.
This threat landscape is explored and mapped out in the recently released, 2023 SaaS-to-SaaS Access Report, Uncovering the Risks & Realities of Third-Party Connected Apps. The report shows that organizations of 10,000 SaaS users with both M365 and Google Workspace average 4,371 apps connected to their SaaS app stack. This datapoint is even more disturbing when paired with the report’s finding which states that 89% of third-party apps connected to Google Workspace and 67% of apps connecting to M365 represent a high or medium risk to a company’s SaaS data.
This article will dive into the key findings from the report and provide an in-depth examination of their significance.
The Sheer Volume of 3rd-Party Connected Apps
The number of third-party connected apps uncovered is striking, and it grows as companies grow.
Connected apps on average by company size for the M365 workspace:
<5,000 users: 522 connected apps
5,000-10,000 users: 1,253 connected apps
10,000-20,000 users: 3,508 connected apps
The number of apps connected to Google Workspace is significantly higher than for M365. As shown in the chart below, these are the average numbers of Google Workspace connected apps by company size:
<5,000 users: 1,309 connected apps
5,000-10,000 users: 4,216 connected apps
10,000-20,000 users: 13,913 connected apps
One of the interesting findings in the report is that although Google Workspace is connected to significantly more apps, this does not necessarily mean a proportionally higher risk to the company.
While more third-party applications are typically connected to Google Workspace, when the numbers are run, the amount of oversight and control a security team needs to secure the connected apps is on a similar scale for Microsoft and Google. This is shown in the breakdown of high- and medium-risk scopes found within the apps.
Risky Permission and Scopes
Every third-party app requests specific permissions (OAuth scopes) when connecting to a SaaS app. The report categorizes these permissions as low, medium, or high risk, based on what the requested scopes allow the application to do.
Many applications with high-risk scopes are able to read, update, create, and delete content. Apps are often granted full access to mailboxes and can send emails as the user.
These permissions pose a significant risk to the company: if an app, or the token it holds, is taken over by a threat actor, the attacker inherits the same access and can steal, sell, encrypt, or publish the data they find.
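To make the scope-risk idea concrete, here is an added example (not Adaptive Shield's code and not the report's methodology) that inventories OAuth grants from both platforms and ranks each app by its most permissive scope. The sample records are constructed to resemble Google Directory API `tokens.list` items and Microsoft Graph `oauth2PermissionGrants` objects, and the high/low scope lists are an illustrative mapping chosen for this example; the names `GOOGLE_TOKENS`, `M365_GRANTS` and `M365_NAMES` are assumptions standing in for real API output.

```python
"""Inventory third-party OAuth grants and rank them by scope risk.

Added example, not Adaptive Shield's code. Sample data is constructed to
resemble Google Directory API `tokens.list` items and Microsoft Graph
`oauth2PermissionGrants` objects; the tier lists are illustrative.
"""
from collections import Counter

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

# Google Workspace scopes, in the full URL form the API returns.
GOOGLE_HIGH = {
    "https://www.googleapis.com/auth/drive",             # see/edit/create/delete all Drive files
    "https://mail.google.com/",                           # full mailbox: read, send, delete
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",         # send mail as the user
    "https://www.googleapis.com/auth/admin.directory.user",
}
GOOGLE_LOW = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/drive.file",         # only files the app created or was handed
    "https://www.googleapis.com/auth/drive.appdata",
}

# Microsoft Graph delegated permission names.
M365_HIGH = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite", "MailboxSettings.ReadWrite"}
M365_LOW = {"openid", "profile", "email", "offline_access", "User.Read"}


def google_scope_risk(scope: str) -> str:
    if scope in GOOGLE_LOW:
        return "low"
    if scope in GOOGLE_HIGH:
        return "high"
    # Read-only access to sensitive data (drive.readonly, gmail.readonly) and any
    # scope not catalogued above land here: still worth a manual review.
    return "medium"


def m365_scope_risk(scope: str) -> str:
    if scope in M365_LOW:
        return "low"
    if scope in M365_HIGH or scope.endswith((".ReadWrite.All", ".AccessAsUser.All", ".FullControl.All")):
        return "high"
    return "medium"


def classify_app(provider: str, scopes: list) -> dict:
    """An app's risk is the risk of its most permissive scope."""
    rank = google_scope_risk if provider == "google" else m365_scope_risk
    tiers = {s: rank(s) for s in scopes}
    worst = max(tiers.values(), key=RISK_ORDER.__getitem__, default="low")
    return {"risk": worst, "high_scopes": sorted(s for s, t in tiers.items() if t == "high")}


def inventory(google_tokens, m365_grants, m365_names):
    """Flatten both providers into (provider, app, user, risk) records."""
    records = []
    for tok in google_tokens:
        c = classify_app("google", tok["scopes"])
        records.append({"provider": "google", "app": tok["displayText"], "user": tok["userKey"], **c})
    for grant in m365_grants:
        # Graph returns scopes as one space-separated string, and clientId is a
        # service principal object id that must be resolved to a display name.
        c = classify_app("m365", grant["scope"].split())
        records.append({"provider": "m365", "app": m365_names.get(grant["clientId"], grant["clientId"]),
                        "user": grant.get("principalId") or "all-users", **c})
    return records


def summarize(records):
    """Count distinct apps per provider and tier; an app granted by many users counts once, at its worst tier."""
    worst = {}
    for r in records:
        key = (r["provider"], r["app"])
        if key not in worst or RISK_ORDER[r["risk"]] > RISK_ORDER[worst[key]]:
            worst[key] = r["risk"]
    return Counter((prov, risk) for (prov, _), risk in worst.items())


# Constructed sample data (not real tenants or apps).
GOOGLE_TOKENS = [
    {"clientId": "1234.apps.googleusercontent.com", "displayText": "Mail Merge for Docs",
     "userKey": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/gmail.send",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "5678.apps.googleusercontent.com", "displayText": "Calendar Sync",
     "userKey": "bob@example.com", "scopes": ["https://www.googleapis.com/auth/calendar", "openid", "email"]},
    {"clientId": "9012.apps.googleusercontent.com", "displayText": "PDF Viewer",
     "userKey": "alice@example.com", "scopes": ["https://www.googleapis.com/auth/drive.file", "profile"]},
]
M365_NAMES = {"sp-aaa": "Mail Merge Pro", "sp-bbb": "Team Chat Connector"}  # constructed servicePrincipal lookup
M365_GRANTS = [
    {"clientId": "sp-aaa", "consentType": "Principal", "principalId": "u-1",
     "scope": "User.Read Mail.ReadWrite Mail.Send offline_access"},
    {"clientId": "sp-bbb", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Calendars.Read offline_access"},
]

if __name__ == "__main__":
    recs = inventory(GOOGLE_TOKENS, M365_GRANTS, M365_NAMES)
    for r in sorted(recs, key=lambda r: -RISK_ORDER[r["risk"]]):
        print(f'{r["provider"]:6} {r["risk"]:6} {r["app"]:20} {r["user"]:18} {" ".join(r["high_scopes"])}')
    print(dict(summarize(recs)))
```

The classification is deliberately conservative: anything not explicitly catalogued as low-impact is at least medium, because an unrecognised scope is exactly the one nobody has reviewed. Note that `offline_access` is rated low on its own but is what gives the app a refresh token, so a high-risk grant that also includes it persists until someone revokes it.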
Staying on Top of SaaS-to-SaaS Access
The scale of SaaS-to-SaaS access makes it impossible to manage manually. Organizations trying to control this attack surface and protect their data from the risks posed by third-party apps need an automated tool that continuously enumerates grants and their scopes.
SSPMs, like Adaptive Shield, can provide third-party app monitoring, so that security teams gain visibility into each connected app as well as the permissions — and risk — each app poses.