Research by Adaptive Shield has revealed that companies with 10,000 SaaS users have an average of 2,033 applications connected to M365 and 6,710 connected to Google Workspace. However, for companies using Google Workspace, this number jumps to an average of 13,913 connected apps for 10,000 to 20,000 SaaS users.
The research also found that 39% of apps connected to M365 and 11% to Google Workspace have high-risk permission access, highlighting the need for businesses to develop policies for integrating apps and prioritize employee training to eliminate these risks.
We sat down with Adaptive Shield CEO Maor Bin to discuss the research's findings in more depth as well as how organizations can mitigate the security risks of SaaS applications.
1) Can you tell us about the findings of your research on SaaS-to-SaaS connections and the risks they pose to companies using Microsoft 365 and Google Workspace?
Of course. Our research found thousands of unique apps connecting to Microsoft 365 (M365) and Google Workspace. For example, a company using M365 with 10,000 SaaS users averages 2,033 connected apps; a company using Google Workspace with 10,000 SaaS users averages 6,710 connected apps. Both Google Workspace and M365 show an increase in the number of connected apps as the number of users grows.
The risks presented by third-party connected applications are caused by several issues. First, security teams lack visibility into the connected applications, meaning they don’t know anything about the company that developed the app, nor do they know what security measures were built into the application. Additionally, many apps are created by individual software developers, making it even more difficult to understand what security measures are built into the app.
Secondly, each application requests specific permissions to perform its functions. While some app requests are harmless, others require extensive and intrusive permissions. This results in many apps that are unknown to the security team having deep levels of access to the SaaS data. This leads to two major risk factors to consider: the first is that a threat actor can use the app to execute malicious intent; or, much less sinister-sounding but equally as disastrous, the connected app could have a bug that may delete or leak confidential data and files. These bugs might not exist on an application at the initial time it's connected, but could develop later when the app has been updated.
2) What are the most high-risk permissions that apps connected to Microsoft 365 and Google Workspace have, and how can companies mitigate these risks?
High-risk permissions may provide an app with read/write access to company data or files, or allow it to create new files or elements within the app, or even be able to delete data or files.
In a typical M365 or Google Workspace environment, apps are routinely granted the ability to delete all files, send out email on behalf of the user (without the user’s involvement), and read and delete all emails.
Our research uncovered that 39% of connected apps to M365 are requesting high-risk scopes, which amounts to approximately 792 high-risk applications. 118 of those applications (15%) have permission to read, create, update, and delete all files to which the user has access.
Google Workspace is just as concerning. In the same size company, they have 6,710 connected applications, 11% (738) of which have requested high-risk permissions. Of those, 295 (40%) have the ability to edit, create, and delete all Google Drive files.
Mitigating these risks happens in a few ways. Security teams must develop policies for integrating apps, and prioritize training to educate employees on these risks. Other options include using solutions that automate the identification of connected apps and provide security teams with the ability to understand the risks and permissions the apps are requesting.
3) Are there any specific SaaS categories that are more frequently connected than others, and what are the risks associated with these categories?
There are far more apps connected to email clients than any other type of application. This is most likely because everyone in an organization has email, and everyone is looking for ways to use it more efficiently.
Beyond that are applications that deal with files and documents. This covers productivity applications, like Microsoft Word or Google Docs, and file storage applications, like SharePoint and Google Drive. The third most connected app category is communication and meetings tools.
4) How can companies balance the need for enhanced features and workflow efficiency provided by SaaS-to-SaaS connections with the potential security risks they pose, and what measures can they take to ensure the security of their data and systems?
Companies need many of the features and workflow improvements offered by SaaS-to-SaaS connections. Google products in particular, like Docs, Sheets, and Slides, require third-party applications to deliver key workplace functionality. It’s impractical to place a ban on extending functionality through third-party applications.
Like most areas of cybersecurity, security teams need to manage – rather than eliminate – risk using a platform that provides visibility into the volume of apps and permissions. Organizations already do this in other areas by using application control as a process for security management in the network, endpoints, and systems. Security experts need to implement the same process also for SaaS OAuth apps.
Security teams need to be able to regularly review applications, and disconnect high-risk apps that may have become dormant. It’s imperative that they collaborate with business teams to assess the potential business impacts that disconnecting high-risk applications might have on productivity. Oftentimes, they can replace high-risk applications with others that don’t require intrusive permissions.
Moving forward, teams can require admin approval to connect future applications, limiting an employee’s ability to add applications on their own. Through strategic management, security teams can reduce their risk exposure from these applications, and limit the attack surface to a manageable level.