
Surprising Results in the 2023 Third-Party App Access Report

SaaS apps pose a significant risk for organizations, making it evident that security teams need deeper visibility into both the sheer number and their permissions.
Mar 27th, 2023 11:26am by

Employees are always looking for ways to improve efficiency and reduce complexity in their day-to-day lives. One of the ways they do this is by connecting numerous third-party apps to their Microsoft 365 or Google Workspace. For instance, they may use Automagical Forms to enhance Google Docs’ form-building capabilities or Pixabay Free Images to import images. This SaaS-to-SaaS access has become common practice; the problem is that its security implications are typically overlooked.

Adaptive Shield’s latest report, “Uncovering the Risks & Realities of Third-Party Connected Apps,” dives into the risks of using third-party apps. This report helps security teams better understand the extent and severity of this issue, as it answers three central questions:

  1. How many third-party apps are linked to a company’s Software as a Service stack?
  2. What types of permissions do these apps request?
  3. How genuine is the risk that connected apps pose?

A Significant Amount of Connectivity Occurs

According to the research, companies with 10,000 SaaS users average 2,033 applications connected to Microsoft 365 and 6,710 connected to Google Workspace. The report illustrates, as seen in Figure 1, that as companies grow, their number of connected apps grows as well.

Figure 1. Average number of apps integrated with Google Workspace by users.

Understanding the risk of third-party apps goes beyond the sum of how many there are to what level of permissions these apps are granted. When an app is integrated, it requests specific permissions that the user must grant.

Users Grant Significant Permissions to Their Apps

App permissions can be divided into three categories: low, medium and high risk. Based on the permission scopes granted, applications can exert considerable control.

As seen in Figure 2, nearly 80% of all apps that connect to Google Workspace are classified as medium risk. Meanwhile, 39% of Microsoft 365-connected apps are high risk.

Figure 2. Risk level for apps connected to Microsoft 365 and Google Workspace.

These permissions pose a significant risk to the company, as apps can be taken over by threat actors, who can steal, sell, encrypt or publish the data that they find.

What Can Third-Party Apps Actually Do?

In Microsoft 365, 27% of apps with high scopes can read, update, create and delete content. Many apps are given full access to mailboxes, including the ability to send emails as the user.

Google Workspace’s high-risk app permissions are equally concerning. Forty percent of high-risk scopes provided the app with permission to view, edit, create and delete any or all Google Drive files, while 24% allowed the app to delete all email from a Gmail account.

Figure 3. Top high-risk permissions requested by apps connected to Microsoft 365 and Google Workspace.

These permissions provide threat actors with everything they need to access and steal or encrypt company data. Even without a threat actor, a bug in the software can have disastrous consequences for a company’s data.
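As an added illustration (not code from the report or from Adaptive Shield), the following Python rates a constructed inventory of connected apps by the most powerful scope each was granted, which is how the low/medium/high risk levels above are applied in practice. The tier assignments are this example’s own assumptions, since the report’s exact mapping is not reproduced here; the scope identifiers themselves are real Google OAuth and Microsoft Graph permission names.

```python
from collections import Counter
# Hypothetical risk tiering of OAuth scopes, constructed for this example:
# the report's own low/medium/high mapping is not on the page, so the tiers
# are assumptions; the scope names are real Google and Microsoft Graph ids.
HIGH = {
    "https://www.googleapis.com/auth/drive",  # view/edit/create/delete all Drive files
    "https://mail.google.com/",               # full Gmail access, including delete
    "Files.ReadWrite.All",                    # read/update/create/delete all files
    "Mail.ReadWrite",                         # full mailbox access
    "Mail.Send",                              # send mail as the user
}
MEDIUM = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "Mail.Read",
}
LOW = {
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/drive.file",  # only files the app created/opened
    "User.Read",
}
RANK = {"low": 0, "medium": 1, "high": 2}

def classify_scope(scope):
    for tier, scopes in (("high", HIGH), ("medium", MEDIUM), ("low", LOW)):
        if scope in scopes:
            return tier
    return "unknown"  # not yet tiered: hold the app for manual review

def app_risk(scopes):
    """An app is as risky as the most powerful scope it was granted."""
    tiers = [classify_scope(s) for s in scopes]
    if "unknown" in tiers:
        return "unknown"
    return max(tiers, key=RANK.__getitem__, default="low")

def summarize(inventory):
    """Return per-tier app counts and the share of apps that are high risk."""
    counts = Counter(app_risk(scopes) for scopes in inventory.values())
    share_high = counts["high"] / len(inventory) if inventory else 0.0
    return counts, share_high

# Constructed sample inventory (app name -> granted scopes); not real data.
SAMPLE_INVENTORY = {
    "forms-helper": ["https://www.googleapis.com/auth/drive.file",
                     "https://www.googleapis.com/auth/userinfo.email"],
    "image-importer": ["https://www.googleapis.com/auth/drive"],
    "mail-archiver": ["Mail.Read", "User.Read"],
    "mail-automation": ["Mail.ReadWrite", "Mail.Send"],
}
```

Calling `summarize(SAMPLE_INVENTORY)` yields two high-risk, one medium-risk and one low-risk app, a 50% high-risk share; any scope outside the tables surfaces as "unknown" so it is reviewed rather than silently ignored.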

Takeaways and Insights into SaaS-to-SaaS

The large number of connected apps poses a significant risk for organizations, making it evident that security teams need deeper visibility into both the number of connected SaaS apps and their permissions.

SaaS security solutions, like Adaptive Shield, secure this attack surface by providing full visibility into connected apps and permission scopes. With this data, security teams can make informed decisions for each app, ensuring data integrity and security.

Download the full report, “Uncovering the Risks & Realities of Third-Party Connected Apps,” for more insights and observations on the dangers of connected SaaS apps. 

TNS owner Insight Partners is an investor in: Pragma, Adaptive Shield.