Surprising Results in the 2023 Third-Party App Access Report
Employees are always looking for ways to improve efficiency and reduce complexity in their day-to-day lives. One of the ways they do this is by connecting numerous third-party apps to their Microsoft 365 or Google Workspace. For instance, they may use Automagical Forms to enhance Google Docs’ form-building capabilities or Pixabay Free Images to import images. This SaaS-to-SaaS access has become common practice; the problem is that its security implications are typically overlooked.
Adaptive Shield’s latest report, “Uncovering the Risks & Realities of Third-Party Connected Apps,” dives into the risks of using third-party apps. This report helps security teams better understand the extent and severity of this issue, as it answers three central questions:
- How many third-party apps are linked to a company’s Software as a Service stack?
- What types of permissions do these apps request?
- How genuine is the risk that connected apps pose?
A Significant Amount of Connectivity Occurs
According to the research, companies with 10,000 SaaS users average 2,033 applications connected to Microsoft 365 and 6,710 connected to Google workspace. The report illustrates, as seen in figure 1, that as companies grow their number of connected apps does as well.
Figure 1. Average number of apps integrated with Google Workspace by users.
Understanding the risk of third-party apps goes beyond the sum of how many there are to what level of permissions these apps are granted. When an app is integrated, it requests specific permissions that the user must grant.
Users Grant Significant Permissions to Their Apps
App permissions can be divided into three categories: low, medium and high risk. Based on the permission scopes granted, applications can exert considerable control.
As seen in Figure 2, nearly 80% of all apps that connect to Google Workspace are classified as medium risk. Meanwhile 39% of Microsoft 365-connected apps are high risk.
Figure 2. Risk level for apps connected to Microsoft 365 and Google Workspace.
These permissions pose a significant risk to the company, as apps can be taken over by threat actors, who can steal, sell, encrypt or publish the data that they find.
What Can Third-Party Apps Actually Do?
In Microsoft 365, 27% of apps with high scopes can read, update, create and delete content. Many apps are given full access to mailboxes, including the ability to send emails as the user.
Google Workspace’s high-risk app permissions are equally concerning. Forty percent of high-risk scopes provided the app with permission to view, edit, create and delete any or all Google Drive files, while 24% allowed the app to delete all email from a Gmail account.
Figure 3. Top high-risk permissions requested by apps connected to Microsoft 365 and Google Workspace.
These permissions provide threat actors with everything they need to access and steal or encrypt company data. Even without a threat actor, a bug in the software can have disastrous consequences for a company’s data.
Takeaways and Insights into SaaS-to-SaaS
The large magnitude of connected apps pose a significant risk for organizations, making it evident that security teams need deeper visibility into both the amount of connected SaaS apps and their permissions
SaaS security solutions, like Adaptive Shield, secure this attack surface by providing full visibility into connected apps and permission scopes. With this data, security teams can make informed decisions for each app, ensuring data integrity and security.
Download the full report, “Uncovering the Risks & Realities of Third-Party Connected Apps,” for more insights and observations on the dangers of connected SaaS apps.
