Apps are an integral part of our everyday lives. We use apps to check the weather forecast, order takeout or delivery from local restaurants, and follow our favorite sports teams. While many apps we use are first-party applications, others come from third parties like DocuSign, LumApps, and Mailmeteor, among others¹. They serve a variety of functions, from quick eSignature integration to sending thousands of personalized emails simultaneously¹. However, installing and using third-party apps brings its fair share of risks.
Consider General Electric’s 2020 data breach, for example. ISACA outlines that with security measures lacking for both GE and Canon Business Process Services, its third-party partner, the breach exposed 200,000 current and former employees’ personal and health benefits records². This is not a favorable outcome for any business, let alone a global powerhouse.
Of course, the dangers of using third-party apps are not just limited to multinational corporations like GE. They can be hazardous to your business as well, particularly regarding the level of access your employees have to corporate data³. For example, suppose you work for a company with a bring-your-own-device (BYOD) policy³. You extensively use your iPhone to access your Gmail account and Google Drive documents, but then you decide to install a third-party app requesting permission to access your Google account during the installation process³. Now, place yourself in the employer’s shoes and ask, “How do I protect my business from falling into the trap of vulnerable third-party apps?”
Enter third-party application auditing. This process allows network administrators to act on multiple third-party applications that users or other admins have installed within their domains, either by revoking or approving access⁴. In this article, we will learn more about third-party app auditing and its benefits for your business.
A third-party apps audit allows administrators to approve or revoke access to certain apps by organizing them into three distinct categories: (1) Block List, (2) Allow List, or (3) Unresolved⁴. The Block List revokes access to applications for all users who install a particular app, even if they uninstall and subsequently reinstall it⁴. However, the Allow List serves the opposite purpose⁴. It enables users on the domain to use and install the application⁴. Meanwhile, if you list apps as Unresolved, you have not yet reviewed them for placement either on the Allow or Block list⁴.
Remember that before auditing, there are several vital steps you must take. First, take note of any installed third-party applications on your domain, then narrow the search to the ones that have requested and/or been granted access to your Gmail or Google Drive account⁵. Those accounts store your sensitive information and important data, so it’s crucial to be sure you can trust any applications that have been granted access. One way to determine if an application has malicious intentions is to consider if the permission request is fitting for the app’s purpose; as an example, games that ask for access to Google Drive may not be trustworthy⁵. You should also evaluate new applications daily and decide whether to whitelist or blacklist each app⁵.
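The pre-audit steps above (inventory the apps, narrow to those with Gmail or Google Drive access, check whether the permission fits the app's purpose, then sort into the three lists) can be sketched in Python. This is an added example, not code from this article or from any auditing product it cites; the app names, users, categories and the EXPECTED purpose mapping are constructed assumptions, while the scope URLs are standard Google OAuth scopes.

```python
from dataclasses import dataclass

# Google OAuth scope prefixes that grant Gmail or Drive access.
SENSITIVE = {
    "gmail": ("https://mail.google.com/", "https://www.googleapis.com/auth/gmail."),
    "drive": ("https://www.googleapis.com/auth/drive",),
}
# Assumption: the services each app category plausibly needs for its purpose.
EXPECTED = {"esignature": {"drive"}, "mail_merge": {"gmail", "drive"}, "game": set()}

@dataclass(frozen=True)
class Grant:
    app: str
    category: str
    user: str
    scopes: tuple

# Constructed inventory; app names, users and categories are made up.
SAMPLE_GRANTS = [
    Grant("SignFlow", "esignature", "ana@example.com", ("https://www.googleapis.com/auth/drive.file",)),
    Grant("BulkMailer", "mail_merge", "ben@example.com", ("https://www.googleapis.com/auth/gmail.send",)),
    Grant("PuzzleQuest", "game", "ana@example.com", ("https://www.googleapis.com/auth/drive",)),
    Grant("PuzzleQuest", "game", "cy@example.com", ("https://www.googleapis.com/auth/drive",)),
    Grant("WeatherNow", "weather", "cy@example.com", ("openid", "https://www.googleapis.com/auth/userinfo.email")),
]

def services_touched(scopes):
    """Return which of Gmail/Drive a set of scopes reaches."""
    return {svc for svc, prefixes in SENSITIVE.items()
            for scope in scopes if scope.startswith(prefixes)}

def triage(grants, allow_list, block_list):
    """Group grants per app, keep only apps reaching Gmail/Drive, assign a list."""
    apps = {}
    for g in grants:
        entry = apps.setdefault(g.app, {"category": g.category, "users": set(), "services": set()})
        entry["users"].add(g.user)
        entry["services"] |= services_touched(g.scopes)
    report = {}
    for app, entry in apps.items():
        if not entry["services"]:
            continue  # no Gmail/Drive access: outside this audit's scope
        entry["status"] = ("Block List" if app in block_list
                           else "Allow List" if app in allow_list else "Unresolved")
        # Access beyond what the app's purpose explains (unknown category: all of it).
        entry["unexpected"] = entry["services"] - EXPECTED.get(entry["category"], set())
        report[app] = entry
    return report

def review_queue(report):
    """Unresolved apps, purpose mismatches first, then by number of users."""
    pending = [(a, e) for a, e in report.items() if e["status"] == "Unresolved"]
    pending.sort(key=lambda p: (not p[1]["unexpected"], -len(p[1]["users"]), p[0]))
    return [a for a, _ in pending]
```

With SignFlow on the Allow List, the review queue puts the game holding full Drive access ahead of the mail-merge tool, which matches the "does the permission fit the purpose" test described above.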
Now that you know how third-party app auditing works, we will explain some of its advantages for your business. One benefit of third-party app auditing is that it gives you a better idea of the apps your employees install and utilize every day³. By running a daily automated scan of all apps your users install, third-party auditing produces reports you can use as a valuable tool³. Each report lists all the apps with an at-a-glance, color-coded view of their risk level: low, medium, or high³. In short, third-party auditing helps you keep track of your applications and ensure that employees are not installing potentially malicious apps on your company’s computer systems³.
While third-party app auditing helps you block risky apps quickly and easily, it also has specific benefits for Google G Suite administrators. If you are a G Suite admin, third-party app audits enable you to monitor all applications with access to your corporate data³. Thus, you can discover immediately if any of your employees have violated company policies, such as the data access policy³. For instance, you can find out whether any of your employees have downloaded sensitive data to their private accounts³. This shows that regular third-party app auditing is essential for effective application management.
Navitend can help you. Call 973.448.0070 or set up an appointment today.
Sources:
¹Chrome Unboxed. “Google lists their recommended third-party apps for Google Workspace” by Johanna Romero. Retrieved from https://chromeunboxed.com/2022-recommended-workspace-third-party-apps.
²ISACA. “How to Identify Vulnerable Third-Party Software” by Victor Gamra. Retrieved from https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/how-to-identify-vulnerable-third-party-software.
³Spin Technology, Inc. “Third-Party Applications Audit: Complete Guide.” Retrieved from https://spinbackup.com/blog/third-party-applications-audit/.
⁴BetterCloud. “Third Party Apps Audit” by Chris Fadell. Retrieved from https://support.bettercloud.com/s/article/Third-Party-Apps-Audit-bc60076.
⁵BetterCloud. “Third-Party Apps Auditing & Compliance Out of Beta, Suggested Policies.” Retrieved from https://www.bettercloud.com/monitor/third-party-apps-auditing-compliance-beta-suggested-policies.