5
min read
Feb 21, 2025

Pain point #3: Why Google Enterprise isn't enough for Shadow Apps

This is a 7-part series released in segments; this third installment focuses on why Google Enterprise is not enough to properly protect your organization from risky third-party applications. The background sections are the same across all the blogs.

Background

Google Workspace has completely revolutionized the way organizations do business, resulting in increased collaboration, productivity and efficiency. Sounds great, right? The only drawback is that all this collaboration comes with a price: an organization’s security is compromised, overexposed data leads to data loss and financial cost, and an organization’s reputation might suffer irreversible damage.

Google Workspace is NOT a Security Solution

Yes, Google Workspace is a super-productive collaboration platform. But it has critical gaps when it comes to security, especially around protecting access to your data, authenticating identities, and monitoring compliance. Learn more about strengthening your Google Drive security to mitigate these risks.

Let’s take a closer look at 7 pain points that pose a critical threat to an organization’s security posture: 

1. Sensitive company data is overexposed on Google Drive - Google Workspace is susceptible to attacks that potentially compromise sensitive information: a staggering 94% of organizations reported phishing attacks in 2024 (Egress Email Security Risk Report). There’s limited visibility into data access, and it’s impossible to know the exact locations of all sensitive assets across Google Drive or how they’re exposed. Overexposure of sensitive data opens the door to data exfiltration and even malicious data breaches.

2. Google Workspace DLP capabilities are limited - They cannot prevent your employees from exfiltrating data through their personal accounts, sharing with external collaborators, or downloading data to endpoints. File sharing permissions are view or edit only, and Google Workspace lacks native tools to prevent sensitive data loss, resulting in unauthorized sharing and potential leakage. It’s difficult, if not impossible, to remediate overexposure of large volumes of data.

3. Malicious or unsanctioned 3rd party shadow apps - The average organization uses over 1200 apps, increasing the potential attack surface. If not properly managed, the proliferation of shadow apps installed in your Google Workspace increases the probability of unauthorized access.

4. Google labels alone don’t prevent data loss - On the one hand, Google labels help to organize, find, and apply policies to files in your Drive. But the more Google labels your organization has, the harder it is to search for specific assets. Google labels don’t provide granular access control. Your organization still needs robust permission settings to ensure sensitive documents aren't accidentally exposed or shared with unauthorized parties.

5. Insider threats and identity challenges - Employees are said to be the weak link in an organization’s security chain, and leaving or disgruntled employees can pose the biggest threat. It’s relatively easy for about-to-leave employees to download large volumes of assets, or worse, delete files. A Google Workspace vulnerability recently allowed hackers to bypass the email verification step when creating accounts, and impersonate legitimate account owners. Even more threatening is that Google’s domain-wide delegation can unintentionally give users unauthorized access to an entire Workspace domain.

6. Challenge of meeting compliance requirements across Google Workspace - Google Workspace’s default settings don’t necessarily meet strict regulation requirements, such as GDPR, CCPA and HIPAA. To ensure compliance, organizations need to invest in manual effort or third-party tools.

7. Difficulty in pinpointing your riskiest use cases and security threats across the organization - With so much data at our fingertips, it becomes a challenge to differentiate high-risk user behavior from medium- or low-risk. We need to know clearly what use cases and anomalies we’re looking for before we can actually see them.

There is a solution. You can bridge your Google Workspace security gaps seamlessly with DoControl, an agentless automated solution that remedies each pain point with ease, without impacting your productivity.

Most security solutions on the market will protect your organization’s endpoint - be it a laptop or mobile device - from being attacked and infecting the entire organization. But these solutions don’t take into account, or even correlate, the user’s behavior across SaaS apps. DoControl connects the data dots between Google Workspace and all your SaaS apps, including Slack, HRIS and IdPs, to provide your organization with a robust security solution based uniquely on enriched data context.

Pain point #3: Why Google Enterprise isn't enough for shadow apps

Challenge: 

Shadow apps are our biggest pain point. Google Workspace has revolutionized productivity at my organization, but it’s brought a proliferation of third-party apps, from work tools to social media platforms. Out of 650 third-party apps, many are risky or unsanctioned. We use Google Workspace to manage shadow apps, but it’s rigid. There are no approval processes or automated workflows to allow or disallow apps. It doesn’t categorize shadow apps according to risk, so we can’t tell what apps are really malicious. And then there’s huge overhead, since we can’t even remove the risky ones in bulk.

Without a way to manage and remediate hundreds of shadow apps, our business is constantly threatened by the looming risk of data breaches and cyber threats.

Solution: 

DoControl’s Shadow App solution secures your Google Workspace by automatically monitoring and remediating any risky third-party apps, including over-permissioned and unsanctioned shadow apps. With DoControl, it’s easy to discover all third-party apps connected to your Workspace and get a risk snapshot for each. With data-rich context in hand, you can easily make and implement intelligent decisions: sanction specific third-party apps, prevent future installations, or remove app tokens in bulk.

How are shadow apps risky?

Third-party apps are convenient and help to streamline work processes, but 61% of organizations experience third-party breaches every year due to excessive permissions.

Google Workspace integrates with thousands of third-party apps and services, many of which require access to your organization’s data. These apps usually ask for a set of permissions, such as “See and download your contacts.” Some permissions are necessary, some are not. 23% of Google Marketplace apps request high-risk scopes like drive.write without justification. Excessive permissions make your Google Workspace less secure and increase your threat surface without any material gain.

Not all third-party add-ons are safe. Some contain vulnerabilities or malicious code that can be exploited by attackers, leading to data breaches or malware infections.

Many third-party apps bypass traditional security controls. If not properly vetted, these apps can inadvertently access or expose your sensitive data, or worse, hijack your Google Workspace and disrupt business, causing financial and reputational damage.

Blind spots in Google Workspace security

Google Workspace provides some native controls for managing third-party apps, but significant security gaps and limitations remain: 

Google measure #1 - Track third-party apps in Google Admin console 

For each installed app in your Google Workspace, you can see how many other organizations use the app, its requested scopes, and whether your organization allows or blocks it. 

Limitations: There’s no risk scoring for third-party apps. Google doesn't rank apps by risk level, number of excessive permissions, app company data, or access frequency, so you can’t tell if an app is malicious or harmless! 

Google measure #2 - Allow only trusted Google Marketplace apps

Using native Google Workspace settings, you can globally block all OAuth connections to external apps, while allowing only trusted Marketplace apps to run in your organization. 

Limitations: But with more than 5000 third-party apps in Google Cloud Marketplace, can you assume all apps are trusted? Only 34% of Marketplace apps completed the Tier 3 Cloud Application Security Assessment (CASA) in 2024, and one quarter of all apps fail the annual revalidation test. Behind every third-party app is a potential attack surface.

Google measure #3 - Add approved apps to a whitelist

You can add trusted third-party apps to a whitelist, allowing users to install them easily, and access Google Workspace data and APIs. Users are prevented from installing Google Marketplace apps that are not on the whitelist.

Limitations: Whitelisting apps not only requires your security team to constantly investigate on an app-by-app basis, but it slows down productivity since no third-party app can be used without explicit admin approval. And did I mention that the whitelist is limited to Google Cloud Marketplace apps? Users can still install non-Marketplace apps freely, increasing the risk surface without scrutiny.

Google measure #4 - Block or allow third-party apps

Using Google Workspace settings, you can classify the access level for each third-party app in your organization:

  • Trusted - Full access is given to Google services
  • Limited - Access is given to unrestricted Google services only
  • Blocked - No access is given to any Google data or services

Limitations: Unfortunately these permission categories are pretty rigid, and it takes time and resources to classify each app. There are no automated processes for approving new installations.

Just how risky is a specific app? Without data context or a risk score, it’s difficult to know if an app should be allowed or blocked. 

Trusted apps can also be over-permissioned, with the ability to read, write, and delete data. When apps ask for unnecessary permissions, it expands your attack surface, making your Google Workspace less secure.

Google measure #5 - Change access levels

For multiple risky apps, you can change their access category in bulk via a CSV file, and enter multiple fields manually. This is incredibly time-consuming and cumbersome, and only allows you to define if a specific app is trusted, limited or blocked.

Limitations: When it comes to classifying third-party apps across an organization, it’s a huge overhead. In the average organization, 4-5 new shadow apps are added every week, making it challenging to maintain visibility and control with a static CSV file.

Google measure #6 - Manually review app activity logs 

You can view activity logs of timestamps and IP addresses that accessed Google Workspace services for a lookback period of 6 months.

Limitations: Any anomalous access patterns in Google Workspace are not automatically flagged, so trying to detect a suspicious access pattern is like looking for a needle in a haystack! The activity logs are not specifically tied to third-party app usage, and there’s no automated baselining of normal app activity patterns.

What’s more, Google can only track third-party apps that authenticate through Google sign-in. If an app doesn't use this method, Google won’t know about its usage or access patterns.
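The baselining that Google’s raw activity logs lack, written out as an added example that is not DoControl’s or Google’s code: it learns the source IPs each app normally uses during a training window, then flags later events from a new IP, from an app never seen before, or outside working hours. The event shape and all timestamps and IPs are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed token-activity records: (ISO timestamp, app name, source IP).
# The shape is this example's own; real Workspace audit events carry more fields.
SAMPLE_EVENTS = [
    ("2025-02-10T09:02:00", "PDF Merge Helper", "203.0.113.10"),
    ("2025-02-11T09:05:00", "PDF Merge Helper", "203.0.113.10"),
    ("2025-02-12T09:01:00", "PDF Merge Helper", "203.0.113.11"),
    ("2025-02-13T09:04:00", "PDF Merge Helper", "203.0.113.10"),
    ("2025-02-20T03:17:00", "PDF Merge Helper", "198.51.100.7"),  # new IP, night
    ("2025-02-20T09:00:00", "Mail Digest Bot", "203.0.113.20"),   # app never seen
]
CUTOFF = "2025-02-15T00:00:00"  # events before this build the baseline


def parse(events):
    """Turn the ISO timestamps into datetimes; everything else passes through."""
    return [(datetime.fromisoformat(t), app, ip) for t, app, ip in events]


def baseline(events, cutoff):
    """Per-app set of source IPs observed before the cutoff (the 'normal' pattern)."""
    cut = datetime.fromisoformat(cutoff)
    seen = defaultdict(set)
    for ts, app, ip in parse(events):
        if ts < cut:
            seen[app].add(ip)
    return seen


def flag_anomalies(events, cutoff, work_hours=(7, 20)):
    """Return post-cutoff events that deviate from the baseline, with reasons."""
    cut = datetime.fromisoformat(cutoff)
    base = baseline(events, cutoff)
    flagged = []
    for ts, app, ip in parse(events):
        if ts < cut:
            continue
        reasons = []
        if ip not in base.get(app, set()):
            # An app with no baseline at all is a new installation, not just a new IP.
            reasons.append("new-ip" if app in base else "new-app")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append("off-hours")
        if reasons:
            flagged.append((ts.isoformat(), app, ip, reasons))
    return flagged


if __name__ == "__main__":
    for row in flag_anomalies(SAMPLE_EVENTS, CUTOFF):
        print(*row)
```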

Introducing DoControl’s Shadow App module

With DoControl’s Shadow App module, you can be confident that all third-party apps in your Google Workspace are automatically monitored and remediated.

Every app connected to Google Workspace, including vulnerable, abandoned and over-privileged apps, can potentially access your organization’s data. Google Workspace might have some access policies for managing third-party apps, but there are critical holes in risk analytics and compliance automation that open the door to exploitation. Unless you patch those gaps with DoControl.

With DoControl, you can manage your shadow apps in these steps:

  1. Filter all your third-party apps having a high risk score.
  2. Evaluate if an app should be allowed or banned, based on DoControl’s data-enriched risk snapshot.
  3. Classify your third-party apps (sanctioned, unsanctioned, or banned) either surgically or in bulk.
  4. Remediate in bulk any unsanctioned or banned apps by removing specific user tokens or the entire app.
  5. Automate granular workflows to prevent future installations of risky third-party apps.

Shadow app discovery 

The first step to securing your Google Workspace apps is to know exactly which third-party apps are connected to your Google Workspace. DoControl provides instant visibility into every connected third-party app, including:

  • Over-privileged and untrusted apps
  • Used and abandoned third-party apps
  • Removed and reinstalled apps
  • Users with the most risky apps installed

With advanced filtering capabilities, you can easily pinpoint all shadow apps installed by a specific user, detect all shadow apps published by private domains, detect non-compliant risky apps, and more.

Once filtered, it’s easy to remediate your risky apps with a single click, for example, by removing all user tokens from abandoned apps.

New app installations are detected almost immediately, so you can respond more quickly to unauthorized app usage. 

DoControl’s Shadow App dashboard gives you instant visibility into all your third-party apps

Comprehensive risk snapshot

How can you decide if a third-party app should operate in your organization or not? While Google gives scant details about the apps installed in your Workspace, DoControl provides a comprehensive and reliable risk snapshot for each app, including: 

  • App activity - Insights into IP access patterns to detect anomalous behavior.
  • App and company data - Enriched data about the company's business reputation, compliance, and Marketplace rating.
  • App usage - A high app usage might imply a higher risk, while no usage suggests an abandoned app, which increases the attack surface.
  • Category - Type of app according to Google Workspace Marketplace categories, such as Office Apps or Marketing & Analytics.
  • Origin - Third-party apps originating from a private domain such as gmail could indicate a risky app.
  • Permissions and scopes - Extent of app permissions and scopes for each shadow app installed in your organization. The permission level indicates to what extent these permissions are intrusive (low, medium, or high).
  • Type - Application client type for which the app was developed, such as Android or iOS.

DoControl fuses these multiple risk elements into a single cohesive exposure risk score for each third-party app. In this way, you can swiftly decide which third-party apps follow organizational policies, classify apps as sanctioned, unsanctioned or banned, and define automated workflows to run on future app installations.
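To make the scope-, origin- and usage-based scoring described above concrete, here is an added example (not DoControl’s code) that maps a grant’s OAuth scopes to a low/medium/high intrusiveness level and fuses it with publisher origin and staleness into one exposure score. The scope tiers, weights, 90-day abandonment threshold and the sample inventory are this example’s own assumptions; the scope URLs are real Google scopes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Heuristic intrusiveness tiers for common Google OAuth scopes.
# The grouping is this example's assumption, not a Google or DoControl ranking.
HIGH_SCOPES = {
    "https://www.googleapis.com/auth/drive",                 # full Drive read/write/delete
    "https://www.googleapis.com/auth/gmail.modify",          # read, send and alter mail
    "https://www.googleapis.com/auth/admin.directory.user",  # manage directory users
}
MEDIUM_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
}
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com"}  # "private domain" origin signal
ABANDONED_AFTER_DAYS = 90


@dataclass
class AppGrant:
    name: str
    publisher_domain: str          # domain owning the app's OAuth client
    scopes: list
    users: int                     # users holding a live token
    last_activity: Optional[date]  # None = no API activity ever observed


def scope_level(scopes):
    """Map the grant's scopes to the low/medium/high level shown in a risk snapshot."""
    if any(s in HIGH_SCOPES for s in scopes):
        return "high"
    if any(s in MEDIUM_SCOPES for s in scopes):
        return "medium"
    return "low"


def risk_score(app, today):
    """Fuse scope intrusiveness, publisher origin and staleness into one score."""
    score = {"low": 1, "medium": 3, "high": 6}[scope_level(app.scopes)]
    if app.publisher_domain in CONSUMER_DOMAINS:
        score += 2                 # app published from a consumer mailbox domain
    stale = app.last_activity is None or (today - app.last_activity).days >= ABANDONED_AFTER_DAYS
    if stale:
        score += 2                 # token still authorized but app is abandoned
    return score


# Constructed sample inventory (not real apps or tenant data).
SAMPLE_APPS = [
    AppGrant("Calendar Sync Pro", "examplevendor.com", ["https://www.googleapis.com/auth/calendar.readonly"], 40, date(2025, 2, 18)),
    AppGrant("PDF Merge Helper", "gmail.com", ["https://www.googleapis.com/auth/drive"], 3, date(2024, 9, 1)),
    AppGrant("Mail Digest Bot", "examplevendor.com", ["https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/userinfo.email"], 12, date(2025, 2, 20)),
]


def triage(apps, today=date(2025, 2, 21)):
    """Return (name, level, score) rows, riskiest first, ready for bulk classification."""
    rows = [(a.name, scope_level(a.scopes), risk_score(a, today)) for a in apps]
    return sorted(rows, key=lambda r: r[2], reverse=True)
```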

Overview of an app’s risk snapshot
At a glance, see if an app is over-permissioned. View the app’s total risk score based on aggregated risk elements
Detect anomalous behavior in third-party app activity

Shadow app categorization in bulk

DoControl gives you all the data you need to decide whether a third-party app is risky or not.

After you assess the potential risk of each app, you can classify apps as allowed (sanctioned), disallowed (unsanctioned), or banned (risky and unsanctioned). 

With DoControl, you can also classify your apps in bulk, taking care of all your over-permissioned, malicious or dormant apps in a single click. 

Once apps are classified as sanctioned or unsanctioned, it's easy to manage and filter them, see at a glance which apps follow organizational governance policies, and boost your overall Google compliance posture.

Historic and future remediation of shadow apps

Only with DoControl workflows can you mitigate your shadow app risk at scale for both historic and future installations, either surgically or in bulk:

Historic remediation in a click

One-time remediation at scale saves your security and IT teams weeks to months of manual work. With DoControl, perform on-demand historical cleanup of banned or unsanctioned shadow apps. Remove up to 10,000 user tokens for the entire organization or specific users, saving tremendous time and effort.

On-demand bulk remediation of shadow apps

Automated remediation for future enforcement

With DoControl you can set up granular, automated workflows triggered by the installation of risky apps in your Google Workspace.

If an installed app is found to have excessive permissions or suspicious activity, DoControl will automatically remediate the risk. Depending on your workflow, DoControl will revoke user permissions, or remove the app altogether.

Only DoControl automatically remediates overprivileged, vulnerable, abandoned, and potentially malicious applications, reducing your attack surface with minimal effort.

DoControl automatically removes any third-party apps with risky scopes that are installed in the future

Take-away

DoControl discovers all interconnected third-party apps within your SaaS estate, and exposes a full mapping and inventory of internal, first-party and third-party applications. By providing your organization with instant visibility into shadow app usage and risk, DoControl gives you the full business context to effectively manage and mitigate shadow app risks.

Only with DoControl can you get data-enriched risk snapshots for each and every third-party app, classify your apps in bulk, remove unsanctioned or banned apps in bulk, and set up automated workflows to remediate any future installations of shadow apps.

FREE Google Workspace Risk Assessment

The first step in securing your Google Workspace is to assess and understand your risks. That's why we offer a free Google Workspace risk assessment that provides the insights you need to identify existing risks and determine the actions required to mitigate them.

If you are interested, feel free to reach out to our team.

Sarah is DoControl's lead content writer, specializing in product documentation and supporting strategic marketing initiatives. She excels at translating complex technical use cases into clear, easy-to-understand content, helping users and the broader market fully grasp how to maximize the value of DoControl.
