
SaaS-to-SaaS Third-party Integrations in Google Workspace

As organizations migrate to Google Workspace (formerly G Suite) as their chosen SaaS-based productivity suite, they are looking to use pre-built and custom integrations to maximize their Google Workspace benefits. Employees can connect their Gmail, Google Calendar, Google Drive, etc. with third-party vendors by consenting to third-party apps via OAuth tokens and/or Google Workspace Marketplace apps. These apps can be used to improve business productivity, from scheduling meetings, to optimizing their inbox, to integrating analysis tools with Google Docs and Google Sheets.

In addition, administrators can configure organization-wide access tokens through the Domain Wide Delegation functionality: by consenting to it, an administrator grants an integration the ability to impersonate any user in the Google Workspace tenant. Lastly, citizen developers can leverage the built-in low-code development platform, Google Apps Script, to automate business workflows by integrating multiple data sources.

Securing Non-human Third-party Integrations

While Google Workspace is inherently secure, third-party vendors who have access to it through these methods can be a weak link. Inherently risky or over-privileged OAuth tokens and similar grants can be exploited to gain the keys to the kingdom, placing Google Workspace customers at risk of data breaches and account exposure.

Supply chain access attacks against Google Workspace are not properly covered by existing security approaches such as IdP (Identity Providers), CASB (Cloud Access Security Broker) and SSPM (SaaS Security Posture Management) solutions that focus on human-to-SaaS access controls and neglect the critical growing non-human SaaS-to-SaaS third-party integration layer.

Google Workspace Supply Chain Risks

In the past, researchers analyzed the permissions requested by Google Workspace Marketplace apps and found that many apps with access to sensitive data can communicate with undisclosed external services. Attackers have realized that they can leverage this attack surface, as in the famous “Google Defender” consent phishing campaign that tricked millions into consenting to a malicious third-party OAuth app. At DEF CON 2021, Matthew Bryant showed in his “Hacking G Suite: The Power Of Dark Apps Script Magic” talk how attackers can leverage Google Apps Script to bypass Google Workspace security controls. As the central productivity suite for organizations, Google Workspace is a fertile ground for custom-developed integrations, by developers and citizen developers alike. The more custom integrations an organization has developed, the more likely it is to find misconfigurations such as over-privileged scopes or improper secret storage practices such as poor handling of tokens and secrets.

How Can Valence Help?

Valence seamlessly integrates with your Google Workspace environment and helps you discover your SaaS mesh attack surface and manage the risks associated with it:

  • Discover all your third-party integrations that connect to Google Workspace such as OAuth tokens and Domain Wide Delegation
  • Analyze the scope of access and actual usage of SaaS-to-SaaS connections to remove over-privileged and inactive integrations
  • Uncover the third-party vendors that were granted access tokens to ensure alignment with vendor risk management and TPRM programs
  • Monitor API calls made by third-party apps to detect potential abuse, compromise or API takeover attacks against your critical data
  • Automate workflows to ensure effective remediation and communication with end users and business owners in the modern distributed IT environment
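As an added example (not Valence's code or product), here is how a defender could inventory and triage the OAuth grants the first two bullets describe, using records in the shape of the Admin SDK Directory API users.tokens.list response. The token records and app names are constructed sample data, and the list of scopes treated as high-risk is an assumption about what counts as over-privileged.

```python
"""Triage third-party OAuth grants in a Google Workspace tenant.

Records use the shape of the Admin SDK Directory API users.tokens.list
response (clientId, displayText, scopes, anonymous, userKey). SAMPLE_TOKENS
is constructed data, not a real tenant export.
"""

# Real Google scope URLs that grant broad access; a starting list, not exhaustive.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "read/modify Gmail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/calendar": "full Calendar access",
    "https://www.googleapis.com/auth/admin.directory.user": "manage users",
}

SAMPLE_TOKENS = [  # constructed; same shape as the API's "items" array
    {"userKey": "alice@example.com", "clientId": "1111.apps.googleusercontent.com",
     "displayText": "Scheduling Helper", "anonymous": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly", "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "bob@example.com", "clientId": "2222.apps.googleusercontent.com",
     "displayText": "Inbox Optimizer", "anonymous": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"userKey": "dana@example.com", "clientId": "2222.apps.googleusercontent.com",
     "displayText": "Inbox Optimizer", "anonymous": False,
     "scopes": ["https://mail.google.com/"]},
    {"userKey": "carol@example.com", "clientId": "3333.apps.googleusercontent.com",
     "displayText": "Doc Analyzer", "anonymous": True,
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
]


def assess_tokens(tokens):
    """Return {clientId: finding} for grants that deserve review.
    A grant is flagged for any high-risk scope, or when the app is 'anonymous'
    (not registered with Google). Users and reasons are merged per client, so an
    app consented to by many employees is one finding with its full blast radius.
    """
    findings = {}
    for tok in tokens:
        reasons = {HIGH_RISK_SCOPES[s] for s in tok.get("scopes", []) if s in HIGH_RISK_SCOPES}
        if tok.get("anonymous"):
            reasons.add("anonymous app (not registered with Google)")
        if not reasons:
            continue  # least-privilege, registered app: nothing to review
        f = findings.setdefault(tok["clientId"], {"app": tok.get("displayText", "?"),
                                                  "users": set(), "reasons": set()})
        f["users"].add(tok["userKey"])
        f["reasons"] |= reasons
    return findings
```

In a real tenant the input would come from iterating users.tokens.list over every user; the per-client merge is what turns thousands of individual consents into a short list of apps to review or revoke.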

Request A Free SaaS-to-SaaS Third-Party Integration Risk Assessment for Google Workspace
