Shocking Findings from the 2023 Third-Party App Access Report


Spoiler Alert: Organizations with 10,000 SaaS users that use M365 and Google Workspace average over 4,371 additional connected apps.

SaaS-to-SaaS (third-party) app installations are rising nonstop at organizations around the globe. When an employee wants an additional app to improve their efficiency or productivity, they rarely think twice before installing it. Most employees do not even realize that this SaaS-to-SaaS connectivity, which requires scopes like the ability to read, update, create, and delete content, increases their organization's attack surface in a significant way.

Third-party app connections typically happen outside the view of the security team, and are not vetted to understand the level of risk they pose.

Adaptive Shield's latest report, Uncovering the Risks & Realities of Third-Party Connected Apps, dives into the data on this topic. It reviews the average number of SaaS-to-SaaS apps organizations have, and the level of risk they present. Here are the top five findings.

Finding #1: Connected Apps Run Deep

The report focuses on Google Workspace and Microsoft 365 (M365), as they paint a clear picture of the scope of applications that are integrating with the two platforms.

On average, a company with 10,000 SaaS users using M365 has 2,033 apps connected to its suite of applications. Companies of that size using Google Workspace have more than three times the number, averaging 6,710 connected applications.

Even smaller companies aren't immune. The report found that companies using M365 average 0.2 applications per user, while those using Google Workspace average 0.6 applications per user.

Finding #2: The More Employees, the More Apps

In contrast to most growth curves, the research shows that the number of apps per user does not level off or plateau once a critical mass of users is reached. Rather, the number of applications continues to grow with the number of users.

As seen in figure 1, companies using Google Workspace with 10,000-20,000 employees average nearly 14,000 unique connected applications. This continued growth is surprising to security teams, and makes it nearly impossible for them to manually discover and manage the high volume of applications.

Figure 1: Average number of apps integrated with Google Workspace by users

For the full 2023 SaaS-to-SaaS Access Report, click here.

Finding #3: SaaS-to-SaaS App Risk is High

When third-party apps integrate with core SaaS apps, they gain access using an OAuth process. As part of this process, applications request specific scopes. These scopes hand over a great deal of power to the apps.

Among high-risk scopes, 15% of M365 applications request the authority to delete all files that the user can access. It gets even scarier in Google Workspace applications, where 40% of high-risk scopes receive the ability to delete all Google Drive files.

As shown in this permission tab, the application explicitly requests permission to see, edit, create, and delete all Google Docs documents, Google Drive files, Google Slides presentations, and Google Sheets spreadsheets.

For security teams accustomed to controlling the data, permission sets like these are unsettling. Considering that many applications are created by individual developers who may not have prioritized security in their software development, these permissions provide threat actors with everything they need to access and steal or encrypt company data. Even without a threat actor, a bug in the software can have disastrous consequences for an organization's data.

Figure 2: High-Risk Permission Request from a third-party application

Finding #4: Connected Apps Also Have Tremendous Breadth

While the report deep dives into the big two SaaS apps, it also releases research into Salesforce (and Slack). Salesforce averages 41 integrated apps per instance. The implication of this is noteworthy.

Salesforce is primarily used by a small subset of the company. In that regard, it is similar to Workday, GitHub, and ServiceNow, which are used by HR, developers, and finance teams. A typical company with 10,000 employees has over 350 SaaS applications in its stack, many of which are used by smaller departments like the apps discussed here.

Assuming Salesforce is typical of comparable applications, these 350 apps integrating with 40 apps each adds an additional 14,000 third-party applications into the equation.

Finding #5: M365 and Google Workspace Have Similar Number of High-Risk Apps

One of the more interesting takeaways was the high number of high-risk apps connecting to Microsoft compared to Google Workspace. Apps request high-risk permissions from M365 39% of the time; Google Workspace apps only request high-risk permissions 11% of the time. In terms of real numbers, an average installation in a company with 10,000 SaaS users using M365 will have 813 high-risk apps, while Google Workspace will have 738 apps that are considered high-risk.

In all likelihood, this disparity is caused by the app creation process. Google requires apps requesting high-risk (it calls them Restrictive) permissions to be reviewed. The review process is much simpler for those requesting medium, or sensitive, permissions. Microsoft does not label requested scopes with severity levels. This lack of oversight makes it much easier for apps that connect with M365 to request high-risk scopes.
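Since Microsoft does not label scopes by severity and Google only reviews its Restrictive tier, a security team that wants the numbers in Findings #3 and #5 for its own tenant has to assign risk tiers itself. The script below is an added example, not code from the report or from Adaptive Shield: it triages a constructed inventory of connected apps by the OAuth scopes they were granted. The scope strings are real Google Workspace and Microsoft Graph identifiers, but the mapping of scopes to "high", "medium" and "low" tiers, and the sample app names, are this example's own assumptions.

```python
"""Triage a SaaS-to-SaaS OAuth grant inventory by scope risk.

Added example (not from the report or Adaptive Shield). The inventory is
constructed; the scope strings are real Google / Microsoft Graph identifiers,
but the risk tiers below are this example's own assumption.
"""
from dataclasses import dataclass, field

# Assumed tiers. "high" = the app can modify or delete all data the user can reach.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive",   # Google: see/edit/create/delete all Drive files
    "https://mail.google.com/",                # Google: full Gmail access
    "Files.ReadWrite.All",                     # Graph: read/write all files the user can access
    "Sites.ReadWrite.All",                     # Graph: read/write all SharePoint sites
    "Mail.ReadWrite",                          # Graph: read/write user mail
}
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "Files.Read.All",
    "Mail.Read",
}
# Subset of the high tier that grants deletion of every file the user can reach
DELETE_ALL_FILES_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "Files.ReadWrite.All",
    "Sites.ReadWrite.All",
}


@dataclass
class ConnectedApp:
    name: str
    platform: str                     # "google" or "m365"
    scopes: list[str] = field(default_factory=list)


def risk_tier(scopes: list[str]) -> str:
    """Worst tier among the granted scopes: 'high', 'medium' or 'low'."""
    if any(s in HIGH_RISK_SCOPES for s in scopes):
        return "high"
    if any(s in MEDIUM_RISK_SCOPES for s in scopes):
        return "medium"
    return "low"


def can_delete_all_files(scopes: list[str]) -> bool:
    """True if the grant includes a scope that allows deleting all reachable files."""
    return any(s in DELETE_ALL_FILES_SCOPES for s in scopes)


def summarize(apps: list[ConnectedApp]) -> dict[str, dict]:
    """Per platform: app count, high-risk count and share, delete-capable count."""
    out: dict[str, dict] = {}
    for app in apps:
        stats = out.setdefault(app.platform, {"apps": 0, "high_risk": 0, "can_delete_files": 0})
        stats["apps"] += 1
        if risk_tier(app.scopes) == "high":
            stats["high_risk"] += 1
        if can_delete_all_files(app.scopes):
            stats["can_delete_files"] += 1
    for stats in out.values():
        stats["high_risk_pct"] = round(100 * stats["high_risk"] / stats["apps"], 1)
    return out


def review_queue(apps: list[ConnectedApp]) -> list[str]:
    """Names of high-risk apps, i.e. the ones needing a cost-benefit review."""
    return sorted(a.name for a in apps if risk_tier(a.scopes) == "high")


# Constructed sample inventory (app names are hypothetical)
INVENTORY = [
    ConnectedApp("Slide Designer Pro", "google",
                 ["https://www.googleapis.com/auth/drive",
                  "https://www.googleapis.com/auth/presentations"]),
    ConnectedApp("Calendar Sync", "google", ["https://www.googleapis.com/auth/calendar.readonly"]),
    ConnectedApp("Doc Reader", "google", ["https://www.googleapis.com/auth/drive.readonly"]),
    ConnectedApp("Mail Merge Helper", "google", ["https://mail.google.com/"]),
    ConnectedApp("Team Signatures", "m365", ["User.Read", "Mail.ReadWrite"]),
    ConnectedApp("Site Backup", "m365", ["Sites.ReadWrite.All", "Files.ReadWrite.All"]),
    ConnectedApp("Org Chart", "m365", ["User.Read"]),
]

if __name__ == "__main__":
    for platform, stats in summarize(INVENTORY).items():
        print(platform, stats)
    print("review queue:", review_queue(INVENTORY))
```

In practice the inventory would be exported from the admin consoles (Google Workspace's connected-apps view or the Entra ID enterprise applications list) rather than hard-coded; the tiering logic stays the same, and the `review_queue` output is the list of apps the closing section says each need a cost-benefit decision.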

SaaS Security is Far More Complex than Most Recognize

The overall takeaway from reading the report is the immense challenge of securing SaaS software. It's clear that security teams need visibility into the thousands of apps being connected to the SaaS stack, and must make a cost-benefit analysis for each high-risk connected app.

SaaS security solutions, like Adaptive Shield, provide security teams with the visibility needed to see connected applications and their scopes, among other important SaaS security capabilities. Armed with this information, security teams will be in a much better position to harden their applications' security posture and prevent data from falling into the wrong hands.
