Analysing and managing risk from third-party OAuth application access

Abstract

Modern cloud application architectures allow users to dynamically grant third-party apps access to their cloud resources. When looking at a large, anonymised dataset of over 600,000 users and their approvals of over 43,000 applications, we found that organisations often are unaware of the magnitude of the access problems: on average, an organisation will grant 440 unique third-party apps access to Google data and resources; one organisation’s users approved 12,330 unique applications; out of all the approved applications, over 44 per cent have been granted access to either sensitive data or all data on the user’s Google Drive. The use of OAuth 2.0 has resulted in users creating numerous, unknown access paths from external third-party apps to organisations’ data and resources, in a way that is often hidden and unmanaged by organisations’ IT or security departments. In addition, the credentials granted to access users’ cloud data and resources often can be refreshed indefinitely. Security operations face challenges such as minimal to no tracking or management of these paths or credentials, along with immature or incomplete technical controls. This paper discusses an approach to understanding, assessing, analysing and managing third-party OAuth application risk, using anonymised real-world data as relevant examples, to provide prescriptive guidance on reducing risk associated with third-party applications.