Third-party Applications and the Impact on Google Drive Security

Interested in learning more? Check out our Introduction to Google Drive Security

By nature, third-party applications pose a significant security risk. Although Google takes great pains to secure Google Drive, this effort can be negated by granting a potentially insecure third party vendor permission to access your Drive data. In order to publish an application on the Google Marketplace or Chrome Web Store, vendors need to meet specific requirements, but Google cannot verify the safety of every application. Therefore, it is important to review each application carefully, with particular emphasis on what data it has access to, as well as the privacy and security policies of the vendor. If the application has access to Google Drive data, it is important to understand whether the vendor is storing copies of the data and if so what steps are in place to secure it. A structured vetting process should be standard procedure before approving the use of a new application.

Mitigation Strategies

There are four primary marketplaces where end users can browse and install third-party applications: the Google Apps Marketplace, Chrome Web Store, Google Drive Add-Ons, and mobile apps. Let’s look at how to secure each marketplace.

Google Apps Marketplace

The Google Apps Marketplace can be secured using the Google Apps admin console’s “Apps” controls. Navigate to “Marketplace apps,” then “Settings for Marketplace apps.” The default setting allows users to install any application from the Google Apps Marketplace.

Chrome Web Store

The Chrome Web Store can be secured using the “Device Management” controls in the Google Apps admin console. Navigate to “Chrome Management,” then “User Settings” to find these controls. By default, end users are able to install any app or extension. Administrator controls over Chrome settings are extensive, and include the ability to force-install, pin, allow, or block specific applications. It’s particularly important to have a well-planned Chrome strategy if your organization uses Chromebooks, but these settings will apply to the Chrome browser as well and should not be overlooked.

In addition to the Chrome management settings, there is a Google Drive-specific restriction located under “Data Access” in the Google Drive settings. The “Drive SDK” checkbox allows admins to allow or forbid the installation of apps from the Chrome Web Store which require access to Google Drive data.

Google Drive Add-Ons

By default, users are able to install Google Docs add-ons. Google Docs add-ons are developed by third parties to add specific functionality to Google Docs (e.g., mail merge, granular track changes, etc.). The option to disable add-ons is located in the Google Drive settings under “Data Access.” It is also important to note that because these apps can be installed through the Google Apps Marketplace, users will be able to use the Marketplace as a workaround to get add-ons unless they are prevented from doing so by Marketplace restrictions (see above).

Mobile Apps

Some mobile applications use a user’s Google Apps credentials to access data on their device. As discussed above, endpoint devices pose a serious risk if they are lost or stolen, and it’s strongly recommend that policies are enforced on mobile devices so that they can be remote wiped in the event they are compromised. However, administrators can also gain additional insight into the applications being used by Android users by enabling the “Application Auditing” feature. When viewing an activated Android device, you will be able to review the applications installed on the device, as well as whether the application has access to the user’s account, contacts, or calendar.

Application Auditing

Google for Work admins who have not previously paid close attention to the use of third-party applications are strongly encouraged to conduct an audit of applications currently in use. There are several ways to aggregate such information. Google does not provide a convenient mechanism within the Admin control panel for generating a granular report on third party apps. However, you can check under “Apps > Third Party Apps” to view which Marketplace apps have been installed. Additionally, if your organization does not contain a large number of users, you can easily view applications with authorized access as well as installed Marketplace apps by viewing the “Security” and “Marketplace applications enabled” sections for each account in the “Users” section of the admin control panel.

If you manage a large organization or just want more visibility, BetterCloud’s Third Party Apps Audit feature allows you to quickly view all third-party apps installed on your Google for Work environment. BetterCloud allows you to whitelist or blacklist apps, as well as determine whether the app has been installed by an admin or end-user. The Apps Audit also provides a convenient “Permission Score,” which allows you as the admin to quickly visualize the amount of access a given app has to your environment.

If your organization is using a large number of apps, you can also create filters to view apps based on whitelist/blacklist status, permissions, access, etc. We recommend using BetterCloud to help take inventory of the applications in use at your organization, review the permissions granted to each one, and make a whitelist/blacklist decision. Blacklisted apps will remain installed, but users will no longer be able to access them.