Third-Party Apps Auditing & Compliance Out of Beta, Suggested Policies

BetterCloud

October 14, 2014

The Problem

Using their Google credentials, users are able to install and authenticate third-party applications–from scheduling aids to productivity tools to games–granting access to your domain’s data. Though users can choose from thousands of apps to install, IT lacks the tools to review them.

The Solution

Since it’s ultimately up to IT to determine acceptable use of third-party apps, we built Apps Explorer as a solution designed to give IT the granular insights, reporting, and compliance tools they need to audit applications. From there, admins can make informed decisions about which applications are appropriate and take action to whitelist, blacklist, or revoke third-party apps.

Taking it one step further, you can set policies to ensure ongoing compliance in third-party app usage. But before doing so, it’s important to think through your organization’s stance on third-party apps–we’ve put together a list of things to consider in evaluating and classifying apps.

Apps Explorer Data Grid
View all third-party applications users have installed on your domain

Step 1: Monitor and Review

First, look at the Apps Explorer grid to take stock of all of the third-party applications installed on your domain. Going through the list of apps, use filters to find those that request access to Drive or Gmail, potentially giving access to your most sensitive data. Think about whether the permission level is appropriate for the intended purpose of the app–for example, if a game is requesting read/write access to Drive, it may be with malicious intent.

Action Items: Since this step is meant to survey applications and understand what your users are installing, don’t take action quite yet. Instead, alert IT to any third-party applications with extensive access.

Apps Explorer Filters
Filter applications by the permissions they request, paying special attention to read/write access

Step 2: Review and Defend

Now that you have outlined what your organization deems acceptable use when it comes to third-party apps, begin to blacklist applications to revoke them from your domain. From the Apps Explorer grid, select any number of apps then use the dropdown menu to either “Blacklist” or “Blacklist & Notify Users.” Go ahead and whitelist apps, too.

Action Items: Treat the “Unresolved” tab within Apps Explorer like an inbox, processing new applications daily and whitelisting or blacklisting apps as you evaluate them.

Apps Explorer Whitelisting and Blacklisting
Select any number of applications from the grid, then take action to whitelist/blacklist them

Step 3: Defend and Lock Down

Lastly, once you’ve seen patterns in the apps users install and begun to develop criteria for either allowing or revoking them–maybe you blacklist apps requesting Drive access but whitelist any apps installed by administrators–you can set policies to automate the evaluation process. Create one or more Apps Policies, applicable to everyone, a single domain, Org. Unit, or individual user, and set detailed parameters, such as the permissions granted, permission score, or if the app has domain-wide access.

Action Items: Configure policies in order to continuously enforce compliance with your organization’s new third-party apps policy. Determine a course of action if an app is flagged as violating a policy, such as immediately whitelisting or blacklisting the app, or simply sending an email alert.

Apps Explorer Policies
Create policies to approve or revoke third-party apps on an automated basis
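
The kind of rule Step 3 describes (blacklist apps requesting Drive access, but whitelist apps installed by administrators) can be expressed as first-match policy evaluation over an inventory of app grants. This is an added example, not BetterCloud's code or API: the `Grant` and `Policy` models, the policy names, and the sample grants are constructed assumptions; only the Google OAuth scope strings are real.

```python
from dataclasses import dataclass

# Real Google OAuth scope strings; grouping them into policies is this example's choice.
P = "https://www.googleapis.com/auth/"
DRIVE = frozenset({P + "drive", P + "drive.readonly"})
GMAIL = frozenset({"https://mail.google.com/", P + "gmail.readonly"})

@dataclass(frozen=True)
class Grant:                 # one app authorized by one user (constructed model)
    app: str
    org_unit: str
    scopes: tuple
    installed_by_admin: bool = False

@dataclass(frozen=True)
class Policy:                # hypothetical model, not the product's schema
    name: str
    org_unit: str            # "/" applies to everyone
    scopes: frozenset        # empty set matches any scope
    admin_only: bool         # only matches apps installed by an administrator
    action: str              # "whitelist", "blacklist" or "alert"

def applies(policy, grant):
    """True when the grant is inside the policy's Org. Unit and meets its conditions."""
    root = policy.org_unit.rstrip("/")
    in_ou = grant.org_unit == policy.org_unit or grant.org_unit.startswith(root + "/")
    scope_hit = not policy.scopes or bool(policy.scopes & set(grant.scopes))
    return in_ou and scope_hit and (grant.installed_by_admin or not policy.admin_only)

def evaluate(grant, policies):
    """First matching policy wins; unmatched grants stay in the review queue."""
    for p in policies:
        if applies(p, grant):
            return p.action, p.name
    return "unresolved", None

POLICIES = [                 # order matters: the admin exemption is checked first
    Policy("admin-installed", "/", frozenset(), True, "whitelist"),
    Policy("drive-access", "/", DRIVE, False, "blacklist"),
    Policy("sales-gmail", "/Sales", GMAIL, False, "alert"),
]
GRANTS = [                   # constructed sample inventory
    Grant("Puzzle Game", "/Sales/East", (P + "drive",)),
    Grant("Backup Tool", "/IT", (P + "drive",), installed_by_admin=True),
    Grant("Mail Scheduler", "/Sales", (P + "gmail.readonly",)),
    Grant("Inbox Cleaner", "/SalesOps", ("https://mail.google.com/",)),
]
if __name__ == "__main__":
    for g in GRANTS:
        print(f"{g.app:15} {g.org_unit:12} ->", *evaluate(g, POLICIES))
```

The last grant shows a coverage gap worth checking for in any policy set: full Gmail access in `/SalesOps` matches no rule, because the Gmail policy is scoped to `/Sales` and its child units only, so the app falls through to manual review.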

Final Thoughts

By gaining visibility into the third-party applications that users are installing on your domain and taking this multi-step approach to evaluating them, you can feel comfortable allowing users to take advantage of the many benefits these applications can provide without risking unauthorized access and compromising overall security.

For more information on BetterCloud’s Apps Explorer feature and how to configure it for your domain, read our Help Center article.
