It’s no secret that security is Google’s highest priority. Not only are Google Cloud’s products built with a security-first mindset, but they are constantly being improved as new types of threats and vulnerabilities emerge.
With that said, there are many non-Google applications that users rely on to get work done in the way that works for them. Take the iOS mail app, for example. A user may give that app permission to access their Google Workspace data, specifically work email. While this makes things simple for the user, it creates risk for the organization. This is why Google prefers that account access be granted through OAuth: Google then receives more details about the login and can validate it the same way it validates any other login to your account. As a result, Google can better identify and prevent suspicious login attempts.
Turning off less secure apps
With Google’s revised announcement postponing the turn-off of Less Secure Apps (LSA) until further notice, organizations have an extended window in which to support their users' transition to more secure, OAuth-supported applications. The move to more secure applications matters because the LSA authentication method requires only a username and password (no 2-step verification or additional authentication), which leaves the user's account vulnerable to hijacking.
If developers want Google Workspace users to keep using their app, they now need to integrate OAuth. When users then authenticate to the app, they will be required to complete 2-step verification if it is enforced in the organization's Google Workspace environment.
How does it work?
Apps using OAuth achieve this by sending a request token (usually carrying the API scopes the app needs) to the Google OAuth Authorization Server. Once the user properly authenticates and authorizes the app, the app exchanges the resulting authorization code for an Access Token and a Refresh Token. OAuth also gives Google Workspace Admins the ability to run reports on which applications their users are authorizing, so they can understand what is important to their users' workflow and whether each application is actually needed.
Watchpoints to look out for
Something important to watch for as apps transition to this new standard is which scopes end users authorize. Scopes are the OAuth mechanism for limiting the type of access an app has to a user’s account; users typically encounter them on the consent screen during the authentication process.
Google Workspace scopes cover Gmail, Drive, Calendar, and much more. Some applications may require only read-only access to Gmail but full access to Drive. Users can approve requests that allow the app to act on their behalf with full control over their Drive, adding, trashing, or modifying files and their metadata, which in turn could lead to data exfiltration.
Google Workspace Admins can now take the reports generated from the Token OAuth audit log and unearth any applications their users are authorizing that use sensitive scopes. Cloudbakers has assisted clients in bringing these overlooked vulnerabilities to light.
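As an added example of the kind of review described above (not code from the original post or from Google's tooling): the script below takes constructed OAuth grant records, flags any grant of a full-access scope where a read-only scope exists, and counts how many users authorized each app. The record shape and the sample users, apps and client IDs are assumptions; the scope URLs are Google's published ones.

```python
# Added example: triage OAuth grant records for write-capable ("full") scopes.
# Assumption: each record is a dict {actor, app_name, client_id, scopes}, a
# simplified stand-in for an export of the Token audit log, not the real schema.
from collections import defaultdict

# Scopes that grant full read/write control over the named product.
FULL_ACCESS = {
    "https://mail.google.com/": "Gmail (full)",
    "https://www.googleapis.com/auth/drive": "Drive (full)",
    "https://www.googleapis.com/auth/calendar": "Calendar (full)",
}
# Read-only counterparts that a well-scoped app can request instead.
READ_ONLY = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
}

# Constructed sample grants (not real users, apps or client IDs).
SAMPLE_GRANTS = [
    {"actor": "alice@example.com", "app_name": "Mail client", "client_id": "111-aaa",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/drive"]},
    {"actor": "bob@example.com", "app_name": "Calendar sync", "client_id": "222-bbb",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"actor": "carol@example.com", "app_name": "Mail client", "client_id": "111-aaa",
     "scopes": ["https://mail.google.com/"]},
]

def classify_scope(scope):
    """Return 'full', 'readonly' or 'other' for one OAuth scope string."""
    if scope in FULL_ACCESS:
        return "full"
    return "readonly" if scope in READ_ONLY else "other"

def find_sensitive_grants(grants):
    """Return [(actor, app_name, [full-access scopes])] for grants to review."""
    flagged = []
    for g in grants:
        full = [s for s in g["scopes"] if classify_scope(s) == "full"]
        if full:
            flagged.append((g["actor"], g["app_name"], full))
    return flagged

def users_per_app(grants):
    """Map client_id -> number of distinct users who authorized that app."""
    users = defaultdict(set)
    for g in grants:
        users[g["client_id"]].add(g["actor"])
    return {cid: len(u) for cid, u in users.items()}
```

Run `find_sensitive_grants(SAMPLE_GRANTS)` to list the grants worth an Admin's attention, and `users_per_app(SAMPLE_GRANTS)` to see how widely each app is authorized.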
As a Google Cloud Premier Partner, we have been certified in security best practices such as the one explained in this post, plus hundreds of others. Based on your organization’s unique workflows and setup, we can help you tailor your environment to mitigate as much risk as possible.
The above example is just the tip of an ever-changing iceberg of security controls within Google Workspace. With Cloudbakers’ Security Review, we can bring more common and overlooked security holes in your Google Workspace environment to light. Our engineers enable your Admins to implement these best practices by providing detailed documentation of where settings deviate from best practices and what vulnerabilities your organization is exposed to. With remote working being the new norm, ensuring security best practices within your Google Workspace is more important now than ever. Reach out to us today to sign up for a Security Review with Cloudbakers.
Originally published on November 20, 2020