ManagedMethods Makes Managing Vendor Application Security in Google/Microsoft Fast & Easy
The concept of “shadow IT” isn’t new in IT circles. But how “shadow IT” gains access to your district’s data has fundamentally changed in just the last few years. The change has been so fast and so foreign that many district technology teams simply don’t realize that they have a problem.
Incidents like the Illuminate Education data breach and research published by Doug Levin at K12 SIX have gone a long way in raising our collective awareness of how vulnerable districts are to data breaches. Not through their own cybersecurity protections or mistakes, but through those of their vendors.
Vendor security is a huge topic. Here we’re going to focus specifically on how you can make your district’s data more secure by managing the OAuth risks that today’s “shadow IT” is creating in every school district (yes, EVERY school district) that we’ve done a free cloud security audit with.
How To Gain Visibility Into Your District’s “Shadow” OAuth Apps, Extensions, etc.
When your users use their school account to “single sign-on” to a new application, they’re effectively allowing that app whatever permissions it requires on its end. Often, this will include permissions like accessing the device camera, account contacts, files, email accounts, and more.
Most apps are not malicious. They’re built with the best of intentions, but as we’ve seen in many cases they can be compromised by malicious actors. The result is that criminals are able to use any permissions that have already been granted to the app–without ever needing to guess your user’s password, flag a suspicious account login, etc. They’re effectively able to act under your radar.
The ManagedMethods Apps Tab will give you visibility into all the applications that have been granted permissions into your domain by users. You can see information such as:
- App name
- App category (education, lifestyle, tools, shopping, etc)
- Risk level (low, medium, high, critical)
- Users and OUs that have enabled the app
- Access levels (a.k.a. permissions)
- and more!
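The sketch below is an added example, not ManagedMethods' code or scoring model. It shows the kind of per-app rollup described above: per-user OAuth grants are collapsed into one row per app, listing the users, the access levels and the worst-case risk. The sample records are constructed (shaped like the Google Admin SDK Directory API `tokens` resource), and the scope-to-risk mapping is an assumption.

```python
# Constructed sample grants, shaped like the Google Admin SDK Directory API
# "tokens" resource (clientId, displayText, userKey, scopes). Not real data.
SAMPLE_GRANTS = [
    {"clientId": "app-quiz", "displayText": "Quiz Helper", "userKey": "student1@district.example",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "app-quiz", "displayText": "Quiz Helper", "userKey": "student2@district.example",
     "scopes": ["openid"]},
    {"clientId": "app-merge", "displayText": "Mail Merge Pro", "userKey": "teacher1@district.example",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts.readonly"]},
    {"clientId": "app-sync", "displayText": "File Sync Tool", "userKey": "student1@district.example",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"clientId": "app-sync", "displayText": "File Sync Tool", "userKey": "student3@district.example",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"clientId": "app-game", "displayText": "Mystery Game", "userKey": "student2@district.example",
     "scopes": ["https://example.invalid/auth/custom"]},  # placeholder for an unknown scope
]

LEVELS = ["low", "medium", "high", "critical"]
# Assumed scope-to-risk mapping for illustration; tune it to district policy.
SCOPE_RISK = {
    "openid": "low",
    "https://www.googleapis.com/auth/userinfo.email": "low",
    "https://www.googleapis.com/auth/userinfo.profile": "low",
    "https://www.googleapis.com/auth/contacts.readonly": "medium",
    "https://www.googleapis.com/auth/drive.readonly": "high",
    "https://www.googleapis.com/auth/drive": "high",
    "https://mail.google.com/": "critical",
}

def scope_level(scope):
    """Unrecognised scopes default to medium so they get reviewed, not ignored."""
    return SCOPE_RISK.get(scope, "medium")

def inventory(grants):
    """Collapse per-user grants into one row per app: users, scopes, worst risk."""
    apps = {}
    for g in grants:
        app = apps.setdefault(g["clientId"], {"name": g["displayText"], "users": set(), "scopes": set()})
        app["users"].add(g["userKey"])
        app["scopes"].update(g["scopes"])
    rows = []
    for app in apps.values():
        risk = max((scope_level(s) for s in app["scopes"]), key=LEVELS.index, default="low")
        rows.append({"name": app["name"], "risk": risk,
                     "users": sorted(app["users"]), "scopes": sorted(app["scopes"])})
    # Highest risk first, then the apps with the most users.
    rows.sort(key=lambda r: (-LEVELS.index(r["risk"]), -len(r["users"]), r["name"]))
    return rows

if __name__ == "__main__":
    for row in inventory(SAMPLE_GRANTS):
        print(f'{row["risk"]:<8} {row["name"]:<15} users={len(row["users"])} scopes={len(row["scopes"])}')
```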
How To Automatically Manage & Control Vendor Application Security
Using apps policies in ManagedMethods, you can also automate control of third-party apps that have been granted permissions into your Google and/or Microsoft domain.
For example, if students (and teachers/staff… we all know it happens…) keep trying to authorize TikTok using their school-provided Google account, you don’t want to hang out and play whack-a-mole all day with it. Not to mention that you definitely don’t have time for it. You can simply set up a policy that will automatically kick the app out every time it’s detected.
Now, you might be thinking at this point: why can’t I just “unsanction” it in Google Admin Console? You certainly can. And probably should. And if the issue was just TikTok and maybe one or two other apps, then that would probably be good enough.
But if you’re like me, you’re definitely not up to speed on all the latest gaming and anonymous messaging apps that are popping up all the time. Google’s apps management tools are a bit, shall we say, blunt and not exactly user-friendly when it comes to managing an actual domain that has actual users that are doing all kinds of weird things all of the time.
We’ve seen it time and time again. A district admin definitely thinks they have their vendor apps management under control. Then, they sign up for an audit. And wouldn’t you know it, we have OnlyFans and Chaturbate and all kinds of weird stuff in there.
I’m no expert in school-parent relations, but I definitely don’t want to be the person explaining to a parent how their kid got to sexting online with some adult dude the next town over using their school Google account. But, I think we can already assume that you’re a much braver soul than I.