Shocking Findings from the 2023 Third-Party App Access Report


Spoiler alert: Organizations with 10,000 SaaS users using M365 and Google Workspace added, on average, over 4,371 connected apps.

SaaS-to-SaaS (third-party) app installs have increased nonstop in organizations around the world. When employees need additional apps to improve their efficiency and productivity, they rarely think twice before installing them. Most employees are unaware that this SaaS-to-SaaS connectivity, which requires the ability to read, update, create, and delete content, significantly increases the organization’s attack surface.

Third-party app connections are typically out of the sight of security teams and not scrutinized to understand the level of risk they pose.

Adaptive Shield’s latest report, Uncovering the Risks & Realities of Third-Party Connected Apps, delves into data on this topic. Find out the average number of SaaS-to-SaaS apps your organization has and the level of risk they pose. Here are the top five survey results:

Finding #1: Connected Apps Run Deeper

This report focuses on Google Workspace and Microsoft 365 (M365), clearly showing the range of applications that are integrated with the two.

On average, a company with 10,000 SaaS users using M365 has 2,033 apps connected to its application suite. Companies of that size using Google Workspace have an average of 6,710 connected applications, more than three times as many.

Even small businesses are affected. The report found that companies using M365 averaged 0.2 applications per user, while companies using Google Workspace averaged 0.6 applications per user.

Finding #2: More Employees, More Apps

In contrast to most growth curves, this study shows that the number of apps per user does not level off or plateau once an organization reaches a certain number of users. Rather, the number of applications continues to grow along with the number of users.

As shown in Figure 1, companies with 10,000 to 20,000 employees using Google Workspace average about 14,000 unique connected applications. This continued growth has been devastating to security teams, making it nearly impossible to manually discover and manage such large numbers of applications.

Figure 1: Average number of apps users have integrated with Google Workspace

For the full 2023 SaaS-to-SaaS Access Report, click here.

Finding #3: SaaS-to-SaaS Apps Are Higher Risk

Once a third-party app is integrated with the core SaaS app, it can be accessed using the OAuth process. As part of this process, the application requests certain scopes. These scopes pass many permissions to the app.


Among high-risk scopes, 15% of M365 applications request the permission to delete all files a user has access to. It gets even scarier in Google Workspace, where 40% of the high-risk scopes requested include the ability to delete all Google Drive files.

As indicated in this permissions tab, the application explicitly requests permission to view, edit, create, and delete all Google Docs documents, Google Drive files, Google Slides presentations, and Google Sheets spreadsheets.

For security teams accustomed to managing data, such permission sets are unsettling. Given that many applications are written by individual developers who may not have prioritized security in their software development, these permissions could be used by attackers to gain access to corporate data to steal or encrypt. Software bugs can have devastating consequences for a company’s data, even without an attacker.

Figure 2: Risky permission requests from third-party applications
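As an added illustration (not code from the report or from Adaptive Shield), here is a small Python triage that tiers the OAuth scopes each connected app was granted and computes the report's "share of high-risk apps" metric per platform. The scope strings are real Google Drive and Microsoft Graph scope names; the three-tier mapping and the app inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass

RISK_ORDER = {"low": 0, "sensitive": 1, "high": 2}
# Scope names are real Google Drive / Microsoft Graph scopes; the three tiers are an
# assumption modelled on the report's "high-risk" wording, not its published taxonomy.
HIGH_RISK_SCOPES = {  # view, edit, create and delete every file the user can reach
    "https://www.googleapis.com/auth/drive",  # full Google Drive access
    "Files.ReadWrite.All",                     # Microsoft Graph: all files, read/write
}
SENSITIVE_SCOPES = {  # read every file, but cannot modify or delete
    "https://www.googleapis.com/auth/drive.readonly",
    "Files.Read.All",
}

@dataclass
class ConnectedApp:
    name: str
    platform: str  # "google" or "m365"
    scopes: list[str]

def scope_risk(scope: str) -> str:
    """Tier one OAuth scope; anything not listed is treated as low risk."""
    if scope in HIGH_RISK_SCOPES:
        return "high"
    return "sensitive" if scope in SENSITIVE_SCOPES else "low"

def app_risk(app: ConnectedApp) -> str:
    """An app is as risky as the riskiest scope it holds."""
    return max((scope_risk(s) for s in app.scopes), key=RISK_ORDER.__getitem__, default="low")

def high_risk_share(apps: list[ConnectedApp], platform: str) -> float:
    """Percentage of one platform's connected apps holding a high-risk scope (the report's metric)."""
    selected = [a for a in apps if a.platform == platform]
    if not selected:
        return 0.0
    return 100.0 * sum(app_risk(a) == "high" for a in selected) / len(selected)

def triage(apps: list[ConnectedApp]) -> list[tuple[str, str, list[str]]]:
    """Review queue of (app, tier, non-low scopes), riskiest first."""
    rows = [(a.name, app_risk(a), [s for s in a.scopes if scope_risk(s) != "low"]) for a in apps]
    return sorted(rows, key=lambda r: RISK_ORDER[r[1]], reverse=True)

# Constructed sample inventory, shaped like an admin-console export of connected apps
INVENTORY = [
    ConnectedApp("pdf-merge-tool", "google", ["https://www.googleapis.com/auth/drive", "openid"]),
    ConnectedApp("calendar-sync", "google", ["https://www.googleapis.com/auth/calendar.readonly"]),
    ConnectedApp("doc-signer", "m365", ["Files.ReadWrite.All", "User.Read"]),
    ConnectedApp("backup-viewer", "m365", ["Files.Read.All"]),
    ConnectedApp("team-poll", "m365", ["User.Read"]),
]
```

Running `triage(INVENTORY)` puts the two apps with full-file-access scopes at the top of the review queue, and `high_risk_share` reports 50% for the constructed Google inventory and about 33% for the M365 one.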

Finding #4: Connected apps are also very diverse

While this report delves deeper into two SaaS apps, it also publishes research on Salesforce (and Slack). Salesforce has an average of 41 integrated apps per instance. The implication is worth noting.

Salesforce is primarily used by a small part of the company. In that respect, it’s similar to Workday, Github, and ServiceNow used by HR, developers, and finance teams. A typical company with 10,000 employees will have over 350 SaaS applications in their stack, many of which are used by smaller departments like the one described here.

Assuming Salesforce typifies similar applications, each of these 350 apps integrates with 40 apps, adding 14,000 third-party applications to the equation.

Finding #5: M365 and Google Workspace have roughly the same number of high-risk apps

One of the more interesting points is the larger share of high-risk apps connecting to M365 compared to Google Workspace. Apps request risky permissions from M365 39% of the time, while Google Workspace apps request high-risk permissions only 11% of the time. In real terms, the average installation at a company with 10,000 SaaS users using M365 has 813 high-risk apps, while Google Workspace has 738 apps considered high-risk.

Perhaps this discrepancy is caused by the app creation process. Google must review apps that request high-risk (known as restricted) permissions. The review process is much easier when requesting moderate or sensitive permissions. Microsoft does not label the requested scope with a severity level. This lack of oversight makes it much easier for apps connecting to M365 to request risky scopes.

SaaS security is much more complex than people realize

The overall takeaway from reading this report is the huge challenge of securing SaaS software. Clearly, security teams need visibility into the thousands of apps connected to their SaaS stack and a cost-benefit analysis for each high-risk connected app.

A SaaS security solution like Adaptive Shield, among other important SaaS security features, gives security teams the visibility they need to see connected applications and their reach. With this information, security teams are in a much better position to strengthen the application’s security posture and prevent data from falling into the wrong hands.

Schedule a demo to see how many SaaS-to-SaaS apps are connected to your SaaS stack





