Taming the Wild West of 3rd Party Apps in G Suite
Tornado Talks in Ten
Sarah Noell, NC State University

G Suite @ NC State
• G Suite campus since 2010
• 148,104 active accounts
  – Includes alumni but plans to move them to an alumni domain
• Core & consumer services available
  – Wallet not enabled
• ~8,900 external apps in use in our domain

Top Apps with API scope into:

Core service    # apps installed    # users impacted
Gmail           441                 45,038
Drive           2,487               24,319
Calendar        439                 49,674
Contacts        327                 46,862

• No real sense of who is using (faculty, staff, or student)
• Some apps have been reviewed, but no easy way to know what remains until review process begins.

Goal of 3rd-party app review
Provide the needed functionality for our users while meeting and adhering to our institutions’ compliance needs.
• Understand our comfort level with risk
• Understand use cases of our end users
• Without these extras, do we increase our risk by users potentially using “shadow IT”?

2017 improved review oversight
• Added security review for new requests
  – Lack of consistency with security reviews
• ToS reviews mostly
Security reviews for:
• Use case
• Transparency with privacy, data use, storage & permissions
• Confirm no negative security issues found within IS community

Process continued:
Continue to use CloudLock for Trust and User ratings
Security reviews come back as:
Approved
Conditional
• No real way to monitor; but hoping to “check back in” on use of these apps after a period of time (~1 year)
Denied

Getting started in the wild west
Summer 2019
• Gather/analyze use data and use to determine priority of review for apps
• Start with top 25 apps with highest # of users
• Expect some reviews to be very straightforward since app is widely used and vetted already

Based on findings...
• Work with Security unit for mitigation options for less secure apps in domain:
  – Remove completely and, when possible,
  – Consider alternatives for end user
• Use review process as opportunity to educate our campus on risks of 3rd party apps.
  – Side benefit: carry over to personal use

Google’s upcoming changes
Security Assessment Program for Marketplace Apps
• Developers able to submit an app for a third-party security assessment
• Security assessment badge for passed apps

Upcoming changes cont’d
Add-ons moving to Marketplace
• Docs, Sheets, Slides, Forms
  – Admins can install for users or whitelist specific add-ons to better control what users install.
  – Gmail and Calendar already work this way.
• Will provide a more sustainable model for management of these add-on extras.

Google’s changes / NC State’s process
• Google’s new assessment should help fast track reviews for our security unit.
• While Security believes it is a good start, they will still review the data handling process for apps
  – IT driven vs business driven
  – Understanding data being accessed, use case, and how data is being handled.

Summary / next steps
We will begin a review of 3rd party apps this summer. Plan to follow closely Google’s recommended steps:
• Step 1: Review 3rd party apps access to API scopes
• Step 2: Create whitelist of trusted apps
• Step 3: Block specific API scopes
• Step 4: Review conditional approval process
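
Added example (not from the talk, NC State or Google): one way to do the Step 1 scope review together with the "top 25 apps by # of users" prioritization from the Summer 2019 slide, producing the per-service app and user counts shown on the "Top Apps" slide. It assumes OAuth grant records exported as dicts with the hypothetical field names userKey, clientId, displayText and scopes; the sample records, users and app names are constructed.

```python
from collections import defaultdict

# Scope prefixes for the four core services on the "Top Apps" slide.
# Prefix matching also counts narrower scopes such as .../auth/gmail.readonly.
SERVICE_SCOPES = {
    "Gmail": ("https://mail.google.com/", "https://www.googleapis.com/auth/gmail"),
    "Drive": ("https://www.googleapis.com/auth/drive",),
    "Calendar": ("https://www.googleapis.com/auth/calendar",),
    "Contacts": ("https://www.google.com/m8/feeds",
                 "https://www.googleapis.com/auth/contacts"),
}

def services_for(scopes):
    """Core services that at least one granted scope reaches into."""
    return {svc for svc, prefixes in SERVICE_SCOPES.items()
            if any(s.startswith(prefixes) for s in scopes)}

def summarize(grants, top_n=25):
    """Return (per-service (apps, users) counts, review queue by user count)."""
    app_users, app_services, app_name = defaultdict(set), defaultdict(set), {}
    svc_apps, svc_users = defaultdict(set), defaultdict(set)
    for g in grants:
        cid, user = g["clientId"], g["userKey"]
        reached = services_for(g["scopes"])
        app_users[cid].add(user)
        app_services[cid] |= reached
        app_name.setdefault(cid, g.get("displayText") or cid)
        for svc in reached:  # count per grant, so users are not over-attributed
            svc_apps[svc].add(cid)
            svc_users[svc].add(user)
    per_service = {s: (len(svc_apps[s]), len(svc_users[s])) for s in SERVICE_SCOPES}
    # Most-used apps first; client ID breaks ties so the order is stable.
    queue = sorted(app_users, key=lambda c: (-len(app_users[c]), c))[:top_n]
    return per_service, [(app_name[c], len(app_users[c]), sorted(app_services[c]))
                         for c in queue]

G = "https://www.googleapis.com/auth/"
# Constructed sample grants; users, client IDs and app names are made up.
SAMPLE = [
    {"userKey": "alice", "clientId": "111.example", "displayText": "MergeTool",
     "scopes": ["https://mail.google.com/", G + "drive.file"]},
    {"userKey": "bob", "clientId": "111.example", "displayText": "MergeTool",
     "scopes": [G + "drive.file"]},
    {"userKey": "bob", "clientId": "222.example", "displayText": "SchedulerX",
     "scopes": [G + "calendar.readonly", G + "contacts.readonly"]},
    {"userKey": "carol", "clientId": "333.example", "displayText": "QuizGame",
     "scopes": ["openid", "email"]},
]
```

Calling summarize(SAMPLE) returns the per-service counts and the review queue; apps that reach no core service, like the constructed QuizGame, still appear in the queue with an empty service list.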

Questions?
Sarah Noell
sarah@ncsu.edu
