Third-party cloud apps are essential to many users, and their number is increasing rapidly — to nearly 157,000 this year, from 5,500 in 2014, according to CloudLock, a Waltham, Mass., security firm. But 27 percent of apps connected to corporate environments pose a high security risk, possibly exposing corporate data to outsiders, CloudLock says in its new cloud cybersecurity report.
A large part of the threat comes from apps’ use of OAuth, a popular open protocol that lets users allow an app to act on their behalf without sharing their password. Some third-party apps using OAuth “have extensive, and at times excessive, access scopes,” CloudLock warned in the free, 18-page report. “Because they can view, delete, externalize and store corporate data, and even act on behalf of users, they must be managed carefully.”
The seven most risky apps? Clash Royale, Goobric Web App, My Talking Tom, Evermusic, Music Player, Pingboard and 8 Ball Pool.
The 10 apps most often banned as security risks: WhatsApp Messenger, SoundCloud, Power Tools, Free Rider HD, Madden NFL Mobile, Zoho Accounts, Sunrise Calendar, Pinterest, Airbnb and CodeCombat.
The top 10 trusted apps: Slack, Asana, Turnitin, Lucidchart, Smartsheet, LinkedIn, Zoom, Zendesk, HubSpot and Quizlet.
CloudLock offers a tool, the Cloud Application Risk Index, for assessing whether third-party applications pose a threat. It suggested organizations create a classification hierarchy for such apps and a procedure for deciding which should be allowed, reviewed or automatically revoked. Whitelisting based on the risk index is also a good idea, it said.
The survey examined 10 million users, one billion files and more than 150,000 apps, CloudLock said.