In 2021, Google added third-party app access controls to the Admin console. Before this setting was in place, administrators could block third-party apps, but it was time-consuming to manage an ever-growing block list. Depending on the size of your institution, IT departments simply do not have the hours to manage a high volume of apps with a high level of confidence in security. With this setting, if you choose to Block all third-party API access, your users cannot authorize third-party apps to call Google APIs on their behalf to access portions of their Google Workspace services such as Google Drive, Gmail, Calendar, and Contacts.
We certainly live in an app-filled world. If previous decades were the age of infrastructure, we are now in the age of applications. Applications are key to business processes and productivity today. Most organizations run on top of an application stack that lets them carry out many key business functions. Software-as-a-Service (SaaS) environments like G Suite are extremely popular among organizations for hosting business collaboration, file sharing, email and other services. Cloud SaaS environments today contain a large number of third-party apps that can easily be integrated into your environment.
To let your company choose which apps it allows, you have the option to turn off all API access to the core Google Workspace services and run solely from an allow list. Once the allow list is in place and your Block all third-party API access setting is on, this alternative method will take less time to maintain and offer greater confidence in security. However, this method has its own challenges as well.
Choosing Your Third-Party App List
- A major challenge is how to review the existing apps used on the domain and determine which ones to allow API access. App access control settings are domain-wide settings. Who and how many people you need to help vet applications, and the criteria by which you vet apps, will vary depending on your institution’s size and learning environment. However, you will have the greatest success by making the best of the systems and information you already have in place. The process involves all the key stakeholders: the staff, IT, risk, and contract teams. Any staff member should be invited to submit an application or web service for review. That request is then submitted for IT system, risk, and contractual reviews. Each department assesses the application based on its specific responsibilities and expertise. If any review fails, the entire process is stopped and the application is not approved for use. Staff can track the progress of the reviews or identify approved apps via an online application reporting website.
Communicate Phased Out Apps With Staff
- Keeping communication open is a tricky one. Staff may not understand the need behind restricting app access and may not react well to losing access to their favorite app. For staff to understand the need for change, communication is critical. One way to target your communications is to use Google Apps Manager (GAM) to determine which staff use specific apps. With that list on hand, you can notify users only if an app they used is going away, instead of sending an all-staff email. Letting your staff know ahead of time that an app is being phased out is an important part of the communication factor.
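As an added example (not from the original article or from GAM itself), the script below shows one way to turn a per-user OAuth token export into a targeted notification list. The CSV column names, the sample rows and the allow-listed client ID are constructed assumptions; adjust them to match your own export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a per-user OAuth token export (not real data).
# Column names (user, clientId, displayText, scopes) are assumptions.
SAMPLE_EXPORT = """user,clientId,displayText,scopes
alice@example.edu,111.apps.googleusercontent.com,Approved Planner,https://www.googleapis.com/auth/calendar
Alice@example.edu,222.apps.googleusercontent.com,Quiz Maker,https://www.googleapis.com/auth/drive
bob@example.edu,222.apps.googleusercontent.com,Quiz Maker,https://www.googleapis.com/auth/drive
bob@example.edu,222.apps.googleusercontent.com,Quiz Maker,https://www.googleapis.com/auth/gmail.readonly
bob@example.edu,333.apps.googleusercontent.com,,https://www.googleapis.com/auth/drive
carol@example.edu,111.apps.googleusercontent.com,Approved Planner,https://www.googleapis.com/auth/calendar
"""

# Constructed allow list: OAuth client IDs that passed review.
ALLOWED_CLIENT_IDS = {"111.apps.googleusercontent.com"}


def phased_out_apps_by_user(export_csv, allowed_ids):
    """Return {user: [app names]} for authorized apps that are not allow-listed."""
    affected = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = (row.get("user") or "").strip().lower()
        client_id = (row.get("clientId") or "").strip()
        if not user or not client_id or client_id in allowed_ids:
            continue
        # Fall back to the client ID when the export has no display name.
        name = (row.get("displayText") or "").strip() or client_id
        affected[user].add(name)  # set de-duplicates one row per scope/token
    return {user: sorted(apps) for user, apps in sorted(affected.items())}


def user_counts_by_app(per_user):
    """Count affected users per app, most used first, to size each notice."""
    counts = Counter(app for apps in per_user.values() for app in apps)
    return counts.most_common()


if __name__ == "__main__":
    per_user = phased_out_apps_by_user(SAMPLE_EXPORT, ALLOWED_CLIENT_IDS)
    for user, apps in per_user.items():
        print(f"{user}: notify about {', '.join(apps)}")
    for app, n in user_counts_by_app(per_user):
        print(f"{app}: {n} user(s)")
```

Users who only authorized allow-listed apps never appear in the output, so they receive no notice.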
Ongoing Evaluation Process
- The last challenge, after all the time and effort you've invested, is to be sure there is a process in place for evaluating new apps in the future. It is better to be more restrictive and then decide how and when to let the water flow from the tap. Putting a plan in place for managing future apps and training incoming staff on the app policy can help administrators avoid being overwhelmed with requests for the return of certain apps or for new apps. The process you used to originally vet apps can likely be transitioned to a maintenance process to evaluate new apps. You have the advantage of knowing what worked and what didn't while you vetted the apps the first time. This is a great chance to integrate process improvements into your ongoing process.
Admittedly, there will be challenges more specific to your business as you work through this process. These are a few of the main challenges that we feel most of our customers will connect with. It may seem like a simple process, but there is a lot of change built in and you may need to take it slow. Happy Vetting!