Dive Brief:
- Google is limiting G Suite access for less secure apps (LSAs), or "non-Google apps," beginning on June 15, 2020, according to a company announcement Monday. By February 2021, all G Suite accounts will lose access to LSAs.
- LSAs sign in to G Suite with only a username and password; Google recommends apps that use OAuth for authentication and authorization instead. LSAs increase the chance of account "hijacking," according to Google: a stolen username and password is all an attacker needs to read the account's data.
- Third-party LSAs include apps that reach a G Suite account's calendar, contacts, and email "via protocols such as CalDAV, CardDAV and IMAP," according to Google. Mobile device management (MDM) configurations that push password-based account settings will also stop working for existing users by the 2021 deadline.
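The password-versus-OAuth distinction above is visible on the wire: an LSA sends the IMAP `LOGIN` command (or `AUTHENTICATE PLAIN`) carrying the account password, while an OAuth client sends `AUTHENTICATE XOAUTH2` with a bearer token. The following added example (not code from the page or from Google) builds and parses the SASL XOAUTH2 initial client response that Gmail's IMAP and SMTP endpoints accept, and classifies captured IMAP client commands so an administrator running a mail proxy can spot password-based logins. The session lines and the token value are constructed for the example.

```python
import base64
import re

# SASL mechanisms that carry the account password (what an LSA uses).
PASSWORD_MECHS = {"PLAIN", "LOGIN"}
# Token-based mechanisms; Gmail accepts both XOAUTH2 and RFC 7628 OAUTHBEARER.
OAUTH_MECHS = {"XOAUTH2", "OAUTHBEARER"}


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Build the SASL XOAUTH2 initial client response:
        base64("user=" + user + "\\x01auth=Bearer " + token + "\\x01\\x01")
    This is what an OAuth-aware client sends after `AUTHENTICATE XOAUTH2`
    (IMAP) or `AUTH XOAUTH2` (SMTP). The account password never crosses
    the wire; the token is scoped and can be revoked without a password change."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def parse_xoauth2_initial_response(blob: str) -> dict:
    """Decode an XOAUTH2 initial response back into its user and token,
    rejecting anything that does not follow the documented layout."""
    raw = base64.b64decode(blob).decode()
    if not raw.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 response: missing terminator")
    fields = {}
    for kv in raw[:-2].split("\x01"):
        key, _, value = kv.partition("=")
        fields[key] = value
    if "user" not in fields or not fields.get("auth", "").startswith("Bearer "):
        raise ValueError("malformed XOAUTH2 response: bad fields")
    return {"user": fields["user"], "token": fields["auth"][len("Bearer "):]}


def classify_imap_auth(line: str) -> str:
    """Classify one IMAP client command line as 'password' (LOGIN, or
    AUTHENTICATE with a password mechanism), 'oauth' (AUTHENTICATE with a
    token mechanism), or 'other' (any non-authentication command)."""
    m = re.match(r"^\S+\s+(LOGIN|AUTHENTICATE)\b\s*(\S*)", line.strip(), re.I)
    if not m:
        return "other"
    cmd, arg = m.group(1).upper(), m.group(2).upper()
    if cmd == "LOGIN" or arg in PASSWORD_MECHS:
        return "password"
    if arg in OAUTH_MECHS:
        return "oauth"
    return "other"


def find_password_logins(session_lines) -> list:
    """Return (line_number, command) for every password-based login in a
    captured client-to-server IMAP session; these are the LSA connections
    that will stop working once Google turns off password sign-in."""
    return [(n, line) for n, line in enumerate(session_lines, start=1)
            if classify_imap_auth(line) == "password"]


# Constructed sample session (client side only); the token is a placeholder.
SAMPLE_SESSION = [
    "a1 CAPABILITY",
    "a2 LOGIN alice@example.com hunter2",                    # LSA: password on the wire
    "a3 AUTHENTICATE PLAIN",                                  # also password-based
    "a4 AUTHENTICATE XOAUTH2 "
    + xoauth2_initial_response("alice@example.com", "ya29.example-token"),
    "a5 SELECT INBOX",
]

if __name__ == "__main__":
    for n, cmd in find_password_logins(SAMPLE_SESSION):
        print(f"line {n}: password-based login: {cmd.split()[1]}")
```

Run against a real capture, `find_password_logins` flags exactly the connections an administrator must migrate before the cutover; the XOAUTH2 helpers can also be handed to `imaplib.IMAP4_SSL.authenticate("XOAUTH2", lambda _: xoauth2_initial_response(user, token))` in a client being converted away from password login.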
Dive Insight:
Google's LSA limits coincide with Google Cloud's security partner integrations with McAfee, Palo Alto Networks and Qualys. Each vendor is playing a role in a deeper push toward threat prevention, data security and governance.
Google is extending data control as privacy regulation and breach-related fines are spurring change. Non-Google apps grant users access to G Suite data — data Google wants to further protect.
For example, users often link their iOS mail application to see work email. But by 2021 iOS email users will have to "remove and re-add" accounts, according to the announcement. Administrators have to "push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth."
Companies trust their cloud providers with their data, their "crown jewels," but there's only so much vendors can do before customers have to take the reins. Google already limits LSAs. In October, the company eliminated the "enforce access to less secure apps for all users" admin control.
Each step Google takes in limiting LSAs supports a shared responsibility model.
Sometimes the cloud fails customers, spurring CISO skepticism of software-as-a-service (SaaS) adoption. Cloud customers are supported by their providers, but access management is a responsibility that falls squarely on customers.
CISOs want more encryption and key management, identity and access management, security monitoring, and incident response from their SaaS vendors.
In an incident outside customers' control, Google disclosed in May that since 2005 a subset of G Suite business customers' passwords had been stored unhashed, that is, in plaintext. There was also a similar two-week-long incident in January.
The unhashed passwords were a security mishap customers could do nothing about. More than one-third of CISOs believe the chances of a breach are higher in the cloud, according to a Nominet survey. CISOs see on-premises technology as more secure because of the indirect risks, like unhashed passwords, that SaaS solutions present.