Thanks to the omnipresent “Sign in with” buttons that make creating new SaaS accounts fast and simple, employees regularly use OAuth grants to sign up for new tools and services. Unfortunately for security and IT teams, managing OAuth security risks at scale is far less straightforward, especially when it comes to SaaS-to-SaaS integrations that can grant more access than a user might understand. It can be difficult to even discover all of your organization’s OAuth grants, let alone evaluate the risk each new grant might pose or establish enforceable policies using the limited controls available at the app level.
But it’s not like security and IT teams have anything else going on, right?
To manage your organization’s OAuth grants more effectively and establish scalable policies, we recommend taking a more holistic approach to OAuth risk management.
Nudge Security offers a variety of features to help you discover, evaluate, and manage OAuth grants and the risks they pose to your organization. Within Nudge Security, you can view an inventory of your employees’ grants, be alerted to new grants with risky or overly-permissive scopes, and quickly investigate suspicious grants with relevant security context. To help you manage access to those grants, Nudge Security also includes automated revocation capabilities for Google and Microsoft grants, along with an employee offboarding playbook that makes it easy to clean up a departing user’s access.
Most recently, we’ve made it even easier to manage OAuth risks at scale with the addition of new OAuth filters and bulk management capabilities. Now, you can filter through your employees’ grants to find exactly what you’re looking for, such as high-risk grants or grants from a particular authorizing application. You can also revoke multiple OAuth grants at once with bulk selection, or audit usage of your organization’s grants by nudging multiple employees at once about whether their grants are still needed (and if not, revoke them automatically).
Take a look for yourself by exploring the interactive demo below, or read on for a more detailed breakdown.
In addition to discovering your organization’s SaaS sprawl, Nudge Security inventories the OAuth grants your employees have created through providers such as Google Workspace, Microsoft 365, GitHub, Zoom, and Slack. We’re able to show you both active grants and those that have been revoked.
Our new OAuth filters can help you make sense of your organization’s OAuth inventory, enabling you to filter and sort based on what you’re hoping to discover. For example, you can use filters to quickly distinguish between sign-in OAuth grants, which are often fairly benign from a data access standpoint, and app-to-app integrations with more extensive scopes that pose OAuth security risks.
Nudge Security helps you identify and prioritize grants with risky or expansive scopes by assigning an OAuth risk score to each grant in your environment.
OAuth risk scores are based on factors such as the number of scopes associated with a grant, the specific scopes they contain, and the level of data access they provide. For example, we would consider a scope “High Risk” if it permits an app to modify and delete Google Drive files. On the other hand, a scope that simply provides an app with permission to view a user’s email address is relatively low risk. You can filter and sort your organization’s OAuth grants by score to surface high-risk grants for investigation.
When a grant is new to your environment or ties into an ongoing security incident, you may need to investigate. Without Nudge Security, that might involve logging into providers like Google Workspace or Microsoft and manually searching for answers, lengthening your response time.
Nudge Security helps you bypass those manual steps and speed up OAuth reviews by providing an overview of each grant in your environment with relevant security context. Each profile includes information such as the name of each application, the grant provider’s email address, the client ID, the description, and the first and last times the grant was seen. You can also see how many other users within the organization have enabled OAuth grants for the same application and whether the permissions they’ve granted are the same or different.
Nudge Security helps you respond quickly when you discover a grant that presents more risk than your organization can tolerate.
You can quickly and easily revoke OAuth grants for Microsoft 365 and Google Workspace from each grant’s overview page. You can also revoke grants in bulk (new!) by selecting multiple grants from the OAuth overview page.
Given the ease of granting new OAuth integrations, it’s natural for employees to amass unused, obsolete grants that they’ve experimented with and long forgotten. (A few weeks ago, I used an OAuth-enabled tool for a one-time project and haven’t touched it since. Luckily, I saw it in our corporate Nudge Security instance and revoked it right away.)
On one hand, it’s prudent to eliminate unused grants regularly. On the other hand, no one wants to disrupt business by wiping out grants that employees are still using.
With Nudge Security’s OAuth filters and bulk selection, you can automatically nudge users to find out if they still need their OAuth grants from Microsoft 365 and Google Workspace. Each user will receive an email or Slack message asking whether they’re still using a particular integration. If users respond that they still need access, nothing will change. On the other hand, if a user responds that they no longer need access, their OAuth grant will be revoked automatically as soon as they click “Revoke the grant now.” (You can also send this nudge from a specific app’s overview page.)
When an employee leaves your organization, it can take hours to manually track down every account and integration the user ever created—particularly if the user had sensitive access that requires extra attention and care. Unfortunately, there’s a common misconception that suspending a user’s Google Workspace account automatically revokes their OAuth access. In reality, suspending their account simply leaves the departing user’s OAuth grants in limbo, resulting in lingering access. It’s important to revoke those grants explicitly—but doing so in Google Workspace requires multiple clicks for each grant you want to revoke.
Fortunately, Nudge Security’s offboarding playbook helps you clean up your employee’s OAuth-managed access automatically, along with their SSO-managed and unmanaged accounts.
First, the offboarding playbook flags any OAuth integrations owned by the departing user that you might need to recreate. For example, perhaps that user connected CircleCI with GitHub and something critical might break if that integration goes away. Next, the playbook shows you the user’s OAuth-managed accounts and gives you the option to revoke all of those grants with the click of a button, or to revoke or ignore each one manually.
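To make the scope-based risk scoring described earlier and the lingering grants of suspended users concrete, here is a small triage script written for this article (example code, not Nudge Security's product code). The scope weights, the High/Medium/Low thresholds and the sample inventory are constructed assumptions; only the Google scope URIs are real.

```python
from dataclasses import dataclass

# Constructed scope weights (assumption): a larger number means broader data access.
# The scope URIs are Google's real scope names; the weights are ours, not a standard.
SCOPE_RISK = {
    "openid": 1,
    "https://www.googleapis.com/auth/userinfo.email": 1,   # view email address only
    "https://www.googleapis.com/auth/drive.readonly": 4,   # read all Drive files
    "https://www.googleapis.com/auth/drive": 8,            # modify/delete Drive files
    "https://www.googleapis.com/auth/gmail.modify": 8,     # read, send, delete mail
}
UNKNOWN_SCOPE_RISK = 3  # assumption: an unrecognised scope gets a middle weight

@dataclass
class Grant:
    user: str
    app: str
    client_id: str
    scopes: list
    user_suspended: bool = False  # suspending the user does not revoke the grant

def score_grant(grant):
    """Sum of scope weights, plus one point per additional scope for breadth."""
    weights = [SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) for s in grant.scopes]
    return sum(weights) + max(0, len(grant.scopes) - 1)

def risk_level(score):
    return "High" if score >= 8 else "Medium" if score >= 4 else "Low"

def is_sign_in_only(grant):
    """True when every scope is identity-only, i.e. a plain 'Sign in with' grant."""
    return all(SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) <= 1 for s in grant.scopes)

def triage(grants):
    """Return (grant, reason) pairs that need review or revocation."""
    findings = []
    for g in grants:
        if g.user_suspended:
            findings.append((g, "lingering grant of suspended user"))
        elif risk_level(score_grant(g)) == "High":
            findings.append((g, "high-risk scopes"))
    return findings

# Constructed sample inventory (not real users, apps or client IDs).
SAMPLE_GRANTS = [
    Grant("alice@example.com", "NotesApp", "client-a", ["openid", "https://www.googleapis.com/auth/userinfo.email"]),
    Grant("bob@example.com", "DriveSync", "client-b", ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/userinfo.email"]),
    Grant("carol@example.com", "MailBot", "client-c", ["https://www.googleapis.com/auth/gmail.modify"], user_suspended=True),
]
```

Running `triage(SAMPLE_GRANTS)` skips the sign-in-only NotesApp grant, flags DriveSync for its Drive write scope, and flags MailBot because its owner is suspended rather than offboarded.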
Want to be alerted to new or risky grants in your environment? Nudge Security provides granular controls to help you determine the notifications you’d like to receive. You can also use automated rules to send nudges to your employees through email or Slack to gather additional context on new or risky OAuth grants.
Learn more about how Nudge Security can help your team manage OAuth grants at scale.