This post was originally published on May 24, 2023 and updated on July 20, 2023 with the release of new capabilities to nudge users to remove unnecessary OAuth grants.
I have a confession to make: Sometimes, when I’m trying to fuse two SaaS applications together for some productivity hack at work, I breeze through the ubiquitous OAuth request screen without much thought. This app wants permission to read all of my Slack messages? Whatever. This calendar widget wants permission to delete files on my Google Drive? Cool. This one wants permission to record all of my Zoom calls? Go for it.
To be fair, I’m hardly alone. OAuth grant requests have become another version of the terms and conditions we all scroll past to get what we wanted, fast. (Well, everyone except our privacy lawyer friend, Bradley Gold.) But, as it so often goes, what’s a dream for productivity is a nightmare for the IT security team. Managing OAuth risk is quickly becoming a top priority for cybersecurity practitioners, and we’re here to help.
Earlier this year, we introduced OAuth risk scoring capabilities to Nudge Security to help IT security teams track all of the SaaS-to-SaaS integrations across their organizations, and to immediately surface risky and overly permissive grants. In today’s release, we improved upon this functionality with the addition of a handy “revoke” button. With it, Nudge Security administrators have the option of revoking risky and overly permissive OAuth grants for Microsoft 365 and Google Workspace directly from within Nudge Security.
Now, Nudge Security users can see all app-to-app integrations granted through OAuth, surface OAuth risks, review details, and take response action—all without having to bounce around multiple environments to piece it together. This is especially useful alongside Nudge Security’s third-party vendor risk insights and SaaS supply chain breach data. For example, if you receive an alert that Bill in operations just started using a new SaaS application hosted in a country on your "no" list, you can immediately revoke any OAuth grants he gave. Or, if you receive a SaaS supply chain breach notification from Nudge Security and want to quarantine a breached SaaS provider, you now have an incredibly streamlined way to see everything it’s connected to and quickly pull the plug.
Pretty cool, huh? Of course, with great power comes great responsibility. Beyond break-glass situations, revoking OAuth grants that are used by your workforce without any context or warning can be disruptive and break automation workflows. That’s why we’ve also introduced the ability to nudge employees to review potentially risky and unnecessary Oauth grants.
When you nudge a user about an OAuth grant you hope to revoke, your user will receive an email or Slack message asking them to confirm whether they’re still using the integration. Once the user confirms that the integration is no longer in use, the OAuth grant will be revoked automatically. With notification rules, you can build your own workflow to automatically nudge employees whenever risky OAuth grants are given.
Give it a try and let us know what you think! You can start a zero-commitment 14-day free trial here!