The ability to control 3rd party app access is a hot issue for K-12 IT admins planning for hybrid learning this year.
Vendors flooded the K-12 market with remote learning resources such as free or reduced-price 3rd party apps when COVID-19 first shut down school buildings. Most of these Education Technology (EdTech) apps are offered on cloud-based SaaS architecture. If a SaaS app isn’t engineered with security in mind, it can cause real security headaches. There are also a variety of other security issues that make it necessary for school districts to control 3rd party apps.
What are 3rd Party Apps?
PCMag.com defines 3rd party apps as “An application that is provided by a vendor other than the manufacturer of the device.”
In education environments, most 3rd party apps are cloud apps that are connected to a Google or Microsoft domain using Open Authorization (OAuth). OAuth is popular because it saves users time when they log in to their apps. For example, an app can let you log in using the credentials you use to log in to Google. It cuts down on the number of logins a user needs to keep track of. It also gives the app access to different permissions, such as the ability to view, read, write, and/or send emails through Gmail.
There are tens of millions of apps available on Google and Apple app stores. The volume is undoubtedly one reason why even these two giants deal with malicious apps. For example, early in 2020, Google found fraudulent apps in their store that could cause significant problems for the owners of the 1.7 million devices that already had the apps installed.
3rd party apps are also available on many private websites. While most people know not to download apps that haven’t at least been vetted by Google and/or Apple, less tech-savvy adults and younger students who don’t know better could create real problems for IT admins. It’s important to include a warning against those types of apps during internet education for students, staff, and teachers. Better yet is to have a formal 3rd party app policy that includes a list of approved apps and a process for vetting new apps.
“Shadow” 3rd Party Apps
One of the biggest challenges district IT admins have is finding ways to control the 3rd party apps that are part of the tidal wave of EdTech being connected to their district domains. This has always been a problem, but it has ballooned out of control since remote learning began last spring. Those admins understand first-hand the meaning of “shadow” 3rd party apps.
TechTarget defines a shadow app as “a software program that is not supported by an employee’s information technology department.” IT teams have an even bigger challenge because not only are teachers using shadow apps for EdTech, but students are busy connecting shadow apps to district systems as well.
OAuth risks were an issue long before COVID-19 required schools to switch to remote learning almost overnight. EdTech security risks include ransomware vulnerabilities, account takeover risks, and data security threats for school districts that aren’t monitoring and controlling app risk levels and activities.
Hybrid learning security increases the complexity of securing district data and information systems. IT teams need to start planning to monitor and control 3rd party apps that are creating these security risks in their environment.
How to Control 3rd Party Apps for Hybrid Learning
Our recent poll found that just over 60% of K-12 districts are planning for hybrid learning for the 2020/21 school year due to continued COVID-19 concerns. This means that students, teachers, and staff will be relying on cloud apps more than ever before. Controlling 3rd party apps, along with the variety of other K-12 cloud risks, is going to continue to be a challenge for many districts.
It’s true that Google and Microsoft provide some type of native support to control 3rd party apps. The problem is that these native solutions require expensive upgrades to get close to real control and they aren’t very user-friendly. Neither native solution provides an easy way to find and control 3rd party apps that shouldn’t be connected to your district’s domain. Nor do they allow you to automate 3rd party app management on a granular level. Controlling 3rd party apps is still a time-consuming and frustrating process.
Controlling 3rd Party Apps in Google Admin Console
Using Google’s App Access Control feature, you can:
- restrict access to most G Suite services
- leave G Suite services unrestricted
- trust specified apps to access restricted G Suite services
- trust all domain-owned apps
Using this tool, you can review the apps that your users have authorized. You can see the number of users accessing the app, which G Suite services each app is using, and whether the app is verified to access certain restricted data. You can then assign each app to a category, including Unrestricted, Restricted, and Restricted – High-Risk. You can also add and delete apps from a “trusted” list.
When an app is trusted, it can access all Google services, but you can also make a trusted app limited, which means it can only access unrestricted Google services. Any internal apps that you build for your district can be trusted as a group, or you can assign them to a “trust internal, domain owned apps” category individually.
Building a trusted app list is time-consuming and difficult to manage. And, once you enable the restricted function in Admin Console, the policy is applied globally to your entire domain. There is no flexibility to allow certain apps for different OUs.
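The review described above (which apps users have authorized, how many users each has, and what each can access) can also be run over an exported list of OAuth grants and compared with an approved-app list. The script below is an added example, not code from the original post or from Google; the record fields mirror the Admin SDK Directory API token resource (`clientId`, `displayText`, `scopes`, `userKey`), while the sample data, the approved list and the scope risk tiers are assumptions made for illustration.

```python
# Constructed sample grants; users, client IDs and app names are made up.
AUTH = "https://www.googleapis.com/auth/"
GRANTS = [
    {"userKey": "teacher1@district.example", "clientId": "111.apps.example",
     "displayText": "Quiz Maker", "scopes": ["openid", AUTH + "userinfo.email"]},
    {"userKey": "student1@district.example", "clientId": "111.apps.example",
     "displayText": "Quiz Maker", "scopes": ["openid"]},
    {"userKey": "teacher2@district.example", "clientId": "222.apps.example",
     "displayText": "Mail Merge Helper", "scopes": ["https://mail.google.com/"]},
    {"userKey": "student1@district.example", "clientId": "333.apps.example",
     "displayText": "File Converter", "scopes": [AUTH + "drive.readonly"]},
    {"userKey": "student2@district.example", "clientId": "333.apps.example",
     "displayText": "File Converter", "scopes": [AUTH + "drive.readonly"]},
]

# Assumption: the district's approved-app list, keyed by OAuth client ID.
APPROVED = {"111.apps.example"}

# Assumption: a local policy that ranks scopes. Full mailbox, mail-send and
# full Drive access are "high"; narrower Gmail/Drive scopes are "medium".
HIGH = {"https://mail.google.com/", AUTH + "drive", AUTH + "gmail.send"}
MEDIUM_PREFIXES = (AUTH + "drive.", AUTH + "gmail.")
LABELS = ["low", "medium", "high"]

def scope_risk(scope):
    if scope in HIGH:
        return 2
    return 1 if scope.startswith(MEDIUM_PREFIXES) else 0

def audit(grants, approved):
    """Aggregate per-user grants into one row per app, riskiest first."""
    apps = {}
    for g in grants:
        app = apps.setdefault(g["clientId"], {"name": g["displayText"],
                                              "users": set(), "scopes": set()})
        app["users"].add(g["userKey"])
        app["scopes"].update(g["scopes"])
    rows = [{"clientId": cid, "name": a["name"], "users": len(a["users"]),
             "risk": max(map(scope_risk, a["scopes"]), default=0),
             "approved": cid in approved} for cid, a in apps.items()]
    # Unapproved apps first, then by highest scope risk, then by user count.
    rows.sort(key=lambda r: (r["approved"], -r["risk"], -r["users"]))
    for r in rows:
        r["risk"] = LABELS[r["risk"]]
    return rows

if __name__ == "__main__":
    for row in audit(GRANTS, APPROVED):
        print(row)
```

The unapproved rows at the top of the report are the “shadow” apps to vet first.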
> Learn how to control 3rd party apps in Google Admin Console
Controlling 3rd Party Apps in Office 365 Advanced Security Management
When a user tries to connect an app to Office 365, a prompt will appear asking them to approve the permissions for that app. However, since many users don’t read the permissions closely or don’t know which apps should be allowed access, Microsoft also provides an App Permissions feature that District IT can use to manage the apps’ access.
Using App Permissions, you can see which apps have access to Office 365 data, and the level of permission assigned. You can also see which users approved access to their accounts for each app. You can then approve the app or reverse its permissions, which will restrict its access to any users’ data. If you do deny an app permission to access Office 365 data, you can send a notice to the users who approved the app to notify them that the app is no longer available.
Again, accomplishing these tasks in your console is “clunky” at best. It doesn’t provide you granular control over approving, removing, sanctioning, and unsanctioning apps without the need for advanced coding and configurations.
> Learn how to control 3rd party apps in Office 365 Advanced Security Management
Isn’t It Ironic? You Can Use a 3rd Party App to Control Your 3rd Party Apps!
ManagedMethods is a platform developed specifically for K-12 cloud security and student safety. We help school districts remain compliant with federal regulations such as FERPA, COPPA, and CIPA. We also help districts comply with the litany of state laws that have passed in recent years (learn how we helped Hillsboro-Deering School District comply with NIST requirements).
ManagedMethods will help your IT department quickly and easily identify and control 3rd party apps in your domain.
> Learn how to control 3rd party apps in ManagedMethods by requesting a demo
*** This is a Security Bloggers Network syndicated blog from ManagedMethods authored by Katie Fritchen. Read the original post at: https://managedmethods.com/blog/k12-control-3rd-party-apps/