In the perpetual race for greater productivity and agility, employees increasingly connect third-party applications to their organization’s core systems, to automate and streamline their work processes (using API keys, OAuth tokens, service accounts, webhooks, SSH keys and more).
New third-party applications (whether it’s a calendar sync app connecting to Google Workspace or a CI/CD productivity cloud service connecting to GitHub) are given access to core systems and business data on a daily basis, often without the security team’s knowledge. These unmonitored, improperly secured app-to-app connections expose organizations to supply chain attacks, data breaches and compliance violations – and the attack surface is bigger than you might think.
Researchers at Astrix analyzed customer data over the past twelve months and discovered alarming numbers. From hundreds of unused connections with non-marketplace apps to thousands of access tokens that have access to core systems, here are our top six findings about organizations’ app-to-app connectivity and security.
1. Thousands of access tokens
According to our findings, a typical organization has 10 tokens (OAuth tokens, personal access tokens, SSH keys, service accounts and others) per employee on average, across all monitored core systems. This means that each new employee creates 10 tokens that can access their company’s resources. While the number of tokens per employee varies depending on their role, the average remains high – a company with 1000 employees has roughly 10,000 tokens granting different applications access to its core systems.
2. Hundreds of newly added tokens and apps weekly
Employees in mid-size organizations create, on average, around 35 new OAuth tokens for Salesforce apps, 40 new OAuth tokens for Slack apps, and 130 new OAuth tokens for Google Workspace apps every week. In addition, 20-30 new personal access tokens and SSH keys are generated in GitHub organizations every week.
3. Hundreds of unused access tokens
Unused open connections needlessly expand your attack surface. According to our findings, in a typical GitHub organization of a mid-sized company (1000 – 10,000 employees), approximately one in four tokens (PATs and SSH keys) is not in use and can be safely removed without impacting the business.
Similarly, around 23% of connections in Google Workspace environments are not in use, while in Salesforce environments the numbers are as high as 30% on average.
4. Unstructured connections
While in some platforms the predominant way to connect to third-party services is by using OAuth applications, in other platforms the large majority of connections are unstructured connections – service accounts, API keys, SSH keys, webhooks etc. These unstructured connections tend to go under the radar of security teams far more than applications, since they are more difficult to discover, monitor and secure. This poses a huge threat to organizations, as Astrix found that these unstructured connections account for about 96% of all connections in a typical GitHub organization, while “classic” apps only account for about 4% of the integrations.
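The two findings above (unused tokens in finding 3, unstructured versus OAuth-app connections in finding 4) both come down to the same audit: enumerate every connection, note what kind it is and when it was last used, and report the stale ones and the unstructured share per platform. The following is an added example of that audit logic, not Astrix’s product code; it runs over a small constructed inventory with hypothetical field names (`platform`, `kind`, `owner`, `created`, `last_used`), and a never-used token counts as idle from its creation date.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# "Structured" connections are OAuth apps; everything else (PATs, SSH keys,
# service accounts, API keys, webhooks) is an unstructured connection.
STRUCTURED_KINDS = {"oauth_app"}


@dataclass(frozen=True)
class Connection:
    platform: str                 # e.g. "github", "google_workspace", "slack"
    kind: str                     # "oauth_app", "pat", "ssh_key", "service_account", ...
    owner: str                    # employee or app that owns the credential
    created: datetime
    last_used: Optional[datetime]  # None means the credential has never been used


# Fixed "now" so the example is reproducible; a real audit would use datetime.now(tz=...).
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample inventory (hypothetical; not real customer data).
INVENTORY: List[Connection] = [
    Connection("github", "pat", "alice", days_ago(400), days_ago(2)),
    Connection("github", "pat", "bob", days_ago(300), days_ago(200)),    # idle for 200 days
    Connection("github", "pat", "carol", days_ago(120), None),           # created 120 days ago, never used
    Connection("github", "ssh_key", "alice", days_ago(50), days_ago(1)),
    Connection("github", "ssh_key", "dave", days_ago(30), None),         # never used, but only 30 days old
    Connection("github", "oauth_app", "ci-bot", days_ago(200), days_ago(3)),
    Connection("google_workspace", "oauth_app", "calendar-sync", days_ago(90), days_ago(5)),
    Connection("google_workspace", "oauth_app", "old-addon", days_ago(500), days_ago(150)),
    Connection("google_workspace", "service_account", "etl", days_ago(60), days_ago(0)),
    Connection("slack", "oauth_app", "standup-bot", days_ago(10), days_ago(0)),
]


def stale_connections(inventory: List[Connection], now: datetime = NOW,
                      max_idle_days: int = 90) -> List[Connection]:
    """Connections not used within max_idle_days; never-used ones count from creation."""
    cutoff = now - timedelta(days=max_idle_days)
    return [c for c in inventory if (c.last_used or c.created) <= cutoff]


def unused_counts_by_platform(inventory: List[Connection], now: datetime = NOW,
                              max_idle_days: int = 90) -> Dict[str, Tuple[int, int]]:
    """Map platform -> (stale connections, total connections)."""
    stale = set(stale_connections(inventory, now, max_idle_days))
    counts: Dict[str, Tuple[int, int]] = {}
    for c in inventory:
        s, t = counts.get(c.platform, (0, 0))
        counts[c.platform] = (s + (1 if c in stale else 0), t + 1)
    return counts


def unstructured_share(inventory: List[Connection], platform: str) -> Tuple[int, int]:
    """(unstructured connections, total connections) for one platform."""
    on_platform = [c for c in inventory if c.platform == platform]
    unstructured = [c for c in on_platform if c.kind not in STRUCTURED_KINDS]
    return (len(unstructured), len(on_platform))


if __name__ == "__main__":
    for c in stale_connections(INVENTORY):
        print(f"stale: {c.platform}/{c.kind} owned by {c.owner}")
    for platform, (stale, total) in unused_counts_by_platform(INVENTORY).items():
        print(f"{platform}: {stale}/{total} connections unused for 90+ days")
    u, t = unstructured_share(INVENTORY, "github")
    print(f"github: {u}/{t} connections are unstructured (non-OAuth-app)")
```

On the sample data the audit flags three stale connections (two GitHub PATs and one Google Workspace OAuth app) and shows five of the six GitHub connections as unstructured; the same functions run unchanged over a real export once it is mapped onto the `Connection` fields.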
5. Majority of non-marketplace apps
Platform marketplaces usually have strict security and privacy standards that app developers must adhere to. However, apps that are not published to the marketplace don’t necessarily live up to these standards. While it’s commonly thought that the majority of third-party connections originate in the platforms’ marketplaces, the findings teach us otherwise. For example, 60% of Slack apps in a typical mid-sized company are non-marketplace apps, reaching as high as 85% in some organizations. In Google Workspace environments non-marketplace integrations are even more prevalent, averaging 88% of integrations.
6. Service accounts
Service accounts are becoming increasingly common as a means of connecting applications to one another, especially in databases such as Snowflake and BigQuery. Astrix has found that approximately 1 in 5 users in a Snowflake production environment is in fact a service account.
A service account is an identity used by an application or automated service, as opposed to a user account, which is an identity used by a human. Service accounts are more vulnerable to attacks than user accounts, since they can’t be secured by tools like MFA, for example.
The Astrix approach to securing app-to-app connections
By automatically creating an inventory of all app-to-app connections that exist within your IT assets, and detecting over-privileged, unnecessary or malicious connections, Astrix helps you find and mitigate supply chain risks related to the way apps are integrated, without impacting productivity.
Using an agentless approach, Astrix provides comprehensive visibility into all app-to-app connections across all SaaS, PaaS and IaaS environments. This allows businesses to identify their integrations, detect risks, remediate gaps and manage the complete lifecycle of every connection to prevent new risks from arising.
With Astrix, businesses can take full advantage of the power of app-to-app automation and integration without compromising on security.