Ah, January! The month of fresh starts, new resolutions, and doubling down on our best behaviors. This is the perfect time for Google Workspace Super Admins to do a check to ensure they’re following best practices when it comes to identity and access management.
Unsure where to start? Here are three things you can do today.
1. Audit all apps and limit scopes where needed
OAuth is a widely used protocol for granting access to resources. In Google Workspace, unmanaged applications connected through OAuth also represent one of the largest surface areas for data to be unknowingly leaked.
When a user grants an application access to their Google Workspace data through OAuth, they may not be fully aware of the scope of access they are giving to the application, and the application may have access to more data than the user intended. This issue becomes particularly critical when applications with extensive permissions retain this access for prolonged periods.
To mitigate risks like unauthorized access, data exposure, and account takeover, it’s essential for leaders to proactively manage and monitor these OAuth grants. Regular reviews and audits of the grant validity periods are key practices in ensuring these permissions are necessary and relevant, and in maintaining the overall security and integrity of your organization’s data.
One way to do this is by using your Google Workspace console and navigating the following path: Security > Access and Data > API Controls > Manage third party app access > View list. There, you can view apps with access, revoke access if needed, and just get a general view of what’s going on in your app environment. Check out the video below, where I walk you through it.
On the other hand, you can also easily track this information with YeshID. Our intuitive dashboards present a comprehensive overview of app licenses, showcasing the interconnected web of permissions across different applications. This helps leaders easily identify which apps or services have broad access to sensitive data and understand the potential risks associated with each OAuth grant.
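The same review can be scripted. The following is an added example, not part of the original post or of YeshID's product: it groups OAuth grants by app and lists the apps holding broad scopes, most exposed first. It assumes grant records with the `userKey`, `clientId`, `displayText` and `scopes` fields of the Admin SDK Directory API `tokens` resource; the sample records and the choice of which scopes count as broad are constructed for illustration.

```python
from collections import defaultdict

# Assumed risk list for this example; tune it to your own data-classification policy.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/calendar": "full Calendar access",
    "https://www.googleapis.com/auth/admin.directory.user": "manage directory users",
}

# Constructed sample records, shaped like Directory API `tokens` resources.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "111.apps.example",
     "displayText": "Notes Sync",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
    {"userKey": "bob@example.com", "clientId": "111.apps.example",
     "displayText": "Notes Sync",
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
    {"userKey": "bob@example.com", "clientId": "222.apps.example",
     "displayText": "Meeting Timer",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "carol@example.com", "clientId": "333.apps.example",
     "displayText": "CRM Connector",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/admin.directory.user"]},
]

def audit_grants(tokens):
    """Group grants by app; return apps holding broad scopes, riskiest first."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "broad": set()})
    for tok in tokens:
        app = apps[tok["clientId"]]
        app["name"] = tok.get("displayText", "")
        app["users"].add(tok["userKey"])
        # Exact match only: calendar.readonly must not count as full calendar access.
        app["broad"].update(s for s in tok.get("scopes", []) if s in BROAD_SCOPES)
    findings = [
        {"clientId": cid, "name": a["name"], "users": sorted(a["users"]),
         "broad_scopes": sorted(a["broad"])}
        for cid, a in apps.items() if a["broad"]
    ]
    # Rank by number of broad scopes, then by number of users who granted them.
    findings.sort(key=lambda f: (-len(f["broad_scopes"]), -len(f["users"]), f["clientId"]))
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_TOKENS):
        reasons = ", ".join(BROAD_SCOPES[s] for s in f["broad_scopes"])
        print(f"{f['name']} ({f['clientId']}): {len(f['users'])} user(s); {reasons}")
```

Apps at the top of the output are the first candidates for revoking access or limiting scopes in the API Controls view described above.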
2. Review your authentication settings
Reviewing your authentication settings to ensure they align with internal policies is paramount. We recommend you use one of these two approaches:
The traditional 2FA and strong password approach
First, enforce strong passwords that contain a combination of uppercase and lowercase letters, numbers, and special characters, and are at least 12 characters long. Using a unique password for each account is important because if a hacker gains access to one password, they will not be able to use it to access your other accounts. You can do this through the Google Workspace Admin console.
Second, turn on two-factor authentication (2FA) to add an extra layer of security to your online accounts by requiring a second form of verification in addition to your password (usually a code sent to your phone, a biometric scan, or a physical token). 2FA makes it much harder for someone to gain unauthorized access to your accounts: even if they have your password, they also need access to your second form of authentication in order to log in. You can do this through the Google Workspace Admin console.
The more modern passwordless approach
A more secure (and easier to use) choice is to adopt the passwordless setting. It has several benefits:
- You stop using the vulnerable password
- You handle the two-factor requirement with a simpler user experience
3. Streamline your onboarding/offboarding process
If you’re still onboarding new users manually in Google Workspace the old way, it might be time to think about updating your process. Fortunately, that doesn’t have to mean putting weeks into procuring a tool or hiring an employee.
By augmenting Workspace’s hard-to-navigate console with a user-friendly dashboard and enhanced controls, YeshID makes streamlining onboarding and offboarding a breeze. Scheduled workflows, flexible controls, and customizable templates help automate onboarding/offboarding and provisioning tasks, ensuring the right users have the right access at the right time.
- Schedule onboarding: YeshID allows you to schedule onboarding tasks. An email is automatically sent to the user on their start date, and their account is provisioned immediately to kickstart the application license process.
- Create templates for departments: Create templates for different departments to automate the assignment of groups and orgs, reducing manual work.
- Manage application provisioning: Manage the application provisioning process through YeshID’s task management system. Assign administrators for each application, and they’ll receive notifications for when to provision access.
- Compliance management: YeshID serves as a central source of truth for access management, making it easy to demonstrate compliance when needed.
It’s your year!
Let YeshID be your partner in keeping your identity and access management realm simple, effective, and secure. Get YeshID Onboard for free and start today.