3rd Party App Security with App Access Control

The longer a district has been using Google Workspace for Education, the larger the looming elephant of 3rd party application use becomes. How do you know what apps on the internet your staff and students are using via their Google Workspace accounts? The number of applications and sites out there is staggering, and by default, your staff and students can sign in to any of them using their Google Workspace accounts.

  • Are they using safe applications? 
  • What data do these companies gain access to about your students and teachers? 
  • What do these companies do with that data?

Some of these questions can be tough to answer, but our Admin console gives us a way to not only view what is happening but control this type of access in many ways.

Let’s set the stage first: 

When you visit a website or online application and it offers you a big shiny button or link to sign in with your Google account, the game is afoot! This is the first stage of API Control, called Authentication. At a minimum, these 3rd party applications will allow Google Workspace to validate that the user is who they say they are and grant them access to the app or web service. During this transaction a few basic and unavoidable pieces of information are given to that 3rd party vendor: your first and last name, your email address, and sometimes your Google Workspace profile pic. If the party stops there, we are not in too bad of shape, and this is very common.

Where things get interesting and concerning is when the 3rd party application also prompts the user to allow access to portions of their Google Workspace services, i.e. Google Drive, Gmail, Calendar, Contacts, etc.

This second stage is called Authorization, as it involves authorizing the 3rd party app to call Google APIs on your behalf to access this data.

So now that we know how this happens, what can we do about it? Thankfully there is a tool available in the Admin console called App Access Control. It can be found under the Security Menu on the side-bar, nested under API Controls.

App Access Control first allows you to view all the 3rd party apps in your entire domain that any of your staff and students have authenticated to or authorized API access for. This list can be invaluable as a starting point to understand the scope and severity of this issue in your environment. Some districts have also used this list to determine whether teachers and students are using the apps recommended and promoted by the district, or to spot a purchased application that is not being used, which can show a lack of adoption of said programs.
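The following Python is an added example, not part of the original article or of Google's tooling: it takes a constructed export of per-user app grants, separates apps that stopped at authentication from those authorized to reach Drive, Gmail, Calendar or Contacts, and ranks them for review. The record field names follow the Admin SDK Directory API `tokens` resource; the scope-to-service map covers only the services this article names, and all app names, client IDs and users are made up.

```python
from collections import defaultdict

G = "https://www.googleapis.com/auth/"
# Scopes that only identify the user (stage one, authentication).
IDENTITY_SCOPES = {"openid", "email", "profile", G + "userinfo.email", G + "userinfo.profile"}
# Scope prefixes that reach core services (stage two, authorization).
SERVICE_PREFIXES = {G + "drive": "Drive", G + "gmail": "Gmail", "https://mail.google.com/": "Gmail",
                    G + "calendar": "Calendar", G + "contacts": "Contacts"}

def service_for(scope):
    """Core service a scope reaches; None if identity-only, 'Other' if unlisted."""
    if scope in IDENTITY_SCOPES:
        return None
    for prefix, service in SERVICE_PREFIXES.items():
        if scope.startswith(prefix):
            return service
    return "Other"

def triage(grants):
    """Collapse per-user grants into one row per app, widest data access first."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "services": set()})
    for g in grants:
        app = apps[g["clientId"]]
        app["name"] = g["displayText"]
        app["users"].add(g["userKey"])
        app["services"].update(s for s in map(service_for, g["scopes"]) if s)
    rows = [{"name": a["name"], "clientId": cid, "users": len(a["users"]),
             "services": sorted(a["services"]),
             "stage": "authorization" if a["services"] else "authentication"}
            for cid, a in apps.items()]
    return sorted(rows, key=lambda r: (-len(r["services"]), -r["users"], r["name"]))

# Constructed sample grants; app names, client IDs and users are made up.
SAMPLE_GRANTS = [
    dict(clientId="1111.example", displayText="QuizTool", userKey="student1",
         scopes=["openid", G + "userinfo.email", G + "userinfo.profile"]),
    dict(clientId="2222.example", displayText="MailMergeHelper", userKey="teacher1",
         scopes=[G + "userinfo.email", "https://mail.google.com/",
                 G + "drive.readonly", G + "contacts.readonly"]),
    dict(clientId="3333.example", displayText="SlideDeckMaker", userKey="teacher1",
         scopes=[G + "userinfo.email", G + "drive.file"]),
    dict(clientId="3333.example", displayText="SlideDeckMaker", userKey="student1",
         scopes=[G + "drive.file"]),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_GRANTS):
        print(f'{row["stage"]:<15}{row["name"]:<18}users={row["users"]} {row["services"]}')
```

Apps in the "authorization" rows are the ones to evaluate first when building a Block or Allow list, since they hold access to user data beyond name, email and profile picture.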


The next step is a big one, but with careful planning can be accomplished:

You can do one of two things to manage and mitigate this issue: block certain unwanted 3rd party apps from being used while allowing all other apps in the world, or turn off all API access to the core Google Workspace services and run solely from an Allowed List.

Both of these choices are global, domain-wide approaches that take some time and preparation, but when the effort is made, they create a safer, more secure environment at your district. Thought and planning should also be put towards what your ongoing process will look like for adding apps to the Block or Allow lists, and how your teachers and staff will request these changes.

App Access Control and many other security-related challenges and solutions are part of our new Amplified Admin Security Specialist certification being offered by the Amplified IT Training team later this fall to Google Workspace Admins who have already completed the foundational training prerequisite, Amplified Admin Certification. For more information on this new and groundbreaking certification course please visit events.amplifiedit.com

  • Tom Woods
    Google for Education Training Lead

  • About the Author:

    Tom Woods is a Google Cloud Certified Administrator, Certified Deployment Specialist and Amplified Admin with over 24 years in IT and 17 years in K-12 education. Tom brings unique insights into the planning, implementation, and support of Google for Education in the K-12 space. His experience includes 14 years in a large Ontario K-12 district where Google Workspace and Google for Education was introduced in 2009 and has since grown into one of the largest installations in the province by Tom and his team. Joining Amplified IT 4 years ago, he now assists schools across North America and leads our Consultancy team of experts.