Google today unveiled a new G Suite security feature to improve data access controls and enhance phishing prevention: OAuth apps whitelisting. The feature is designed to help companies control how third-party applications are using enterprise user data.
OAuth apps whitelisting is likely a response to the widespread “Google Docs” phishing email that affected many Google users in May. At the time, Google disabled the accounts responsible for abusing the OAuth authorization, and then a week later tightened the review process for web apps that request user data. Having taken care of the original attack and locked down the process on the developer side, Google is now turning its attention to enterprises and their employees, although the company isn’t positioning it like that.
“We are constantly evolving and always looking for ways to help our users protect their data,” a Google spokesperson told VentureBeat. “This is just another example of the innovations we are bringing to the table to ensure our customers’ data is secure and protected and can combat new threats as they arise.”
As the name implies, OAuth apps whitelisting lets admins select which third-party apps are allowed to access users’ G Suite data. More specifically, the feature allows administrators to:
- Get fine-grained visibility into the third-party apps that are accessing G Suite data.
- Allow access to only trusted and vetted third-party OAuth apps.
- Guard OAuth access to core G Suite apps data by preventing unauthorized app installs, thus limiting the problems caused by shadow IT.
Once an app is on the whitelist, users can grant it access to their G Suite apps data. Third-party app access is enforced based on the policy set by admins, and employees are automatically protected against unauthorized apps.
In this way, Google is making it significantly less likely that users will accidentally grant access to corporate data — assuming administrators turn the feature on.