Since its launch in 2006, Google has marketed G Suite as a place where you get everything done. In fact, if you go to the G Suite website the banner across the top of the page still reads: "All you need to do your best work, together in one package that works seamlessly from your computer, phone or tablet.” But it’s very nature implies integration — and not just with Google apps.
However, that seems to be changing. According to a statement from Google, the company will start limiting G Suite access for less secure apps (LSAs), or non-Google apps in June of this year. The statement reads: “Starting in June 2020, we’ll limit the ability for LSAs to access G Suite account data. LSAs are non-Google apps that can access your Google account with only a username and password.”
G Suite and LSAs
What's the reasoning behind this move? LSAs, the blog explains, make accounts more vulnerable to hijacking attempts. But there is a way out, which will impact how third-party apps are accessing Google’s main digital workplace offering. Instead of LSAs, you can use apps that support OAuth — a modern and secure access method.
The move will likely impact users of legacy email, calendar and contacts apps. There are two important dates to keep in mind in this respect:
- June 15, 2020: Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts and email via protocols such as CalDAV, CardDAV, IMAP and Exchange ActiveSync (Google Sync).
- February 15, 2021: Access to LSAs will be turned off for all G Suite accounts.
This is not just an attempt by Google to limit the use of third-party apps in G Suite. As it stands, many workers using G Suite as part of their digital workplace are using non-Google apps and giving those apps permission to access G Suite data.
The problem is that when users give access to G Suite through an LSA using just a username and password, without any other authentication factor then that account is at risk. However, when account access is provided through OAuth then the account is as safe as it is could possibly be.
Related Article: Forget Slack vs. Email: Think Slack Plus Email
LSA vs. OAuth
LSA describes the parts of the Local Security Authority (LSA) that applications can use to authenticate and log users on to the local system. It also describes how to create and call authentication packages and security packages. Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system.
OAuth is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords This mechanism is used by companies such as Amazon, Google, Facebook, Microsoft and Twitter to permit the users to share information about their accounts with third-party applications or websites.
Related Article: 12 Productivity Tools Baked Into Office 365
Securing G Suite
So, is this a good thing or a bad thing? Obviously it is too soon to say how this will effect enterprises using G Suite for productivity, but so far the response to the move has been positive, said Paul Bischoff, a privacy advocate with Comparitech.com.
Bischoff believes that digital workers and organizations that use LSAs will have to start phasing them out in favor of alternatives that use OAuth. Some apps might offer LSA authentication and OAuth, in which case you would just need to re-authenticate your account using OAuth. In light of this news, it is likely that many LSAs will add OAuth in the coming weeks. So if OAuth is not an option yet, contact the developer and ask if they have plans to add it. “In the end, this will make G Suite users safer by making it much harder for an attacker to hijack an account.” said Bischoff.
“Many believe that this is a good move, even if it means initially restricting third-party apps. Although this may impact digital workers at first, humans are an adaptable species and will find their ways to ensure things will move on as per usual (or as close to that as possible),” said Will Ellis, founder of Privacy Australia and IT security consultant. “The digital work-space is a fast-paced environment, and I don’t doubt that those working in it are used to abrupt changes. If companies are prepared, they have more than likely already put plans in place for the G Suite shift and will therefore manage it with ease,” he said.
In the long run, this shift is a benefit for digital workers, as their data is less likely to be leaked and they will be operating in a much more secure space. “We need to remember that the race for securer technology brings with it malicious individuals trying to breach that security,” he added.
Banning LSAs is just another step in making G Suite a walled garden, and increasing Google’s dominance in the cloud storage space, said Blake Sutton, senior electrical and software engineer. Yes, there is an increased security risk when connecting G Suite to third-party apps — but that is a poor excuse for banning it altogether. “Users are not as ignorant as this blanket ban implies; if a digital worker wants to allow an LSA to connect to G Suite, they should have the option to do so. Many understand the risks and are happy that the LSA’s usefulness outweighs them,” he said.
The solution is to educate users of the added risk they are exposing themselves to when they attempt to connect an LSA, but do not treat users as buffoons by banning it altogether, according to Ellis. “I suspect Google knows this, and are just using 'security' as a convenient excuse to turn G Suite into a closed platform,” he said. “If Google wants to help enforce good security practices, then they should focus on education as opposed to restriction.”