Skip to content

Integration with Google: A security tale

#Google Workspace

Connected data increases productivity

Data is everywhere. Our CRM has our customer data, our billing tool has our invoices and yet another tool collects our expenses. Instead of working in silos where you are constantly duplicating and correcting your data over and over again, there is an alternative approach where you allow all those tools to communicate with each other, keeping them in sync at all times, and giving you more time to focus on what needs to get done. But this story is not about how to do that. This story is about how you can do this in a secure way: protecting your data, while still allowing other applications access to a limited subset thereof.

One of the great advantages of Google for Work is that it’s an open platform with APIs for almost everything. Providing access to your data to a third party client calls for a secure environment and protocol. Last decade, you needed to pass your login credentials to the third party app, who would login in your name, exposing your password and risking your complete account integrity. Google, Facebook, Twitter and other big online companies, solve this using OAuth.

OA-What?

One of the best descriptions of OAuth that can be found on the internet is the following:

OAuth is a security protocol that enables users to grant third-party access to their web resources without sharing their passwords.

With OAuth, you allow a third party app access to your Google for Work account. The good part is, that the third party app explicitly needs to tell you which part of your account it will access, and which rights (read or write) it wants on that specific data. An app can ask your permission to only read contact details, and you must explicitly grant that permission. This way, you are certain that the app will have no access to any other data like Drive documents, emails or Calendar events. It keeps all your other data, and more importantly your password, out of reach for the third party application.

Screen Shot 2014-12-03 at 15.43.03

requesting access to read the user’s contacts with the scope ‘contacts_readonly’

By explicitly stating the requested permissions, it gives each user a very clear understanding of what part of her data she is granting access to. An app that has malicious intentions, will have a hard time getting user consent. Google puts it this way:

There is an inverse relationship between the number of permissions requested and the likelihood of obtaining user consent.

Screen Shot 2014-12-03 at 15.51.46

Unless you really trust the creator of “shut up and hack my account”, be sure to click ‘Cancel’ here

 

Power to the people

By using OAuth as a security protocol for both authentication (proving that you are who you say you are) and authorization (allow access to the data you have just verified that you own), web applications can securely integrate with your Google for Work account, leaving you in full control of what data that app can access. Discarding a specific application from your workflow? No need to change your password for the 10th time this month, you can review all applications, and revoke the access you previously gave from your Google Security Settings.

Screen Shot 2014-12-03 at 16.39.14

Revoking previously granted access

Reference: http://hueniverse.com/2010/05/15/introducing-oauth-2-0/)