Google is barring companies from accessing its enterprise productivity tools through apps that share passwords. Could its effort to standardize data governance also drive firms to the Google Cloud platform?
We’ll know in June. That’s when the Alphabet subsidiary will begin restricting first-time logins from non-Google applications for users of its proprietary G-Suite offeringsOpens a new window , a package of products for mail, calendars and contacts hosted in the cloud.
By February of next year, legacy logins via so-called less secure apps, or LSAs, will be shut off, too.
Google says its goal is to strengthen protection of the information stored in databases used by millions of workers. The login information that gives LSAs access to the G Suite offers hijackers a gateway into its cloud should they breach the safeguards in third-party applications.
Given that many apps don’t ascribe to the OAuth (open authentication) standardOpens a new window the company is pushing for password-free permission, the move also opens a door to increasing monthly subscription ratesOpens a new window that can reach north of $25 per G Suite user at companies seeking more robust data security.
Looming deadlines for API access
Systems administrators at G Suite customers are being informed in greater detailOpens a new window of the changes outlined in a pair of blog posts. Google in July turned domain-level control of LSA access over to users, which it said minimizes disruption associated with the impending restrictions on preferred apps.
Last month, it set the timeline for the changeover. This includes a June 15 cutoff for first-time access via LSAs and a Feb. 15, 2021, date for the final day of access for LSAs registered before then, after which only Google and OAuth-compliant apps will be allowed in.
Coinciding with the December announcement, Google launched an initiative to improve cloud security. Among the projects and partners are a Citrix workspace in G SuiteOpens a new window and a centralization of end-to-end API access monitoring with the specialist provider Arctic Wolf.
A token solution
Google says the OAuth standard provides more details on validation, including information about login attempts that can indicate suspicious activity. It also helps administrators to enforce the parameters they set around employee access to G Suite databases.
Built to an open standard, the OAuth protocol uses tokens instead of passwords to validate requests and grant access to Google APIs. The authorization server that issues the token can be configured to grant selective access to the third-party application of information contained in underlying databases.
OAuth creators liken the tokens to an automobile’s valet keyOpens a new window , which allows parking attendants to move vehicles around a lot but bars entry to trunks and glove boxes. Administrators can build user consent into OAuth tokens, which feature a limited lifespan that Google says adds a further layer of security.
The initiative began life in 2007 and with the help of Google employees issued a first iteration three years later. While researchers exposed vulnerabilities in the 2.0 protocolOpens a new window  currently in use, Google in 2017 locked down a minor breach that allowed scammers to access the account information of around one million Gmail users within an hour.
Action and uptake
Amazon, Microsoft and Twitter also use the standard. But because OAuth isn’t universal, the change will force users who prefer accessing G Suite data with third-party applications to take action.
One of the affected platforms is Microsoft’s competing Outlook API, which only began supporting the standard in its 2019 iteration and will require a G Suite synch for earlier versions. Outlook for Mac and MacOS users will need to re-add accounts when they are banned next year and users of Apple’s IoS mail will require pushes from their mobile device management vendors to restore lost access.
While those headaches loom, the desire among systems administrators to prevent them works to Google’s advantage.
Google trails both Amazon Web Services and Microsoft in global league tables, and boosting applications security offers an avenue for Google to increase its income as more companies place more of their data into the cloud.