Google Workspace Marketplace applications enhance your users' experience and help them get more done; however, as a Google Workspace administrator you should first assess the security of these third-party applications before letting your users install them.
Google Workspace Marketplace application security should be considered under a "Shared Responsibility Model", where Google and you each take care of part of the security assessment.
After publishing a few applications in the Google Workspace Marketplace, the following is my understanding of which security measures are taken by Google, and which should be your responsibility.
What's covered by Google?
(i) Ensuring the developer has accepted Google's terms of service.
(ii) Ensuring the developer has registered their application with Google.
(iii) Ensuring the developer has clearly listed the API scopes their application will access, with a justification for the use of each scope.
Note: Based on my experience going through the OAuth review process multiple times, Google only grants OAuth scopes that are really required by your application to provide its functionality.
For example, Google initially rejected my application 'Labels Manager for Gmail' because I applied for mail.google.com as an OAuth scope, which was very broad.
It was suggested that I use https://www.googleapis.com/auth/gmail.labels instead, which is good enough to provide Gmail label management functionality.
My application was approved once I narrowed the API scope to the least required.
(iv) Ensuring the developer has a clearly defined OAuth consent screen.
(v) Ensuring the developer has provided support channel details.
Now, Google does its part by ensuring that developers have followed the best practices above; however, Google does NOT control the relationship between you and the app developer.
For example, during application installation Google makes sure the application presents an OAuth consent screen showing which API scopes and data the app will be able to access; however, it is your responsibility to decide whether or not to grant that consent to the application.
I recommend that you evaluate the security of each application you either install or add to your company's approved apps list.
You can do this with the checks below (please treat them as reference points only, and apply your company's security policies to such evaluations).
What should be assessed by you?
(i) Understand which API scopes and data this Google Workspace Marketplace application would access, and whether these scopes are truly required to provide you the desired functionality.
(ii) Pay attention to the application's reviews, and read the comments left by other users of the application in the Google Workspace Marketplace.
(iii) If you are in a regulated industry and have certain compliance requirements to meet (e.g. HIPAA, FINRA), check whether the Marketplace application can help you stay compliant (e.g. whether the developer can sign a BAA for HIPAA compliance).
(iv) Reach out to the application developer via the provided support channel if you have additional questions.
(v) Only install the application for the required scope (e.g. if a CRM application is used only by your sales team, do not install it for all users; install it just for the sales org unit. I cover this in detail in the installation best practices).
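Check (i) above can also be applied after the fact to grants that already exist in your domain. The following is an added example, not code from the original post: it consumes the JSON shape returned by the Admin SDK Directory API `tokens.list` endpoint for a user and flags grants that include a full-service scope such as `https://mail.google.com/`. The sample response and the client IDs in it are constructed; `BROAD_SCOPES` is an assumed starting list that you should extend to match your own policy.

```python
"""Flag OAuth grants in a Workspace domain that carry overly broad scopes.

Added example (not from the original post). Input is the JSON returned by
the Directory API tokens.list endpoint for one user; the sample below is
constructed, not data from a real tenant.
"""
import json

# Scopes that grant full access to a whole service (assumed starting list).
# Any grant containing one of these deserves review before domain-wide approval.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed sample of what tokens.list returns for a single user.
SAMPLE_TOKENS_RESPONSE = json.dumps({
    "kind": "admin#directory#tokenList",
    "items": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Labels Manager for Gmail",
         "userKey": "alice@example.com", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/gmail.labels"]},
        {"clientId": "222.apps.googleusercontent.com", "displayText": "Some CRM Add-on",
         "userKey": "alice@example.com", "anonymous": False, "nativeApp": False,
         "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    ],
})


def classify_scope(scope):
    """Return 'broad', 'readonly' or 'narrow' for a single OAuth scope URI."""
    if scope in BROAD_SCOPES:
        return "broad"
    if scope.endswith(".readonly"):
        return "readonly"
    return "narrow"


def find_broad_grants(tokens_json):
    """Return (displayText, userKey, [broad scopes]) for each grant holding a broad scope."""
    findings = []
    for token in json.loads(tokens_json).get("items", []):
        broad = [s for s in token.get("scopes", []) if classify_scope(s) == "broad"]
        if broad:
            findings.append((token.get("displayText", token["clientId"]), token["userKey"], broad))
    return findings


if __name__ == "__main__":
    for app, user, scopes in find_broad_grants(SAMPLE_TOKENS_RESPONSE):
        print(f"{user}: '{app}' holds broad scope(s): {', '.join(scopes)}")
```

In a real run you would feed `find_broad_grants` the response of `tokens.list` for each user (or each user in an org unit) instead of the constructed sample.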