Zapier safety

We were setting up some automation flows for a client using Zapier. The tasks this client had were nothing too critical, but they involved handling some messaging or content that is intended to be private. Those of you who have worked with Zapier know the general workflow of the platform, but for the benefit of others let’s explain it very briefly.

On Zapier, or any of the workflow automation and integration tools, there is usually an account that anyone can set up simply by registering and perhaps enabling premium features with a credit card. To this account the user can then integrate countless services, tools, APIs, etc. between which they want to move data from one to another (or to multiple, but let’s keep this simple). Now, when you integrate with those services, which are all outside Zapier (or another similar tool), you need to authorize access to each particular service. Authorization can be done in various ways, but the common practice is to request it by connecting the service that is being integrated and following its authorization flow (usually there is OAuth authentication occurring behind the UI).

Now, imagine the following pretty common scenario. A user has some collaboration groups for the business run in Slack, while there are some other groups plus internal communication in Microsoft Teams. To make daily tasks easier, the user wants to connect Slack and Teams using Zapier. There are pre-built connectors for this, so it won’t take too long to build the integration; however, with these particular tools there are quite a lot of configurable options, so someone might give up before finishing. Once the configurations and authorizations are done, there should be messages flying between the chosen chats, channels, users or whatever combination the user needed.

Imagine the number of authorizations held inside the Zapier platform. I would not want to be their security director thinking of the day that all this leaks out (or someone figures out a way to misuse the authorizations directly on their platform). We did not investigate too deeply all the security mechanisms Zapier must have enabled, so this is not meant to make anyone worried about their setup there but rather to focus on potential other ways to implement the functionality of their service. These other means are about decentralizing the access keys (authorizations) or consuming them only from the user’s own storage (executed by an external scheduler).

This has prompted some concepts internally, but it would be interesting to hear if anyone out there knows about something similar already being developed, or about other ways to address this concern of critical security information ending up on third-party platforms with ease. There was worry about shadow IT in corporations a decade or so ago, but business users being able to buy e.g. martech services with their credit cards was nothing compared to this “shadow ETL” that anyone can end up setting up without even thinking of the consequences.
