One Google Drive configuration error.
One MILLION people’s data exposed for six years.
It happened to software and entertainment content company Ateam last year, and it could happen to any company, at any time. Yes, including yours.
What can prevent Google Drive data exposure and the resulting technical, financial and legal consequences?
Effective Google Workspace security assessments.
What is a Google Workspace Security Assessment?
A Google Workspace security assessment is the process of making sure all aspects of your organization’s Google Workspace deployment are secure enough to defend against threats, both internal and external.
Key Components of a Google Workspace Security Assessment
What do you need to evaluate for an effective Google Workspace security assessment? It stands to reason that the key components of a Google Workspace deployment would all need to be checked.
The key areas (and therefore, attack surfaces) of Google Workspace include:
- Configurations
- Identities
- Data
- Connected Apps
Let’s take a closer look at each of those.
Configurations
The high-level settings that are under the control of Google Workspace admins. An insecurity on this level can open up wide swaths of your Google Workspace instance to data exposure.
It was Configurations that were to blame in the Ateam incident described at the beginning of this post. One of Ateam’s corporate Google Drives was set to allow public sharing, meaning anyone with a direct link to any of the assets in that Drive could view it, no sign-in required.
Identities
In SaaS systems like Google Workspace, you are your SaaS account’s access credentials. Anyone who has somehow gained access to your account by entering your access credentials can act as you, with all the privileges you have.
Securing identities means knowing that your Google Workspace users are who they say they are, and also that they are acting the way that Google Workspace user is supposed to act.
Data
This is the heart of your SaaS system: your data assets, including documents, spreadsheets, presentations and other files; emails, chat and other messages; audio and video recordings and much more. Accessing your data is usually the end goal of an attacker.
Securing Google Workspace data means that all files and other assets are only accessible by the people who are intended to access them, for the purposes they are intended to be used.
Connected Apps
“There’s a Google Workspace app for that” is pretty close to the truth. With thousands of apps in Google Marketplace, there are thousands of ways that your SaaS data and systems can be accessed. And just like human users can be risky, so can these non-human users.
Securing Google Workspace connected apps means that all the apps that have access to your Google Workspace are trusted AND have only the permissions they need to fulfill their function. Inactive app? Remove it. Permissions that the app doesn’t (and shouldn’t) use? Remove them. Only what’s trusted; only what’s necessary.
Why Does Your Business Need Regular Google Workspace Security Assessments?
Life happens.
And life means change.
And change means that things don’t stay the way you set them. Ever straightened up your kitchen only to find a few hours later that it was somehow, mysteriously, messy again? It’s a feature of life.
So even if you did a security assessment and “straightened up” your Google Workspace, you will need to repeat those assessment on a regular basis. Because life - and change - happen.
What are likely causes of change in your Google Workspace?
- Updates.
- User turnover. (Employees leave; contractors end projects.)
- Apps.
- Human error.
Because those events happen all the time, security assessment of your Google Workspace should be regular, if not continuous.
Common Security Vulnerabilities in Google Workspace
When you’re performing an assessment of Google Workspace, here are some of the security vulnerabilities you may run across:
Assets exposed through user oversharing
“Sharing is caring” doesn’t apply to SaaS. Sharing a Google Drive asset more widely than you need to expands your organization’s attack surface. That’s even when it’s an innocuous document, and much more so when it contains sensitive data.
Why would someone overshare sensitive data? It’s usually convenience. Google Drive asset owners don’t want to be bothered every time someone new needs access to the file, so they set the file to “anyone with the link can access.” But that leads to a situation where the average company in an analysis we did had 35K sensitive assets exposed publicly.
When it comes to “anyone in the organization can access”, users are even less careful. The average company has 2.1M sensitive assets exposed company-wide.
And when company users use GenAI apps to analyze and summarize data, it dramatically increases the chances of overshared data being directly exposed.
Outdated user accounts still active
Imagine letting an employee retain the keys to your company vault once they no longer work for the company. Sounds ridiculous, but we see parallel situations all the time.
In a recent study we did, the average company had 200 former employees and contractors able to access company data.
If a user has finished their role in your organization, they should no longer have access to anything in your organization’s Google Workspace. And if they still have a role in your system, but they’ve finished the use of specific assets, remove the user permissions from those assets.
Misconfigurations
Insecure configurations of Google Workspace security settings are a common vulnerability that can have far-reaching effects, as we saw in the Ateam example mentioned at the beginning of this post.
In the Ateam example, the issue was configuration of a corporate Google Drive to be publicly accessible. Other common potential misconfigurations include:
- Setting default folder/file permissions to "Editor" instead of "Viewer"
- Setting Google Groups to "Everyone can join" when the group may contain access to sensitive discussions or resources
- Allowing users to set Gmail auto-forwarding rules without monitoring
- Setting Google Calendars to be publicly shared
- Not enforcing 2-step verification and/or strong password policies
How do you conduct a Google Workspace Security Assessment?
When you conduct a Google Workspace security assessment, you should go through the following steps:
Check data assets for:
- Public sharing: does the asset need to be publicly shared?
- External sharing: does the asset need to be shared with external parties?
- Sharing with fourth parties: where your external collaborators gave their contractors access
- Organization-wide sharing: does the asset need to be available to everyone in the organization?
- Outdated user permissions: when specific users don’t need to have access anymore
Any over-exposed asset expands your organization’s attack surface, but over-exposed sensitive data assets are obviously a higher priority to find and remediate.
Check identities for:
- Status in your systems (i.e. active/inactive): a terminated employee or contractor who finished their project should no longer have an active user account
- Risky behavior: are users interacting with assets in a way that suggests malicious or negligent action (note: to be truly effective, this kind of behavioral analysis should be based on benchmarks for those users, and so it is hard to do as a one-off assessment)
Check apps for:
- Overpermissions: apps should only have the access to your Google Workspace that they need for their function
- Suspicious actions: is the app’s API interacting with your Google Workspace in an unusual way? (note: like assessing risky behavior for a human user, this is harder to do as a one-off assessment)
Check configurations for:
- Non-compliance with required or recommended standards
Best Practices to Improve Security Post-Assessment
The specific best practices you should implement depend on the findings of your Google Workspace security assessment. Some common conclusions are:
Reduce incidence of oversharing
If your Google Workspace risk surface can be decreased by removing unnecessary external asset shares, especially public shares, go ahead and do that. If you have thousands or millions of assets, doing this manually can be prohibitive. That’s why we developed a bulk remediation tool for DoControl customers, so you can remove all your excessive asset permissions in minutes, not days.
Increase DLP accuracy
In order to reduce the incidence of oversharing sensitive data assets (your highest priority when it comes to oversharing), you need to be able to accurately identify sensitive data. Some sensitive data can be identified by even simple regular expressions (e.g. credit card numbers) whereas other data can much trickier to pinpoint (e.g. communication about a potential acquisition deal).
If your Data Loss Prevention tool is turning up too many false negatives or false positives, a better DLP tool may be necessary. Advanced tools combine multiple methods of data discovery and classification, including NLP-based tools, metadata and business user context.
Improve offboarding process
If user identities are persistent in your systems even when they should be long gone, it’s likely there is something wrong with your offboarding process. It might be a lack of synchronization between SaaS systems - something we’ve seen with a good number of DoControl customers who use Google Workspace, Okta and an HRIS like Workday or Bamboo HR.
If this is the case for your organization, you may need to use another tool to sync all the systems and make sure that a terminated user in Workday translates directly to a deprovisioned user in Okta and an inactive user in Google Workspace. DoControl accomplishes that through granular workflows that directly connect the systems and spell out exactly what needs to be done.
FAQs:
How often should I perform a Google Workspace security assessment?
Google Workspace, like most SaaS systems, moves and changes at a very fast pace. Ideally Google Workspace security assessments should be continuous, because if you only do assessments on, say, a monthly basis, almost a whole month could go by before you discover an app leaking data, an over-exposed sensitive asset, or the like. Continuous assessments are impractical to conduct manually, but you can use automated SaaS security monitoring and remediation solutions.
What should I do after completing a security assessment?
After completing a security assessment, prioritize your discoveries of security gaps by most risky to least risky. Then start remediating the security gaps.
How can I monitor suspicious activity in Google Workspace?
You can conduct basic monitoring of suspicious activity in Google Workspace by enabling Admin Audit and Security Investigation Tool to track logins, file sharing and third-party app access. Set up alerts for unusual behavior, like failed logins or mass file deletions. Regularly review Activity Reports and use advanced rules to flag anomalies. For advanced monitoring and remediation of suspicious application and asset interaction by users and apps, set up a third-party SaaS security posture management (SSPM) solution like DoControl.
How does multi-factor authentication (MFA) improve Google Workspace security?
MFA enhances Google Workspace security by requiring users to verify their identity through a second factor, such as a mobile app, SMS or security key. This extra layer protects accounts from unauthorized access, even if passwords are compromised, reducing the risk of data breaches and enhancing overall security.
Meet DoControl SaaS Data Protection for Google Workspace
DoControl was designed expressly for the multiple layers and attack surfaces of Google Workspace: data, identities, configurations and connected apps. The DoControl platform and solutions can help your organization easily conduct continuous Google Workspace security assessments - and swiftly remediate risks with automated workflows.
DoControl’s Data Access Governance and Data Loss Prevention secure your data all across your Google Workspace ecosystem. Advanced data classification methods mean that no sensitive data goes undiscovered, and automated workflows mean that any detected threat can be mitigated in near real-time.
DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your Google Workspace user identities, protecting you from external threat actors or insider threats. Data from multiple business-critical SaaS applications and behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems enable smart differentiation between normal business activity and suspicious actions.
DoControl’s Shadow App Discovery & Remediation secure your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.
DoControl’s SaaS Misconfiguration Management secures your Google Workspace admin configurations, checking them against industry standards like CIS and offering remediation guidance.
Always be assessing
A Google Workspace security assessment is not a one-off - or even a one-hundred-off. The assessment and establishment of your Google Workspace security is a 24/7 process, part of which only humans can do, and part of which must be supplemented and supported by automated processes.
Is your current method of Google Workspace security assessment enough to protect all your corporate data?
You might need to go assess that.
.png)