What Google Apps Manager (GAM) Can (and Can’t) Do for Your Google Workspace Security
If you’re a tech-savvy Google Workspace admin, you’ve probably heard of (or use!) GAM: Google Apps Manager.
GAM was developed by Jay Lee as a command line tool for administering Google Workspace. It was subsequently rewritten and extended by Ross Scroggs to become Advanced GAM. Both versions are used by tens of thousands of Google Workspace admins to manage access through client and service accounts.
How is GAM Connected to Google Workspace Security?
The primary reason that admins manage access to Google Workspace is information and application security. Otherwise, they would just let anyone who wanted to freely access their Google Workspace instance and assets. (Even though it would obviously be much less work, no admin seems to take that approach. ;)
The GitHub GAM support threads often feature questions about how to run security-related commands, such as this one about the best way to get a report of every file or folder in a Shared Drive that is shared with “Anyone with a link” or this one about how to remove departing users from all the Shared Drives they have access to.
There are ways to perform many security-related actions via GAM (as the answers in the above support threads attest). And yet, if you try to really get a handle on your Google Workspace security using GAM, you’ll find that it falls short in multiple critical areas.
The following post highlights what GAM is good at, security-wise, and where GAM can’t keep up with the security risks that threaten the typical Google Workspace instance. From there, we’ll discuss what functions you would need to address those security vulnerabilities, and how DoControl can provide those functions.
Where GAM Shines
GAM is an ideal tool for running large administrative actions that are one-time or periodic - and that are not time sensitive.
For example, let’s say you need to add 300 new users to your Google Workspace instance. Or you’re taking 50 employees to a 2-day team-building retreat and you want to seamlessly set up an identical out-of-office responder for all of them. Or you need to copy all the shared Drive files that were last modified in December 2024 to a new Shared Drive.
In these cases, GAM shines.
As soon as you figure out the right command (and Ross Scroggs on the GAM support threads is very responsive when it comes to help with formulating commands), just enter it and go get yourself a coffee. Tasks that involve an extensive amount of data scanning or modification may take a while, but that’s no problem if you’re not in a rush.
GAM’s big plus, of course, is that these management capabilities come with no upfront costs. GAM and Advanced GAM are open-source, frequently updated, and well-supported.
So if GAM really did everything an enterprise Google Workspace admin could want security-wise, it would be a dream.
Unfortunately, from a dream one must wake up. Let’s make sure this overview of GAM for Google Workspace is balanced by taking a look at the security areas in which GAM doesn’t quite do the job.
Where GAM Falls Short
Shortcoming #1: Requires Technical Expertise
The first point - which can be a real non-starter - is that effective use of GAM requires technical expertise. If you are a Google Workspace admin but not a techie, GAM support thread discussions are likely to make your head spin.
After this technical issue come a number of functional issues with GAM when trying to use it for Google Workspace security.
Shortcoming #2: Requires Manual Directive to Perform Action
The primary functional issue is that GAM can only perform actions when an admin manually directs it to do so. This is fine, as mentioned above, for non-time-sensitive actions that need to be performed only once or periodically. But effective Google Workspace security requires a security solution that monitors continuously and responds to events in real time.
Why? Because Google Workspace - like any SaaS system - moves FAST.
Two minutes from when you click “Share” on a Google Drive file, the users you shared it with could already have copied it, downloaded it or shared it further. If so, the data within is now beyond your reach and your ability to control it. The same applies whenever any of your enterprise users share corporate data. If it’s sensitive, confidential or regulated data, it could open up a Pandora’s Box of problems.
The above-mentioned GAM support thread about reporting on any file or folder in a Shared Drive that is shared with “Anyone with a link” is a prime example. If this is “part of a security effort,” as the asker says, then using GAM to generate one-time or periodic reports will be relatively ineffective. A sensitive file that has been publicly available for a week or a month - or whatever time elapses until the periodic GAM report discovers it - has been a potential data leak for way too long.
This is why preventing data exposure and loss in SaaS systems like Google Workspace requires real-time, continuous detection, analysis and remediation. And real-time, continuous actions are not what GAM was designed for.
Shortcoming #3: Can’t Evaluate Risk
With the right commands, GAM can tell you whatever you want to know about what’s happening in your Google Workspace ecosystem.
But it will only answer the question you ask.
So if you don’t ask the right questions, and then put the answers together to get the correct picture, the security breach of the century could be going on right under your nose and you wouldn’t realize it.
Smart, fast risk assessment is critical for Google Workspace security. This is both because of the above-mentioned speed at which SaaS data moves, and because a primary method of attack is via user credentials and identities, meaning that bad actors are masquerading as insiders. (And in a non-negligible percentage of cases, they ARE insiders.)
In this environment, identification of risk before it causes actual harm requires solutions that:
- know what risk markers to look for without you specifying them each time
- can evaluate risk markers based on their broader context
- can assess risk based on multiple risk markers and how they interact
- can respond intelligently to detected risk in a way that will further security without disrupting productivity (or it won’t last very long in the enterprise environment)
Unfortunately, GAM can’t do any of that. It has no context about the user outside of their Google Workspace account, and no ability to connect to HRIS or IdP systems to gain additional context.
Shortcoming #4: Does not scale
Even as you read this, your Google Workspace assets are increasing in number.
If your company is anything like the companies we evaluated for our 2024 State of SaaS Data Security Report, then your SaaS assets are growing at the rate of 189% YoY.
GAM queries that need to scan a Google Workspace environment with tens or hundreds of millions of assets can take days.
And even once those days have elapsed, the results that GAM delivers are not granular enough to properly segment data in order to build remediation policies.
Shortcoming #5: Unable to impact user security awareness and behavior in the long run
There’s an ancient(-ish) saying:
Remediate a user’s risky actions, and your organization will be secure for a day.
Teach a user how to remediate their own risky actions, and your organization will be safe for a lifetime (or at least for that employee’s time with your company).
GAM can give you information (when asked) that can help you detect data security issues. It can also (when asked) take action to correct many of those issues.
But correcting a Google Workspace security hole opened by a user who shared a Drive file too broadly will not prevent that user from sharing Drive files too broadly in the future.
What will (or at least has the potential to)?
Engaging that user in real time and asking them to close the security hole themselves.
When an enterprise end user gets immediate, specific feedback on why what they did was a problem, the security education connects to real life. And when they are actually involved in remediating the issue (when possible, depending on the problem’s severity), an even stronger connection is formed.
This is the kind of security education that lasts.
But GAM can only address the consequences of how users acted in the past, not influence how they will act in the future.
DoControl: Filling in the Security Gaps in GAM
When we designed DoControl, our vision was of a COMPLETE Google Workspace (and any other SaaS system) security solution.
This necessitated a solution that (among other things):
- Acts continuously, not sporadically or periodically
- Does not require manual direction
- Conducts smart assessment of risk based on multiple factors (including contextual factors)
- Detects and responds to threats in real time
- Engages users for current remediation and future education
- Can be understood and administered by anyone, not only technical experts
Let’s take a look at each of those aspects of DoControl.
DoControl acts continuously, not sporadically or periodically
DoControl provides continuous, real-time threat detection. DoControl does not need to initiate scans or queries of Google Workspace in order to become aware of changes in the environment; Google Workspace sends event notifications to DoControl as soon as events happen.
DoControl’s threat response capabilities are similarly continuous and real-time, carried out through automated workflows. As soon as a received event triggers an automated workflow, the threat is addressed.
The importance of continuous, real-time action is illustrated by this GAM support thread, where the Google Workspace admin asks:
“Is there a way to remove users from all the Team drives they have access to? Ideally I would like to run this command against an OU (organizational unit). We place all our leavers in an OU so it would be good to periodically run a command to remove these users from all the Shared Drives they have access to.”
If departing users are only removed “periodically” from the Shared Drives they have access to, they will inevitably have the opportunity - both before and after they actually leave the company - to take important data with them as they depart.
In contrast, DoControl’s fully automated threat detection and response goes into action the moment a user is marked as “departing” in the corporate HRIS. Automated workflows remove the user from Shared Drives promptly at the relevant time, and monitor their actions more carefully during the period leading up to actual departure. Any indications that the user is attempting to exfiltrate data are detected and mitigated immediately.
DoControl does not require manual direction
Due to these automated threat detection and response capabilities, DoControl does not rely on your manual directives in order to protect your data.
Google Workspace admins can certainly run manual directives for reports or remediation on DoControl, but it is not necessary for data protection and threat mitigation.
DoControl conducts smart assessment of risk based on multiple factors (including contextual factors)
DoControl was designed to be context-aware, and to use that context in evaluating risk and deciding on the appropriate response.
One prominent example of context that DoControl leverages in its risk assessment is end-user and business context. When a user interacts with a sensitive asset, for example, DoControl will check if the user involved is:
- Designated as a departing employee in HRIS
- A user that has a high risk profile ranking
- A third-party that is currently involved with the company in a relevant capacity
An affirmative on either of the first two contextual factors would lead to a more stringent remediative approach. An affirmative on the last factor would indicate that - even though they are an external party - they should be given access for relevant interaction with the asset.
DoControl uses this complex, multi-factor risk assessment in all aspects of its Google Workspace protection, from DLP (Data Loss Prevention) to ITDR (Identity Threat Detection and Response) to third-party app remediation.
DoControl detects and responds to threats in real time
As mentioned above, DoControl’s threat detection and remediation capabilities are continuous, real-time and automated. In the GAM support thread where the admin asked:
“As part of a security effort, we need a report of every file or folder in a Share Drive that is shared with ‘Anyone with a link’. Is there an easier way to do this without having to crawl every share drive in minutia and then filter in a spreadsheet?”
The answer from one of the primary GAM developers was:
“There's no shortcut.”
He then explained how to structure the command that would make GAM crawl every Shared Drive in minutia and export the results to a spreadsheet that could be filtered.
With DoControl, in contrast, this security-minded admin would have an easier way. So easy, in fact, that they could set up an automated workflow one time and then never have to deal with it again. In the future, whenever a user shares a file with “Anyone with a link”, Google Workspace would immediately notify DoControl, which would register the event and respond to it as instructed to by the workflow. Responses could involve direct remediation, alerts to the security team, or both.
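To make the contrast concrete, here is an added example of the event-driven approach described above, combined with the contextual checks listed earlier under "smart assessment of risk" (departing employee, high risk profile, approved third party). It is illustration code written for this post, not code from GAM or from DoControl. Everything in it is constructed: the event records, which follow a Drive-v3-style permission shape (`type`, `role`, `emailAddress`, `allowFileDiscovery`), the `example.com` tenant domain, the sensitivity labels, the HRIS-style context table, and the three response classes.

```python
"""Event-driven handler for Drive permission changes with contextual risk decisions.

Constructed example: the event shape, tenant domain, labels and context table are
assumptions, not the schema of any real product.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional

CORPORATE_DOMAIN = "example.com"  # assumed primary domain of the tenant
SENSITIVE_LABELS = ("confidential", "regulated")  # assumed classification labels


class Response(Enum):
    ALLOW = "allow"                       # no finding, nothing to do
    ASK_USER_TO_FIX = "ask_user_to_fix"   # low risk: notify the user, let them remediate
    REVOKE_AND_ALERT = "revoke_and_alert" # high risk: remove the permission, alert security


@dataclass(frozen=True)
class UserContext:
    departing: bool = False            # flagged as a leaver in HRIS
    high_risk: bool = False            # elevated risk profile
    approved_third_party: bool = False # external party with a current engagement


def classify_permission(perm: dict) -> Optional[str]:
    """Map a Drive-v3-style permission to an exposure class, or None when internal."""
    ptype = perm.get("type")
    if ptype == "anyone":
        # allowFileDiscovery=True means the file is searchable ("public on the web");
        # False means only people holding the link can open it.
        return "public" if perm.get("allowFileDiscovery") else "anyone_with_link"
    if ptype in ("user", "group"):
        addr = perm.get("emailAddress", "").lower()
        return "external" if addr and not addr.endswith("@" + CORPORATE_DOMAIN) else None
    if ptype == "domain":
        return None if perm.get("domain", "").lower() == CORPORATE_DOMAIN else "external"
    return None


def decide(event: dict, lookup: Callable[[str], UserContext]) -> dict:
    """Decide the response to one permission-change event using actor and grantee context."""
    perm = event["permission"]
    exposure = classify_permission(perm)
    result = {"eventId": event["eventId"], "fileId": event["fileId"], "exposure": exposure}
    if exposure is None:
        return {**result, "response": Response.ALLOW, "reason": "internal share"}

    actor = lookup(event["actor"])
    sensitive = bool(set(event.get("labels", [])) & set(SENSITIVE_LABELS))

    # A named external grantee who is an approved third party may keep access,
    # unless the sharer is a leaver, in which case the stricter path wins.
    if exposure == "external":
        grantee = lookup(perm.get("emailAddress", ""))
        if grantee.approved_third_party and not actor.departing:
            return {**result, "response": Response.ALLOW, "reason": "approved third party"}

    # Departing or high-risk actors, discoverable public links and labelled data
    # all justify immediate automated remediation plus an alert.
    if actor.departing or actor.high_risk or exposure == "public" or sensitive:
        reason = ", ".join(
            r for r, hit in (("departing actor", actor.departing),
                             ("high-risk actor", actor.high_risk),
                             ("public exposure", exposure == "public"),
                             ("sensitive label", sensitive)) if hit)
        return {**result, "response": Response.REVOKE_AND_ALERT, "reason": reason}

    # Everything else is low enough risk to hand back to the user for self-remediation.
    return {**result, "response": Response.ASK_USER_TO_FIX, "reason": "low-risk link share"}


def process_events(events: List[dict], lookup: Callable[[str], UserContext]) -> List[dict]:
    """Run the decision over a stream of events, as a webhook consumer would."""
    return [decide(e, lookup) for e in events]


# Constructed context table standing in for an HRIS/IdP lookup.
CONTEXT: Dict[str, UserContext] = {
    "alice@example.com": UserContext(),
    "bob@example.com": UserContext(departing=True),
    "auditor@partner-firm.example": UserContext(approved_third_party=True),
}


def lookup_context(email: str) -> UserContext:
    return CONTEXT.get(email.lower(), UserContext())


# Constructed events in an assumed Drive-v3-like shape.
EVENTS = [
    {"eventId": "evt-1", "actor": "alice@example.com", "fileId": "f-001", "labels": [],
     "permission": {"type": "anyone", "role": "reader", "allowFileDiscovery": False}},
    {"eventId": "evt-2", "actor": "alice@example.com", "fileId": "f-002", "labels": ["confidential"],
     "permission": {"type": "anyone", "role": "reader", "allowFileDiscovery": False}},
    {"eventId": "evt-3", "actor": "bob@example.com", "fileId": "f-003", "labels": [],
     "permission": {"type": "user", "role": "writer", "emailAddress": "bob.home@mail.example"}},
    {"eventId": "evt-4", "actor": "alice@example.com", "fileId": "f-004", "labels": ["confidential"],
     "permission": {"type": "user", "role": "reader", "emailAddress": "auditor@partner-firm.example"}},
    {"eventId": "evt-5", "actor": "alice@example.com", "fileId": "f-005", "labels": [],
     "permission": {"type": "domain", "role": "reader", "domain": "example.com"}},
]

if __name__ == "__main__":
    for finding in process_events(EVENTS, lookup_context):
        print(f"{finding['eventId']} {finding['fileId']} {finding['exposure']!s:16} "
              f"{finding['response'].value:17} {finding['reason']}")
```

The point of the shape is that nothing here crawls Drive: each decision is made from the event alone plus two context lookups, so the same logic runs identically on the first event and the millionth, and the "anyone with a link" case is caught at share time rather than whenever the next report runs.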
DoControl engages users for current remediation and future education
The ROI of effective information security education is immense. Fewer problems to remediate. Fewer user support tickets with questions about “why can’t I share this file?” Fewer potential data breaches to contain.
While GAM is a reactive application that is not designed for proactive interaction with users, DoControl is set up for real-time interaction and education. If a user’s action violates a security policy, automated workflows will not only remediate the security hole, but will inform the user of the issue (and why it is an issue, and what was done to correct it).
If the security risk is low enough that mitigation can wait until the user is called upon to remediate their own action, DoControl offers that as an automated workflow option. Users are notified via Slackbot and asked to correct the issue, providing them with real-time, hands-on security education.
DoControl can be understood and administered by anyone, not only technical experts
DoControl is a no-code platform. Automated workflows are simple to understand and set up, even by users with no technical expertise.
Unlike the highly-technical, script-requiring GAM, DoControl enables even less technical Workspace admins to take control of their Google Workspace security.
Use GAM Where It Excels - But Not Where It Fumbles
GAM is good for what it is good at: large administrative actions that are one-time or periodic - and that are not time sensitive.
For anything else, and especially time-sensitive security for sensitive Google Workspace assets - use a solution that was designed for the job.