Audit all apps, determine which are trusted and then limit scopes for all other applications.

Why?

One of the largest surfaces for unknowingly leaking data from Google Workspace is an unmanaged application connected through OAuth. OAuth is a widely used protocol for granting access to resources. When a user grants an application access to their Google Workspace data through OAuth, they may not be fully aware of the scope of access they are giving to the application, and the application may end up with access to more data than the user intended. Additionally, if the application is not properly secured or is malicious, it may misuse the access it has been granted and potentially leak the user’s data.

Guidance

You will first want to audit all connected apps, determine which ones are still needed, mark them as trusted, and prevent all other applications from accessing any high-risk/restricted scopes. Before restricting scopes, communicate with your employees about the change and provide a documented path for having new connections approved.

Reviewing Apps

Head to Security > Access and Data Control > API Controls and review your third-party API app access list. This will allow you to view every app in your organization in addition to what scopes have been granted.

Set Apps As Trusted

Look to see if there is an internal list of applications that have been approved. If they are allowed to access data from Google, mark them as Trusted. This will prevent them from being blocked if and when you move to block access for untrusted apps.

Set Access Levels for APIs

Note: Setting access levels will start restricting access. This will prevent employees (including yourself!) from connecting apps to Google that request any scopes you restrict.

Under Security > Access and Data Control > API Controls > Google Services – View List, set the access levels that you want to use for each application. For example, if you store proprietary data in Google Drive, set Drive to be a Restricted App so that only trusted apps can authenticate with Drive scopes.

We recommend restricting the following:

  • Drive
  • Mail
  • Calendar
  • Google Workspace Admin
  • Vault
  • Groups
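The review in "Reviewing Apps", the allow list in "Set Apps As Trusted", and the restricted services listed above can be combined into a single audit pass before you flip any access levels. The script below is an added example, not code from the original post. It classifies OAuth grants into three buckets: trusted (will keep working), requesting a restricted scope (will be blocked once you set access levels), and sign-in only (blocked only if you restrict all third-party API access). The records are constructed sample data in the shape of the Admin SDK Directory API tokens.list items (clientId, displayText, scopes, userKey); in a real tenant you would pull those per user through that API. The trusted client IDs are placeholders, and the scope-prefix-to-service mapping is my own assumption for illustration; Google's published OAuth scope list is the authority.

```python
"""Audit Google Workspace OAuth grants against a trusted allow list and the
services you intend to restrict. Added example; not part of the original post."""

# Scope prefixes for the services the article recommends restricting.
# ASSUMPTION: this mapping is illustrative; check Google's OAuth scope list.
RESTRICTED_SCOPE_PREFIXES = {
    "Drive": ("https://www.googleapis.com/auth/drive",),
    "Mail": ("https://mail.google.com/", "https://www.googleapis.com/auth/gmail."),
    "Calendar": ("https://www.googleapis.com/auth/calendar",),
    "Google Workspace Admin": ("https://www.googleapis.com/auth/admin.",),
    "Vault": ("https://www.googleapis.com/auth/ediscovery",),
    "Groups": ("https://www.googleapis.com/auth/apps.groups.",),
}

# Scopes that only identify the user (what "sign-in" apps request).
SIGN_IN_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed allow list: client IDs you reviewed and marked Trusted.
# These IDs are placeholders, not real applications.
TRUSTED_CLIENT_IDS = {
    "111111111111-approved-crm.apps.googleusercontent.com",
}

# Constructed sample records shaped like Directory API tokens.list items.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com",
     "clientId": "111111111111-approved-crm.apps.googleusercontent.com",
     "displayText": "Approved CRM",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/drive.readonly"]},
    {"userKey": "bob@example.com",
     "clientId": "222222222222-pdf-helper.apps.googleusercontent.com",
     "displayText": "PDF Helper",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com",
     "clientId": "333333333333-todo-app.apps.googleusercontent.com",
     "displayText": "Todo App",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.profile"]},
]


def restricted_services(scopes):
    """Return the sorted list of restricted services these scopes touch."""
    hit = set()
    for scope in scopes:
        for service, prefixes in RESTRICTED_SCOPE_PREFIXES.items():
            if scope.startswith(prefixes):
                hit.add(service)
    return sorted(hit)


def classify_token(token, trusted_client_ids=TRUSTED_CLIENT_IDS):
    """Predict what happens to one grant once access levels are enforced."""
    services = restricted_services(token["scopes"])
    beyond_sign_in = [s for s in token["scopes"] if s not in SIGN_IN_SCOPES]
    if token["clientId"] in trusted_client_ids:
        verdict = "allowed (trusted)"
    elif services:
        verdict = "blocked by restricted scopes"
    elif not beyond_sign_in:
        verdict = "sign-in only"   # blocked only if ALL third-party access is restricted
    else:
        verdict = "unrestricted scopes only"
    return {
        "userKey": token["userKey"],
        "clientId": token["clientId"],
        "displayText": token.get("displayText", ""),
        "restricted_services": services,
        "verdict": verdict,
    }


def audit_tokens(tokens, trusted_client_ids=TRUSTED_CLIENT_IDS):
    """Classify every grant; feed this to your approval process before restricting."""
    return [classify_token(t, trusted_client_ids) for t in tokens]


def apps_needing_decision(findings):
    """Distinct untrusted apps that will break: decide to trust or let them go."""
    seen = {}
    for f in findings:
        if f["verdict"] == "blocked by restricted scopes":
            seen.setdefault(f["clientId"], f["displayText"])
    return sorted(seen.items())


if __name__ == "__main__":
    results = audit_tokens(SAMPLE_TOKENS)
    for r in results:
        print(f'{r["userKey"]:20} {r["displayText"]:14} '
              f'{",".join(r["restricted_services"]) or "-":12} {r["verdict"]}')
    print("Needs a trust decision:", apps_needing_decision(results))
```

Run the audit output past your app owners before you set access levels: every app in the "blocked by restricted scopes" bucket either gets added to the Trusted list in the admin console or is the one you warn employees about in the custom error message.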

Once complete, add a custom message under Settings to give users a meaningful error and path forward – include a link to your IT helpdesk contact information.

On the main API Controls page you can optionally restrict all third-party API access, but this will also block sign-in scopes. If you would prefer to have awareness of all apps using Google to sign in, this may be the best path.

In Conclusion

We hope that these tips have helped to demystify where to start with securing your Google Workspace environment! Remember, Rome was not built in a day. Start with an initial audit, explore your environment, and do the appropriate amount of testing and planning to make these changes a success. While some hurdles may be a challenge, it is far easier to lay the groundwork for security best practices when you are a smaller company versus when you reach hundreds, or even thousands, of employees. There is no time like the present to gift yourself some peace of mind.

Here’s to a year of good health, good company, and an even better Google Workspace setup than the year before!