Google Workspace

The Google Workspace integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

This integration covers the following Google Workspace products:

Integration prerequisites

  • A Google Workspace account with a Business Starter, Business Standard, Business Plus or Enterprise plan
  • A Google Workspace user with Super Admin privileges and Owner permissions in the Google Cloud Platform (GCP) project used

Integration permissions

For the Google Workspace integration to function, Cloudflare CASB requires the following Google API permissions:

  • https://www.googleapis.com/auth/admin.directory.domain.readonly
  • https://www.googleapis.com/auth/admin.directory.user.readonly
  • https://www.googleapis.com/auth/admin.directory.user.security
  • https://www.googleapis.com/auth/calendar
  • https://www.googleapis.com/auth/cloud-platform.read-only
  • https://www.googleapis.com/auth/drive.readonly
  • https://www.googleapis.com/auth/gmail.settings.basic

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the Google Workspace Admin SDK Directory API.

Security findings

The Google Workspace integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by severity level.

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its RSS feed.

User account settings

| Finding type | Finding type ID | Severity | Description |
| --- | --- | --- | --- |
| Google Workspace: Admin user with two-factor authentication disabled | 5f7c1f62-0ac6-4422-b3d3-d0566dd4e3f2 | Critical | An administrator in Google Workspace does not have two-factor authentication enabled. |
| Google Workspace: User with two-factor authentication disabled | 739e1965-2ab4-4946-8a56-73fd75154efa | High | A user in Google Workspace does not have two-factor authentication enabled. |
| Google Workspace: User without recovery email | 2e2383bb-51e8-47fc-8ba7-2dd255c2545f | Low | A user in Google Workspace does not have a recovery email set. |
| Google Workspace: User without recovery phone number | ec326c68-f331-4597-9ec4-43dc197c86f4 | Low | A user in Google Workspace does not have a recovery phone number set. |

Inactive or suspended users

| Finding type | Finding type ID | Severity | Description |
| --- | --- | --- | --- |
| Google Workspace: Inactive admin user | 391ee66d-10e0-4b26-91b3-741a2a4c39d0 | Medium | An administrator account in Google Workspace has not logged in for 30 days. |
| Google Workspace: Suspended admin user | 31e02a11-aa3b-4278-97d3-9c0f7e8fd2c7 | Medium | An administrator account in Google Workspace is suspended. |
| Google Workspace: Inactive user | 7c098546-2e67-4f01-9fb7-bd48412bd178 | Low | A user account in Google Workspace has not logged in for 30 days. |
| Google Workspace: Suspended user | 84f514e3-f12d-49e5-bdfe-9073e336d89e | Low | A user account in Google Workspace is suspended. |

File sharing

| Finding type | Finding type ID | Severity | Description |
| --- | --- | --- | --- |
| Google Workspace: File publicly accessible with edit access | 29b01269-025f-4249-b5c1-0b9ec39823e0 | Critical | A Google Drive file is publicly accessible on the Internet, and anyone can read or write it. |
| Google Workspace: File publicly accessible with view access | d5132bc7-4c41-4824-b879-3918bf7f6ee7 | High | A Google Drive file is publicly accessible on the Internet, and anyone can read it. |
| Google Workspace: File shared outside company with edit access | 71ec135e-3d4c-4d35-a2b7-4fd1e5b65b99 | High | A Google Drive file is shared with another organization or outside party with read and write permissions. |
| Google Workspace: File shared outside company with view access | d4b231ad-9a8c-40d3-8654-5bd5bb86bf1a | Medium | A Google Drive file is shared with another organization or outside party with read permissions. |
| Google Workspace: File shared company-wide with edit access | 0ed79f27-32fd-415a-a919-ea4af3bd25fd | Medium | A Google Drive file is shared with the entire company with read and write permissions. |
| Google Workspace: File shared company-wide with view access | a34753f3-aec7-4134-a30b-2ebb1d7e47de | Medium | A Google Drive file is shared with the entire company with read permissions. |

Calendar sharing

| Finding type | Finding type ID | Severity | Description |
| --- | --- | --- | --- |
| Google Workspace: Calendar is publicly accessible | ec68bf68-b0c0-47b3-ad48-fcb3d7eaf8b6 | Medium | A user's Google Calendar is publicly accessible on the Internet, and anyone can read it. |

Data Loss Prevention (optional)

These findings only appear if you have added DLP profiles to your CASB integration.

| Finding type | Finding type ID | Severity | Description |
| --- | --- | --- | --- |
| Google Workspace: File publicly accessible with edit access with DLP Profile match | 868a21e9-62b2-4e4a-8150-92cf9eb0c2e3 | Critical | A Google Drive file contains sensitive data that anyone on the Internet can read or write. |
| Google Workspace: File publicly accessible with view access with DLP Profile match | bfe54b22-5ee5-4ccc-b62b-ea822b34c164 | High | A Google Drive file contains sensitive data that anyone on the Internet can read. |
| Google Workspace: File shared outside company with edit access with DLP Profile match | 124cfac5-12c6-4b55-8691-9c11776b365a | High | A Google Drive file contains sensitive data that anyone the file is shared with can read. |
| Google Workspace: File shared company-wide with edit access with DLP Profile match | 5b2ad0d2-f35f-47a3-96cb-6e8fbb1fcb36 | Medium | A Google Drive file contains sensitive data that anyone in your organization can read or write. |
| Google Workspace: File shared company-wide with view access with DLP Profile match | b9fa5fef-c1d0-44da-8364-2c0887be0820 | Medium | A Google Drive file contains sensitive data that anyone in your organization can read. |
| Google Workspace: File shared outside company with view access with DLP Profile match | aebdda6d-ab48-4408-9941-881683972d83 | Medium | A Google Drive file contains sensitive data that anyone the file is shared with can read. |

Third-party apps

| Finding type | Finding type ID | Severity | Description |
| --- | --- | --- | --- |
| Google Workspace: Installed 3rd-party app with Drive access | 191f0751-7087-4588-9e99-93c5dd834b5b | High | A third-party application has been granted permissions to a user's Google Drive. |
| Google Workspace: Installed 3rd-party app with Gmail access | 431aecad-20e5-4a20-80ba-4b66eaaa1be4 | High | A third-party application has been granted permissions to a user's Gmail. |
| Google Workspace: Installed 3rd-party app with Google Docs access | fe41d53b-3bc3-45ef-95d2-75ba159ce60d | Medium | A third-party application has been granted permissions to a user's Google Docs. |
| Google Workspace: Installed 3rd-party app with Google Calendar access | 80102f46-43d4-437e-b694-e8ee2c077ade | Medium | A third-party application has been granted permissions to a user's Google Calendar. |
| Google Workspace: Installed 3rd-party app with Google Slides access | d88e106c-1f2e-4b63-acae-5cee19ded9ec | Medium | A third-party application has been granted permissions to a user's Google Slides. |
| Google Workspace: Installed 3rd-party app with Google Sheets access | ece9a2fd-4248-4f11-bc45-8b4189eedb54 | Medium | A third-party application has been granted permissions to a user's Google Sheets. |
| Google Workspace: Installed 3rd-party app with Google Sign In access | 26b938ea-8d24-4ea5-8e81-2eae26830061 | Low | A user has used their Google Workspace account to sign up for a third-party service. |

Gmail administrator settings

| Finding type | Finding type ID | Severity | Description |
| --- | --- | --- | --- |
| Google Workspace: Domain SPF record allows any IP address | f28dcc8d-1f0c-4b5a-b254-4169095c16e5 | High | A Google Workspace Domain SPF record allows any email to be sent from any IP address on your behalf. |
| Google Workspace: Domain SPF record not present | 2e13e5dd-88ed-4d65-8d0a-d3fdff9ee7bb | Medium | An SPF record does not exist for a Google Workspace Domain. |
| Google Workspace: Domain DMARC record not present | ec39eabf-3536-4005-940b-22d815c628ec | Medium | A DMARC record does not exist for a Google Workspace Domain. |
| Google Workspace: Domain DMARC not enforced | 8971666d-c049-436d-b4d1-6816a70650ef | Medium | A DMARC record for a Google Workspace Domain is not enforced. |
| Google Workspace: Domain DMARC not enforced for subdomains | fe485f42-b158-4187-85fe-79acdd92055b | Medium | A DMARC record for a Google Workspace Subdomain is not configured to quarantine or reject messages that fail authentication. |
| Google Workspace: Domain DMARC only partially enforced | b682c603-9bc6-485e-be8c-a6e58a989407 | Medium | A DMARC record for a Google Workspace Domain is not configured to quarantine or reject messages that fail authentication. |
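As an added example that is not part of the Cloudflare documentation or of CASB itself, the following Python maps a domain's SPF and DMARC TXT records onto the six Gmail administrator findings in the table above (the `+all`/bare `all` mechanism for "allows any IP address", `p=none` for "not enforced", `sp=none` for subdomains, `pct` below 100 for "partially enforced"). The domain names and records are constructed, and the DNS lookup is assumed to happen elsewhere.

```python
# Constructed sample TXT records for made-up domains; a real scanner would
# fetch the domain's TXT record and _dmarc.<domain> TXT record via DNS.
# None means the record does not exist.
SAMPLE_RECORDS = {
    "open-spf.example": ("v=spf1 include:_spf.google.com +all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@open-spf.example"),
    "no-records.example": (None, None),
    "monitor-only.example": ("v=spf1 include:_spf.google.com ~all",
                             "v=DMARC1; p=none"),
    "lax-subdomain.example": ("v=spf1 include:_spf.google.com -all",
                              "v=DMARC1; p=quarantine; sp=none; pct=50"),
    "strict.example": ("v=spf1 include:_spf.google.com -all",
                       "v=DMARC1; p=reject"),
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; sp=none' into a lowercase tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def evaluate_domain(spf, dmarc):
    """Return [(finding, severity)] using the Gmail administrator findings above."""
    findings = []
    if spf is None:
        findings.append(("Domain SPF record not present", "Medium"))
    else:
        # The 'all' mechanism with a '+' (or no) qualifier matches every sender,
        # so any host on the Internet passes SPF for this domain.
        terms = spf.lower().split()
        if any(term in ("all", "+all") for term in terms):
            findings.append(("Domain SPF record allows any IP address", "High"))
    if dmarc is None:
        findings.append(("Domain DMARC record not present", "Medium"))
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none")
        sub_policy = tags.get("sp", policy)  # sp defaults to p (RFC 7489)
        enforced = ("quarantine", "reject")
        if policy not in enforced:
            findings.append(("Domain DMARC not enforced", "Medium"))
        elif sub_policy not in enforced:
            findings.append(("Domain DMARC not enforced for subdomains", "Medium"))
        if policy in enforced and int(tags.get("pct", "100")) < 100:
            findings.append(("Domain DMARC only partially enforced", "Medium"))
    return findings

def scan(records=SAMPLE_RECORDS):
    """Evaluate every (spf, dmarc) pair and return findings per domain."""
    return {d: evaluate_domain(spf, dmarc) for d, (spf, dmarc) in records.items()}
```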

Email forwarding

| Finding type | Finding type ID | Severity | Description |
| --- | --- | --- | --- |
| Google Workspace: User delegates email access | 66897c22-29a5-4f55-b39a-1bfcdd3c12c5 | High | A user has delegated access to their inbox to another party. Delegates can read, send, and delete messages on the user's behalf. |
