Google Workspace
You can find this module at the Company level only.
This module appears only for tenants on the Silver Plan.
Setting up Google Workspace scanning requires configuration in the Google Workspace Console, the Admin portal, and the ConnectSecure integration.
Visit our YouTube Channel for more video content: https://www.youtube.com/@connectsecure
Google Workspace - Overview
Access the Google Workspace from the company-level module, Premium Features.
Google Workspace Checks
The Google Workspace Admin Console Security Checklist closely aligns to the ConnectSecure checks you will get from the dashboard view. In total, there are 27 checks that include the following:
| # | Finding Name | Description |
|---|---|---|
| 1 | Admin 2StepVerification Required | Enforce 2-Step Verification (Multi-Factor Authentication) for all users assigned administrative roles. These include roles such as: Help Desk Admin, Groups Admin, Super Admin, Services Admin, User Management Admin, Mobile Admin, Android Admin, Custom Admin Roles... |
| 2 | Conflicting Admin Roles | Super admins should sign in as needed to do specific tasks and then sign out. Leaving super admin accounts signed in can increase exposure to phishing attacks. |
| 3 | Ensure Access Checker is configured to limit file access | When a user shares a file via a Google product other than Docs or Drive (e.g. by pasting a link in Gmail), Google can check that the recipients have access. If not, when possible, Google will ask the user to pick how they want to share the file. |
| 4 | Ensure accessing groups from outside this organization is set to private | Choose whether people outside your organization can access your groups. Group owners can further restrict access as needed. |
| 5 | Ensure calendar web offline is disabled | Limit who is allowed offline calendar access. |
| 6 | Ensure creating groups is restricted | Control who is allowed to create Groups in your organization and whether they can have external members. |
| 7 | Ensure default for permission to view conversations is restricted | By default, only allow group members to view group conversations. |
| 8 | Ensure external incoming email is restricted in groups | Restrict the ability of external users to email groups unless authorized. |
| 9 | Ensure external invitation warnings for Google Calendar are configured | Configure Google Calendar to warn users when inviting guests outside your domain. |
| 10 | Ensure external members are restricted in groups | Ensure groups restrict external member access except as explicitly allowed. |
| 11 | Ensure external sharing options for primary calendars are configured | Control how much calendar information users in your organization can share externally. |
| 12 | Ensure external sharing options for secondary calendars are configured | Control how much calendar information users in your organization can share externally. |
| 13 | Ensure file sharing outside organization is properly configured | Ensure organization-wide file-sharing settings are properly configured to prevent unauthorized external sharing. |
| 14 | Ensure internal sharing options for primary calendars are configured | Control how much calendar information users in your organization can share internally. |
| 15 | Ensure internal sharing options for secondary calendars are configured | Control how much calendar information users in your organization can share internally. |
| 16 | Ensure manager access members cannot modify shared drive settings | Only administrators should be able to modify shared drive settings. |
| 17 | Ensure only users inside your organization can distribute content externally | You should control who is allowed to distribute organizational content to shared drives owned by another organization. |
| 18 | Ensure protection from anomalous attachment types is enabled | Protect users from potentially harmful anomalous attachment types in email. |
| 19 | Ensure protection from scripts in untrusted attachments is enabled | Enable protection from harmful scripts in untrusted attachments to prevent malware. |
| 20 | Ensure protection from untrusted attachments is enabled | Enable safeguards against untrusted attachments that may compromise security. |
| 21 | Ensure shared drive file access is restricted to members only | Shared drive file access should be restricted to that shared drive's members. |
| 22 | Ensure users are warned when they share a file outside their domain | Warn the user when they try to share a file and/or shared drive externally. |
| 23 | Ensure users can create new shared drives | All users should have the ability to create new shared drives. |
| 24 | Ensure users cannot publish files to the web or make visible to the world as public or unlisted | You should control the publishing of documents to the web or making them visible to the world as public or unlisted. |
| 25 | Excessive Super Admins | Having more than one Super Admin account is needed primarily so that a single point of failure can be avoided, but having too many should be avoided. |
| 26 | Min Super Admins | Having more than one Super Admin account is needed primarily so that a single point of failure can be avoided. Also, for larger organizations, having multiple Super Admins can be useful for workload balancing purposes. |
| 27 | User 2StepVerification Required | Enforce 2-Step Verification (Multi-Factor Authentication) for all users. |
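As an added example (not ConnectSecure's own code), the four identity checks from the table (Admin 2StepVerification Required, User 2StepVerification Required, Min Super Admins, Excessive Super Admins) evaluated over constructed user records shaped like Admin SDK Directory API `users.list` results. The page does not state the upper bound ConnectSecure uses for "excessive", so MAX_SUPER_ADMINS is an assumption.

```python
# Added example: evaluate the identity-related checks from the table over
# user records shaped like Admin SDK Directory API users.list output.
# The records below are constructed sample data, not a real tenant.
# MAX_SUPER_ADMINS is an assumption; the page does not give the number
# ConnectSecure uses for the Excessive Super Admins check.
MIN_SUPER_ADMINS = 2   # "more than one" avoids a single point of failure
MAX_SUPER_ADMINS = 4   # assumed upper bound for Excessive Super Admins

SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True,  "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True,  "isEnforcedIn2Sv": True,  "suspended": False},
    {"primaryEmail": "bob@example.com",   "isAdmin": False, "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "carol@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True,  "suspended": False},
    {"primaryEmail": "old@example.com",   "isAdmin": True,  "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]

def is_admin_role(user):
    # Super admins report isAdmin; delegated roles (Help Desk, Groups, ...)
    # report isDelegatedAdmin. Both count as "assigned administrative roles".
    return bool(user.get("isAdmin")) or bool(user.get("isDelegatedAdmin"))

def active_users(users):
    # Suspended accounts cannot sign in, so they are excluded from all checks.
    return [u for u in users if not u.get("suspended", False)]

def has_2sv(user):
    # "Enforce" means the policy applies AND the user has actually enrolled.
    return bool(user.get("isEnrolledIn2Sv")) and bool(user.get("isEnforcedIn2Sv"))

def check_admin_2sv(users):
    """Admin 2StepVerification Required: admins lacking enforced 2SV (empty list = pass)."""
    return [u["primaryEmail"] for u in active_users(users)
            if is_admin_role(u) and not has_2sv(u)]

def check_user_2sv(users):
    """User 2StepVerification Required: any active user lacking enforced 2SV."""
    return [u["primaryEmail"] for u in active_users(users) if not has_2sv(u)]

def count_super_admins(users):
    return sum(1 for u in active_users(users) if u.get("isAdmin"))

def run_checks(users):
    n = count_super_admins(users)
    return {
        "Admin 2StepVerification Required": check_admin_2sv(users) == [],
        "User 2StepVerification Required": check_user_2sv(users) == [],
        "Min Super Admins": n >= MIN_SUPER_ADMINS,
        "Excessive Super Admins": n <= MAX_SUPER_ADMINS,
    }
```

With the sample data, the delegated admin without 2SV fails the admin check and the single active super admin fails Min Super Admins.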
Google Workspace Setup
Log in to your Google Workspace account using an account with super admin permissions.
https://cloud.google.com
Tap on the Console option
Navigate to IAM & Admin and select Create a Project.
Create a new project. Enter a project name. By default, the Organization and Location should auto-populate. Your project name is your choice; you can use something like ConnectSecure.
Once the new project is created, navigate to API & Services > Library from the left navigation menus.
Use the search box to find the Google Workspace Events API and the Admin SDK API. Open each result and tap the Enable button.
Repeat these steps for the Admin SDK API.
Next, we will create service accounts for the project. Tap on the left menu and choose IAM. If you do not see this option, you can search for it at the top, as shown below.
Near the top, tap on the + Create service account button.
Enter the service account details and click the Create and continue button. You only need to set up the name, which is a name of your choice. The service account ID will fill itself in based on your service account name.
Assign the Owner role to the project service account.
The Principal Name in this step is NOT the principal name of the service account that the partner creates, but instead the principal name of the Super Admin that created the service account.
Tap on Continue.
The following section is optional; tap on Done.
Service Account Key Creation Block
Use these steps if you're trying to integrate Google Workspace and encounter an error when creating a service account key, even though your admin account has all available permissions.
1: Check the correct policy
Go to your Google Cloud Console and review the organization-level policies. Look specifically for the policy named iam.disableServiceAccountKeyCreation. This policy blocks service account key creation across the organization, even if your account has full roles or permissions at the project level.
2: Disable the policy
If iam.disableServiceAccountKeyCreation is active, disable it at the organization level. This will allow you to generate the service account key needed for integration. Note that disabling iam.managed.disableServiceAccountKeyCreation alone will not resolve the issue if iam.disableServiceAccountKeyCreation is still active.
Select the created Service Account and navigate to Keys, where you will need to Add Key.
Use the Add key > Create new key option menu.
Select JSON as the Key Type and click on Create.
This will download the credentials JSON. Keep a copy of the JSON. This is required in the ConnectSecure portal for the integration setup.
Once the credentials JSON is downloaded, go back to the Service Account, where you can see the OAuth2 Client ID; copy this for the next steps.
Browse to admin.google.com
Navigate to Security > Access and Data Control > API Controls
Tap on Domain Wide Delegations.
Add New Client ID.
Copy/paste the OAuth2 Client ID from the steps above.
We must assign the five permission scopes below to this new Client ID. You can add them with a single copy/paste using the comma-separated line below. The individual URLs are also listed beneath it.
https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.directory.user.security, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.rolemanagement
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.directory.user.security
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.rolemanagement
Tap on Authorize to complete the setup.
Proceed to the ConnectSecure Portal to continue the setup
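Before uploading the key and pasting the scopes, it helps to sanity-check both. The following is an added example (not ConnectSecure's or Google's code) that inspects a constructed service account key JSON, pulls out the `client_id` that becomes the OAuth2 Client ID for Domain Wide Delegation, and parses a comma-separated scope list against the five required scopes, flagging two URLs pasted without a comma between them. The key contents are constructed placeholders.

```python
# Added example: pre-flight checks on the service account key JSON and the
# domain-wide delegation scope list. The key below is constructed sample data
# with a placeholder private key, not a real credential.
import json

REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement",
}
# Fields a service account key JSON carries; client_id is the numeric
# OAuth2 Client ID that is pasted into Domain Wide Delegation.
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id")

SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "connectsecure-example",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "scanner@connectsecure-example.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})

def inspect_key(raw):
    """Return (client_id, problems) for a service account key JSON string."""
    data = json.loads(raw)
    problems = [f"missing field: {f}" for f in KEY_FIELDS if f not in data]
    if data.get("type") != "service_account":
        problems.append("type is not service_account (wrong credential kind downloaded)")
    if not str(data.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    if not str(data.get("client_id", "")).isdigit():
        problems.append("client_id is not a numeric OAuth2 Client ID")
    return data.get("client_id"), problems

def parse_scopes(text):
    """Split a comma-separated scope list; return (scopes, missing, extra, problems)."""
    scopes, problems = [], []
    for item in (s.strip() for s in text.split(",") if s.strip()):
        if item.count("https://") > 1:
            problems.append(f"fused scopes (missing comma): {item}")
        elif not item.startswith("https://www.googleapis.com/auth/"):
            problems.append(f"not a Google API scope: {item}")
        else:
            scopes.append(item)
    missing = sorted(REQUIRED_SCOPES - set(scopes))
    extra = sorted(set(scopes) - REQUIRED_SCOPES)
    return sorted(scopes), missing, extra, problems
```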
ConnectSecure Setup
Log in to the ConnectSecure portal and navigate to Global > Settings > Integrations > Google Workspace.
Credentials
Enter a name for the integration, enter the super admin username, and upload the credentials.json downloaded from the Google Workspace account in the steps above.
Once the credentials are saved, please finish the company mapping, navigate to Company > Cloud Assessments > Google Workspace, and click SYNC.
Google Workspace - Webscraper Installation
How does the web scraper work on the backend? What exactly is it doing on the client’s device after installation?
The web scraper is designed to automate compliance scans for Google Workspace. After installation, it leverages the user’s existing session token to perform compliance checks, similar to how a web crawler navigates and verifies data. Importantly, it does not make any changes to the client’s system; it only reads the required compliance information to generate scan results.
Does the web scraper need to be uninstalled for any reason, as the documentation suggests, if we are doing continuous scanning?
The regular Google Workspace setup already provides 5 core compliance scans. The web scraper extends this capability by adding additional compliance scans. If a user is satisfied with the standard 5 compliance scans, they can simply use the regular Google Workspace setup without installing the scraper. However, if broader compliance coverage is desired, the scraper can remain installed for continuous scanning. Uninstallation is not necessary unless you no longer need those extended scans.
From the Google Workspace dashboard, tap on the Install button found on the header toolbar.
Select macOS or Windows to obtain the installation steps and commands.
macOS uses Terminal
Windows uses PowerShell
Follow the instructions on the screen and run each of the commands one step at a time.
Here is a walk-through using Windows PowerShell.
After the 3 commands are executed, you should see the following.
Tap on Yes, Proceed to continue.
Provide the Google Workspace admin credentials.
Assessment should be active and running.
If your Google Account has MFA enabled, please use the preferred method and resync if the automated login attempts fail.
Tap the SYNC button on the main toolbar to initiate a new scan once you have completed the webscraper installation steps.
To run a successful Google Workspace Sync in ConnectSecure, you must log into the ConnectSecure portal from the same machine where the Google Webscraper application is installed.
On the machine where the Google Webscraper is installed, open a browser.
Log into the ConnectSecure portal.
Navigate to the Google Workspace Sync section.
Initiate the sync from that system.
The dashboard data can be refreshed manually using the refresh button.
Upon successful installation and sync, you should see the total count of checks increase from the initial base of 5 to 27.
Webscraper Uninstallation
To remove the Google Webscraper, tap on the Install option from the toolbar.
Tap on the operating system first, then the Uninstall option.
Company Mapping
Once the Google Workspace setup is completed, you need to use the Company Mapping section of the integration in ConnectSecure to enable it.
Navigate to Global > Integrations > Google Workspace
Tap on the Google Workspace tile
Tap on the Company Mapping
Select the credentials
Tap on the Add and select the company to map
Select Add then Finish to complete
Google Workspace - Action Toolbar Overview
Sync
Tap here to start the Google Workspace Assessment scan manually.
Install
Tap here to begin the Google Webscraper installation; steps outlined above.
Jobs
Tap to view the Google Workspace-related jobs data.
Alerts
Tap to view the timeline style of System Events with filtering options.
Info
Tap to view the Getting Started info; see the link below for additional information.
https://cybercns.atlassian.net/wiki/x/MIDKfw