Google Workspace security best practices: file-sharing
Secure your Google Workspace without sacrificing collaboration
We’ve all been there: a quick share for a colleague, a link sent to a vendor, a document shared with broad "editor" permissions that are no longer necessary. The speed and simplicity of these file-sharing actions are a big part of the value of Google Workspace. But the platform's ease of use, while a boon for productivity and collaboration, often leads to unintentional oversharing and misconfigurations. And when it comes to sharing with external users, there is no easy way for security teams to see which external users have access to their documents.
It's not about bad actors — and it’s not really a unique Google Workspace flaw (it’s a problem shared by all enterprise collaboration tools); it’s about the human element, the "oops" factor, and the reality that visibility and control often lag behind the speed of information sharing.
The crux of the problem in securing Google Workspace: once a file is shared, either directly or via a link, tracking and controlling its subsequent use becomes incredibly difficult. Some organizations must control file-sharing to comply with data privacy standards like HIPAA. But completely prohibiting file-sharing is not an option, and in most businesses, significantly limiting file-sharing is too damaging from a productivity and collaboration standpoint. Instead, organizations need solutions that provide visibility and control, allowing them to mitigate risk and ensure compliance, without hindering collaboration.
Four key gaps in Google Workspace security
Every security team that uses Google Workspace has experienced the urgent, needle-in-a-haystack search to find a sensitive file that has potentially been over-shared. This challenge is amplified within Google Workspace due to several factors:
- Access path obscurity: Google Workspace shows that a user has access to a file, but often not how they gained that access. This lack of visibility makes it difficult to understand the full scope of permissions and complicates remediation efforts. For instance, if a user has access to a file because they were added to a parent folder or through a group, Google Workspace doesn't readily provide that crucial context.
- Shared drives vs. “My Drive”: Administrators lack necessary visibility and control over files within a user's "My Drive" in Google Workspace. Google does not give administrators the ability to scan across a user’s My Drive to see what has been shared with whom. Furthermore, if an employee shares files from their My Drive with external users, Google Workspace provides limited means for administrators to manage or revoke that access.
- Limited visibility into external access: Gaining a clear, centralized view of all external access to Google Drive files is a significant challenge. This lack of visibility amplifies security risks such as susceptibility to unintentional oversharing with external parties, incomplete offboarding of employees or contractors who retain access, and unauthorized access by anonymous users via public links.
- Manual revocation: Directly revoking access in Google Workspace is a cumbersome and time-consuming process. Security teams must first locate every individual instance where a file has been shared and then manually revoke access for each user or group. There is no efficient, centralized way to manage and revoke access at scale.
Misconfigurations and the risk of anonymous sharing
Beyond general visibility, specific Google Workspace configurations pose significant security risks. The most prominent example is the "Anyone with a link" sharing setting.
This anonymous link sharing feature allows anyone with the link to access a file, regardless of their identity. In essence, this is an open public link to access the file. It poses a severe risk, as the link could be shared with unauthorized individuals, potentially granting access to sensitive data. And if not switched off, this open public link remains available in perpetuity.
Moreover, unlike some other platforms (like Microsoft, which often prompts for a Microsoft account), Google Workspace's "Anyone with a link" can provide direct access, making it harder to track and control.
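The following added example, which is not code from this post or from any vendor, classifies permission records shaped like Google Drive API v3 permission resources to surface "Anyone with a link" grants and external grantees. It assumes the records have already been exported; the sample files, the `example.com` organization domain and the finding labels are constructed for illustration.

```python
# Constructed sample: file metadata with permission records shaped like
# Google Drive API v3 permission resources (type, role, emailAddress, domain).
ORG_DOMAINS = {"example.com"}  # assumption: the organization's own domains

FILES = [
    {"id": "f1", "name": "Q3 payroll.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"id": "f2", "name": "Vendor SOW.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "pat@vendor.test"},
        {"type": "user", "role": "reader", "emailAddress": "sam@gmail.com"},
    ]},
    {"id": "f3", "name": "Roadmap.pptx", "permissions": [
        {"type": "domain", "role": "reader", "domain": "example.com"},
        {"type": "group", "role": "writer", "emailAddress": "eng@example.com"},
        {"type": "domain", "role": "commenter", "domain": "partner.test"},
    ]},
]

def classify(perm, org_domains=ORG_DOMAINS):
    """Return a finding label for one permission, or None if it is internal."""
    ptype = perm.get("type")
    if ptype == "anyone":
        # Public link; allowFileDiscovery=True also makes it findable via search.
        return "anyone_discoverable" if perm.get("allowFileDiscovery") else "anyone_with_link"
    if ptype == "domain":
        return None if perm.get("domain", "").lower() in org_domains else "external_domain"
    if ptype in ("user", "group"):
        # A missing e-mail address yields an empty domain and is flagged, not trusted.
        domain = perm.get("emailAddress", "").rpartition("@")[2].lower()
        return None if domain in org_domains else "external_" + ptype
    return "unknown_type"  # fail closed: surface anything unrecognized

def audit(files, org_domains=ORG_DOMAINS):
    """List (file id, finding, grantee, role) for every non-internal grant."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            label = classify(perm, org_domains)
            if label:
                grantee = perm.get("emailAddress") or perm.get("domain") or "anyone"
                findings.append((f["id"], label, grantee, perm.get("role")))
    return findings

if __name__ == "__main__":
    for row in audit(FILES):
        print(*row, sep="\t")
```

Filtering the returned rows by grantee domain gives the per-vendor or all-Gmail view of external access that the post describes.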
Oleria: Centralized visibility and granular control for Google Workspace
Oleria addresses these unique Google Workspace identity security and access risks, providing centralized visibility and granular control across your IT estate. Here's how Oleria helps:
- Access path visibility: Oleria provides detailed insights into how access was provisioned, unraveling the often-complex layers of inherited permissions within Google Workspace. Instead of simply showing that a user has access, Oleria reveals the precise chain of permissions that granted that access. This level of clarity is essential for security teams to understand the true scope of permissions and effectively manage access risks.
- Comprehensive visibility across drives: Oleria provides an overarching view of file access across all files and folders, including those within a user's "My Drive." This visibility enables administrators to identify and manage risks associated with file sharing from My Drive, including scenarios where employees share sensitive data from My Drive with external parties.
- External sharing visibility: Oleria also shines a light on files shared externally and external users who have access to the organization’s documents. Purpose-built functionality lets security teams filter to see all external users from a specific vendor company, all Gmail users, etc.
- Dormant user identification and management: Oleria makes it easy to identify dormant users within Google Workspace and take appropriate action to disable access. This capability helps to minimize risk of unauthorized access through these inactive accounts.
- Activity analysis integration: Oleria combines access visibility with activity analysis. This integration enables security teams to see who has access to what — and what they are doing with that access. This fine-grained visibility — including details on file access, edits, downloads, and other actions like creating, deleting or sharing files — helps security teams understand user behavior and potential risks.
- Granular revocation capabilities: Oleria empowers administrators to revoke access with precision. This includes revoking access for external users and any anonymous shares through the “anyone with a link” mechanism. Oleria's revocation capabilities extend to files shared from "My Drives," addressing a significant gap in Google Workspace's native functionality. Oleria also provides complete logs of all revocation actions — and allows security teams to cancel a revoke action easily.
Focusing security teams on the access risks that matter most
Blind spots are one recurring problem for security teams — but alert fatigue is another major issue. Oleria helps security teams see and understand high-risk areas by giving them a focused lens to pinpoint and address the most prevalent and critical identity and access risks within Google Workspace — with purpose-built functionality to surface risks like:
- Inadvertent over-sharing
- “Anyone with a link” shares
- Data exfiltration by departing employees
- Dormant shares with offboarded vendors
- Self-sharing among vendors and contractors
Visibility that empowers secure collaboration
Let's be real: security teams know Google Workspace's file-sharing is a double-edged sword. But they also know that halting or limiting sharing would bring the business to a standstill.
Oleria gives security teams what they’re missing: the visibility into the gray areas of Google Workspace, so they can better understand where their real file-sharing risks are — and unique controls that help them address those file-sharing risks with precision, rather than blunt policies. With that kind of clarity and control, you can keep the business moving — and keep it secure.