Activating Google Workspace (Gmail and Google Drive)

Prerequisites

To activate Google Workspace, you must have these:

  • You have Administrator access to activate Google Workspace.

  • Additional Google Workspace license to integrate with Avanan. (Integration is not supported for clients on the free G-Suite license tiers.)

  • You have the minimum supported SaaS license. See Minimum License Requirements to Activate SaaS Applications.

  • If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, before activating Google Workspace, you must create exclusion rules for these user groups.

    • avanan_inline_policy

    • avanan_inline_outgoing_policy

    • avanan_monitor_policy

    • avanan_monitor_outgoing_policy

    For more information, see User Groups.

By default, the Google Chrome browser authenticates the signed-in Chrome user in Google Workspace instead of a selected account. To see if you are signed in to Google Chrome, look for the user name in the browser's top-right corner.

Possible workarounds:

  • Perform the Google Workspace activation using a non-Chrome browser.

  • Sign out any logged-in Chrome user (or switch to a Guest profile) before you continue.

While onboarding Google Workspace (Gmail / Google Drive), Avanan creates a service user (cloud-sec-av@[domain]) in the root organizational unit.

Before onboarding, make sure that these settings are selected in your Google Admin Console.

  • Go to the Authentication Settings of the root organizational unit and confirm these settings.

    • The Allow users to turn on 2-Step Verification checkbox is selected.

    • If the Only security key option is selected, the Don't allow users to generate security codes option is not selected.

Notes:

If the Authentication Settings are not supported, onboarding fails. To resolve this issue, do one of these.

  • If you want to keep the unsupported Authentication Settings of your root organizational unit, move the service user (cloud-sec-av@[domain]) to an organizational unit with the supported Authentication Settings. Then, start onboarding Gmail or Google Drive again.

  • Create a new dedicated organizational unit with the supported Authentication Settings and move the service user (cloud-sec-av@[domain]) to the organizational unit. Then, start onboarding Gmail or Google Drive again.

Gmail and Google Drive - Required Permissions

Avanan requires the following permissions from Gmail and Google Drive.

Each entry lists the Type, the Permissions required (as shown on the Google consent screen), the OAuth Scope, and the Purpose.

Type: Google Drive
Permissions required: View, edit, create, and delete all Google Drive files.
OAuth Scope: https://www.googleapis.com/auth/drive
Purpose: Used to read files across protected drives and remediate found threats (for example, malware and DLP).

Type: Google Drive
Permissions required: View your Google Drive applications.
OAuth Scope: https://www.googleapis.com/auth/drive.apps.readonly
Purpose: Used during the application installation to track application entities.

Type: Google Drive
Permissions required: View information about your Google Drive files.
OAuth Scope: https://www.googleapis.com/auth/drive.metadata.readonly
Purpose: Used to scan files and enforce policy rules.

Type: Google Drive
Permissions required: View and download all your Google Drive files.
OAuth Scope: https://www.googleapis.com/auth/drive.readonly
Purpose: Used to scan the files for malware.

Type: Gmail
Permissions required: Read, compose, send, and permanently delete all your Gmail emails.
OAuth Scope: https://mail.google.com/
Purpose: Used to enforce policy rules and modify the email content.

Type: Gmail
Permissions required: Add emails to your Gmail mailbox.
OAuth Scope: https://www.googleapis.com/auth/gmail.insert
Purpose: Used for user notifications, password-protected attachments, and threat extraction by inserting emails in the user's mailbox.

Type: Gmail
Permissions required: View and edit your email labels.
OAuth Scope: https://www.googleapis.com/auth/gmail.labels
Purpose: Supports moving emails to Spam as part of the Threat Detection policy.

Type: Gmail
Permissions required: Read, compose, and send emails from your Gmail account.
OAuth Scope: https://www.googleapis.com/auth/gmail.modify
Purpose: Required for future feature enhancements.

Type: Gmail
Permissions required: View your email messages and settings.
OAuth Scope: https://www.googleapis.com/auth/gmail.readonly
Purpose: Used to scan email messages for threats.

Type: Gmail
Permissions required: View, edit, create, or change your email settings and filters in Gmail.
OAuth Scope: https://www.googleapis.com/auth/gmail.settings.basic
Purpose: Used to check mailbox settings and detect compromised accounts.

Type: Admin Console
Permissions required: View your Google Chrome OS devices' metadata.
OAuth Scope: https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
Purpose: Used to identify abnormalities that may indicate Business Email Compromise (BEC).

Type: Admin Console
Permissions required: View your mobile devices' metadata.
OAuth Scope: https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
Purpose: Used to identify abnormalities that may indicate Business Email Compromise (BEC).

Type: Admin Console
Permissions required: View and manage the provisioning of domains for your customers.
OAuth Scope: https://www.googleapis.com/auth/admin.directory.domain
Purpose: Used to determine the protected domains associated with the Google account.

Type: Admin Console
Permissions required: View and manage the provisioning of groups on your domain.
OAuth Scope: https://www.googleapis.com/auth/admin.directory.group
Purpose: Used to map groups for proper policy assignment.

Type: Admin Console
Permissions required: View and manage the provisioning of users on your domain.
OAuth Scope: https://www.googleapis.com/auth/admin.directory.user
Purpose: Used to create the service user required for policy configuration.

Type: Admin Console
Permissions required: View information about users on your domain.
OAuth Scope: https://www.googleapis.com/auth/admin.directory.user.readonly
Purpose: Used to map users for proper policy assignment and to build the social graph.

Type: Admin Console
Permissions required: Manage data access permissions for users on your domain.
OAuth Scope: https://www.googleapis.com/auth/admin.directory.user.security
Purpose: Used during onboarding to configure Google parameters and create the service user.

Type: Admin Console
Permissions required: View audit reports for your G Suite domain.
OAuth Scope: https://www.googleapis.com/auth/admin.reports.audit.readonly
Purpose: Used to identify compromised accounts (BEC activity).

Type: Admin Console
Permissions required: Upload messages to any Google group in your domain.
OAuth Scope: https://www.googleapis.com/auth/apps.groups.migration
Purpose: Required for future feature enhancements.

Type: Admin Console
Permissions required: View usage reports for your G Suite domain.
OAuth Scope: https://www.googleapis.com/auth/admin.reports.usage.readonly
Purpose: Used to (1) detect compromised accounts and (2) detect Google Drive file changes that require rescanning.

Type: Admin Console
Permissions required: View and manage the settings of a G Suite group.
OAuth Scope: https://www.googleapis.com/auth/apps.groups.settings
Purpose: Used to create and maintain groups that determine how emails are handled (for example, Inline vs. Monitoring modes).

Type: Admin Console
Permissions required: View and manage G Suite licenses for your domain.
OAuth Scope: https://www.googleapis.com/auth/apps.licensing
Purpose: Used to determine which license should be assigned to each user.

Type: Payments and Subscriptions
Permissions required: View and manage Pub/Sub topics and subscriptions.
OAuth Scope: https://www.googleapis.com/auth/pubsub
Purpose: Required for future feature enhancements.

Type: Google Account
Permissions required: View your primary Google Account email address.
OAuth Scope: https://www.googleapis.com/auth/userinfo.email
Purpose: Used to support end user authentication through Google (for example, End User Portal).

Type: Google Account
Permissions required: View your personal information, including any personal information you've made publicly available.
OAuth Scope: https://www.googleapis.com/auth/userinfo.profile
Purpose: Used to support end user authentication through Google (for example, End User Portal).

Type: Google Activity API
Permissions required: View and add to the activity record of your Google applications.
OAuth Scope: https://www.googleapis.com/auth/activity
Purpose: Required for future feature enhancements.

Type: Google Calendar
Permissions required: View and edit events on all your calendars.
OAuth Scope: https://www.googleapis.com/auth/calendar.events
Purpose: Used to identify and remove malicious calendar events and meeting invitations.
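A practical use of this list is to verify, after onboarding, that the scopes actually granted to the application match the documented set: an extra scope is a finding to investigate, a missing one explains a feature that does not work, and the write-capable scopes are the ones that deserve the tightest change control. The script below is an added example, not Avanan's or Google's code. It transcribes the scopes from the list above, classifies them as read-only or write-capable by their names, and compares them with a token listing. The listing is a constructed stand-in shaped like the Admin SDK Directory API tokens.list response (only the clientId, displayText, userKey and scopes fields are used); the client IDs and user in it are placeholders, and the extra scope in the sample is there to show what a discrepancy looks like.

```python
"""Compare the OAuth scopes granted to a Workspace app with a documented scope list.

Added example; not part of the Avanan documentation. DOCUMENTED_SCOPES is
transcribed from the permissions list above. SAMPLE_TOKEN_LISTING is a
constructed stand-in for an Admin SDK Directory API tokens.list response,
trimmed to the fields this check reads.
"""
from typing import Dict, List, Optional

# Scopes the documentation says the application requests (transcribed from the list above).
DOCUMENTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.apps.readonly",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.insert",
    "https://www.googleapis.com/auth/gmail.labels",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.mobile.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/apps.groups.migration",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/apps.groups.settings",
    "https://www.googleapis.com/auth/apps.licensing",
    "https://www.googleapis.com/auth/pubsub",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/activity",
    "https://www.googleapis.com/auth/calendar.events",
})

# Identity scopes that expose attributes but cannot change anything.
READ_ONLY_IDENTITY_SCOPES = frozenset({
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})


def is_read_only(scope: str) -> bool:
    """Heuristic by scope name: Google's read-only scopes end in '.readonly';
    the userinfo scopes only expose identity attributes. Treat everything
    else as write-capable (it can modify tenant data or configuration)."""
    return scope.endswith(".readonly") or scope in READ_ONLY_IDENTITY_SCOPES


def audit_app_scopes(token_listing: dict, client_id: str,
                     required: frozenset) -> Optional[Dict[str, List[str]]]:
    """Find the token entry for client_id and report how its granted scopes
    differ from the documented set. Returns None if the app has no token."""
    for item in token_listing.get("items", []):
        if item.get("clientId") != client_id:
            continue
        granted = set(item.get("scopes", []))
        return {
            "missing": sorted(required - granted),        # documented but not granted
            "unexpected": sorted(granted - required),     # granted but not documented
            "write_scopes": sorted(s for s in granted if not is_read_only(s)),
        }
    return None


# Constructed sample listing (placeholder client IDs and user). The first entry
# lacks the calendar scope and carries one scope the documentation does not list.
SAMPLE_TOKEN_LISTING = {
    "kind": "admin#directory#tokenList",
    "items": [
        {
            "clientId": "example-app.apps.googleusercontent.com",   # placeholder
            "displayText": "Example Cloud Security App",
            "userKey": "admin@example.com",
            "scopes": sorted(
                (DOCUMENTED_SCOPES - {"https://www.googleapis.com/auth/calendar.events"})
                | {"https://www.googleapis.com/auth/admin.directory.orgunit"}
            ),
        },
        {
            "clientId": "other-addon.apps.googleusercontent.com",   # placeholder
            "displayText": "Unrelated add-on",
            "userKey": "admin@example.com",
            "scopes": ["https://www.googleapis.com/auth/gmail.readonly"],
        },
    ],
}


if __name__ == "__main__":
    report = audit_app_scopes(SAMPLE_TOKEN_LISTING,
                              "example-app.apps.googleusercontent.com",
                              DOCUMENTED_SCOPES)
    for key, scopes in (report or {}).items():
        print(f"{key} ({len(scopes)}):")
        for scope in scopes:
            print("  " + scope)
```

In a real tenant the listing would come from the Directory API tokens.list call for the administrator who authorized the app; the comparison logic is unchanged. Keep the documented set as the source of truth and re-run the check whenever the vendor's permission list changes, since a newly requested scope only takes effect after an administrator re-consents.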

Activating Gmail

To activate Gmail:

  1. Navigate to Security Settings > SaaS Applications.

  2. Click Start for Gmail.

  3. Select the mode of operation:

    • Automatic mode

      Avanan performs the necessary configuration in your Google Workspace environment and operates in Monitor only mode.

    • Manual mode

      You must manually configure the necessary settings in the Google Admin Console before linking the application to your Gmail account and every time you add or edit the security policy associated with emails.

    Note - Avanan recommends using Automatic mode for better maintenance and management and a smoother user experience. Before using the Manual mode, contact Avanan Support to help resolve any issues raised with the Automatic mode for onboarding.

  4. Enable the I Accept Terms Of Service checkbox and click OK.

  5. In the Google Workspace window that appears, sign in with Google administrator credentials.

  6. After successful authentication, you will be redirected to the Avanan application installation page.

    Click Admin Install.

  7. In the Admin install pop-up that appears, click Continue.

  8. Review the permissions requested by the Avanan application. Select Everyone at your organization, accept the Terms of Service, and click Finish.

  9. In the confirmation pop-up that appears after the Avanan application completes the installation, click Done.

    The Gmail - Group Selection pop-up appears.

  10. To protect all users in your organization, select All Organization and click OK.

  11. To protect specific users in your organization, select Specific group, enter the group name and click OK.

    Note - The group name must have an associated email address.

    If you selected Automatic mode of operation, Avanan enables the Gmail SaaS application and starts monitoring for security events.

    If you selected Manual mode of operation, you need to make additional changes to integrate Google Gmail with Avanan.

Activating Google Drive

To activate Google Drive:

  1. Navigate to Security Settings > SaaS Applications.

  2. Click Start for Google Drive.

  3. Log in to the Google Workspace Marketplace using your Google administrator credentials.

  4. If the Avanan Cloud Security app is already installed from Google Workspace Marketplace, after successful authentication, Avanan starts scanning the Google Drive of users.

    If not, continue from step 3 in Activating Gmail.

Note - After activating Google Drive, Avanan performs a retroactive scan of its content. For more information, see Onboarding Next Steps.

For more details about automatic configuration on Google Workspace, see Google Workspace Footprint.

Google Workspace Footprint

After activating Google Workspace (Gmail and Google Drive), Avanan automatically creates a Super Admin, a host (mail route), an inbound gateway, an SMTP relay service, two user groups, and four content compliance rules.

Super Admin

While installing the Avanan Cloud Security app, a new Super Admin user account is created in your Google Admin Console.

The Super Admin user has an email address in the cloud-sec-av@[domain] format and is sometimes referred to as the Avanan Service User.

This user requires a Gmail license. For more details about the Super Admin role, see Pre-built administrator roles.

What is the Super Admin User Used For?

Avanan uses the Super Admin user to perform tasks that cannot be accomplished with the Google APIs.

Avanan uses the Super Admin user to do these tasks:

Super Admin Security

The password of the Super Admin contains 43 random characters, a mix of lower case letters, upper case letters, and digits. The password is safely stored in AWS Key Management Service (AWS KMS).

Also, Avanan recommends enabling Multi-Factor Authentication (MFA) for this account to enhance its security.

Changing the Google Application Role

After successfully onboarding the Google Workspace SaaS application to Avanan, the administrator can change the role assigned to the Avanan application. To do that:

  1. Sign in to your Google Admin Console with an account with super administrator privileges.

  2. Create a custom admin role. For more information, see Google Documentation.

  3. Assign these privileges to the role:

    1. In the Admin console privileges:

      1. Assign Settings privilege to Gmail.

      2. Assign Groups privilege.

    2. In the Admin API privilege, assign Groups privilege.

  4. Search for the Cloud-Sec-AV Service Admin role and do these:

    1. Unassign the Super Admin role. For more information, see Google Documentation.

    2. Assign the custom admin role created in step 2. For more information, see Google Documentation.

Performing Actions on Behalf of Users

According to Google best practices, the Avanan application uses delegation to perform certain actions (for example, quarantining emails) on behalf of users.

By default, some of these actions are performed on behalf of the user using the account that authorized the application during the onboarding process. If this account is deleted, the user no longer exists, or the account no longer has the required permissions, the Avanan application automatically starts delegating these actions to the service account.

User Groups

After activating Google Workspace, Avanan automatically creates these user groups.

  • avanan_inline_policy

  • avanan_monitor_policy

Host

Avanan automatically creates a host (also known as a mail route) in your Google Admin Console. You can see the host in the Google Admin Console under Apps > G Suite > Settings for Gmail > Hosts.

Note - By default, the Require mail to be transmitted via a secure (TLS) connection (Recommended) checkbox is selected. To disable it, contact Avanan Support.

Inbound Gateway

Avanan automatically creates an Inbound gateway. You can see the inbound gateway from the Google Admin Console under Apps > G Suite > Settings for Gmail > Advanced Settings.

SMTP Relay Service

Avanan automatically creates an SMTP relay service. You can see the SMTP relay service from your Google Admin Console under Apps > G Suite > Settings for Gmail > Advanced Settings.

Content Compliance Rules

Avanan automatically creates three Content Compliance Rules. You can review the content compliance rules from your Google Admin Console under Apps > G Suite > Settings for Gmail > Advanced Settings. The rules are called:

  • [tenantname]_monitor_ei

  • [tenantname]_monitor_ii

  • [tenantname]_monitor_eo

  • [tenantname]_inline_ei

where ei stands for incoming traffic, ii stands for internal traffic, and eo stands for outgoing traffic.

Note - The [tenantname]_inline_ei rule is created when the Protect (Inline) mode is enabled. If you remove the Protect (Inline) mode for users in Avanan, the Content Compliance Rule remains in the Google Admin Console, but the membership of the user group avanan_inline_rule is updated to reflect that no users are protected in this mode.

Google Drive Permissions Changes

Depending on the Google Drive policy configured by the administrator, Avanan takes action (quarantine, remove permissions) on the files uploaded to Google Drive.

Avanan uses different users to take these actions, depending on whether the Drive containing the file has an owner.

  • If the Drive has an owner, Avanan takes the action on behalf of the owner.

  • If the Drive does not have an owner, Avanan follows this procedure:

    1. Avanan adds the Super Admin user as an owner of the Drive.

    2. Avanan uses the Super Admin user to take the necessary action on the file.

    3. Avanan removes the Super Admin user from being the owner of the Drive.