File Storage Protection - Google Drive

Overview

Google Drive is a cloud storage system that allows file sharing and collaboration. Avanan adds security, privacy, and compliance to Google Drive by scanning files shared in Google Drive for malicious content and data loss prevention (DLP) violations, and it generates actionable events on malicious content.

How it works

Avanan adds a layer of security that provides these security features for Google Drive:

  • Data Leak Prevention (DLP): Protecting uploaded files containing sensitive data
  • Anti-Malware: Scanning of files for malicious content
  • Remediation: Quarantine malicious files and files containing sensitive data.

Required Permissions

The cloud state for Google Drive used by Avanan is composed of the following entities:

  • Users
  • Groups and Memberships
  • Tokens
  • Apps
  • Files and Folders
  • Permissions

Once the cloud state is saved, Avanan starts monitoring the changes for each user. To track changes for each user in the cloud, Avanan uses the following channels:

Avanan uses the following resources for Google Drive from the APIs:

  • Files and Folders metadata (not including file contents)
  • Users and Groups metadata
  • Permissions
  • Changes (not including the content of files changed)
  • Channels
  • Tokens
  • Applications

Activating Google Drive

To activate Google Drive:

  1. Navigate to Security Settings > Cloud App Store.
  2. Click Start for Google Drive.
  3. Log in to the Google Workspace Marketplace using your Google administrator credentials.
  4. After successful authentication, you will be redirected to the Avanan Cloud Security app installation page.
    Click Admin Install.
  5. In the Admin install pop-up that opens, click Continue.
  6. Avanan Cloud Security app requests permissions to access your data.
    Select Everyone at your organization, accept the terms of service, and click Finish.
    Wait until the Avanan Cloud Security app is installed.
  7. Click the menu icon at the top-right corner in the Google Workspace Marketplace. Scroll down and select the Avanan Cloud Security app.
    If prompted, enter the Google administrator credentials, and you are redirected to the Avanan portal.
    Note - After installing the Avanan Cloud Security app, a new Super Admin account is created in your Google Admin console.
  8. Navigate to Configuration > Cloud App Store and click Start for Google Drive.
    After successful authentication, Avanan starts scanning the Google Drive users.

Note - After activating Gmail, Avanan performs a retroactive scan of its content. For more information, see Backward Scanning.

Deactivating Google Drive

To deactivate Google Drive:

  1. Navigate to Security Settings > SaaS Applications.
  2. Click Stop for Google Drive.

Google Drive Security Settings

Customizing Quarantine

Administrators can customize the quarantine folder and location (email address).

Quarantine folder

The quarantine folder is used to quarantine malware-infected files and files containing sensitive information that does not comply with the organization's data-sharing policies. All these files will be quarantined to a single predefined quarantine folder.

Notes:

  • The quarantine folder is created in the root directory of the given email address. End users will not have access to this folder.
  • Only Google stores these quarantined files.

To customize the quarantine folder:

  1. Navigate to Security Settings > SaaS Applications.
  2. Click Configure for Google Drive.
  3. Under Quarantine Email Address, enter the required email address.
    Note - Google Drive must exist for the email address you entered here.
  4. Click Save.

Configuring Google Drive Policy

Malware Policy

By default, the Google Drive malware policy scans the uploaded files for malicious content.

Supported Actions

Google Drive malware policy supports these actions:

  • Quarantine malware-infected files.
  • Alert owner: Sends an email notification to the user who uploaded a file that contains malicious content.
  • Alert admin(s): Sends an email notification to the admin(s) about the malicious files.

Configuring Malware Policy

To configure Malware policy:

  1. Click Policy on the left panel of the Avanan portal.
  2. Click Add a New Policy Rule.
  3. From the Choose SaaS drop-down list, select Google Drive.
  4. From the Choose Security drop-down list, select Malware and click Next.
  5. Select the desired protection mode (Detect and Remediate or Detect).
    If required, you can change the Rule Name.
  6. Choose the Scope for the policy.
    • To apply the policy to specific users or groups, select the users and groups and click Add to Selected.
    • To apply the policy to all users and groups in your organization, enable the All Users and Groups checkbox.
    • To exclude specific users or groups from the policy, select the users/groups and click Add to Excluded.
  7. Under Blades, select the threat detection blades required for the policy.
    Note - To select all the blades available for malware detection, enable the All running threat detection blades checkbox.
  8. Under Suspected malware workflow (Attachment) in Workflows, select the workflow required for the policy.
    • Quarantine. User is alerted and allowed to restore
    • Quarantine. User is alerted, allowed to request a restore (admin must approve)
    • Quarantine. User is not alerted (admin can restore)
    • Do nothing

    Note - The Workflows are available only when Detect and Remediate protection mode is enabled.

  9. To quarantine malware-infected files, enable the Quarantine drive files checkbox.

    Note - This option will be available only in Detect and Remediate protection mode.

  10. Configure Alerts for the policy.
    1. To send email alerts to the file owner of malware, enable the Alert file owner of malware checkbox.
    2. To send email alerts to admin(s) about malware, enable the Alert admin(s) checkbox.

    Notes:

    • Even when the alerts are enabled here in the policy, the administrator only receives email alerts for security events when the Receive Alerts role is enabled in the Specific Service Role.
    • To customize the email alert templates, click on the gear icon to the right of the alert.
  11. Click Save and Apply.

DLP Policy

By default, the DLP policy scans the files uploaded to Google Drive for potentially leaked information, such as credit card numbers and Social Security Numbers (SSNs).

Supported Actions

Google Drive DLP policy supports these actions:

  • Quarantine potentially leaked information files.
  • Alert owner: Sends an email notification to the user who uploaded a file that contains sensitive information.
  • Alert admin(s): Sends an email notification to the admin(s) about the files that contain sensitive information.

Configuring DLP Policy

To configure DLP policy:

  1. Click Policy on the left panel of the Avanan portal.
  2. Click Add a New Policy Rule.
  3. From the Choose SaaS drop-down list, select Google Drive.
  4. From the Choose Security drop-down list, select DLP and click Next.
  5. Select the desired protection mode (Detect and Remediate or Detect).
    If required, you can change the Rule Name.
  6. Choose the Scope for the policy.
    • To apply the policy to specific users or groups, select the users and groups and click Add to Selected.
    • To apply the policy to all users and groups in your organization, enable the All Users and Groups checkbox.
    • To exclude specific users or groups from the policy, select the users/groups and click Add to Excluded.
  7. Under DLP Criteria, select the DLP categories required for the policy.
    For more details about the DLP rules and categories, see DLP Built-in Rules and Categories.
  8. Select the sensitivity level required for the policy.
    • Very high (hit count > 0)
    • High (hit count > 2)
    • Medium (hit count > 5)
    • Low (hit count > 10)
    • Very Low (hit count > 20)
  9. To exclude messages and files shared only with internal users from the DLP policy, enable the Skip Internal items checkbox.
  10. Configure Actions for the policy.
    • To send files with sensitive data to vault, select the Send files with sensitive data to vault checkbox.
    • To send email alerts to admins about DLP, enable the Alert admin(s) checkbox.
    • To remove permissions for users outside the domain of a detected file with sensitive data, enable the Remove permissions for users outside the domain checkbox.
    • To send email alerts to the file owner about DLP, enable the Alert file owner(s) checkbox.
    • To send a detected file with sensitive data to quarantine (no access for the file owner), enable the Quarantine drive files checkbox.
    Notes:

    • Even when the alerts are enabled here in the policy, the administrator only receives email alerts for security events when the Receive Alerts role is enabled in the Specific Service Role.
    • To customize the email alert templates, click on the gear icon to the right of the alert.
  11. Click Save and Apply.
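
The following is an added example, not Avanan code: it models how the sensitivity thresholds in step 8 combine with the Skip Internal items and Remove permissions for users outside the domain options, so an administrator can predict which files a rule should act on and which sharing entries it should strip. It assumes the file's sharing is available as Google Drive API v3 permission resources (`type`, `emailAddress`, `domain`, `id`); the `example.com` domain and the sample permissions are constructed, and treating a file as internal only when no permission leaves the listed domains is an assumption, since the page does not define "internal".

```python
# Added illustration, not Avanan code. Thresholds mirror step 8:
# a level matches when the DLP hit count is strictly greater than the value.
SENSITIVITY_MIN_HITS = {
    "very high": 0, "high": 2, "medium": 5, "low": 10, "very low": 20,
}
ORG_DOMAINS = {"example.com"}  # assumption: domains treated as internal

# Constructed sample in the shape of Drive API v3 permission resources.
SAMPLE_PERMISSIONS = [
    {"id": "p1", "type": "user", "role": "owner",
     "emailAddress": "alice@example.com"},
    {"id": "p2", "type": "user", "role": "reader",
     "emailAddress": "bob@partner.test"},
    {"id": "p3", "type": "anyone", "role": "reader"},
    {"id": "p4", "type": "domain", "role": "reader", "domain": "example.com"},
]


def is_external(perm, org_domains=ORG_DOMAINS):
    """True if the permission grants access outside the organization."""
    ptype = perm.get("type")
    if ptype == "anyone":  # link sharing: no identity check at all
        return True
    if ptype == "domain":
        return perm.get("domain", "").lower() not in org_domains
    # user or group: compare the e-mail domain. A missing address yields ""
    # and is therefore treated as external (fail closed).
    email = perm.get("emailAddress", "")
    return email.rpartition("@")[2].lower() not in org_domains


def evaluate(hit_count, sensitivity, permissions, skip_internal=True):
    """Return (rule_fires, ids of the external permissions on the file)."""
    external = [p["id"] for p in permissions if is_external(p)]
    if hit_count <= SENSITIVITY_MIN_HITS[sensitivity.lower()]:
        return False, external  # below the configured sensitivity
    if skip_internal and not external:
        return False, external  # shared only with internal users
    return True, external


if __name__ == "__main__":
    print(evaluate(3, "High", SAMPLE_PERMISSIONS))
```

The returned permission ids are the entries to confirm as removed on the file after a rule with Remove permissions for users outside the domain has run.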

Viewing Google Drive Security Events

Avanan records the Google Drive detections as security events. The event type depends on the type of policy that created the event. You can handle the security events in different ways, whether they are detected/prevented automatically or discovered by the administrators after not being prevented.

The Events screen shows a detailed view of all the security events.