SaaS Security - Google Workspace Footprint

After Activating Google Workspace (Gmail and Google Drive), Avanan automatically creates a Super Admin, host (mail route), inbound gateway, SMTP relay service, two user groups, and four content compliance rules.

Super Admin

While installing the Avanan Cloud Security app, a new Super Admin account is created in your Google Admin console.

The Super Admin has an email address in the cloud-sec-av@[domain] format and is sometimes referred to as the Avanan Service User. This user requires a Gmail license. For more details about the Super Admin role, see Pre-built administrator roles.

Super Admin Security

The password of the Super Admin contains 43 random characters, a mix of lower case letters, upper case letters, and digits.

You cannot change the password after the initial setup.

User Groups

After activating Google Workspace, Avanan automatically creates two user groups. You can review these user groups under Groups in your Google Admin console.

  • avanan_inline_policy
  • avanan_monitor_policy

Note - If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, the synchronization triggers the deletion of these two user groups. Though this will not impact the email delivery, Avanan cannot scan the emails, and no security events get generated.

Before activating Google Workspace, create two exclusion rules for the two user groups. Select the exclusion type as Group Email Address, match type as Exact Match, and the group email address should be in the groupname@[domain] format.

For example, the group email addresses should be avanan_inline_policy@mycompany.com and avanan_monitor_policy@mycompany.com, where mycompany is the name of your company.

Host

Avanan automatically creates a host (aka mail route) in your Google Admin console.

You can see the host from the Google Admin Console under Apps > G Suite > Settings for Gmail > Hosts.

gmail-hosts

Inbound Gateway

Avanan automatically creates an Inbound gateway. You can see the inbound gateway from the Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.
Note - In the Inbound gateway settings, you must select the Require TLS for connections from the email gateways listed above check-box.

google-console-inbound-gateways

SMTP Relay Service

Avanan automatically creates an SMTP relay service. You can see the SMTP relay service from your Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.

google-console-smtp-relay-service

Content Compliance Rules

Avanan automatically creates three Content Compliance Rules. You can review the content compliance rules from your Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.

The rules are called:

  • [tenantname]_monitor_ei
  • [tenantname]_monitor_ii
  • [tenantname]_monitor_eo
  • [tenantname]_inline_ei

where ei stands for incoming traffic, ii stands for internal traffic, and eo stands for outgoing traffic.

Note - The [tenantname]_inline_ei rule gets created when the Prevent (Inline) mode is enabled. If you remove the Prevent (Inline) mode for users in Avanan, the Content Compliance Rule remains in the Google Admin console but the content of the user group avanan_inline_rule gets updated to reflect that no users are protected in this mode.