How to Plan a Google Drive Policy Environment [Old UI]

The General Audit Tool recently released its Policy Enforcement Feature set. This has been very well received by our user base but has raised some interesting implementation issues. This post will look at how you should go about setting up a policy enforcement environment for Google Drive

For tight security, the ideal goal is to set up a whitelist and undo sharing to everything else.

For a more liberal working environment maybe you just want to build a blacklist. Either way follow these simple steps.

Step 1 – Assess the size of the problem you are dealing with

Fortunately GAT lets you do this in a click or two. 

In One Click reports, one of the first reports you will see is the ‘External Users – Docs’ report. Clicking on this will show you a list of external people you share documents with. These are listed under 5 columns. When you share a document with a second party you can do so under three circumstances, you own the doc, they own the doc or a third party owns the doc and you are co-sharers.

GAT identifies all external individuals whom users on your domain share documents with and further identifies the type of sharing relationship you have with those individuals.

To begin with, we are initially interested in ‘Our Documents’ and of those, the most interesting is probably our documents that external individuals can edit. Click on that column to sort in descending order. Now, look at the first column.  The important names and domains should be pretty obvious. Work your way down the list, noting domains or users that you think might not be valid business sharing targets.  When you find an external user or domain you wish to check, click on the corresponding number in the ‘Can Edit (Our Docs only)’ column.  This will show you the full list of internal users who share with that external party, it will also show you the docs they share. Review these and then call the local user(s) to see if this is an appropriate domain to have whitelisted.

Next, repeat the process for ‘Can View (Our Docs only)’. Once this is done, you have covered your own document base. This is the material that should be of primary concern to you and company management. For both these categories you can set policy to unshare, whitelist or blacklist.

The next level of concern in terms of security risk are external documents that your users can edit.  For example, these may be personal Gmail docs, shared into the domain into which, local users are writing company information.

The final category of concern is external documents that your users can view. The concern here is that the viewable material is appropriate for the workplace.

In the last two cases, you cannot set policy to remove the shares as you have no authority over documents external to your domain, however, you can issue a warning to local users that it is against company policy to edit or view documents from non-whitelisted domains.

Remember a click shows you who the local users are. Work closely with the user or their manager to determine the white or blacklist.

Step 2 – Clean up the existing situation

Having identified those users or domains that you definitely should not be sharing documents with, you can clean up the bulk of them fairly quickly.

There are two methods in GAT for doing this.

1) If you wish to remove just one or two individuals or domains and you are certain they can be removed, go to the ‘Drive Audit’

Go to the Drive audit section in the GAT+ console

Search for the individuals or domains you wish to remove and pick each target off one by one.  Remember you can only remove them from documents owned by your domain.

2) If you have a large number of external users and domains that you wish to remove from your document shares, or you have prepared a whitelist and want everyone else removed you can do that with the scheduler.

NOTE: For a large number of file access removes it is always better to notify the users of the files that will be affected and to confirm with the users that this is now company policy.

User and management engagement and feedback is essential.

First, let us prepare the rules and confirm with our user base.

  1. a) Blacklist example

Prepare the blacklist and modify this example blacklist to meet your own needs

([^\s]+(\@(?i)(gmail\.com|hotmail\.com|yahoo\.com))$)

Then using the Drive Audit search in GAT, search for ‘Users’ from these domains. Be sure to tick ‘Reg. Ex.’, because it is a regular expression.

search for ‘Users’ in GAT+. Be sure to tick ‘Reg. Ex.’

This will find all documents where users from these domains are the owners, editors or viewers of documents. Next click on ‘Schedule/Save’

Here we will run the job once.

The first time we take no removal action. We warn all the local users and invite them to remove the shares themselves.  We also invite feedback, so we can refine the list. All affected users will get the notice along with a list of their files which are affected.

Example of a message, which you can cut and paste.

Please note, all files shared to or from gmail.com, hotmail.com and yahoo.com are going to have external shares removed if we own the document, or will have warning notices sent to internal users if the document is shared in. You are invited to remove the shares yourself beforehand.

Please check that these files conform with company policy. If you feel a name should not be on the list, please let us know.

This is only a warning message. No action has been taken on this audit.’

After running the job one evening, we log in the morning, disable the job and wait for feedback.  You may need to run over a few weeks, if you feel many users are on vacation.

Having warned all users we need to turn the rule from a warning into an action.

Select ‘Remove Only the Following External Shares’ and add the blacklist of users or domains. Enable to run nightly to ensure policy is complied with.

  1. b) Whitelist example

Prepare the Whitelist of domains or users it is acceptable to share with.

First, lets search for the ‘whitelist’ docs on Drive. Then when we found those, we click on ‘Negate Search’ to find every document not ‘used’ by the whitelist.

After negating the search, select clear filter to start a fresh search.

First click on ‘In’ to find the documents shared in, then click on ‘Out’ to find all the documents shared out. The result of these two clicks will be a list of all documents shared in or out.

We will then combine this result with our non-whitelisted search, to produce a search for all documents not on the whitelist shared in or out.

We can use this search to form the basis of our warning campaign before taking any removal action.

Step 3 – Enforce the Policy

In both the whitelist and blacklist user case, you can now return to the scheduler and turn the warning into action.

Policy enforcement should then proceed in 2 phases. The first phase is to remove all past infringements and the second phase will be to enforce the policy going forward.

For a complete ‘shutdown’ of non-domain access to your domain files we have a single button ‘Remove All External Shares’.

Selecting this will do exactly what it says!

To enforce a ‘Blacklist’ you select ‘Remove only the following shares’ and enter the list of domains or users, separated by commas, which you have determined need to be removed.

To enforce the ‘Whitelist’ you select ‘Remove All External Shares Excluding the following’ and enter the list of domains or users, separated by commas, which you have determined are safe to allow see your domain’s documents.

For phase one of the policy enforcement, you then schedule the job to run once, with the appropriate warning message. In each case, this will clear the past sharing infringements.

For the second phase, scheduling ongoing policy enforcement, you need to introduce a date element into your rule.  This job can then be run daily, weekly or monthly and the date updated.

For many examples of how this is done see here.

Basically, it requires you to enter the rule again, but select it to apply only from today’s date, (if you want to run the job daily). We will then run the policy check for you every day and update the date.