
Add Support for Google Workspace admin settings #8266

@AdmiralGold

Description


New feature motivation

Google Workspace (GWS) comprises cloud-based productivity tools like Gmail, Drive, Docs, Sheets, and Meet, along with administrative features in the Google Admin Console for user and security management.

Integration with GCP is strong, particularly through Cloud Identity, IAM roles, and Admin SDK APIs, focusing on:

  1. IAM Role Delegation: Set up GCP service accounts as Workspace admins, assigning roles for permission inheritance. The Admin Console can also access the Admin SDK Directory API for synchronizing user data.
  2. Security Controls: Security settings in the Admin Console include Multi-Factor Authentication, Single Sign-On, and session expiry management.

Google Cloud Identity connects GCP and Workspace for centralized user management, SSO, and MFA enforcement, configurable via the Admin Console or Identity APIs.

The Admin Console allows comprehensive management of Workspace apps, including access control and user governance.

As such, being able to automatically assess the posture of your Google Workspace settings, whether you are using Google Cloud, Google Workspace apps, or both, is of critical importance.

At present, I can't see this capability in CSPM providers. Some SSPM providers do have it (for example Palo Alto and Spin.ai) but they require super admin permissions to do so.

Solution Proposed

Adopt an approach like that which CISA uses in its assessment tool.

As well as providing a tool, written in Go, to assess the posture of your GCP organisation, they have provided 2 key capabilities:

  1. A least privilege approach to assessing posture - https://github.com/cisagov/ScubaGoggles/blob/main/docs/prerequisites/Prerequisites.md
  2. A framework with baseline controls for Google Workspace - https://github.com/cisagov/ScubaGoggles/tree/main/scubagoggles/baselines (Common controls and Groups controls being applicable even if you don't use Google Workspace apps such as Docs, Sheets etc. and only use Google Cloud)

Describe alternatives you've considered

Considered:

  1. Palo Alto SaaS Security - https://docs.paloaltonetworks.com/saas-security/sspm/onboard-saas-apps-supported-by-sspm/onboard-a-google-workspace-app-to-sspm
  2. SpinOne - https://spin.ai/help/gworkspace-administration/862389-how-to-resolve-problems-with-insufficient-permissions/

Both of these require that they have super admin privileges.
Neither seems to publicly document what controls frameworks/policies are used.

Additional context

No response
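As an added example (not part of this issue, Prowler, or ScubaGoggles), the least-privilege pattern the issue asks for: read 2-Step Verification posture through the Admin SDK Directory API with only the read-only users scope, then evaluate it against a baseline-style control (admins must have 2SV enforced). It assumes a service account key with domain-wide delegation limited to that scope and an admin user to impersonate; the evaluation itself runs offline on constructed user records.

```python
"""Least-privilege 2SV posture check for a Google Workspace tenant.

Assumptions (not from the issue): a GCP service account whose domain-wide
delegation grants ONLY the read-only Directory users scope below, plus an
admin account to impersonate. No super admin role is needed to read posture.
"""

# Read-only scope: enough to read per-user 2SV state, no ability to change
# any setting (contrast with the super admin access the SSPM tools require).
READONLY_SCOPES = ["https://www.googleapis.com/auth/admin.directory.user.readonly"]


def list_users(key_file: str, impersonate: str) -> list[dict]:
    """Fetch every user record via the Directory API with delegated read-only creds."""
    # Imported lazily so the offline evaluation below needs no Google libraries.
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=READONLY_SCOPES).with_subject(impersonate)
    svc = build("admin", "directory_v1", credentials=creds, cache_discovery=False)
    users, token = [], None
    while True:  # follow pagination until the tenant is fully enumerated
        resp = svc.users().list(customer="my_customer", maxResults=500,
                                pageToken=token).execute()
        users.extend(resp.get("users", []))
        token = resp.get("nextPageToken")
        if not token:
            return users


def mfa_findings(users: list[dict]) -> list[tuple[str, str]]:
    """Baseline-style check: admins need 2SV enforced, everyone needs enrolment."""
    findings = []
    for u in users:
        if u.get("suspended"):          # inactive accounts cannot sign in
            continue
        email = u["primaryEmail"]
        is_admin = u.get("isAdmin") or u.get("isDelegatedAdmin")
        if is_admin and not u.get("isEnforcedIn2Sv"):
            findings.append((email, "admin without enforced 2SV"))
        elif not u.get("isEnrolledIn2Sv"):
            findings.append((email, "user not enrolled in 2SV"))
    return findings


# Constructed sample records shaped like Directory API user resources.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "bob@example.com", "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "carol@example.com", "isEnrolledIn2Sv": False},
    {"primaryEmail": "old@example.com", "suspended": True, "isEnrolledIn2Sv": False},
]

if __name__ == "__main__":
    for email, reason in mfa_findings(SAMPLE_USERS):
        print(f"FAIL {email}: {reason}")
```

Replace `SAMPLE_USERS` with `list_users("sa-key.json", "admin@yourdomain")` to run it against a real tenant.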
