Description
New feature motivation
Google Workspace (GWS) comprises cloud-based productivity tools like Gmail, Drive, Docs, Sheets, and Meet, along with administrative features in the Google Admin Console for user and security management.
Integration with GCP is strong, particularly through Cloud Identity, IAM roles, and Admin SDK APIs, focusing on:
IAM Role Delegation: Set up GCP service accounts as Workspace admins, assigning roles for permission inheritance.
The Admin Console can also access the Admin SDK Directory API for synchronizing user data.
Security Controls: Security settings in the Admin Console include Multi-Factor Authentication, Single Sign-On, and session expiry management.
Google Cloud Identity connects GCP and Workspace for centralized user management, SSO, and MFA enforcement, configurable via the Admin Console or Identity APIs.
The Admin Console allows comprehensive management of Workspace apps, including access control and user governance.
As such, being able to automatically assess the posture of your Google Workspace settings, whether you are using Google Cloud, Google Workspace apps, or both, is of critical importance.
At present, I can't see this capability in CSPM providers. Some SSPM providers do have it (for example Palo Alto and Spin.ai) but they require super admin permissions to do so.
Solution Proposed
Adopt an approach like that which CISA uses in its assessment tool.
As well as providing a tool, written in Go, to assess the posture of your GCP organisation, they have provided 2 key capabilities:
- A least privilege approach to assessing posture - https://github.com/cisagov/ScubaGoggles/blob/main/docs/prerequisites/Prerequisites.md
- A framework with baseline controls for Google Workspace - https://github.com/cisagov/ScubaGoggles/tree/main/scubagoggles/baselines (Common controls and Groups controls being applicable even if you don't use Google Workspace apps such as Docs, Sheets, etc. and only use Google Cloud)
Describe alternatives you've considered
Considered:
- Palo Alto SaaS Security - https://docs.paloaltonetworks.com/saas-security/sspm/onboard-saas-apps-supported-by-sspm/onboard-a-google-workspace-app-to-sspm
- SpinOne - https://spin.ai/help/gworkspace-administration/862389-how-to-resolve-problems-with-insufficient-permissions/
Both of these require that they have super admin privileges.
Neither seems to publicly document what controls frameworks/policies are used.
Additional context
No response
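The kind of least-privilege posture check the issue asks for, as an added example that is not part of the issue or of the project's code: it evaluates the Security Controls point (MFA on privileged accounts) over records shaped like the Admin SDK Directory API `users.list` response, which in a real run would be fetched with the read-only scope `https://www.googleapis.com/auth/admin.directory.user.readonly` rather than super admin rights. The sample records and the check identifiers are constructed for illustration.

```python
"""Posture check over Google Workspace Directory API user records.

Constructed sample data shaped like the `users` array returned by the
Admin SDK Directory API `users.list` method; primaryEmail, isAdmin,
isDelegatedAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv and suspended are
real fields of the user resource. The check IDs are hypothetical and
are not baseline IDs from any published framework.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Constructed sample: one page of users.list output.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "bob@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "carol@example.com", "isAdmin": False, "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "old-admin@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]

@dataclass(frozen=True)
class Finding:
    check_id: str   # hypothetical identifier
    user: str
    detail: str

def check_admin_2sv(users: Iterable[dict]) -> list[Finding]:
    """Flag privileged (super or delegated admin) accounts that are not
    enrolled in, or not enforced for, 2-Step Verification.
    Suspended accounts are skipped: they cannot sign in."""
    findings: list[Finding] = []
    for u in users:
        if u.get("suspended"):
            continue
        if not (u.get("isAdmin") or u.get("isDelegatedAdmin")):
            continue
        email = u["primaryEmail"]
        if not u.get("isEnrolledIn2Sv"):
            findings.append(Finding("GWS-ADMIN-2SV-ENROLLED", email, "privileged account not enrolled in 2SV"))
        if not u.get("isEnforcedIn2Sv"):
            findings.append(Finding("GWS-ADMIN-2SV-ENFORCED", email, "2SV not enforced for privileged account"))
    return findings

def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Count findings per check ID, the shape a report would aggregate on."""
    return dict(Counter(f.check_id for f in findings))
```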