min read
Jun 24, 2024

Google Workspace Security Weak Spots: From Apps to AI

Google Workspace security

Out of the world population of over 8 billion people, more than a third of them use Google Workspace. That’s a lot of personal and business data held in Google’s applications, much of it data that users wouldn’t want being revealed to others. Google Workspace security is, fortunately, something that Google takes seriously, but that doesn’t mean there aren’t weak spots that the informed user needs to know about - and deal with. 

We covered some of these weak spots in a prior post focusing on Google Drive security. This post will focus on security vulnerabilities that stem from connected apps in Google Workspace, as well as Google’s generative AI: Gemini for Google Workspace.

Let’s begin.

Connected Apps and How They Affect Google Workspace Security

Connected apps are one of the features of SaaS systems that make them so inviting to use. They streamline work processes and enhance productivity in Gmail, Docs, Sheets, Calendar, and numerous other Google Workspace Apps. The Google Workspace Marketplace has over 5000 apps available, many of which have millions of users (giving a definite indication as to their value).

Connecting a SaaS app, however, is effectively adding another point of entry into your SaaS ecosystem, especially when the apps are not created and maintained by the original SaaS application provider. Third-party connected apps, addons and integrations can be leveraged as part of supply-chain attacks, giving bad actors an entrance into your primary SaaS systems.  

Part of the threat of connected apps is their permission scope. Often apps ask for (and receive) permissions that are wider than they need for their functions. If you’re installing an app intended to turn existing Google Sheets data into Google Calendar events, does the app really need permission to “read and change data in Google Sheets”? Even if you can’t think of a reason why it would need to change data in Sheets (it only needs to read it, then change data in Calendar!), there’s a high likelihood that it requested that permission - and you granted it.  

These Google Workspace security issues are present even for company-sanctioned apps. When connected apps are not company-sanctioned, but shadow apps installed without the express permission of the IT department, the security threat grows proportionately.

How to Solve Google Workspace Security Issues Caused by Connected Apps

In order to get the benefits of Google Workspace connected apps without exposing your organization to the abovementioned threats, you need four key capabilities:

  • Complete visibility into all your third-party connected apps and their access permissions 
  • Intelligent analysis and identification of over-privileged or untrusted apps
  • Near real-time detection of suspicious app activity
  • On-demand and automated remediation of detected threats

Let’s explain each capability and what it means practically.

Complete visibility into all your third-party connected apps and their access permissions 

You can’t protect yourself from what you don’t know about. The first step in Google Workspace security when it comes to connected applications is discovering and mapping every addon or integration in your Google Workspace ecosystem, including sanctioned, abandoned, malicious and shadow apps. Information about each app’s access permissions is essential. Data about each app’s users is ideal. 

Intelligent analysis and identification of over-privileged or untrusted apps

Now that you have comprehensive information about all of your Google Workspace connected apps, it’s time to analyze the data and come to conclusions about risk. DoControl, for example, considers app permission and scope, usage, and geolocation data to determine the risk score of each connected app.

Near real-time detection of suspicious app activity

Assessment of likely risk is one thing. Detection of suspicious activity as it occurs, even from a low-risk app, is another - and just as important. 

Is an app accessing data in an unusual way? Connecting to systems it doesn’t usually interact with? Has its rate of activity increased dramatically in a short time period? Does it have a sudden influx of new users?

Any of the above are critical to notice as soon as possible after they occur. The explanation could be benign (e.g. one employee is so enthralled with the app that they’ve been recommending its use to everyone at the company), but then again it might not. You certainly want to know which one it is before any negative consequences come to light.

On-demand and automated remediation of detected threats

If you’ve come to the conclusion that an app or its activity is a Google Workspace security risk, you should be able to deal with it as soon as possible. Removing certain app permissions, suspending the app, and/or preventing the app’s installation in the future are all actions that might be called for. 

In some cases you might want an automated workflow to go into effect as soon as a risk trigger is identified; in others, you might prefer that only an alert is sent to the appropriate department for them to decide and perform remediation on-demand. You should have both remediation pathway options available to you.

How Gemini AI Affects Your Google Workspace Security

Since the premiere of ChatGPT in late 2022, use of generative AI has exploded. Google, not one to be left behind, launched Google Gemini (originally called Duet AI) in March 2023. 

Of course, Gemini has been integrated into Google Workspace. What does it do? All those tasks we’re now coming to expect from generative AI:

  • Doing research
  • Putting together reports
  • Summarizing meetings
  • Writing customer proposals
  • Composing emails
  • Creating custom images
  • Turning text into presentations

Exciting, no doubt. Productivity booster, almost certainly. 

But generative AI comes with data security risks, including:

  • Amplified internal data leakage: a user was accidentally given access to an asset, and the generative AI uses the asset in answer to a prompt 
  • External leakage of remixed data: a user creates content using sensitive data to which they had legitimate access, but this new content is not labeled as sensitive and gets shared more widely than it should 
  • Your data being used to train the AI model: this confidential data could potentially leak out in answers given to someone who later uses that version of the model

Any and all of these are data security situations that you want to avoid. But has Google taken the proper precautions with Gemini to keep your Google Workspace data secure?

How Google Workspace Does Protect You From Generative AI Security Problems

Google certainly tries to maintain Google Workspace security in the face of the risks inherent in generative AI. The following are some of the precautions they take:

  • They do not use your Google Workspace data to train or improve the underlying models that power their generative AI systems
  • They store both your Gemini prompts and generated content with your Workspace content and don’t share them outside your organization
  • Gemini uses the same security protections as the rest of your Workspace, automatically applying your existing controls and data policies, such as Google Workspace DLP

On the face of it, this sounds great - and it’s certainly a good start. But relying on what Google does alone won’t solve generative AI-related data leakage. 

Where You Need to Plug the Gemini AI Security Gaps

One of the major contributors to potential data leakage is that Google Gemini relies on your Workspace data controls and policies. 

If you’re very on top of your Google Workspace data management, this might not pose a problem. But does your existing Google Workspace data protection protect your data enough? 

Too-wide access permissions 

As mentioned above, a primary data security risk of generative AI is amplified internal data leakage. Let’s say a Google Workspace user was accidentally given access to a sensitive Drive document, which often happens when the asset creator, acting out of convenience, gives access to “everyone at the organization.” Before generative AI, it’s likely the user would never realize they had been given access to the document, and they would never be exposed to the sensitive data within. 

If this user prompts Gemini, however, Gemini can use in its answer any data assets the user has legitimate permissions for. And this Workspace user does have access permissions for this asset. 

In this all-too-common situation, Gemini could inadvertently expose sensitive data to people who shouldn’t have it - and it won’t be Google’s fault, either, because it was based on your designated access permissions.

Third-party Gemini addons

Google’s commitments to protecting your data can only extend to Google Workspace applications that Google controls. But many Gemini functions for your Workspace are actually offered, not by Google itself, but by third-parties.

All the app-related Google Workspace security issues hold true, and even more so, when Gemini comes into play. 

So when you see a list of access permissions and scopes like the following, and you know that Google isn’t taking responsibility for it, you should be extra careful. 

Be Aware and Take Care

No matter how much effort Google puts into security for Workspace (and they do put in a lot!), you can’t rely on them blindly and assume that everything will be fine. Be aware of the issues and the holes you need to plug. Then independently implement the right practices and solutions to ensure your Google Workspace data protection and security. 

FAQ section

Does Google Workspace have built-in security?

Google Workspace has many built-in security features, from data encryption to admin controls that enable strict access permissions to detection of cyber threats in emails and shared files.

Responsibility still lies on the customer to make sure all security settings are implemented properly, as well as to take care of the areas outside Google’s responsibility, such as Google Workspace connected apps and identity security.

How do I make my Google Workspace secure?

Important steps in making your Google Workspace secure include:

  • turning on 2-step verification
  • requiring strong passwords
  • classifying files in your Google Drive and/or reviewing AI classification labels
  • implementing smart access and sharing controls for other users in your organization 
  • limiting what data can be shared with third-party apps that have not been officially approved

How does Gemini AI impact Google Workspace security?

Gemini AI positively impacts Google Workspace security by enabling smarter prevention, detection and mitigation of threats in Workspace.

On the other hand, Gemini AI can lead to amplified internal data leakage and external leakage of remixed data.

What security standards does Google Workspace comply with?

Google Workspace complies with dozens of global and local security standards and frameworks, many of which they are Independently audited for. Significant standards with which they comply include SOC 2, SOC 3, ISO/IEC 27001 (Information Security Management), ISO/IEC 27017 (Cloud Security), ISO/IEC 27018 (Cloud Privacy) and ISO/IEC 2770 (Privacy).

Is Google Workspace GDPR compliant?

Google Workspace has the potential to be GDRP compliant, as long as you take the appropriate steps in how you set up your Workspace. Important steps include:

  • making sure you have a signed Data Processing Agreement (DPA) with Google. 
  • implementing strict access controls and permissions using Google Workspace's admin controls
  • correctly enabling Google Workspace’s built-in encryption
  • setting up processes to handle access, correction, deletion and portability requests from data subjects regarding their personal data

Get updates to your inbox

Our latest tips, insights, and news