Securing Google Drive Files with Excessive Permissions

Publicly-exposed or overly-permissive files in Google Drive accounts at your organization could be big security risk. In this guide, we'll show you how to maintain a secure Google Drive posture.

Patrick Londa
May 30, 2023
 min read
Share this post

Sharing files on Google Drive is convenient and efficient. It's one of the most popular collaboration tools used in organizations today for a good reason.

However, the convenience of Google Drive does come with some risks. If files are not properly managed and secure, your organization can quickly find itself exposed to serious security threats and data breaches. 

The risk of shared Google Drive files can cause financial and reputational damage, and sensitive information such as customer or employee data could get exposed.

In this post, we’ll outline the risk of overly-permissive Google Drive files for organizations and explain how to take actions to mitigate this risk.

The Security Risk of Shared Google Drive Files

The risk of shared Google Drive files is real, and organizations of all sizes have fallen victim to data breaches caused by publicly-available files.

For example, in 2020 the NHS was developing a coronavirus-tracking app and accidentally exposed a publicly accessible Google Drive link to sensitive documents about the app’s future development roadmap. These documents could be viewed anonymously as long as someone had the link address.

Even worse, in 2023 a Google Drive link from the American College of Pediatricians published publicly on the doctors' organization website exposed more than 10,000 sensitive documents. The documents included financial and tax records, membership lists, and emails that date back over ten years. The publication of these documents happened while the organization battled a legal fight over the abortion drug mifepristone, further damaging the organization’s reputation.

IT and security teams must consider the systematic protections they can put in place to prevent this type of data exposure from applications like Google Drive.

Understanding Permission-Levels for Google Drive Files

For Google Drive files, you can extend file permissions to specific people by specifying one of four access levels:

  • Can view
  • Can comment
  • Can edit
  • Is owner

You can also specify the following general access permissions:

  • Restricted (only accessible to specific invited people)
  • Shared with anyone in a specific group or organization
  • Anyone with the link can view

All of these access levels come with risks, such as:

Insider Threats: Individuals with access to sensitive files can abuse their privileges and steal or misuse sensitive information. For instance, an outgoing employee with file access can download or alter files in a malicious way.

Third-party Risks: If you share files with third parties, such as vendors, contractors, or customers, they may not have the same security standards in place as you do. Additionally, if their access to the file is not properly managed, they could continue to have access even after the business relationship ends.

Employee Mistakes: It’s easy to make mistakes when sharing files, such as accidentally giving someone too much access or forgetting to revoke access after completing a project. An employee might also mistakenly share a sensitive file with someone who shouldn’t have access to it, such as a competitor.

Public Links: Public links are a convenient way to share files with people outside your organization. However, this also comes with the risk of exposing sensitive information to anyone with the link.

Google Workspace Tools for Administrators

Administrators have access to a wide range of tools and settings that can help them prevent data breaches and other security threats. 

For example, if an administrator identifies a file that is shared inappropriately, they can manually update permissions and access levels.

Administrators can also keep track of user activities in Google Drive using audit logs. By monitoring for suspicious activities, administrators can protect against data theft and develop Data Loss Prevention (DLP) policies.  

If you have the licensing to define and implement DLP policies in Google Workspace, this can be another way to detect if a user is about to share confidential data and alert the user or administrator before the file is publicly available.

Automatically Monitoring for Overly-Permissive Google Drive Files with Blink

Google Workspace administrators shouldn’t have to manually monitor which files are publicly-available or high risk. Most organizations have hundreds and thousands of files with constantly changing permissions. 

How do you actually keep track of your permissions creep?

With Blink, you can run this simple weekly automation to detect which files in your organization’s Google Drive likely have excessive permissions and notifies the owner to make updates via Slack.

Blink Automation: Perform Weekly Cleanup of Externally Shared Files and Folders in Google Drive
Blink Automation: Perform Weekly Cleanup of Externally Shared Files and Folders in Google Drive

When this automation runs, it executes the following steps:

  1. Gets all the Google Drive users.
  2. For each user, it lists insecure files.
  3. For each file, it asks its owner to Revoke Public Access or Dismiss via Slack.
  4. If there is no response within 24 hours, the file will be revoked from public access automatically.
  5. If the user selects Revoke Public Access, deletes that permission from the file.
  6. If the user Dismisses, sends a message to the Admin via slack.

You can add conditional steps and custom subflows to create a robust Google Drive security system that aligns to your organization.

For example, a file has been shared with a 3rd-party for over a year. Is it still necessary for that external organization to have access to that document? If it was a project-level collaboration, a simple notification could be the reminder your team needs to make a quick update to lower your data exposure.

If you have DLP concerns about outgoing employees, you can run an automation to monitor the Google Drive audit logs for suspicious activity so you can act in real time if data is being stolen.

Whether you want to create your own custom workflows or use the over 5K pre-built automations in the Blink library, it’s never been easier to secure your Google Drive and prevent data loss.

Get started with Blink today to see how easy automation can be.

Automate any workflow in seconds.

Blink is an automation copilot that enables you to create full ready-to-run workflows between tools – just type a prompt.

Get Started