Google Drive

Storing data in Cloud storage platforms presents the same risks of data breach or unauthorized access as traditional storage methods. DSPM addresses those risks with this new feature which discovers, detects, and classifies risks found in your Google Drive storage.

Prerequisite

An AWS Account must be onboarded to DSPM first, with an Onboarding Version of 64 or later. This AWS account will be used as a sidecar for scanning your data, keeping your data within your boundary. You can find our AWS Onboarding instructions here.

Required Accounts outside of DSPM

  • Sidecar AWS Account - Since Google Drive is a SaaS application, DSPM cannot deploy the stack and create the necessary resources on it directly as can be done on AWS. The solution requires creating a sidecar AWS account where resources are created and then connected to Google Drive using an AWS secret. This AWS account should be onboarded on the DSPM platform before beginning this Google Drive account onboarding process.
  • Google Drive - An active google account that is hosting the drive to be onboarded for discovery, detection, and risk classification.

Detailed steps for Onboarding Google Drive on DSPM are outlined below.

Google Account

STEP 1: Create a Service Account

  1. Begin by logging into your Google account at console.cloud.google.com and create a new project from the dropdown box next to Google Cloud.
  2. Next, open the main menu from the 3 bars icon in the top left corner and then select APIs & Services -> Credentials.
  3. Make sure your new project is selected from the dropdown list

  4. Select CREATE CREDENTIALS at the top of the screen, then Service account from the options shown

  5. Fill in the Service account name and optional Service account description, then select CREATE AND CONTINUE

  6. Grant role as Owner then select CONTINUE and DONE

  7. On the updated Credentials screen, select the email link for the new service account to view the details
  8. Copy and save the newly created Service account Client ID for later

  9. Copy and save the Email created for later

  10. Select KEYS from the menu on the same page

  11. Select the ADD KEY dropdown and then Create new key

  12. Keep the JSON selection and then select CREATE which will save the file to your computer
  13. Save the private key file

STEP 2: Authorize the Domain

  1. Open a new tab and login to the Admin Console at admin.google.com

    We will go back and forth so leave both consoles open

  2. Navigate to Security -> Access and data control -> API controls
  3. Under Domain Wide Delegation -> MANAGE DOMAIN WIDE DELEGATION

  1. Select Add new
  2. Enter the Service Account Client ID created in the previous step on the Client ID line
  3. Add the following OAuth scope:

    https://www.googleapis.com/auth/drive.readonly

  1. Click on Authorize to finish

STEP 3: Add Google API’s

  1. Back in console.cloud.google.com, from the left side menu select APIs and Services and then Enabled APIs and services

  2. Select ENABLE APIS AND SERVICES from the top panel to find the specific APIs that need to be enabled

  3. Search for Google Drive and select google drive api from the results

  4. Select ENABLE for the Google Drive API

  5. Navigate back and search in the API library for the Admin SDK API and enable it as well.

STEP 4: Add Roles to the Service Account

  1. Swap back over to the Google Admin console (admin.google.com)

  2. From the main menu select Account -> Admin Roles

  3. Select User Management Admin -> Assign admin

  4. Select Assign service accounts

  5. Enter the Service Account email created in Create Service Account section earlier then select ADD.

  6. Next, select ASSIGN ROLE. The email should now show in the Admins list.

That completes the configurations required in your Google Account.

AWS Sidecar Account

STEP 5: Sidecar AWS Account Configuration for Google Drive

  1. Login to the AWS management console and navigate to Secrets Manager
  2. Select the option for Store a new secret
  3. Under Secret Type, select Other type of secret
  4. Under Key/value Pairs - select Plaintext and remove the existing entry
  5. Copy the full text from the .JSON file downloaded in Create Service Account section and paste it in the Plaintext field
  6. Set the Encryption Key to aws/secretsmanager and select Next.
  7. Enter a name for this Secret and a description (optional)
  8. Using the ADD button, add the following Tag with these values:
    • Key: Name
    • Value: Normalyze

This is used for the DSPM IAM role to access the secret. It is important to enter the Key as “Name” and the value “Normalyze” exactly as shown here with capitalization.

  1. Leave the other sections with the default values and select Next on each screen and then select Store to finish.
  2. Refresh the page to see the new Secret in the list.
  3. Select the new secret to view the details and copy the Secret ARN value. You will use this value in the next step.

DSPM Account

STEP 6: Onboarding Google Drive from DSPM

  1. Login to DSPM and go to Workspace -> Accounts -> Onboard Cloud Account
  2. Select Google Drive from the Cloud Account Provider section.

  3. Enter the following details for the each of the options:

    Account Nickname - Provide a name for this account on DSPM as per your organizational naming convention

    Google Workspace Domain - Provide the domain name of the Google account which is being onboarded

    Environment Type - Designate the account as one of the types from the list of values available.

    Description - Add a short description for the account.

    Secret ARN - Provide the ARN of the secret, copied in Step 5-11 under AWS Sidecar Configuration
    After entering the Secret ARN, the fields “Account ID” and “Region” will populate from the values in the secret.

  4. Select Next. This will trigger the Cloud Scan operation for the new account.

This completes the onboarding for your Google drive account.