Sunday, 14 July 2019

Google Vault: Are shared files discoverable?




Google Vault: Are off domain shared files discoverable in Vault?


Recently a question about Google Vault was put to me in the G Suite product forums where I contribute under Google's Product Experts Program.


We are setting up Google Vault for our organization. Using me as an example, say my wife, who not a part of our organization but who has a personal Google account, shares a Google Doc for a household grocery list with me at my work address. Are you saying that that document would be then searchable by Vault administrators, since it was shared to my work account? [link]

Normally Google's Help Center is the place to go for most answers, but I was unable to find an article that covers this specific question. This article goes close but does specifically talk about the drive content owned by an off domain user.

So how does Vault handle this?

Testing

Test #1: Discover shared Drive content by off domain owner.


  1. Login as a consumer gmail account.
  2. Create a Google Doc
  3. Share it directly with a G Suite user in a domain with Vault enabled.
  4. Login as G Suite user and confirm I can view the shared file.
  5. Login in as an Admin to Vault and search for the Google Doc.

Test #1 Result: Files shared by off domain user (owned) are discoverable in Vault.

Test #2: Discover unshared content by off domain owner.


  1. Login as a consumer gmail account.
  2. unshare the above Google Doc
  3. Login as G Suite user and confirm I cannot view the shared file.
  4. Login in as an Admin to Vault and search for the Google Doc.

Test #2 Result: Files unshared by off domain user (owned) are no longer discoverable in Vault.

Test #3: Discover publicly shared Drive content by off domain owner.

  1. Login as a consumer gmail account.
  2. Create a Google Doc
  3. Share it publicly (link).
  4. Login as G Suite user and use the link to confirm I can view the shared file.
  5. Login in as an Admin to Vault and search for the Google Doc.

Test #3 Result: Files shared publicly (by link) by an off domain user (owned) are not discoverable in Vault.

Test #4: Discover publicly shared Drive content by off domain owner and "Add to My Drive..."


  1. Login as a consumer gmail account.
  2. Create a Google Doc
  3. Share it publicly (link).
  4. Login as G Suite user and use the link to confirm I can view the shared file.
  5. Add the Doc to "My Drive" via the "Add to My Drive..." Option
  6. Login in as an Admin to Vault and search for the Google Doc.

Test #4 Result: Files shared publicly (by link) by an off domain user (owned) are discoverable in Vault, if the G Suite user adds the file to their Drive .

Test #5: Discover publicly unshared content by off domain owner after it's removed from My Drive.

  1. Login as G Suite user, select the Doc and "Remove from my Drive".
  2. Login in as an Admin to Vault and search for the Google Doc.

Test #5 Result: Files are not discoverable in Vault.



Summary

Key findings:

  • Files owned by users outside the domain and shared directly with G Suite users are discoverable.
  • Discovery is only possible while sharing remains enabled.
  • If the owner revokes the sharing, discovery is no longer possible.
  • Files publicly shared, must be added via "Add to My Drive" for discovery to work.
  • Removing the file from "My Drive", will stop discovery.

Considerations:

  1. Vault will not provide visibility to data leakage via files owned by off domain users.

    Potentially a malicious actor could establish a Google consumer account, create and share a file with an G Suite user. Then dump data into that file and unshare, without Vault showing a record of that.
  2.  External parties sharing Drive files or Google Docs with G Suite users must be aware G Suite admins can access via Vault.