SaaS Security - Google Workspace Footprint

After Activating Google Workspace (Gmail and Google Drive), Avanan automatically creates a Super Admin, host (mail route), inbound gateway, SMTP relay service, two user groups, and four content compliance rules.

Super Admin

While installing the Avanan Cloud Security app, a new Super Admin account is created in your Google Admin console.

The Super Admin has an email address in the cloud-sec-av@[domain] format and is sometimes referred to as the Avanan Service User. This user requires a Gmail license. For more details about the Super Admin role, see Pre-built administrator roles.

What is the Super Admin User Used For?

Avanan uses Super Admin user to perform tasks that cannot be accomplished with the Google APIs.

Avanan uses Super Admin user to do these tasks:

Super Admin Security

The password of the Super Admin contains 43 random characters, a mix of lower case letters, upper case letters, and digits. The password is safely stored in AWS Key Management Service (AWS KMS).

Also, Avanan recommends to enable Multi-Factor Authentication (MFA) to enhance security for this account.

Changing the Google Application Role

After successfully onboarding the Google Workspace SaaS application to Avanan, the administrator can change the role assigned to the Avanan application. To do that:

  1. Sign in to your Google Admin console with an account with super administrator privileges.
  2. Create a custom admin role. For more information, see Google Documentation.
  3. Assign these privileges to the role:
    1. In the Admin console privilege, assign Settings and Groups privileges to Gmail.
    2. In the Admin API privilege, assign Groups privilege.
  4. Search for the Cloud-Sec-AV Service Admin role and do these:
    1. Unassign the Super Admin role. For more information, see Google Documentation.
    2. Assign the custom admin role created in step 2. For more information, see Google Documentation.

User Groups

After activating Google Workspace, Avanan automatically creates two user groups. You can review these user groups under Groups in your Google Admin console.

  • avanan_inline_policy
  • avanan_monitor_policy

Note - If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, the synchronization triggers the deletion of these two user groups. Though this will not impact the email delivery, Avanan cannot scan the emails, and no security events get generated.

Before activating Google Workspace, create two exclusion rules for the two user groups. Select the exclusion type as Group Email Address, match type as Exact Match, and the group email address should be in the groupname@[domain] format.

For example, the group email addresses should be avanan_inline_policy@mycompany.com and avanan_monitor_policy@mycompany.com, where mycompany is the name of your company.

Host

Avanan automatically creates a host (aka mail route) in your Google Admin console.

You can see the host from the Google Admin Console under Apps > G Suite > Settings for Gmail > Hosts.

gmail-hosts

Inbound Gateway

Avanan automatically creates an Inbound gateway. You can see the inbound gateway from the Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.
Note - In the Inbound gateway settings, you must select the Require TLS for connections from the email gateways listed above check-box.

google-console-inbound-gateways

SMTP Relay Service

Avanan automatically creates an SMTP relay service. You can see the SMTP relay service from your Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.

google-console-smtp-relay-service

Content Compliance Rules

Avanan automatically creates three Content Compliance Rules. You can review the content compliance rules from your Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.

The rules are called:

  • [tenantname]_monitor_ei
  • [tenantname]_monitor_ii
  • [tenantname]_monitor_eo
  • [tenantname]_inline_ei

where ei stands for incoming traffic, ii stands for internal traffic, and eo stands for outgoing traffic.

Note - The [tenantname]_inline_ei rule gets created when the Prevent (Inline) mode is enabled. If you remove the Prevent (Inline) mode for users in Avanan, the Content Compliance Rule remains in the Google Admin console but the content of the user group avanan_inline_rule gets updated to reflect that no users are protected in this mode.

Google Drive Permissions Changes

Depending on the Google Drive policy configured by the administrator, Avanan takes action (quarantine, remove permissions) on the files uploaded to Google Drive.

Avanan uses different users to take these actions depending on whether the Drive containing the file has an owner.

  • If Google Drive has an owner, Avanan takes the action on behalf of the owner.
  • If Google Drive does not have an owner, Avanan follows this procedure:
    • Avanan adds the Super Admin user as an owner of the Drive.
    • Avanan uses the Super Admin user to take the necessary action on the file.
    • Avanan removes the Super Admin user from being the owner of the Drive.