
Google Workspace

The Google Workspace integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Google Workspace account that could leave you and your organization vulnerable.

This integration covers the following Google Workspace products:

Integration prerequisites

Integration permissions

For the Google Workspace integration to function, Cloudflare CASB requires the following Google API permissions:

  • https://www.googleapis.com/auth/admin.directory.domain.readonly
  • https://www.googleapis.com/auth/admin.directory.user.readonly
  • https://www.googleapis.com/auth/admin.directory.user.security
  • https://www.googleapis.com/auth/calendar
  • https://www.googleapis.com/auth/cloud-platform.read-only
  • https://www.googleapis.com/auth/drive.readonly
  • https://www.googleapis.com/auth/gmail.settings.basic

These permissions follow the principle of least privilege: only the access the integration needs to read directory, Drive, Calendar and Gmail settings is requested. Note that not every scope in the list is read-only. The `calendar`, `admin.directory.user.security` and `gmail.settings.basic` scopes grant edit rights as well, so treat the OAuth client and the administrator account that consents to them as privileged and review them as such. To learn more about each permission, refer to the Google Workspace Admin SDK Directory API documentation.

Security findings

The Google Workspace integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by severity level.

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its RSS feed.

User account settings

Finding | Severity | Description
--- | --- | ---
Google Workspace Admin User 2FA Disabled | Critical | An administrator in Google Workspace does not have two-factor authentication enabled.
Google Workspace User 2FA Disabled | High | A user in Google Workspace does not have two-factor authentication enabled.
Google Workspace User without Recovery Email | Low | A user in Google Workspace does not have a recovery email set.
Google Workspace User without Recovery Phone | Low | A user in Google Workspace does not have a recovery phone number set.

Inactive or suspended users

Finding | Severity | Description
--- | --- | ---
Google Workspace Admin User Inactive | Medium | An administrator account in Google Workspace has not logged in for 30 days.
Google Workspace Admin User Suspended | Medium | An administrator account in Google Workspace is suspended.
Google Workspace User Inactive | Low | A user account in Google Workspace has not logged in for 30 days.
Google Workspace User Suspended | Low | A user account in Google Workspace is suspended.
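The two tables above can be reproduced from the Directory API's `users.list` response, which is useful for checking what CASB reports or for covering accounts before the integration is connected. The following is an added example, not Cloudflare's CASB code or Google's; it assumes the Directory API field names `isAdmin`, `isDelegatedAdmin`, `isEnrolledIn2Sv`, `recoveryEmail`, `recoveryPhone`, `suspended` and `lastLoginTime`, treats delegated admins as administrators (an assumption), and runs over constructed user records with a fixed clock so the result is reproducible.

```python
"""Map Google Workspace Directory API user records (users.list) to the
user-account and inactive/suspended findings in the tables above.
Added illustration of the checks, not Cloudflare's CASB code."""
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=30)   # the 30-day threshold from the findings table


def parse_rfc3339(ts):
    """Directory API timestamps look like '2024-02-28T09:00:00.000Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_user(user, now):
    """Return [(finding, severity)] for one user record."""
    # Assumption: delegated admins are treated like full administrators.
    is_admin = bool(user.get("isAdmin") or user.get("isDelegatedAdmin"))
    who = "Admin User" if is_admin else "User"
    findings = []
    if not user.get("isEnrolledIn2Sv"):
        findings.append((f"Google Workspace {who} 2FA Disabled",
                         "Critical" if is_admin else "High"))
    if not user.get("recoveryEmail"):
        findings.append(("Google Workspace User without Recovery Email", "Low"))
    if not user.get("recoveryPhone"):
        findings.append(("Google Workspace User without Recovery Phone", "Low"))
    if user.get("suspended"):
        findings.append((f"Google Workspace {who} Suspended",
                         "Medium" if is_admin else "Low"))
    # Accounts that have never signed in report the Unix epoch, so they count as inactive.
    last_login = parse_rfc3339(user.get("lastLoginTime", "1970-01-01T00:00:00.000Z"))
    if now - last_login > INACTIVE_AFTER:
        findings.append((f"Google Workspace {who} Inactive",
                         "Medium" if is_admin else "Low"))
    return findings


def scan_users(users, now=None):
    """Return {primaryEmail: findings} for a list of user records."""
    now = now or datetime.now(timezone.utc)
    return {u["primaryEmail"]: classify_user(u, now) for u in users}


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # fixed clock so the run is reproducible

# Constructed records in the shape of users.list output; not real accounts.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isEnrolledIn2Sv": False,
     "recoveryEmail": "alice.backup@example.net", "recoveryPhone": "+15555550100",
     "lastLoginTime": "2024-02-28T09:00:00.000Z", "suspended": False},
    {"primaryEmail": "bob@example.com", "isAdmin": False, "isEnrolledIn2Sv": True,
     "recoveryEmail": "", "recoveryPhone": "+15555550101",
     "lastLoginTime": "2023-12-01T17:45:00.000Z", "suspended": False},
    {"primaryEmail": "carol@example.com", "isAdmin": False, "isEnrolledIn2Sv": True,
     "recoveryEmail": "carol.backup@example.net", "recoveryPhone": "+15555550102",
     "lastLoginTime": "2024-02-20T08:00:00.000Z", "suspended": True},
]

if __name__ == "__main__":
    for email, found in scan_users(SAMPLE_USERS, NOW).items():
        print(email, found)
```

In practice the records come from `users.list` with a `fields` mask covering the attributes above; the classifier itself does not change.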

File sharing

Finding | Severity | Description
--- | --- | ---
File Publicly Accessible Read and Write | Critical | A Google Drive file is publicly accessible on the Internet; anyone can read or write it.
File Publicly Accessible Read Only | High | A Google Drive file is publicly accessible on the Internet; anyone can read it.
File Shared Outside Company Read and Write | High | A Google Drive file is shared with another organization or outside party with read and write permissions.
File Shared Outside Company Read Only | Medium | A Google Drive file is shared with another organization or outside party with read permissions.
File Shared Company Wide Read and Write | Medium | A Google Drive file is shared with the entire company with read and write permissions.
File Shared Company Wide Read Only | Medium | A Google Drive file is shared with the entire company with read permissions.
Google Workspace Calendar Publicly Accessible | Medium | A user’s Google Calendar is publicly accessible on the Internet; anyone can read it.
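The file-sharing findings correspond to the `type` and `role` of each entry in a Drive file's permission list (`anyone`, `domain`, `user` or `group`, with `reader`/`commenter` versus `writer` and above), and the calendar finding to an ACL rule whose scope type is `default`. The example below is added here and is not Cloudflare's or Google's code; it assumes the Drive API `permissions` and Calendar API `acl` field names, a hypothetical company domain of `example.com`, and constructed file and ACL records. Commenter access is treated as read-only and a calendar `freeBusyReader` rule is not flagged; both are choices of this example.

```python
"""Derive the file-sharing findings above from Google Drive API permission
entries (files.list with fields=files(id,name,permissions)) and from a
Calendar API ACL (acl.list).  Added illustration, not Cloudflare's CASB code."""

# Drive roles that let the grantee change content vs. only read it.
WRITE_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}
READ_ROLES = {"commenter", "reader"}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Assumption: the Workspace account owns exactly these domains.
COMPANY_DOMAINS = {"example.com"}


def classify_file(file, company_domains=COMPANY_DOMAINS):
    """Return [(finding, severity)] for one file, highest severity first."""
    findings = set()
    for perm in file.get("permissions", []):
        role = perm.get("role")
        if role in WRITE_ROLES:
            access = "Read and Write"
        elif role in READ_ROLES:
            access = "Read Only"
        else:
            continue
        ptype = perm.get("type")
        if ptype == "anyone":
            # "Anyone with the link" and discoverable links are both public;
            # allowFileDiscovery only controls whether search can surface the file.
            findings.add((f"File Publicly Accessible {access}",
                          "Critical" if access == "Read and Write" else "High"))
        elif ptype == "domain":
            if perm.get("domain", "").lower() in company_domains:
                findings.add((f"File Shared Company Wide {access}", "Medium"))
            else:
                findings.add((f"File Shared Outside Company {access}",
                              "High" if access == "Read and Write" else "Medium"))
        elif ptype in ("user", "group"):
            email = perm.get("emailAddress", "")
            if not email:
                continue
            if email.rsplit("@", 1)[-1].lower() not in company_domains:
                findings.add((f"File Shared Outside Company {access}",
                              "High" if access == "Read and Write" else "Medium"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[1]], f[0]))


def scan_files(files, company_domains=COMPANY_DOMAINS):
    """Return {file name: findings} for a list of file records."""
    return {f["name"]: classify_file(f, company_domains) for f in files}


def classify_calendar(acl_rules):
    """Flag a calendar whose ACL grants read access to the 'default' (public) scope.
    freeBusyReader is not flagged here: it exposes availability, not event content."""
    for rule in acl_rules:
        if rule.get("scope", {}).get("type") == "default" \
                and rule.get("role") in {"reader", "writer", "owner"}:
            return [("Google Workspace Calendar Publicly Accessible", "Medium")]
    return []


# Constructed records in the shape of Drive and Calendar API output; not real data.
SAMPLE_FILES = [
    {"id": "f1", "name": "roadmap.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
        {"type": "user", "role": "writer", "emailAddress": "partner@contractor.example"}]},
    {"id": "f2", "name": "handbook.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"id": "f3", "name": "private.txt", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"type": "group", "role": "commenter", "emailAddress": "legal@example.com"}]},
]
SAMPLE_CALENDAR_ACL = [
    {"role": "owner", "scope": {"type": "user", "value": "alice@example.com"}},
    {"role": "reader", "scope": {"type": "default"}},
]

if __name__ == "__main__":
    for name, found in scan_files(SAMPLE_FILES).items():
        print(name, found)
    print("alice's calendar", classify_calendar(SAMPLE_CALENDAR_ACL))
```

A file can carry several findings at once (public read plus an external editor, as in the first sample); reporting all of them rather than only the worst one makes the remediation list complete.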

Data Loss Prevention (optional)

These findings will only appear if you added DLP profiles to your CASB integration.

Finding | Severity | Description
--- | --- | ---
File Publicly Accessible Read and Write with DLP Profile match | Critical | A Google Drive file contains sensitive data that anyone on the Internet can read or write.
File Publicly Accessible Read Only with DLP Profile match | Critical | A Google Drive file contains sensitive data that anyone on the Internet can read.

Third-party apps

Finding | Severity | Description
--- | --- | ---
Installed 3rd Party App with Drive Access | High | A third-party application has been granted permissions to a user’s Google Drive.
Installed 3rd Party App with Gmail Access | High | A third-party application has been granted permissions to a user’s Gmail.
Installed 3rd Party App with Google Docs Access | Medium | A third-party application has been granted permissions to a user’s Google Docs.
Installed 3rd Party App with Google Slides Access | Medium | A third-party application has been granted permissions to a user’s Google Slides.
Installed 3rd Party App with Google Sheets Access | Medium | A third-party application has been granted permissions to a user’s Google Sheets.
Installed 3rd Party App with Google Sign In Access | Low | A user has used their Google Workspace account to sign up for a third-party service.

Gmail administrator settings

Finding | Severity | Description
--- | --- | ---
Google Workspace Domain SPF Record Allows Any IP Address | High | A Google Workspace Domain SPF record allows email to be sent on your behalf from any IP address.
Google Workspace Domain SPF Record Not Present | Medium | An SPF record does not exist for a Google Workspace Domain.
Google Workspace Domain DMARC Record Not Present | Medium | A DMARC record does not exist for a Google Workspace Domain.
Google Workspace Domain DMARC Not Enforced | Medium | A DMARC record for a Google Workspace Domain is not enforced.
Google Workspace Domain DMARC Not Enforced for Subdomains | Medium | A DMARC record for a Google Workspace Subdomain is not configured to quarantine or reject messages that fail authentication.
Google Workspace Domain DMARC Only Partially Enforced | Medium | A DMARC record for a Google Workspace Domain only partially enforces quarantine or reject handling of messages that fail authentication.
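All six findings in this table are decided from two DNS TXT records: the domain's `v=spf1` record and the `v=DMARC1` record at `_dmarc.<domain>`. The following is an added example, not Cloudflare's code, that derives them from those records. It interprets "allows any IP address" as an SPF record with a passing `all` mechanism (`+all`, or a bare `all`, whose default qualifier is `+` under RFC 7208), "not enforced" as `p=none`, "not enforced for subdomains" as an effective `sp=none` (the `sp` tag inherits `p` when absent) and "only partially enforced" as `pct` below 100; the last reading is this example's assumption about CASB's definition. DNS is replaced by a constructed dictionary so it runs offline.

```python
"""Derive the Gmail administrator-setting findings listed above from a domain's
SPF and DMARC TXT records.  Added illustration, not Cloudflare's CASB code."""


def find_spf(txt_records):
    """Return the domain's SPF record, or None if no TXT string starts with v=spf1."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def spf_allows_any_ip(spf):
    """True if the record contains a passing 'all' mechanism.
    RFC 7208: the default qualifier is '+', so a bare 'all' passes every sender."""
    for term in spf.split()[1:]:
        if term.lower() in ("all", "+all"):
            return True
    return False


def parse_dmarc(txt_records):
    """Return the DMARC tags as a dict, or None if no v=DMARC1 record exists."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip().lower()
            return tags
    return None


def classify_domain(domain, dns_txt):
    """dns_txt maps a DNS name to its TXT strings (a stand-in for a live lookup).
    Returns [(finding, severity)] in the order the checks run."""
    findings = []
    spf = find_spf(dns_txt.get(domain, []))
    if spf is None:
        findings.append(("Google Workspace Domain SPF Record Not Present", "Medium"))
    elif spf_allows_any_ip(spf):
        findings.append(("Google Workspace Domain SPF Record Allows Any IP Address", "High"))

    dmarc = parse_dmarc(dns_txt.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append(("Google Workspace Domain DMARC Record Not Present", "Medium"))
        return findings
    policy = dmarc.get("p", "none")            # 'p' is mandatory; treat a missing tag as none
    subdomain_policy = dmarc.get("sp", policy)  # sp inherits p when absent
    try:
        pct = int(dmarc.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        findings.append(("Google Workspace Domain DMARC Not Enforced", "Medium"))
    elif pct < 100:
        # Assumption: "partially enforced" means the policy applies to only pct% of mail.
        findings.append(("Google Workspace Domain DMARC Only Partially Enforced", "Medium"))
    if subdomain_policy == "none":
        # Reported even when p=none, since subdomains are then unenforced as well.
        findings.append(("Google Workspace Domain DMARC Not Enforced for Subdomains", "Medium"))
    return findings


# Constructed TXT data standing in for DNS answers; the names are not real zones.
SAMPLE_DNS = {
    "example.com": ["v=spf1 include:_spf.google.com -all", "google-site-verification=abc123"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=quarantine; sp=none; pct=20"],
    "bare.example": [],
    "monitor.example": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for name in ("example.com", "weak.example", "bare.example", "monitor.example"):
        print(name, classify_domain(name, SAMPLE_DNS))
```

To run this against a live domain, replace `SAMPLE_DNS` with the strings returned by a TXT query for `<domain>` and `_dmarc.<domain>` (for example from `dig TXT`); long records that the resolver returns as several quoted strings should be joined before parsing.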

Email forwarding

Finding | Severity | Description
--- | --- | ---
Google Workspace User Delegates Email Access | High | A user has delegated access to their inbox to another party. Delegates can read, send, and delete messages on the user’s behalf.