Copy of Webinar: Google Drive security: Challenges and ...
51
researchsoc.iu.edu
Transcript of Copy of Webinar: Google Drive security: Challenges and ...
researchsoc.iu.edu
Google Drive security: Challenges and solutions
Mark KrenzChief Security AnalystCenter for AppliedCybersecurity Research,Indiana University
August 26, 2021
Ishan AbhinitSenior Security AnalystCenter for AppliedCybersecurity Research,Indiana University
Housekeeping
● All participants are on mute.
● Ask your questions via the Q&A feature.
● We will record this webinar and provide a link.
● Slides will also be made available.
A quick preview:Challenges:• Sharing problems• Revoking Access• Transferring
ownership• Ransomware
Solutions:
• Review permissions
• Set policy on use• Backup Google
Drive docs• Consider using
Google Shared Drive
Overview:• Types of Google
Drive• Permissions model• Academic/Research
use
Who is ResearchSOC?
Training for Higher Ed infosec
Vulnerability scanningSTINGAR decoy
computers (honeypots)
Project liaison
Project leadership
Virtual Security Teams*
REN-ISAC Threat intelligence
OmniSOC 24x7x365 Eyes on Glass SOC
Ishan Abhinit● Senior Security Analyst at Indiana University's● Center for Applied Cybersecurity Research since 2019● Part of Trusted CI and RSOC Group● Masters graduate student from Northeastern University● Previously worked with IBM India and Infosys Ltd.● Working on Google Drive permissions issues and researching the use of
Google Shared Drive
Mark Krenz● Chief Security Analyst at Indiana University's Center for Applied Cybersecurity
Research● CISO of ResearchSOC● Deputy CISO of Trusted CI● Cybersecurity professional for over 9 years● Linux System Administrator prior for 15 years in large enterprise, government,
small business, and an ISP.● Created cloudperm for Google Drive auditing
Understanding Google Drive:An introduction to the permissions system and features
Google Drive: an Intro
• Types of Google Drive
• Google Drive (normal)
• GSuite for Enterprise / Education
• Google Shared Drive (formerly Team Drive)
• Object storage (Not a filesystem hierarchy)
Google Drive: an Intro• Access based on email address and their IAM• Adding/Removing access in a "higher level"
folder propagates (most of the time)• A file is owned by the person who creates it.• Permissions can be controlled by any editor• File owner can prevent permissions changes
Google Drive: an Intro
• Documents/folders can be• Restricted to just the owner
• Shared with others by email
• Shared with others who have the document link
• Shared with public (deprecated)
• Documents in restricted folders can be more
permissive.•
GDrive User Case study: Trusted CI• NSF funded project• Heavy use of Google Drive and Google Docs• Multi-institution team• Pre-"GSuite for Education"• External collaborators• Internal and public documents
Questions so far?
Security Concerns with Google DriveAn introduction to the permissions system and features
Sharing Problems - with link
• Sharing with link
• Those with former access still have link
• Could be linked from other documents
• Email could be compromised
Sharing Problems - with domain
• Anyone at the institution can see the file
• Anyone at the institution can discover the
file• Keyword search "source:domain"
• Do they know what they are sharing?
• Why are so many people sharing so much?
Already known, already a problem
Source: https://www.reddit.com/r/k12sysadmin/comments/jb474i/student_you_guys_should_go_through_sourcedomain/
Source: https://support.google.com/a/thread/5253719/how-can-i-find-all-shared-files-in-my-drive-that-can-be-found-by-anyone-in-my-organization?hl=en
"Data leak affects about 3,000 NYC students and 100 employees, officials confirm" - August 5th, 2021
"At least one student within the public school system managed to access a Google Drive that contained the private information of students and department employees across the city."
"In response to the incident, the education department also conducted a full review of all electronic files, restricted file sharing permission settings."
"..the incident is not thought to have been malicious, or even intentional."
https://ny.chalkbeat.org/2021/8/5/22612388/data-breach-nyc-students-staff-google-drive
"NYC Teachers' Social Security Numbers Exposed" - August 20, 2021
https://www.infosecurity-magazine.com/news/nyc-teachers-social-security/
"..students at Brooklyn Technical High School reportedly stumbled across a Google Drive containing documents uploaded by staff and students at schools across New York City."
"The students could access the files because of a quirk in the school’s education department’s Google Drive sharing settings."
"When the students rechecked the Google Drive in March, they found that even more documents were now accessible."
Sharing Problems - Revoking Access• Revoking from top of tree isn't 100%• They still retain access to what they own• How to handle ownership change?• Folders owned lead to re-propagation• Weird unexplainable problems• They still know the document URLs
Sharing Problems - Revoking Access
Sharing Problems - Revoking Access
Sharing Problems - Revoking Access
Sharing Problems - Revoking Access
Sharing Problems - Revoking Access
Providing too much access to subfolders
● New user added at higher level gains access to restricted sub folder
Multiple Institution Problems• Transferring ownership denied by Google• Some may not use GSuite for Education• Differing security policies
What happens when someone leaves?• Do they retain access?• They still know the URLs• Can ownership be transferred?• What if they delete documents they own?• What if they delete their account?
Accidental deletion of documents
● "Remove document" option is very easy to access● May accidentally/unknowingly remove a document● Other people may not know until it's too late● Trashed documents are removed after 20-30 days
What about ransomware?• Google Drive Sync and File Stream are an attack
vector• Doc versions may save you* (depending on how the Ransomware works)
Google Docs live chat feature
● Users listed in the sharing settings may have access to live chat feature
● Not available everywhere● Chat is not logged● No ability to report a user who harrasses others
Questions so far?
SolutionsWorkarounds and solutions to these issues
Auditing permissions - GSuite Admin• They can recover files, check and set permissions and
do special things• Seek them out and build a relationship• GAM, a tool they can use:
https://github.com/jay0lee/GAM
Auditing permissions - GDoc Add-on• No API access required• Add-on permission may be required• You're granting an unknown developer access to your
stuff.
Auditing permissions - Normal user API• Non-admins can access• Requires API access permission• Tool: Cloudperm
https://github.com/deltaray/cloudperm
What are you sharing with the domain?
● Find files that you have shared with others within your domain through the "Shared with domain" setting.
● Search for "owner:me source:domain" to find stuff you've exposed to the domain.
Google Groups as an IAM solution
● groups.google.com● Create a group, add people● Add the group to the sharing settings of a document● Can give a user more permissions, but not less
Setting Policy• IAM requirements• Restrictions on Add-ons• Restrictions on mounting/syncing software• Tags in filenames to show sharing intent
[INTERNAL], [SHARED-EMAIL], [SHARED-LINK], [SHARED-OWNER]
Backing up Google Drive• Deleted files gone after 20-30 days• Deleted files may not be noticed• Protects against Ransomware• Time and space requirements• Tool: google-ocaml-fuse• Tool: rclone
Google Shared Drive• Formerly "Google Team Drive"• Ideally, start with this• The drive "owns" the files• Managers assigned• Solves many permissions issues
Cross domain file ownership transfer• Requires "Google Shared Drive"• "From owner" moves file to Shared Drive• "Receiving owner" transfers file back.• Metadata, comments, versions and document id are
preserved• Caveats:
• Folders can't be transferred• Permissions not preserved
• Source:https://www.tabgeeks.com/tabgeeks-blog/how-to-transfer-ownership-between-domains-in-google-drive
Google Shared Drive (Deep Dive)• Files can be moved from My Drive to shared drive or from one shared drive to another.• Collaboration with users from other domains (external users)• When a member leaves, the files stay in the shared drive and can be used by the other
members since the content is owned by the team.• As a G Suite administrator, you can restore files that were deleted from a shared drive. If the
entire shared drive was deleted, you can also restore the shared drive and its contents.• Shared Drive Limitation.• Moving the files from the shared drive to My Drive and vice-versa doesn’t change the ‘URL’ or
the ‘Share Link’ of the files. Moving the files from one shared drive to another doesn’t change the URL of the files, either.
• Access Permissions
To review:Concerns:• Sharing permissions• Sharing with domain• Offboarding can be hard• Ransomware can affect Google
Drive
Solutions:• Check Google Drive permissions• Backup your Google Drive data• Set policy for Google Drive use
Questions from registration1. Is Google Drive security HIPAA compliant?2. Can we share best practices for using Google Drive as a platform for
storing and sharing protected/human subject research data?3. How to migrate to shared drive when you have hundreds of docs
owned by many people, some of whom are not around?4. How are their solutions implemented with globus and rclone?5. What are the security concerns when connecting to a Globus collection
it during account creation?
Questions from registration (cont.)1. Does device profiling exist with google drive to ensure computers are
encrypted before data synchronization?2. Lack of Enterprise Features/Logging, DLP, enforcement of internal
policiesa. DLP -> https://support.google.com/a/answer/9646351?hl=en
3. Sharing sensitive files outside of policy4. Are there tools for faster data (that are still secure)?5. Used as a group - how safe is it?6. I've heard about potential access control vulnerabilities for Google
drive documents and would like to learn more.
Connect with ResearchSOCVisit the ResearchSOC website: https://researchsoc.iu.edu/Subscribe to the ResearchSOC announcements list: https://researchsoc.iu.edu/contact/index.htmlRead the ResearchSOC Blog: https://blogs.iu.edu/researchsoc/Join our Community of Practice: https://ask.cyberinfrastructure.org/c/rsocFollow ResearchSOC on Twitter @IUResearchSOC
@
Contact us
The ResearchSOC is supported by the National Science Foundation under Grant 1840034. The views expressed do not necessarily reflect the views of the National Science Foundation or any other organization.
researchsoc.iu.edu
