Google Workspace: GDrive
This section covers the following topics:
Prerequisites
| Component | Description | 
|---|---|
| Proxy Agent | Proxy Agent host with direct internet access. Recommended Proxy Agents: • Windows Agent • Linux Agent | 
| TCP Allowed Connections | Port 443 | 
Configure Google Workspace account
Before you add Drive targets, you must have:
- A Drive administrator account for the target Drive domain. 
- A Drive account. DDC only supports Drive accounts. Personal Google accounts are not supported. 
To configure your Google Workspace account for scanning:
Select a project
- Log on to the Google API Console. 
- From the projects list, select the project that you want to scan with DDC. If no project exists, create a new project. 
Enable APIs
To scan a Drive account, enable the APIs for it in your selected project.
To enable the APIs:
- In the left pane, click Enabled APIs & services. 
- On the APIs & Services, click + ENABLE APIS AND SERVICES. 
- On the API Library page, search for the following APIs: - Target Drive - API Library - All - Admin SDK API - Google Drive - Drive API 
- Click ENABLE for both the APIs. 
Create a service account
Before adding Drive as a target, you must create a Google service account for use with DDC. The service account must have the required permissions to allow DDC to authenticate and access (scan) the resources in your Drive account.
- Log on to the Google Cloud Console. 
- Select the desired project from the project list. 
- Click the hamburger icon (☰) to expand the navigation menu. 
- Go to IAM & Admin > Service Accounts. 
- Click +CREATE SERVICE ACCOUNT. 
- In the Service account details section, specify the following details: - Field - Description - Service account name - Enter a descriptive name for the service account, for example, - ddc-sa.- (Optional) Service account ID - Edit the default ID for the service account, or click the refresh button to generate a service account ID. For example, - ddc-sa@project-id.iam.gserviceaccount.com. This will be required when configuring connection for the Drive data store.- (Optional) Description - Provide a description for the new service account. 
- Click CREATE AND CONTINUE. 
- In the Grant this service account access to project section, from the Select a role drop-down list, select Project > Owner. 
- Click CONTINUE and then Done. Your service account is created. 
- Navigate back the Service accounts page. 
- Click the newly created service account. 
- Click the DETAILS tab. 
- Note down the Unique ID (or OAuth 2 Client ID) for the service account (for example, - 123456789012345678901). This is required when setting up domain-wide delegation.
Set up domain-wide delegation
After creating a service account, you need to set up and enable domain-wide delegation to allow DDC to access your Drive domain with the service account.
To delegate domain-wide authority to a service account:
- Log on to Google Admin Console as a super administrator of the Drive domain. 
- Click the hamburger icon (☰) to expand the navigation menu. 
- Go to Security > Access and data control > API controls. 
- Click MANAGE DOMAIN WIDE DELEGATION. 
- Click Add New. The Add a new customer ID dialog box is displayed. 
- In the Customer ID field, enter the service account's Client ID or Unique ID (for example, - 123456789012345678901).
- In the OAuth scopes (comma delimited) field, enter a comma-separated list of Google API scopes for every Drive service that you want to scan with DDC. - Google Service - Google API OAuth 2.0 Scope - All (required) - https://www.googleapis.com/auth/admin.directory.user.readonly - Google Drive - https://www.googleapis.com/auth/drive.readonly - For example, specify - https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/drive.readonly.
- Click AUTHORIZE. 
Generate a new key for the service account
Credentials for a service account are set to expire in the year 10000, making expiration unlikely. However, a contingency plan exists for regenerating a new key, if needed. If the key is not obtained or expires, it's acceptable to create a new key, although not an ideal practice.
- Log on to the Google Cloud Platform (GCP) with your credentials. 
- Go to the DASHHBOARD. 
- Click the hamburger icon (☰) to expand the navigation menu. 
- Click IAM & Admin > Service Accounts. 
- Search for the project in which the required service account is available. 
- Click the ellipses icon (  ) and click Manage keys. The Keys page is displayed. ) and click Manage keys. The Keys page is displayed.
- Click ADD KEY, then Create new key to generate a new key. The Create private key for "<Your service account>" dialog box is displayed. 
- Select P12 as the Key type and click CREATE. 
The key will be automatically downloaded to your system. Save the created P12 private key file to a secure location on your computer. This will be required when configuring connection for the Drive data store.
Add Drive data store
To add the Drive data store:
- Log on to the CipherTrust Manager GUI. 
- Open the Data Discovery & Classification application. 
- Click Data Stores > Data Stores > Add Data Store. The Add Data Store screen is displayed. 
- Complete the following steps: 
Select Type & Category
- Under Select Data Store Category, select Cloud. 
- From Select Cloud Type, select G-Drive. 
- Click Next. 
General Info
- Specify the following details: - Data Store Name: Name for the data store. 
- Description (Optional): Description for the data store. 
- Location Name: Location of the data store. 
- Add Location: Click Add Location to add new locations to the Location Name drop-down. Refer to Adding Locations for detailed steps. 
- Sensitivity Level (Optional): Sensitivity level for the data store. Refer to Sensitivity Levels for details. 
- Enable Data Store: Whether to enable the newly added data store. Select the check box to enable the data store. 
 
- Click Next. 
Configure Connection
- Specify the credentials of the Google domain. - Field - Description - Google Domain - Google domain that you want to scan. For example, if your Drive administrator email address is - admin@example.com, your Google domain is- example.com.- User - Email address of the Drive administrator account. For example, - admin@example.com.- Service Account ID - Your service account ID or email address. For example, - ddc-sa@project-id.iam.gserviceaccount.com. Refer to Create a Service Account to get the service account ID.- Private Key - Private key ( - *.p12) associated with the Google Workspace service account. Refer to Generate a New Key for the Service Account for the key details.
- In the Select Number of Agents field, set the minimum and maximum number of agents for the data store. Refer to Agents for more information. - Warning - As there is no limit on the number of minimum and maximum agents that you can set, you should exercise caution so that you do not impact the system performance by using too many resources for a single scan.
- You will not be able to add a datastore if the minimum number of agents cannot be assigned.
- A scan will fail if the assigned agent is unavailable after adding the datastore.
- The minimum number of agents must be less than or equal to the maximum number of agents.
 
- (Optional) In the Add Label field, enter a label. You can also remove an existing label. 
- Click Next. 
Add Access Control & Tags
- (Optional) Grant the - All groups (default)access for reports. Alternatively, select a group.
- Click Save. 
The data store is added to the Data Stores page. If the Ready to Scan column shows Ready, then data store is properly configured.
For more information on Access control and Tags, expand the section below.
Access Control & Tags
The Access Control & Tags tab on the Add Data Store screen allows you to grant access rights to your data store and add tags. More details below:
- ACCESS CONTROL - select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store. The available options are: - All groups: All groups of users can access the data store through reports. This is the default setting. 
- Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group. If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups. 
 
- TAGS - Select a tag from the Add Tag drop-down. See the list of prebuilt tags in Predefined tags section. - Tip - New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down. 
- Add as many tags as needed. 
- To remove a tag, click the close icon in the tag name. 
 
Add Drive scan
To add a scan for Drive:
- Open the Data Discovery & Classification application. 
- Click Scans > Add Scan. The Add Scan screen is displayed. 
- Complete the following steps: - Refer to Scans for the description of sections of the Add Scan screen. 
General Info
- Specify a Name for the scan. 
- (optional) Add a Description for the scan. 
- Expand Advanced Configuration and specify advanced configurations such Scan Priority, Memory Usage Limit, and Amount of Data Object Volume. Refer to Advanced Configuration for details. 
- Click Next. 
Select Data Stores
- Under Data Store Name, select the desired data store that is Ready for scanning. You can select multiple data stores, if required. 
- Click Next. 
Add Targets
- To add a scan target, do one of the following: - Under the Add Target field, specify the correct target path and click Apply. - If no specific target is added, the entire data store will be scanned. - The following table lists target paths and syntax to specify them with examples. - Target Path to Scan - Syntax - Example - Complete data store - <Empty_Path> - Specific user account - <User_Name> - testuser - Specific folder in user account - <user_name/My Drive/folder_name> - testuser/My Drive/sensitivedata - Specific file inside a folder - <user_name/My Drive/folder_name/file_name> - testuser/My Drive/sensitivedata/foo.txt 
- Navigate and add target paths. - Click Browse to navigate target paths from the root level. - Alternatively, provide an initial path in the Add Target Path field and click Browse to navigate targets from that point onward. 
- In the left pane, navigate and select the desired target path. 
- Click Add Path to add the target path to the right pane. Similarly, add other target paths. 
- Click Add. 
 - Tip - Either navigate the target paths from the root level (without specifying any path in the Add Target Path field) or make sure you provide the correct path to navigate further locations within it. 
 
- Click Next. 
Select Profiles
- Under Classification Profile Name, select the desired classification profiles to search for in the data store. You can select multiple data stores, if required. Refer to Classification Profiles for details on classification profiles. 
- Click Next. 
Add Filters
This step is optional.
- Select the desired filter from the Select Filter drop-down list. - To filter the locations to scan a Drive data store, consider the following syntax. - Note - Exclude Path/DO by prefix, suffix, and expression filters support wildcard characters. See Using Wildcard Characters to learn how wildcards work. - Exclude Path/DO by prefix - Excludes paths or data objects that begin with a given string. It can be used to exclude entire directory trees. Specify - <string>.- Filter Item - Syntax - Example - User - <UserName> - datastorecicduser - Folder - <UserName>/<FolderName> - datastorecicduser/my drive/sensitivedata - File - <UserName>/<FolderName>/<FileName> - datastorecicduser/my drive/sensitivedata/file.txt 
- Exclude Path/DO by suffix - Excludes paths or data objects that end with a given string. Specify - <string>.- Filter Item - Syntax - Example - User - <UserName>* - datastorecicduser* — Applies all paths starting with 'datastoreicduser' as suffix. - Folder - <FolderName>* - folder* — Applies all paths starting with 'folder' as suffix. - File - <FileName> - file1 
 Wildcard usage
 file1* — Applies all paths starting with 'file1' as suffix.
- Exclude Path/DO by expression - This filter is majorly used with wildcard characters. - Excludes paths or data objects that matches the given expression. Specify - <string>.- For example, to exclude locations that contain 'blob' in their path, use expression *blob*. - Filter Item - Syntax - Example - User - <UserName>* - datastorecicduser* - Folder - <UserName>/<FolderName>* or *<FolderName>* - datastorecicduser/my drive/some_folder* or *folder* - File - <UserName>/<FolderName>/<FileName>* or *<FileName>* - datastorecicduser/my drive/some/folder/file1* or *file1* 
- Include DO modified recently - Includes data objects modified within N number of days from the current date, where the value of N ranges from 1 to 99 days. After selecting this filter, specify Days from current date. 
- Exclude DO greater than size - Excludes data objects that are larger than a given file size (in MB). After selecting this filter,specify the file size in MB. 
- Include DO's within modification date - Includes data objects modified within a given range of dates. After selecting this filter, specify Start and End dates. 
 
- Click Apply. 
- Repeat the above steps to apply multiple filters. Click Remove to remove any applied filter. 
- Click Next. 
Schedule Run
- Specify the scan run frequency. The two options are: - Manual: This is the default option. Select this option run the scan manually. Select the Run Now check box to start the scan run after you save the changes. 
- Scheduled: Select this option to configure the scan to run automatically at the specified time. 
 - Refer to Schedule Scan for more details on scheduling scan runs. 
- Click Save.