Security
THE DIFFERENT LAYERS OF Google ADD-ON SECURITY
HOW TO EVALUATE MARKETPLACE APPS / ADD-ONS / CHATBOTS
If managing Google Workspace™ security is not your daily job, you probably want some guidance \ best practice tips on how to evaluate all 3rd parties who have some kind of access to your data in Google Workspace. See some generic best practice tips below.
Scope
Check the scope that the 3rd party wants to access. Evaluate if that is fair for the functionality that is offered in the application. If the application should just work on a spreadsheet data, the scope to access 3rd party web service should not be necessary. Even the Gmail™ scope should not be necessary for an application that just process data of your spreadsheet. Also a common issue in Google Workspace add-ons, is that the scope request access to ALL files in Google Drive™, while just access to a specific file type (e.g. spreadsheet) should be sufficient, and actually just the file that is opened with the spreadsheet, to limit the scope further. If you have questions about the scopes of the application, reach out to support of the supplier.
Supplier name
Check who is delivering the application. If the application is offered by "abc.hacker@gmail.com" you should have some doubts. A trustworthy company name (e.g. Salesforce™) should give your more comfort.
Privacy statement
Every application on the Google Workspace marketplace (web application, add-on, chatbot) comes with a privacy statement of the supplier. That is a mandatory item for everyone who wants to publish an item on the Google Workspace marketplace. Check this document.
Support
Check about support. You might not need it yet. However check how you can get support, when someone run into trouble for using this 3rd party application on his data.
See also Google Workspace admin help: Evaluate a marketplace app's security.
GOOGLE VETTING
Add-ons are vetted by Google™. During publication to the (public) marketplace, Google will check the code of the add-on on any misuse or abuse. If Google discover that the add-ons is against their policy, they don't publish the add-on. If the Add-on is not vetted by Google, the user gets a warning dialog box (see screenshot).
In general the advice is don't use add-ons which are not verified. Our add-ons have all passed the Google verification.
RECOMMENDATION FOR YOUR USERS
You can leave the Google Workspace marketplace complete open for you users. They would have complete freedom to try to find any app for their need and try it out. This would be good if your users are knowing what to do, and how to recognize a security thread of privacy thread. For most organisation it is better to create in the marketplace a section "Recommended for <your organisation>". Doing so, users can easily find the add-ons which are recommended (and safe) to use in your organisation.
General advice: See Google Workspace Admin Help on how to implement a recommended section for your company in the Google Workspace marketplace.
DATA ACCESS APPROVAL: USER VS DOMAIN LEVEL
When add-ons are installed by the user, a consent screen will show which add-ons is installed, who the developer is, and which APIs are used to access your data. In other words, it will show which data is shared with this developer.
Every user should carefully inspect which authorization the add-on will have over your data and review the privacy policy of the developer. For add-ons which you trust in your domain you may not want to show this consent screen to every user. As a Google admin you can approve the add-on on the domain level of your Google Workspace domain. The main advantage of this is that users don't have to accept the consent screen. This will give a smoother experience and clearly shows that the usage of the add-on is accepted in your organisation.
ALLOWLIST / BLOCKLIST
In the Google admin panel the Google administrator can either allow or block certain Google Workspace marketplace apps, add-ons or chat bots.
For more information, Google Workspace admin help:Allow or restrict add-ons in Docs editors.
MONITORING
In the Google admin panel, the authorized Google Workspace administrator, can see (and get alerts) of users authorizing 3rd parties by going in the Google admin console to "Reports". In the Reports screen, select the item "Token" in the Audit section.
You can see who have recently authorized any add-on and you can setup easily an alert via this page.
See Google Workspace admin help:
PUBLIC (MARKETPLACE) VS PRIVATE (INTERNAL) ADD ON
You can either take an add-on from the public marketplace or develop your own add-on and publish the add-on only in your Google Workspace domain. The big difference is that you don't have insight in the code of the add-on you acquired on the public marketplace. When you use an add-on from the public marketplace you have to trust the 3rd party that they are trustworthy. When you develop your own add-on (or ask a developer to do so), you own the code, you publish the code and you maintain the code. Meaning you are fully aware of what the add-on does with your data, and you are fully responsible to keep the add-on up-to-date and handle service requests.
Our add-ons are offered via the Google Marketplace, however if you require you can obtain a copy and deploy your copy within your Google domain. You need to pay a domain licence price for the add-on.
In general the advice is to check the (mandatory) privacy policy and support policy of the developer.
3RD PARTY SECURITY TOOLS
Google Workspace add-ons can be very well controlled via the Google Admin options (to our opinion). However if you want control about all scripts that are used by users you might be interested in one of the cloud security tools. The tools identify any authorization that any user provides to any script. Either developed by the user them self or 3rd party. Via the security tool you can either set automatic actions (e.g. revoke access of the script) or investigate the script.
Security monitoring examples
Spinbackup G Suite Cyber Security Solution with 3rd-Party Apps Audit
GAT shield, Google Workspace Protection and Auditing
Download the Google PDF G Suite (Google Workspace) Data Protection Implementation Guide to learn more about protecting your data in your Google Workspace domain.