G Suite Securlet - TechDocs

G Suite Securlet

Table of Contents

• Introduction
• Prerequisites
• Scanning scope
• Enabling the G Suite Securlet
• Enabling the Securlet for additional G Suite accounts
• Using the G Suite Securlet dashboard
• Reactivating the G Suite Securlet
• Approving new permissions requests for the Securlet
• Checking supported apps
• Organizational unit support
• Supported activities
• Remediation options
• Revision history

Introduction

The platform lets you confidently leverage cloud applications and services while staying safe, secure and compliant. Leveraging advanced data science and machine learning, taps real-time user traffic, native SaaS APIs and other data sources to provide a single pane of glass for monitoring and controlling your SaaS apps.

This Tech Note describes how to set up the G Suite Securlet on . The G Suite Securlet:

• Automatically imports users and groups from your Google G Suite account and adds them to for easier onboarding.
• Automatically imports organizational units (OUs) you have defined for your G Suite account users. See the later section Organizational unit support.
• Imports user activity data for investigation and forensics purposes.
• Provides a dedicated dashboard that lets you track your users’ sharing and collaboration patterns with others both inside and outside your enterprise.
• Scans files, folders, and emails for risks as described in Scanning scope.

The following sections describe prerequisites and step-by-step instructions that let you enable the G Suite Securlet on your account.

Prerequisites

To enable the G Suite API Securlet on your account:

• You must have administrative privileges on your Symantec account.
• You must have a G Suite account (Basic, Business, or Enterprise).
• You must hold the Super Admin system role for your G Suite account.
• The email address you use as the user name for the administrator login on your G Suite account must be within the primary domain of your Google account.
• The email address you use as the user name for the administrator login on your G Suite account must be exactly the same as the email address that you use as your user name. Furthermore, this email address must be within the primary or secondary domains listed for your account. To confirm, log in to , go to the gear icon on the top right corner, then General, and check your domains as shown in the following. If necessary, contact Support to add additional secondary domains.
• Enable API in the security settings of your Google admin console as described in the following procedure:
  1. Go to more controls and click Security.

Scanning scope

The G Suite Securlet tracks and reports user and admin activity as described in Supported activities:

• Files and folders on Google Drive and Team Drive
• Content in emails, including headers and attachments, on Google Mail
• Content and content inspection on Google Sites
• Events and violations on Google Sites
• Calendar events

In order to ensure fast turnaround for the documents of greatest concern, limits the scope of the documents being scanned. also applies slightly different scanning criteria to paid customers versus trial customers. The following table describes the scanning scopes.

| Scan type | Emails scanned | Calendar events scanned | Files scanned |
|---|---|---|---|
| First scan | Emails less than 30 days old | All primary calendars for users and calendar events less than 30 days old. | Paid customers: All files. Trial customers: All Exposed files (no time limit); Unexposed files less than 30 days old. |
| "Re-scan Content" from Securlet dashboard | Emails exposed within last 30 days | Exposed calendars and calendar events within last 30 days. | All exposed files |
| On-demand re-scan from file details panel | Selected email | Selected calendar event | Selected file |
| Scan due to end-user adds/edits | All emails | All calendar events | All new documents; All edited documents |

Enabling the G Suite Securlet

This section describes how to enable the G Suite Securlet on your account.

1. Log in to using your administrator credentials.
2. On the left side navigation bar, click Store.
3. In the Store, navigate to the Securlets area. If the G Suite Securlet is not listed, click See all to view a full list of available Securlets.
4. Click the tile for the G Suite Securlet. opens the G Suite Securlet page.
5. Click Enable as shown in the following.
   sends an activation request to the team for the G Suite Securlet. The label on the Enable button changes to “Request Pending” as shown in the following.
6. When the team approves the activation request, the button label changes again to “Activate” as shown in the following. During weekday business hours Pacific time, activation usually takes about 20 minutes. Contact your representative if the activation takes unusually long.
7. Click Activate. prompts whether you want to do a scan or selective scan for a subset of users/groups/folders, as shown in the following.
8. Select an option and click Activate Securlet. Once you select an option, you cannot change it after activating the Securlet. However, you can change it later by deactivating and then reactivating the Securlet as described in Reactivating the G Suite Securlet. After the reactivation, re-scans all your files and data.
   prompts you to enter an account name for the Securlet, and to select the G Suite apps you want to secure, as shown in the following. Drive is pre-selected, and you cannot deselect it.
9. In the Account Name box, enter a convenient account name. uses this information to tell the difference between Securlet instances when you activate the Securlet for multiple G Suite accounts.
10. Mark or clear the checkboxes for Mail and Calendar.
    NOTE: You can select just Drive, and add Mail and Calendar at a later time by deactivating and then reactivating the Securlet as described in Reactivating the G Suite Securlet. After the reactivation, all your files and data must be rescanned.
11. If you want to import all your G Suite users with Active status, mark the "Import as active users" checkbox as shown in the following. If left unchecked, the users' statuses are automatically set to Inactive, and you must manually change them to Active. Inactive users cannot access SaaS apps through the gateway.
12. Click Activate.
13. redirects you to Google to sign into your G Suite account. Select the account on which you want to activate the Securlet.
14. If you are not already logged into the account, sign into it as shown in the following.
    NOTE: recommends that you create a special admin user for your Google account, one that is not tied to a specific person, in order to manage the Securlet. Creating such a user makes it possible to continue to manage the Securlet in the case of personnel changes within your network administration group.
    redirects you to the Securlet App in the G Suite Marketplace.
15. Click Domain Install as shown in the following.
16. On the Domain Wide Install box, click Continue as shown in the following.
    Google prompts you to accept the permissions sought by and also to accept the and G Suite Marketplace Terms of Service.
17. Click the "I agree..." checkbox and click Accept to grant the requested permissions. The Securlet needs all the requested permissions in order to protect your files with operations such as removing collaborators and remediating file exposures.
18. Click Next.
19. Click Complete Additional Setup Now.
20. If you chose Selective Scan in Step 8, use the tools on the Define Scan Policies dialog box to create granular scan policies that scan only specific users or groups, or exclude specific users or groups from Securlet scanning:
    a. Use the Policy Type buttons to select whether the Securlet scans only the items described in the policy, or scans everything except the described items.
    b. Use the Users menu to select which OUs, groups, and users are included or excluded as shown in the following.
    c. Use the Folders menu to select which folders are included or excluded as shown in the following. To add a folder, select Specific folders matching keywords and then enter a full or partial folder name.
    d. Click Add Rule near the bottom of the box to add additional user, group, or folder rules to the scan policy.
21. Click Start Scan. The Securlet starts scanning user data based on the defined policies.

By default, a video overlay appears on the dashboard to introduce you to the dashboard features and functionality. You can dismiss the video by clicking Hide overview video.

If you go to the Store again, you see that the G Suite Securlet is enabled (with a green check mark at the upper right corner). This completes the activation process.

The G Suite API Securlet is now enabled on your account. You can view user activities using the Investigate app. Investigate shows you a detailed analysis of the user activity performed on your G Suite enterprise account.

Enabling the Securlet for additional G Suite accounts

If you want to enable the G Suite Securlet for more than one G Suite account, first use the procedure in Enabling the G Suite Securlet to enable the Securlet for the first account. Then use the following procedure to enable the Securlet for additional G Suite accounts.

1. Contact support to have us add the domain for the additional G Suite account as a secondary domain on your account.
2. Create a sysadmin user with an email address within the new secondary domain.
3. Log in to with that sysadmin account.
4. In the Store, hover over the tile for the G Suite Securlet and click Configure as shown in the following.
5. From the Account information menu, select Register New Account as shown in the following.
6. Follow the setup prompts as described in the section Enabling the G Suite Securlet. When prompted for an account name, enter any convenient name that helps you tell the difference between your G Suite accounts in .

Using the G Suite Securlet dashboard

The G Suite Securlet dashboard delivers a wealth of information about user activity, anomalous behaviors, and sharing and collaboration trends on your G Suite account. To open the dashboard:

1. If you haven’t already done so, log in to with your administrator credentials.
2. From the left side navigation bar, select Securlets, then select G Suite, and then select one of the available tabs as shown in the following.

For more information, see Using the Securlet Dashboards.

Reactivating the G Suite Securlet

You may wish to temporarily deactivate and reactivate the G Suite Securlet. This action is sometimes required when new functions or features require reactivation. In such a case, you would receive an alert from email or in the Release Notes.

To reactivate the G Suite Securlet:

1. Log in to with your administrator credentials.
2. On the left side navigation bar, click Store to open the Store.
3. Scroll down to the Securlets area. If necessary, click See All to show all available Securlets.
4. Locate the tile for the G Suite Securlet and click Details.
5. On the Details page, click Deactivate, as shown in the following.
6. prompts you to confirm by entering your primary domain as shown on the Setting General tab, as shown in the following. Enter the domain information and click Remove.
7. Log in to your G Suite account as an administrator.
8. In your G Suite Marketplace, locate and click the entry for the Securlet.
9. On the page for the Securlet, click Remove App.
10. After deactivating the Securlet and removing the Securlet app from your G Suite marketplace, reactivate the Securlet as described in the section Enabling the G Suite Securlet.

Approving new permissions requests for the Securlet

As Symantec adds new features, sometimes it becomes necessary to request additional permissions to your G Suite data in order for new features to work properly. To grant the requested permissions:

1. In G Suite, navigate to Apps, then select Marketplace apps, and then select Settings for Securlet.
2. Click the Approval Needed link.
3. Click the Grant data access link.

Checking supported apps

To check what Google apps are currently secured by the G Suite Securlet:

1. Log in to with your administrator credentials.
2. On the left side navigation bar, click Store to open the App Store.
3. Scroll down to the Securlets area. If necessary, click See All to show all available Securlets.
4. Locate the tile for the G Suite Securlet and click the "i" information icon in the lower-right corner as shown in the following.

opens an Additional Information page to show you what apps the Securlet currently secures, as shown in the following.

Organizational unit support

The G Suite Securlet supports the synchronization of Google organizational units (OUs). When you activate the G Suite Securlet, it automatically imports the OUs you have defined for your G Suite account users.

To see the OUs, in select Users, and then select Users to open the Users & Groups page. The OUs are shown in the Organization column on the Users tab, as shown in the following. The OUs are read-only; you cannot edit them in after the Securlet imports them from Google.

The synchronization feature automates the assignment of access profiles to admins based on their OU membership. You create access profiles and assign them to OUs, and all admins within those OUs are automatically assigned the corresponding access profiles. The following figure shows the assignment of an access profile to an OU.

NOTE: Access profiles that grant rights to modify global settings such as Content Inspection settings are not restricted on an OU-basis. You must use care when creating these access profiles to limit privileges.

Supported activities

The following tables list all of the Gmail and Google Drive objects and activities that are tracked by the G Suite Securlet.

Gmail:

| Object Type | Activity Type |
|---|---|
| Email_Message | Add, Create, Delete, Modify, Receive (except from senders inside the organization), Remove, Send, Trash |

Note on Delete: The Gmail timestamps for deleted email messages are not sent to the G Suite Securlet. The times shown are the times that the data was pulled into CloudSOC.

Google Drive user activities:

| Object Type | Activity Type |
|---|---|
| Api Client | Authorize, Remove |
| Application | Authorize, Revoke |
| File | Allow, Create, Delete, Download, Edit, Move, Rename, Restore, Restrict, Role Change, Share, Trash, Unshare, Upload, View |
| Folder | Allow, Create, Delete, Edit, Move, Rename, Restore, Restrict, Role Change, Share, Trash, Unshare, Upload |
| Sites | Allow, Create, Delete, Edit, Move, Rename, Restore, Restrict, Role Change, Share, Trash, Unshare, View |

Google Drive admin activities:

| Object Type | Activity Type |
|---|---|
| Admin | Update |
| Application | Add, Remove |
| Group | Create, Delete |
| Org | Change, Create, Remove |
| Password | Reset |
| Role | Assign, Create, Delete, Unassigned |
| Service | Toggle |
| Session (see following note) | Invalidlogin, Login, Logout |
| User | Add, Change, Create, Delete, Download, Move, Remove, Restore, Suspend |

NOTE: Activities for Session objects come through the Management API, and may be subject to a delay of 30 minutes to an hour.

Remediation options

When you configure Data Exposure using Securlets policies for Google Drive in the Protect app, you can select the following remediation options:

| Option | Description |
|---|---|
| File Access: Changes access for the file. Some choices are logically exclusive of others. | Share access: Changes share access for the file. Mark the checkbox to see available settings. Remove shared link: Removes the link from the file, rendering it unshared. Prevent Download, Copy, or Print: Changes file access settings so no one can download, copy, or print the file. Prevent Writers from Sharing: Changes file access settings so that the owner cannot share the file with others. |
| Collaborator or Team Drive Member Access. Select one option. | Update member or collaborator role: Changes the collaborator role. Mark the checkbox to see available settings. Remove external collaborator or team drive member: Removes external collaborator privileges |

The G Suite Securlet also includes the Quarantine (Preserve Contents) remediation action support that administrators can perform through CloudSOC. Policies are configured through Symantec DLP (Enforce) or through CloudSOC directly when you do not use Symantec DLP. The quarantine options are as follows:

| Option | Description |
|---|---|
| Copy | Creates a copy of the file in the folder or workspace that is specified by the administrator. |
| Move | Removes all sharing properties from the file, makes a specified G Suite admin the file owner, and moves the file to the G Suite admin's workspace. |
| Move with tombstone | Takes the actions that are described for Move, and creates a text file replacement that contains information about the move. This option quarantines the file. The tombstone file is created at the original location of the file with the configured file name templates. |

The administrator can perform the Restore operation through CloudSOC for quarantined files.

See Using the Protect App for more information about configuring Protect policies.

Revision history

| Date | Version | Description |
|---|---|---|
| 2014 to 23 February 2017 | 1.0-1.12 | Initial release and minor revisions |
| 27 February 2017 | 2.0 | Add Admin activities table |
| 17 March 2017 | 3.0 | Update scanning scope, add app revocation |
| 5 April 2017 | 3.1 | Add recommendation to turn "notify your users" off |
| 24 May 2017 | 3.2 | Add Google OU, calendar support |
| 12 June 2017 | 3.3 | Add admin login email prerequisite |
| 14 June 2017 | 3.4 | Add email header scanning |
| 23 June 2017 | 3.5 | Add Google account type and admin privileges to Prerequisites |
| 4 August 2017 | 3.6 | Add calendar event scanning, update reactivating procedure |
| 2 October 2017 | 4.0 | Move Scanning Scope to beginning of tech note, move section on revoking 3rd party apps into Securlet Dashboards tech note |
| 27 October 2017 | 4.1 | Rename to G Suite Securlet, add team drive remediations |
| 7 November 2017 | 4.2 | Fix typo |
| 9 January 2018 | 5.0 | Address support for multiple G Suite accounts |
| 23 May 2018 | 5.1 | Minor changes and formatting updates |
| 14 November 2018 | 5.2 | Change "Scan now" to "Re-scan content", clarify prerequisite of Super Admin system role |
| 20 November 2018 | 6.0 | Update activation procedure, and address calendar attachment scanning |
| 17 September 2020 | 6.1 | Minor content updates |
| 09 March 2021 | 6.2 | Add quarantine remediation information |
| 03 May 2021 | 6.3 | Update information about scanning scope of Google Sites |