Accessing Google Workspace from outside

What happens when the URL of a Drive document (or an email) is sent to somebody outside of PwC? Unless that file has been specifically shared with that person, the answer is: Nothing.

But it is important to know why, and knowing why will make you appreciate why G Suite is one of our safest places to store information.

If you have confidential information, Google Docs is an excellent place, because you control access to it. This post is about the URL to that article - which is controlled by you and not a secret. You can send me that URL and I can do nothing with it. If you copy the actual text inside that Docs and paste it on other platforms, that is a different story! The same applies to screenshots or if you download copies. You will be responsible for those.

That said, let's talk about why URLs are special and not special at the same time!

Recap: URL sharing

URLs that can not be shared

Gmail: emails

URLs that can be shared

See the full post for details!

Drive: all files
Chat: Conversations
Google+: Communities, posts
Keep: Notes
Meet: Meeting codes*
Forms: Forms to fill out*

* Always shared within your company when people know the URL.

You can run into this situation in many cases:

Somebody may send URLs to a client and panic. Is this a data leak? No, as you will find out.
You may store URLs outside of Drive yourself, on purpose. In order to refer to emails or documents as part of your own task management solution, for example. Now you will know why this is not a security issue.
You may be in a situation where your team is only slowly adapting to the G Suite tools and you are still playing the role as underground change ninja. So you may be forced to insert links to G Suite documents into older solutions (or solutions that your boss insist you use, but deviate from the network standard).

G Suite's single most important screen.

What happens when somebody "finds" a link

Everything in G Suite is identified by a URL so you can easily refer to it. So you somehow get in possession of a link to a Google Docs file I have created, but not shared with you. What would happen?

Google will need to check if you should have access. To do that, it needs to know who you are, so it requires you to log into your account. If you log into your home account (you@gmail.com), our work instance of G Suite will reject you outright because we cannot share with Gmail addresses. The same thing goes with pretty much every other address that is not a pwc.com address.

Technically, it does not reject you outright. Google tries to be helpful and offers you to request access - but no matter how nicely you write your request, when I get it, I cannot grant it. I will be taken to the sharing dialog, and when I try to share with an external account, I will receive an error message.

At this point, you should pause for a moment and remember that, had you sent a Microsoft file via email, you would have lost your job.

This means we have the best solution ...

Peace of mind

Your data is save in Google Workspace and Google Workspace has been certified to hold all levels of confidentiality.

You take care of your permissions, and Google Workspace will take care of the rest. URLs will not matter.

Audit trails

Everything that happens in Drive is logged, even when other people access, edit or share your files. You can see this information by going into Drive and looking at a file's information panel.

Google Workspace is how we work with clients

You can work with clients in the same Docs, Sheets, Slides - whether those clients use Google Workspace or not.

This means sharing more responsibly, of course.

... and can never let our guard down

Mind the business rules

Companies have rules in place where important information should be stored permanently. This place may not be Google Drive - do not base yourself on a blog and find out what applies to your line of work.

Don't overshare within your company

You can violate secrecy not just by exposing information to the outside world. Be careful what you share with whom and what you post where.

Take adequate measures

Share your important data only with people you know. Critical data should be reviewed to make sure it has not been overshared.

Use hardened shared drives to further lock down permissions if needed.

Eternal vigilance

You can guess what happens when the little post-it note in the diagram above is gone. So we take great care who we declare "insider".

Keeping G Suite save means closely examining anything and anybody that wants to access it. That results in a quick "no" and a lengthy process for a "yes", and this is usually why we can't use plug-ins and Chrome extensions.

This was heavy reading, but necessary as some things (like visitor sharing) are changing the mix at PwC. It also never hurts to recap the basics, and what could be both more basic or more important? Thanks for sticking around and thank you for reading!

#drivePublished 2020-05-21 by Holger Matthies.Modified 2020-10-13 by Holger Matthies.

Page updated

Report abuse