Google Drive Deficiency Allows Attackers to Exfiltrate Workspace Data Without a Trace

Read on to learn what the Google Drive deficiency is and how event logging works.

The free version of Google Workspace lacks event logging, which can be exploited by attackers to download data from Google Drive without any trace of their unauthorized activity, researchers reported in recent findings. 

Mitiga researchers identified a significant "forensic security deficiency" in the widely used productivity application. This deficiency occurs because log generation is only available for users with a paid enterprise license for Workspace. As stated in a recent blog post by Mitiga on May 30, this situation exposes enterprises to insider threats and the risk of potential data leaks. 

A forensic security deficiency refers to a specific weakness or gap in the security measures of a system that hinders effective forensic analysis and investigation. In simpler terms, it means there is a flaw in the system's ability to gather and provide critical information necessary to understand and respond to security incidents. 

Event logging is the process of recording and storing detailed information about events or actions that occur within a system or application. It involves capturing data such as user activities, system events, errors, and other relevant information. 

The purpose of event logging is to provide a trail of recorded events that can be used for troubleshooting, security analysis, auditing, and compliance purposes. Users who have a paid license, like Google Workspace Enterprise Plus, have access to "drive log events" that provide visibility into Google Drive activity. 

These log events track actions such as copying, deleting, downloading, and viewing files. However, users with the default Cloud Identity Free license do not have this visibility. 

“Google Workspace provides visibility into a company’s Google Drive resources using ‘Drive log events,’ for actions such as copying, deleting, downloading, and viewing files. Events that involve external domains also get recorded, like sharing an object with an external user,” Mitiga explained. 

As a result, organizations using the free license cannot detect potential data manipulation and exfiltration attacks promptly. This limitation hinders their ability to effectively assess the extent of data theft, or even determine if any data has been stolen at all. 
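The gap described above can be made explicit during log review. The following is an added example, not code from Mitiga or Google: it triages Drive log events per user and marks accounts whose license produces no events as unverifiable rather than clean. The record shape (`actor.email`, `events[].name`), the license inventory, the threshold and all sample values are assumptions constructed for illustration.

```python
from collections import Counter

TRANSFER_ACTIONS = {"download", "copy"}  # Drive log actions that move data out

def _rec(email, action, title):
    """Build one constructed record in the assumed activity shape."""
    return {"actor": {"email": email},
            "events": [{"name": action,
                        "parameters": [{"name": "doc_title", "value": title}]}]}

# Constructed sample data, not real logs.
SAMPLE_EVENTS = [
    _rec("alice@example.com", "download", "payroll.xlsx"),
    _rec("alice@example.com", "download", "customers.csv"),
    _rec("alice@example.com", "copy", "roadmap.docx"),
    _rec("bob@example.com", "view", "handbook.pdf"),
]
# Constructed inventory: True means the user's license produces Drive log events.
LICENSED = {"alice@example.com": True, "bob@example.com": True,
            "carol@example.com": False}

def triage(events, licensed, threshold=3):
    """Return {user: verdict} for every user in the license inventory."""
    transfers = Counter()
    for rec in events:
        user = rec.get("actor", {}).get("email")
        for ev in rec.get("events", []):
            if ev.get("name") in TRANSFER_ACTIONS:
                transfers[user] += 1
    verdicts = {}
    for user, has_logs in licensed.items():
        if not has_logs:
            # No events does not mean no activity: nothing was ever recorded.
            verdicts[user] = "no_visibility"
        elif transfers[user] >= threshold:
            verdicts[user] = "bulk_transfer"
        else:
            verdicts[user] = "ok"
    return verdicts

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_EVENTS, LICENSED).items():
        print(f"{user}: {verdict}")
```
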

“We recommend Google Cloud customers use VPC Service Controls and configure organizational restrictions in Google Cloud Storage buckets for exfiltration protection. Between this and appropriately configured cloud audit logs, customers can rest assured that their data is secure...” 

“…While improving log forensics hasn’t been an issue raised by our customers, we are continually evaluating ways to improve customers’ insight into their storage. The highlighted forensics gap in the blog is one of those areas we are examining,” a Google Cloud spokesperson reported.