In order to enhance security in Google Drive, we have launched the Shared Drives cleanup feature on our Tricent tool. Now, assigned users will be able to review Shared Drives files and decide whether to unshare them or extend their sharing period. This way, we offer even more protection in Google Drive by involving the end-users, who know best what needs to be (un)shared, and not the admins.
How is it different from our previous Shared Drives feature?
Before, we had a bulk operation where admins would scan a drive, ask to see which files were x months old, get a list of those files, and unshare them. It was something an admin would do every once in a while, but now it’s more of a continuous, end user-driven cleanup like on My Drive.
We held a webinar where we discussed Shared drives security and demonstrated the new feature setup process. You can watch the recording below.
How to set it up
We will go through the setup process step by step, so that admins know how to customize their settings according to their company’s needs and users understand what’s changed for them.
The short version:
Go to Google Drive → Go to Shared Drives → Make sure the right people are (Drive) Managers and Content Managers
Go to the Tricent portal → Configure the settings under the Shared Drives tab → See if there’s any policy override that you want to enable for specific drives → Enable the drive you want to clean up OR enable all of them
Make sure to exclude service accounts that have access to your Shared Drives in the cleanup settings!
The detailed version:
1. Review your Managers and Content Managers in Shared Drives
It is best practice to not give every user a manager role in Google Drive, so make sure to apply the least privilege principle when giving access to your Shared Drives. If everyone has “Manager” or “Content Manager” access, then everyone will get the cleanup emails from Tricent, which is unnecessary and potentially a compliance risk.
It’s fine to use groups as Shared Drives members, e.g. “firstname.lastname@example.org” or “email@example.com”, but we recommend not giving them “Manager” or “Content Manager” privileges.
How to review access levels?
Go to Shared Drives in Google Drive. Right-click on each drive and click “Manage Members.”
Now, you can make sure the right people are the Managers and Content Managers of your Shared Drives. When you’re done reviewing each member, click on “Done” to save your settings.
Next, moving on to the Tricent Compliance Tool.
2. Admin Cleanup Settings
Click on the Shared Drives tab on the left menu bar.
Admins will then see the following section at the top:
Automatic cleanup enabled
On the right side of the screen, define the parameters you want to use for the Automatic cleanup of Shared Drives and then enable this feature. If the settings fields are left empty and you enable the feature, the tool will apply the global cleanup settings that are in use for cleaning up My Drive.
New file safe for (days) - quarantine period for new files. If a user creates a new file and shares it, we won’t send them email reminders to unshare it for x days. After that period, the cleanup frequency will go into effect and they will get email reminders as usual.
You can select what kind of users are responsible for cleaning up your Shared Drives: Drive Managers (known as “Managers” in Shared Drives), Content Managers, and exclude certain accounts.
You can exclude certain people you don’t want to be responsible for cleaning up, but the most important measure with this feature is to exclude service accounts (accounts that are entirely programmatic and have no user at the other end).
We use a service account that is automatically a Manager account in order for us to access our customers’ drives (to scan a drive or unshare files), but we exclude it by default. However, if you have other service accounts with (Drive) Manager or Content Manager roles, our tool is going to assume that those service accounts are actual people and will send them emails to clean up the drive.
Moreover, our tool cleans up drives that have cleanup enabled and where at least one manager exists. If a service account happens to be the only Manager account on a drive, the files will get automatically unshared and only admins will be able to restore the sharings, unless other Managers are added to the drive. To avoid that, exclude all service accounts from the cleanup responsibles.
Shared Drives Actions
The Alert Bell will change colors depending on the issue discovered, meaning it will turn:
Yellow, if there’s no one to clean up the shared drive, i.e. if you choose Content Managers to perform the cleanup, but the drive has no Content Managers. This is important because we don’t clean up any drive where we can’t find any managers;
Red, if a shared drive has a member that is an external account. Since we cannot remove their permissions, admins should review access levels of external accounts.
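The checks described above (service accounts holding Manager or Content Manager roles, drives with nobody left to clean them up, and external members) can be run against an exported member list before cleanup is enabled. This is an added example, not Tricent's code: `audit_drive`, `SAMPLE_DRIVES` and the `corp.example` domain are hypothetical, and the member list is assumed to have the shape of Drive API `permissions.list` results.

```python
# Added example, not Tricent code. Roles are Drive API v3 permission roles:
# "organizer" = Manager, "fileOrganizer" = Content manager in the Drive UI.
MANAGER_ROLES = {"organizer", "fileOrganizer"}
SERVICE_ACCOUNT_SUFFIX = ".gserviceaccount.com"


def audit_drive(members, internal_domain, responsible_roles=MANAGER_ROLES):
    """Classify one drive's members; each is a dict with emailAddress, role, type."""
    service_managers, humans, groups, external = [], [], [], []
    for m in members:
        email = m["emailAddress"].lower()
        is_service = email.endswith(SERVICE_ACCOUNT_SUFFIX)
        # Assumption: service accounts are reported separately, not as external.
        if not is_service and email.rsplit("@", 1)[-1] != internal_domain:
            external.append(email)
        if m["role"] not in responsible_roles:
            continue
        if is_service:
            service_managers.append(email)
        elif m["type"] == "group":
            groups.append(email)
        else:
            humans.append(email)
    return {
        "exclude_from_cleanup": sorted(service_managers),
        "groups_with_manager_role": sorted(groups),
        "no_human_responsible": not humans,   # nobody left to receive reminders
        "external_members": sorted(external),  # access levels need admin review
    }


# Constructed membership, shaped like Drive API permissions.list results.
SAMPLE_DRIVES = {
    "Finance": [
        {"emailAddress": "alice@corp.example", "role": "organizer", "type": "user"},
        {"emailAddress": "etl@proj-1.iam.gserviceaccount.com", "role": "fileOrganizer", "type": "user"},
        {"emailAddress": "bob@partner.example", "role": "reader", "type": "user"},
    ],
    "Backups": [
        {"emailAddress": "backup@proj-1.iam.gserviceaccount.com", "role": "organizer", "type": "user"},
        {"emailAddress": "team@corp.example", "role": "writer", "type": "group"},
    ],
}

if __name__ == "__main__":
    for name, members in SAMPLE_DRIVES.items():
        print(name, audit_drive(members, "corp.example"))
```

Passing `responsible_roles={"fileOrganizer"}` reproduces the case where only Content Managers are chosen for cleanup and a drive has none.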
Automatic cleanup switch
You can switch on automatic cleanup for specific drives if you don’t enable automatic cleanup on all drives by default.
You can also create Override policies for drives, i.e. you can enable custom cleanup settings for certain drives in terms of the cleanup responsibilities and the cleanup settings. Simply click on the cog icon that says “Override Global Settings” and customize it to your liking.
If/When you do enter custom settings, you need to make sure to click “Enabled policy override” and then “Save” if you want those new settings to go into effect. They will be saved there as a draft, so in case you do want to enable them at some point, they will still be there.
The cog will turn blue when “Enabled policy override” is active on a drive. If you want to default to the general settings (the settings at the top of the app), you simply disable “Enabled policy override” and click “Save.”
On the right side of each drive, you now have statistics revealing the number of:
This new update gives you a fast overview of the file situation in each drive and makes it easier for admins to know which drive to act on.
Shared Drives Scan Log
You can download .csv files for each scan log. The file shows all the permissions for all the files, including both emails and domains, so that admins can analyze how files in the Shared Drives are shared.
Best practices for Admins
Regularly review members’ access level to your Shared Drives;
Figure out how to clean up Shared Drives according to your users’ needs (bulk cleanup, override policy for some, etc.);
Analyze the scan logs every once in a while to check if there’s a domain that shouldn’t have access.
What does it mean for the users assigned to clean up?
The users assigned to clean up Shared drives will get a new set of email reminders to review files from the drive they are responsible for. That means they will get a new tab in the Tricent app (see app view below).
Users will have the same experience on the Tricent tool as when they were only responsible for their own My Drive files. That means that Dashboard, Safelist (List of files with extended/renewed sharing period), and History will be the same, but they only need to make sure they are in the right Drive to see what files they have to review.
Whether a user is a Content Manager or a Drive Manager, they can always keep track of what’s been safelisted or unshared from the Safelist and History tabs, respectively. They just need to make sure they’re in the Shared Drives tab.
Users can filter by specific drives or simply scroll down and see which Shared Drives files they are responsible for.
Should you have any questions regarding the Shared Drives feature, do let us know.