Why it matters
The riskiest things in Workspace usually aren’t zero-days. They’re the everyday decisions that make collaboration fast—installing a helpful app, flipping a folder to “anyone with the link,” trusting a service account to do its magic—and then leaving those doors open for months. Attackers thrive in that gap between convenience and control. The fix isn’t a 50-step checklist; it’s a short sequence that gets visibility first, then changes the defaults that cause most leaks, and finally adds post-delivery detection so you can undo damage quickly when something slips through.
Independent studies continue to show that the human element is involved in a large share of breaches, around 60% in the latest Verizon DBIR. That is exactly the kind of credential abuse and oversharing that native policy and in-tenant remediation can actually reduce. Meanwhile, IBM’s 2025 report keeps the average breach cost in the multimillion-dollar range, further evidence that minutes saved in detection and containment meaningfully change outcomes.
The most common gaps and the fastest patches
1) Third-party OAuth apps with more access than you think
Most orgs accumulate dozens or hundreds of OAuth apps across Gmail, Drive, and Calendar. The problem isn’t apps per se—it’s scope sprawl and absent review. Start by enforcing App access control so only allowlisted or limited-scope apps can reach sensitive Google services. In the Admin console, this lives under Security → Access and data control → API controls → App access control, where you can trust specific OAuth client IDs and restrict the scopes they can request. Pair that with a Marketplace allowlist so only sanctioned apps are even available to users. These two levers turn “anything goes” into “explicit by design.”
Why it works: you reduce attack surface from compromised vendors and abused tokens without slowing approved workflows. (You can still grant broader access where a business case exists—just do it intentionally and log it.)
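The review that App access control and the Marketplace allowlist are meant to replace is easy to automate against the grant data itself. The script below is an added illustration, not code from Material Security or Google: it takes OAuth grant records in the shape of the Admin SDK Directory API `tokens` resource (userKey, clientId, displayText, scopes), and flags every grant whose client is not on a hypothetical allowlist or whose scopes include full-service access. The allowlist, the client IDs and the grants themselves are constructed sample values; the broad-scope set is one reasonable starting point, not an official list.

```python
"""Audit OAuth app grants for scope sprawl and apps nobody has reviewed.

Records mimic the Admin SDK Directory API `tokens` resource
(userKey, clientId, displayText, scopes). The sample data is constructed.
"""
from collections import defaultdict

# Scopes that grant full read/write access to an entire service. A grant of any
# of these deserves a documented business case (assumed review threshold).
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Hypothetical allowlist of sanctioned OAuth client IDs (placeholders, not real IDs).
ALLOWLISTED_CLIENTS = {"111111-allowlisted-crm.apps.googleusercontent.com"}

# Constructed sample: four grants across three apps.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com",
     "clientId": "111111-allowlisted-crm.apps.googleusercontent.com",
     "displayText": "CRM Sync",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"userKey": "bob@example.com",
     "clientId": "222222-inbox-helper.apps.googleusercontent.com",
     "displayText": "Inbox Helper",
     "scopes": ["https://mail.google.com/", "openid"]},
    {"userKey": "carol@example.com",
     "clientId": "222222-inbox-helper.apps.googleusercontent.com",
     "displayText": "Inbox Helper",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "dave@example.com",
     "clientId": "333333-signer.apps.googleusercontent.com",
     "displayText": "PDF Signer",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]


def audit_tokens(tokens, allowlist=ALLOWLISTED_CLIENTS, broad=BROAD_SCOPES):
    """Return one finding per grant that needs review, in input order."""
    findings = []
    for t in tokens:
        broad_hit = sorted(set(t["scopes"]) & broad)
        allowed = t["clientId"] in allowlist
        if allowed and not broad_hit:
            continue  # sanctioned app with narrow scopes: nothing to review
        reasons = []
        if not allowed:
            reasons.append("client not on allowlist")
        if broad_hit:
            reasons.append("broad scopes: " + ", ".join(broad_hit))
        findings.append({"user": t["userKey"], "app": t["displayText"],
                         "clientId": t["clientId"], "reasons": reasons})
    return findings


def app_footprint(tokens):
    """Distinct users per client ID: shows which unreviewed apps spread widest."""
    users = defaultdict(set)
    for t in tokens:
        users[t["clientId"]].add(t["userKey"])
    return {cid: len(u) for cid, u in users.items()}


if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS):
        print(f"{f['user']:<18} {f['app']:<14} {'; '.join(f['reasons'])}")
    for cid, n in sorted(app_footprint(SAMPLE_TOKENS).items(), key=lambda kv: -kv[1]):
        print(f"{n:>3} user(s)  {cid}")
```

On live data the same two functions run over the paginated `tokens.list` results for each user; the useful output is the footprint table, because an unreviewed app with one user is a ticket, while one with two hundred users is a policy gap.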
2) Domain-wide delegation and long-lived service account keys
Domain-wide delegation (DWD) is powerful because a service account can act on behalf of users across the domain. It’s also a perennial persistence vector if scopes are too broad or keys live forever. Security researchers have demonstrated design-level risks when DWD is misconfigured, including scenarios where existing delegations can be misused to reach Workspace APIs. The right response is not panic; it’s least-privilege scopes, regular reviews of delegated clients, and key rotation for any user-managed service account keys. Google’s own guidance stresses keeping scopes narrow, auditing delegations, and rotating keys frequently; Google Cloud updates now make key-rotation processes and alternatives clearer so you can shrink key exposure windows.
What “good” looks like: every DWD client has a ticketed owner and an expiry; scopes match the minimum needed; keys are rotated on a schedule and discouraged in favor of keyless patterns wherever possible. (If your SIEM supports it, alert on new DWD grants so hidden persistence doesn’t linger.)
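The key-rotation check in that definition of "good" is a small script once you have the key inventory. The example below is added here and is not Google's tooling or Material Security's code: it reads records shaped like the JSON that `gcloud iam service-accounts keys list --format=json` prints (name, keyType, validAfterTime, validBeforeTime), skips Google-managed keys, and flags user-managed keys that are older than a rotation window or whose validity end is so far out that they effectively never expire. The project, account and key IDs, the 90-day window and the audit timestamp are all constructed placeholders.

```python
"""Flag user-managed service-account keys that are overdue for rotation or never expire.

Records mimic `gcloud iam service-accounts keys list --format=json` output
(name, keyType, validAfterTime, validBeforeTime). All sample values are constructed.
"""
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90          # assumed rotation policy
NO_EXPIRY_HORIZON_DAYS = 3650  # validity end more than ~10 years out is "never expires"

# Fixed audit time so the sample is reproducible (constructed).
AUDIT_NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)

SA = "projects/demo-proj/serviceAccounts/sync-bot@demo-proj.iam.gserviceaccount.com"

# Constructed sample: two stale keys, one healthy key, one Google-managed key.
SAMPLE_KEYS = [
    {"name": f"{SA}/keys/aaaa1111", "keyType": "USER_MANAGED",
     "validAfterTime": "2025-01-15T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{SA}/keys/bbbb2222", "keyType": "USER_MANAGED",
     "validAfterTime": "2025-08-10T00:00:00Z", "validBeforeTime": "2025-11-08T00:00:00Z"},
    {"name": f"{SA}/keys/cccc3333", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2025-08-25T00:00:00Z", "validBeforeTime": "2025-09-10T00:00:00Z"},
    {"name": f"{SA}/keys/dddd4444", "keyType": "USER_MANAGED",
     "validAfterTime": "2025-07-20T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
]


def parse_ts(s):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def audit_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS,
               horizon_days=NO_EXPIRY_HORIZON_DAYS):
    """Return findings for user-managed keys that breach the rotation policy."""
    findings = []
    for k in keys:
        if k["keyType"] != "USER_MANAGED":
            continue  # Google-managed keys are rotated automatically
        age = (now - parse_ts(k["validAfterTime"])).days
        expires_in = (parse_ts(k["validBeforeTime"]) - now).days
        reasons = []
        if age > max_age_days:
            reasons.append(f"age {age}d exceeds {max_age_days}d")
        if expires_in > horizon_days:
            reasons.append("no effective expiry")
        if reasons:
            parts = k["name"].split("/")  # projects/P/serviceAccounts/SA/keys/ID
            findings.append({"account": parts[3], "key": parts[5],
                             "age_days": age, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_keys(SAMPLE_KEYS, AUDIT_NOW):
        print(f"{f['account']}  key={f['key']}  {'; '.join(f['reasons'])}")
```

Feeding the findings into a ticket per account gives each key the owner and expiry the paragraph above asks for; the "no effective expiry" reason is the one to chase first, because a key created long ago with no end date is the classic forgotten credential.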
3) Oversharing in Drive: open links, inherited access, and weak defaults
Most quiet leaks in Drive stem from “anyone with the link” or a generous parent folder whose permissions cascade endlessly. Get visibility first in Security center → Dashboard → File exposure; this report shows public and external links, top external domains, and frequently viewed shared files, and lets you drill in from View report. From there, clean up broad links, fix parent-level sharing, and shift the default experience so safer choices are what users see. Target audiences lets you pre-suggest the right groups in the share dialog so people naturally avoid org-wide or public links; Trust rules for Drive let you enforce collaboration boundaries between users, groups, org units, and partner domains in a granular way. Together, defaults and guardrails reduce mistakes before content rules fire.
One more nudge that pays dividends: enable Access Checker so when users paste Drive links into Gmail, recipients’ access is verified and the sender is prompted to set the right audience before the email leaves. It’s a simple send-time fix for a surprisingly large class of exposures.
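To show what the File exposure report is computing under the hood, here is an added example (not Material Security's or Google's code) that classifies Drive permissions from records shaped like Drive API `files.list` output with the `permissions` field (type, role, emailAddress, domain, allowFileDiscovery). Each file gets its worst exposure level: public ("anyone" permissions, whether or not the link is discoverable), external (a user, group or domain outside the organisation), org-wide (a domain permission for the organisation's own domain), or scoped. The internal domain and the files are constructed samples.

```python
"""Classify Drive file permissions by exposure level, as a File exposure review does.

Input mimics Drive API `files.list` output with `permissions` populated
(type, role, emailAddress, domain, allowFileDiscovery). Sample data is constructed.
"""
from collections import Counter

INTERNAL_DOMAINS = {"example.com"}  # assumed primary domain of the organisation

# Worst exposure listed first; a file takes the first level any permission hits.
EXPOSURE_ORDER = ["public", "external", "org-wide", "scoped"]

# Constructed sample: one file per exposure level.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 board deck", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Vendor SOW", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "pm@partner.example.net"}]},
    {"id": "f3", "name": "Team roster", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"id": "f4", "name": "Sprint notes", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dave@example.com"},
        {"type": "group", "role": "writer", "emailAddress": "eng@example.com"}]},
]


def permission_domain(p):
    """Domain a permission points at: the domain field, or the email's domain."""
    if p["type"] == "domain":
        return p["domain"].lower()
    return p["emailAddress"].rsplit("@", 1)[-1].lower()


def classify_permission(p, internal=INTERNAL_DOMAINS):
    """Exposure level contributed by a single permission entry."""
    if p["type"] == "anyone":
        # "Anyone with the link" (allowFileDiscovery False) and searchable public
        # files (True) are both public; discoverability only changes how easily found.
        return "public"
    if p["type"] == "domain":
        return "org-wide" if permission_domain(p) in internal else "external"
    return "scoped" if permission_domain(p) in internal else "external"


def classify_file(f, internal=INTERNAL_DOMAINS):
    """Worst exposure level across all permissions on the file."""
    levels = {classify_permission(p, internal) for p in f["permissions"]}
    for level in EXPOSURE_ORDER:
        if level in levels:
            return level
    return "scoped"


def exposure_report(files, internal=INTERNAL_DOMAINS):
    """Counts per exposure level plus the external domains that hold access."""
    by_level, external_domains = Counter(), Counter()
    for f in files:
        by_level[classify_file(f, internal)] += 1
        for p in f["permissions"]:
            if classify_permission(p, internal) == "external":
                external_domains[permission_domain(p)] += 1
    return {"by_level": dict(by_level), "external_domains": dict(external_domains)}


if __name__ == "__main__":
    for f in SAMPLE_FILES:
        print(f"{classify_file(f):<9} {f['name']}")
    print(exposure_report(SAMPLE_FILES))
```

The "external domains" counter is the piece to watch over time: a partner domain that appears on a handful of files is normal collaboration, while a personal-mail domain that appears on hundreds is exactly the inherited-folder cascade described above, and a candidate for a Trust rule.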
4) Post-delivery threats in Gmail that SEG filters don’t catch
Modern losses often start with messages that look clean at delivery and only turn obviously malicious after a user engages. Keep your pre-delivery defenses sharp by turning on Advanced phishing & malware protection and, for attachments, Gmail Security Sandbox. But you’ll have to assume some attacks will reach inboxes. The missing piece is in-tenant detection and post-delivery remediation that can pull confirmed phish, neutralize malicious forwarders, and tighten risky Drive access kicked off by the email thread. That combination is what cuts minutes from incident response and closes the loop between email and files.
5) Content leaving on unmanaged devices
Even perfect sharing can leak via downloads or copies. Use Context-Aware Access to block download, print, and copy actions for viewers and commenters when the device posture or network context doesn’t meet policy. You can scope these rules to sensitive units or partner scenarios so collaboration stays fast while exfil paths get narrower.
A practical rollout that won’t create ticket debt
Begin with visibility. Turn on the Security center dashboard and study File exposure for two to four weeks to learn where risk clusters exist; grant the Security center administrator privilege to responders so they can pivot into the investigation tool without waiting on a super admin. Then change the defaults that create exposure in the first place: replace open links with named access, set target audiences so the Share dialog nudges people toward scoped groups, and add trust rules for sensitive teams. Only after you’ve steered behavior should you enforce: enable DLP in audit-only to discover real signals, review Rule log events and DLP snippets, and promote high-confidence rules to warn, block, or quarantine. Finish by applying Context-Aware Access to disable risky actions on unmanaged devices, and by layering post-delivery remediation for Gmail so you can “un-send” risk when reality—not reputation—says something’s wrong.
If you need a single statistic to convince stakeholders that this sequence is worth the time, point to the latest IBM cost data and Verizon’s human-element rate: less time to detect and contain, and fewer human-scale oversharing mistakes, are exactly where the dollars are.
Admin paths
In the Admin console, API controls and the Marketplace allowlist help you rein in OAuth access; Security center → File exposure shows where Drive is exposed; Target audiences and Trust rules change the sharing experience; Advanced phishing & malware and Security Sandbox harden Gmail pre-delivery; Data protection (DLP) with audit-only rules and Rule log events gives you safe enforcement; Context-Aware Access limits risky actions on unmanaged devices; and Access Checker fixes permissions at send time. These are native controls designed to work together.
Connect with Material Security
Native controls get you far. To go further without slowing people down, Material Security adds an identity-centric, in-tenant layer that correlates signals across email, files, permissions, and user context and automatically remediates issues. Pull delivered phish, disable malicious forwarders, and tighten risky Drive access created by email workflows. Request a demo of Material Security today.