The Challenge
A publicly traded technology company had never had an independent security review of its Google Workspace environment. The tenant had grown organically: administrators were added as needed, third-party applications were connected without formal approval, and configuration decisions were made reactively rather than against a security baseline. The company needed a clear picture of its exposure and a prioritized path to remediation.
Scope
The assessment evaluated the full Google Workspace environment against two frameworks: the CIS Google Workspace Foundations Benchmark (89 controls across account management, application settings, authentication, access controls, and monitoring) and a supplementary extended checklist covering areas CIS does not address: organizational unit structure, admin role governance, OAuth application hygiene, domain-wide delegation, email authentication (DKIM, SPF, DMARC), and AI/Gemini controls.
The review included direct Admin Console inspection, DNS record analysis, a full OAuth application inventory export, domain-wide delegation grant analysis, and audit log review of Drive sharing activity.
Key Findings
The assessment identified 33 findings: 5 critical, 11 high, and 17 medium severity. Only 36% of CIS controls were passing. Several findings represented material risk:
Executive communications exposed to administrators. Conversation history was enabled on sensitive internal groups, including an executive leadership team group. Any Super Admin, of which there were far too many, could browse archived messages that could contain material nonpublic information. For a publicly traded company, this is an insider trading risk.
Third-party application sprawl was severe. Over a thousand OAuth applications had active users, and only a handful were formally configured. Hundreds of ungoverned internal Apps Script projects had no ownership or review process. A decommissioned security vendor still held email read/write access across hundreds of users. The third-party app policy was set to allow everything.
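The kind of triage that turns a thousand-row OAuth inventory into a short revocation list is mechanical once the export is in hand. The following is an added example (not the client's data or the assessment's own tooling) that scores each connected application by the sensitivity of the scopes it holds and by how long it has been idle, so that an application like the decommissioned vendor above (mail read/write, no recent use) surfaces at the top. The CSV layout, the client IDs, the app names and the dates are constructed; the scope URLs are real Google OAuth scope identifiers.

```python
import csv
import io
from datetime import date

# Constructed inventory in a "client_id, app_name, scopes, user_count, last_used"
# layout. The column names are an assumption about the export format; the rows
# are sample data, not the client's real applications.
SAMPLE_INVENTORY = """\
client_id,app_name,scopes,user_count,last_used
111111.apps.googleusercontent.com,OldMailSecurityVendor,https://mail.google.com/ https://www.googleapis.com/auth/admin.directory.user.readonly,412,2023-01-15
222222.apps.googleusercontent.com,Calendar Sync,https://www.googleapis.com/auth/calendar.readonly,38,2025-06-01
333333.apps.googleusercontent.com,Intern Apps Script,https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/script.external_request,1,2024-02-10
444444.apps.googleusercontent.com,Slack,https://www.googleapis.com/auth/userinfo.email openid,900,2025-06-20
"""

# Scopes that grant broad read or write access to mailboxes, Drive or the
# directory. Presence of any of these puts an app in a high-risk tier regardless
# of how many users it has.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail read/write",
    "https://www.googleapis.com/auth/gmail.modify": "Gmail read/write",
    "https://www.googleapis.com/auth/gmail.readonly": "Gmail read",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/admin.directory.user": "directory write",
    "https://www.googleapis.com/auth/admin.directory.user.readonly": "directory read",
}

STALE_DAYS = 90          # idle longer than this and the grant is a candidate for revocation
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def classify(risky_scopes, idle_days, stale_days=STALE_DAYS):
    """Map (sensitive scopes held, days since last use) to a remediation tier."""
    if risky_scopes and idle_days > stale_days:
        return "critical"   # sensitive access nobody is using: revoke now
    if risky_scopes:
        return "high"       # sensitive access in active use: needs an owner and a review
    if idle_days > stale_days:
        return "medium"     # low-sensitivity but abandoned: clean up
    return "low"


def triage(inventory_csv, today, stale_days=STALE_DAYS):
    """Return inventory rows ordered by tier, then by user count, for a revocation worklist."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        scopes = rec["scopes"].split()
        risky = [HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES]
        idle_days = (today - date.fromisoformat(rec["last_used"])).days
        rows.append({
            "client_id": rec["client_id"],
            "app_name": rec["app_name"],
            "users": int(rec["user_count"]),
            "idle_days": idle_days,
            "risky_scopes": risky,
            "tier": classify(risky, idle_days, stale_days),
        })
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], -r["users"]))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY, date(2025, 7, 1)):
        print(f'{r["tier"]:8} {r["app_name"]:24} users={r["users"]:4} '
              f'idle={r["idle_days"]:4}d {", ".join(r["risky_scopes"]) or "-"}')
```

The "critical" tier is deliberately defined as sensitive scopes plus no recent use: that combination has no business justification left, so it is the safest thing to revoke first and the cheapest to act on in a single Admin Console session. Apps in the "high" tier are the ones that need an assigned owner and a periodic review rather than an immediate revoke.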
AI amplified existing oversharing. Gemini for Workspace was enabled at default settings for all users with no role-based restrictions. Because Gemini surfaces any data a user can access through natural language prompts, it converted latent Drive oversharing into active data exposure. Drive permissions had never been audited.
Administrative controls were overextended. The environment had significantly more Super Admin accounts than recommended, all used for day-to-day work rather than reserved for administrative tasks. No break-glass emergency admin account existed outside of SSO. A third-party reseller retained Admin Console access disproportionate to their billing role.
Email authentication was incomplete. While DKIM and SPF were properly configured, DMARC enforcement was set to apply to only 5% of failing messages, meaning 95% of spoofed email passed through. Subdomains had no protection at all.
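The two gaps described here, a low `pct` value and an unset subdomain policy, are both visible in the `_dmarc` TXT record itself. The following is an added example checker (not part of the assessment's deliverables or tooling) that parses a DMARC record, computes the effective policy for the domain and its subdomains, and reports the findings a reviewer would raise. The domain names and records are constructed; in practice the record is fetched as the TXT record at `_dmarc.<domain>`.

```python
# Constructed sample records, not the client's real DNS. The first mirrors the
# finding above: enforcement sampled at 5% and no explicit subdomain policy.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=quarantine; pct=5; rua=mailto:dmarc-reports@example.com",
    "shop.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "legacy.example.com": "v=spf1 include:_spf.example.com -all",
}

# Per RFC 7489, when pct < 100 the messages not selected for the stated policy
# are handled with the next weaker one: reject -> quarantine, quarantine -> none.
WEAKER_POLICY = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Split a DMARC TXT record into a lowercase tag dict; {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def effective_policy(tags):
    """Return (domain policy, unsampled-remainder policy, subdomain policy, pct)."""
    policy = tags.get("p", "none").lower()
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))   # pct defaults to 100
    except ValueError:
        pct = 100
    remainder = WEAKER_POLICY.get(policy, "none") if pct < 100 else policy
    subdomain = tags.get("sp", policy).lower()                  # sp defaults to p
    return policy, remainder, subdomain, pct


def assess_dmarc(record):
    """Return a list of human-readable findings for one DMARC record."""
    tags = parse_dmarc(record)
    if not tags:
        return ["no DMARC record (TXT does not start with v=DMARC1); spoofed mail is not evaluated"]
    findings = []
    policy, remainder, subdomain, pct = effective_policy(tags)
    if policy == "none":
        findings.append("p=none: failing mail is reported only, never quarantined or rejected")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail receives p={policy}; "
                        f"the remaining {100 - pct}% is handled as {remainder}")
    if "sp" not in tags and policy == "none":
        findings.append("sp absent: subdomains inherit p=none and are unprotected")
    elif subdomain == "none" and policy != "none":
        findings.append("sp=none: subdomains are explicitly exempted from enforcement")
    if "rua" not in tags:
        findings.append("rua absent: no aggregate reports, so an enforcement ramp cannot be measured")
    return findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain)
        for finding in assess_dmarc(record) or ["no findings"]:
            print("  -", finding)
```

The usual remediation path is the one the page's short-term tier describes: leave `p` at its enforcing value and ramp `pct` upward (for example 5, 25, 50, 100) while watching the `rua` aggregate reports for legitimate senders that fail alignment, and publish an explicit `sp=` so subdomains do not silently fall back to whatever the parent happens to have.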
No data loss prevention. No DLP policies existed in Drive or Gmail. Protected health information and personally identifiable information could be shared externally without detection or prevention. Endpoint-level DLP existed on managed devices but did not cover Workspace-native sharing, AI outputs, or unmanaged endpoints.
Approach
Rather than delivering a checklist, the assessment was structured around operational impact. Every finding included severity, scope, root cause analysis, and a specific remediation recommendation the IT team could implement without additional consulting.
Findings were organized into three remediation tiers: immediate items that could be completed in a single Admin Console session (disabling dangerous defaults, revoking stale access, fixing alert configuration), short-term items requiring planning or phased rollout (reducing admin accounts, building a functional organizational unit hierarchy, ramping DMARC enforcement), and medium-term items requiring cross-functional coordination (deploying DLP, implementing context-aware access, establishing a quarterly security review cadence).
The organizational unit structure, or lack of one, was identified as the root cause behind multiple findings. Without a functional OU hierarchy, it was impossible to scope AI access by role, apply differentiated DLP policies, enforce session controls for administrators, or restrict application access for contractors. This architectural gap was elevated as a foundational remediation item.
Deliverables
The client received a comprehensive assessment report with an executive summary, detailed findings with CIS control references, a complete CIS Benchmark scorecard, a third-party application risk analysis, a domain-wide delegation inventory review, and a prioritized remediation roadmap. The report was designed so leadership could understand the risk posture while the IT team could work directly from the remediation recommendations.
Outcome
The assessment gave the company its first clear view of Google Workspace security risk. Many of the highest-impact remediations (disabling conversation history on sensitive groups, revoking stale vendor access, fixing alert configuration) were Admin Console changes that the team began implementing immediately. The remediation roadmap provided a structured path for the larger architectural changes needed to properly govern the environment going forward.