How are you handling accidental Google Drive exposure in your org?
Posted by WatchNiBe@reddit | sysadmin | 12 comments
We had a close call recently — a Google Drive folder containing sensitive IP was set to "Anyone with the link" without anyone realizing it. The problem is that Google gives you poor indication of a folder's sharing level.
For a small team it's manageable, but at scale it's a ticking time bomb. Once someone shares a folder externally or sets it to public, there's no persistent reminder that it's exposed.
Curious how other admins are handling this:
- Are you auditing Drive sharing permissions regularly? If so, with what tooling?
- Has anyone set up alerts for when folders get shared externally or set to public?
- Are you using Google Workspace DLP rules to catch this, or is it mostly manual?
After our incident I ended up building a small Chrome extension for myself that just injects a color-coded banner into the Drive UI — green for private, red for public, etc. — so I can see at a glance without clicking into settings. It only uses drive.metadata.readonly and runs entirely locally. Happy to share if anyone's interested, but mostly curious what the proper enterprise-grade approach looks like for orgs managing this at scale.
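The sharing-level audit asked about above can be scripted against file metadata. This is an added example, not part of the original post and not the poster's extension. It assumes the metadata was already fetched with the Drive API v3 `files.list` call including the `permissions` field. `ORG_DOMAINS`, the `Exposure` levels and the sample records are hypothetical and constructed.

```python
from enum import IntEnum

ORG_DOMAINS = {"example.com"}  # assumption: your own Workspace domain(s)

class Exposure(IntEnum):
    PRIVATE = 0      # owner only
    INTERNAL = 1     # named users or groups inside the org
    ORG_WIDE = 2     # everyone in an org domain
    EXTERNAL = 3     # user, group or domain outside the org
    ANYONE_LINK = 4  # "Anyone with the link"
    PUBLIC = 5       # anyone, and discoverable through search
    UNKNOWN = 6      # permission list not returned: treat as worst case

def _domain(perm):
    if perm.get("type") == "domain":
        return perm.get("domain", "").lower()
    return perm.get("emailAddress", "").rpartition("@")[2].lower()

def classify_permission(perm):
    if perm.get("type") == "anyone":
        return Exposure.PUBLIC if perm.get("allowFileDiscovery") else Exposure.ANYONE_LINK
    if _domain(perm) not in ORG_DOMAINS:
        return Exposure.EXTERNAL  # includes entries with no resolvable domain
    if perm.get("role") == "owner":
        return Exposure.PRIVATE
    return Exposure.ORG_WIDE if perm.get("type") == "domain" else Exposure.INTERNAL

def classify_file(meta):
    if "permissions" not in meta:
        return Exposure.UNKNOWN  # never report a file as private on missing data
    return max((classify_permission(p) for p in meta["permissions"]), default=Exposure.UNKNOWN)

def audit(files, threshold=Exposure.EXTERNAL):
    """Return (name, level) for every file at or above the threshold."""
    hits = [(f["name"], classify_file(f)) for f in files]
    return [(n, lvl.name) for n, lvl in hits if lvl >= threshold]

# Constructed sample metadata in the shape of Drive API v3 files.list output
OWNER = {"type": "user", "role": "owner", "emailAddress": "alice@example.com"}
SAMPLE_FILES = [
    {"name": "roadmap", "permissions": [OWNER]},
    {"name": "designs", "permissions": [OWNER, {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "vendor-drop", "permissions": [OWNER, {"type": "user", "role": "writer", "emailAddress": "bob@vendor.test"}]},
    {"name": "team-notes", "permissions": [OWNER, {"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"name": "shared-drive-item"},
]

if __name__ == "__main__":
    for name, level in audit(SAMPLE_FILES):
        print(f"{name}: {level}")
```

Files whose permission list is missing are reported as `UNKNOWN` so that a gap in the data never reads as "private".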
Kumorigoe@reddit
Sorry, it seems this comment or thread has violated a sub-reddit rule and has been removed by a moderator.
Do Not Conduct Marketing Operations Within This Community.
Your content may be better suited for our companion sub-reddit: /r/SysAdminBlogs
If you wish to appeal this action please don't hesitate to message the moderation team.
shikkonin@reddit
Google Drive is blocked entirely.
avidresolver@reddit
Sharing outside organisation is disabled. If someone external needs access then they need to be sent it by another means.
WatchNiBe@reddit (OP)
Any recommendations when an external vendor has to share files with us that would contain our IP?
avidresolver@reddit
Most organisations I work with as an external vendor use Box for sharing with me.
electrobento@reddit
Disable external sharing.
WatchNiBe@reddit (OP)
Any recommendations when an external vendor has to share files with us that would contain our IP?
electrobento@reddit
If in the Microsoft world, a good solution is to invite guests if you want to share content with them. Inviting should be restricted to only certain individuals and follow some sort of approval process. Plus need to make sure everything is set up in a way that external users/guests ONLY get access to what is explicitly shared with them.
A more expensive solution is to have a completely different product for external sharing. You could, for example, only allow external sharing from Box.com, not Microsoft. Of course, even there, anonymous access should always never be allowed.
patmorgan235@reddit
Turn off anonymous access, it's impossible to secure a system when you can create a link that anyone can use.
WatchNiBe@reddit (OP)
Any recommendations when an external vendor has to share files with us that would contain our IP?
patmorgan235@reddit
In the Microsoft world you can invite individual guests to your tenant and share documents/resources with them, I'm assuming there's something similar in the Google world.
Mindestiny@reddit
DLP software on top of Workspace. The DLP controls inside of Workspace are amateur hour, like most Workspace enterprise security features.
I find this a better approach than just fully disabling external sharing, because in a cloud storage environment there's always a business reason that some things need external shares and nobody is mailing a hard drive full of files to a business partner in 2026 when they can just click "share" to collaborate. But you need something much better than what Workspace allows to give proper granular control and auditing of that sharing.