Google Drive

Overview

LightBeam Spectra users can connect various data sources to the LightBeam application and these data sources will be continuously monitored for PII, PHI data.

Example: Google Drive, OneDrive, SharePoint, etc

Connecting Google Drive Data Source

1. Login to your LightBeam Instance.

2. Click on DATASOURCES on the Top Navigation Bar.

3. Click on “Add a data source”.

1. Search for “Google Drive”.

1. Click on Google Drive.

1. Fill in the requested information and click on Next.

Basic Information

1. Data Source Name: This is the unique name given to the data source.

2. Description: This is an optional field needed to describe the use of this data source.

3. Primary Owner: Email address of the person responsible for this data source which will get alerts by default.

4. Entity Creation: LightBeam Spectra detects and associates attributes based on the context and identifies whose data it is; these are called entities. Example: Jane Doe is an entity for whom LightBeam Spectra might have detected Name and SSN in a monitored data source.

5. Source of Truth: LightBeam Spectra would have monitored data sources that contain data acting as a single point of truth and that can be used for looking up entities/attributes which help to identify if the other attributes/entities found in any other data source are accurate or not. A Source of Truth data set would create entities based on the attributes found in the data.

6. Location: The location of the data source.

7. Purpose: The purpose of the data being collected/processed.

8. Stage: The stage of the data source. Example: Source, Processing, Archival, etc.

1. Provide the credentials as shown below and click on Test Connection.

1. Verify that you get the message Connection Success! on the screen. Click on Next.

2. In this step, you can choose either of three scan setting options –

i) Scan all Drives

ii) Scan selected Drives

iii) Scan folder

To choose option (i), select Scan all Drives, and click on Save.

To choose option (ii), select Scan selected drives. Now enter the names of the drives that you would like to include for scanning in the Search box individually.

Select the drives by ticking the checkboxes next to them.

Click on Save.

To choose option (iii), select Scan folder.

This is a two-fold process:

• To add the drive containing the folder you want to scan, first follow the instructions in option (ii).

• Now enter the ID of the folder that you would like to include for scanning in the Search box. ID can be found the folder URL. Example: https://drive.google.com/drive/folders/<Folder_ID>

Click on Save.

Now we are ready to browse through onboarded Google Drive data source dashboard.

Appendix

Service account json creation for Google Drive

This document describes the steps to generate the service account json required to connect to and call Google APIs to access various Google services.

Create Service Account

Create Project and Enable API Services

• As a Google Admin User: Create a project if the one needed does not exist already: https://console.developers.google.com/projectcreate?

• Select the newly created project and click on ENABLE APIS AND SERVICES on this link https://console.developers.google.com/apis/dashboard.

Make sure the following APIs are enabled:

• Google Drive API

• Admin SDK API

• Gmail API

• Drive Labels API

Create Application within Project

Generate credentials onhttps://console.developers.google.com/apis/credentials

1. Click on CONFIGURE CONSENT SCREEN which is shown at the top as a warning. Choose User Type as Internal and click on CREATE.

• Give a name to your application. e.g. demo-application.

• Choose/Write the logged-in admin user’s email as the value for the mandatory fields of User support email and Developer contact information.

• Click on SAVE AND CONTINUE.

• Skip the next screens and come back to the Credentials page.

1. Create a service account. Click on the CREATE CREDENTIALS > Service account.

• Give a name and description and click on CREATE.

• Select a role for this service account. You might see an option labeled 'Currently used', and the role value could be 'Owner'. This is because we've logged in using an admin account and created the project. Click on CONTINUE.

• You can also add more users (apart from the logged-in admin user) to the service account. This step is optional.

• Click on DONE.

Create Service Account

1. You will now be redirected to the credentials page and observe that a service account is created. Click to edit the created service account.

• In the pre-selected DETAILS tab, click on the advanced settings drop-down

CREATE GOOGLE WORKSPACE MARKETPLACE- COMPATIBLE OAUTH CLIENT

• There is another section called Keys.

Click on ADD KEY → Create new key → Choose Key type as JSON → CREATE.

A service account JSON will be downloaded.

This file will be used as <inputfile> in the last command mentioned in the document.

• Go to the credential page URL https://console.cloud.google.com/apis/credentials

You will see that an Oauth 2.0 Client ID is created as a result of the previous step of creating a service account.

Copy the Client ID to the clipboard of this newly created client for your service account. At this stage, your Credentials page would look like the screen below:

Add Permissions and Scopes to the Client ID

Sign in with an administrator account.

To sign in to admin.google.com, use an administrator account for a managed Google service, such as Google Workspace or Cloud Identity.

On the https://admin.google.com/ page with the same logged-in admin user,

click on Main Menu (This is located at the top left section of the page and is a hamburger menu option) → Security → Access and Data control → API Controls.

Click on Manage domain-wide delegation.

• You will see a screen where all the clients for your account are listed. You will need to add scopes for the newly created client whose Client Id has already been copied to your clipboard (see annotated text above in Create Service Account). Here, click on Add new.

• Paste the Client Id in the corresponding placeholder.

• Enter the below OAuth scopes in a comma-separated fashion in the second field:

• Click on AUTHORIZE.

Then, select the configured client and click on “view details” to make sure all OAuth scopes are configured correctly, it should look like:

Above is Including scope for Google labels integration.

Fetch the Auth Values to connect to LightBeam

base64 -i inputfile -o outfile

OR

openssl base64 -A -in <inputfile> -out <outfile>

Save the outfile which will be needed while onboarding the datasource.

After the generation of the service account JSON, one needs to use the same while onboarding the Google Drive datasource into LightBeam. We explain the steps for this in the following section.

Onboarding Google Drive Datasource

To onboard the Google Drive datasource in LightBeam we need the following:

1. Delegated credentials.

2. Base64 encoded value of the service account json created (using the steps listed here)

The following explains the meaning of delegate credentials and their use with LightBeam:

Delegated credentials: This field is the email address of the user who is the Google account admin for the organization. In most cases, this email id is the same as that of the user who helped generate the service account credentials. If not the admin, the email id must be of a user who at minimum has permission for Groups and Services in the Admin portal. Attached below is a screenshot of how the config for this kind of user would look in the Admin portal.

How does LightBeam use the Delegated credentials? For accessing the Gmail data of users in the organization a service account is created, and it needs to be given domain-wide delegation. Domain-wide delegation allows a service account to access user data on behalf of any user in a Google Apps domain without requiring consent from every user. This email represents the user on behalf of whom the service account would be accessing various google api calls like listing users, drives etc.

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].