Gmail

Overview

LightBeam Spectra users can connect various data sources to the LightBeam application and these data sources will be continuously monitored for PII, PHI data.

Example: Gmail, MS Outlook, Slack, etc.

Scanning Behavior

LightBeam implements a flexible scanning pattern for Gmail:

• By default, scans the “Sent Items” folder of configured users.

• No other folders are monitored unless explicitly configured.

• Users can be included or excluded from scanning after registration.

Technical Implementation

• Scanning begins automatically after data source configuration.

• Applies to all users selected during setup (either All members or Selected members).

• Users can be included or excluded from scanning configuration at any time.

• Scanning patterns are adjustable post-setup to accommodate specific user preferences.

Connecting Gmail Data Source

1. Login to your LightBeam instance.

2. Click on DATASOURCES on the Top Navigation Bar.

3. Click on “Add a data source”.

1. Search for “Gmail”.

1. Click on Gmail.

1. Fill in the requested information and click on Next.

Basic Information

1. Data Source Name: This is the unique name given to the data source.

2. Description: This is an optional field needed to describe the use of this data source.

3. Primary Owner: Email address of the person responsible for this data source which will get alerts by default.

4. Entity Creation: LightBeam Spectra detects and associates attributes based on the context and identifies whose data it is; these are called entities. Example: Jane Doe is an entity for whom LightBeam Spectra might have detected Name and SSN in a monitored data source.

5. Source of Truth: LightBeam Spectra would have monitored data sources that contain data acting as a single point of truth and that can be used for looking up entities/attributes which help to identify if the other attributes/entities found in any other data source are accurate or not. A Source of Truth data set would create entities based on the attributes found in the data.

6. Location: The location of the data source.

7. Purpose: The purpose of the data being collected/processed.

8. Stage: The stage of the data source. Example: Source, Processing, Archival, etc.

1. Provide the credentials as shown below and click on Test Connection.

1. Verify that you get the message Connection Success! on the screen. Click on Next.

2. In this step, you can choose either of two scan setting options –

i) All members and groups

ii) Selected members and groups

To choose option (i), select All members and groups, and click on Save.

Under EXCLUSION LIST FOR SCANNING, you can enter the email addresses of the members and groups you would like to exclude from the scan.

To choose option (ii), select Selected members and groups. Now enter the email address(es) of the member(s) and group(s) that you would like to include for scanning in the Search box individually.

Select the inputs by ticking the checkboxes next to them.

Click on Save.

Now we are ready to browse through onboarded Gmail data source dashboard.

Appendix

Service account json creation for Gmail

This document describes the steps to generate the service account json required to connect to and call Google APIs to access various Google services.

Depending on the services you plan to use, choose the corresponding subscription plan for your GSuite account. You must select the G Suite Business subscription if you want a use case to access Audit API reports, let users create shared drives, etc.

Create Service Account

Create Project and Enable API Services

1. As a Google Admin User: Create a project if the one needed does not exist already: https://console.developers.google.com/projectcreate?

2. Select the newly created project and click on ENABLE APIS AND SERVICES on link https://console.developers.google.com/apis/dashboard Make sure the following APIs are enabled:

• Google Drive API

• Admin SDK API

• Audit API

• Gmail API

Create an Application within Project

Generate credentials on https://console.developers.google.com/apis/credentials

1. Click on CONFIGURE CONSENT SCREEN which is shown at the top as a warning. Choose User Type as Internal and click on CREATE.

• Give a name to your application. e.g. demo-application.

• Choose/Write the logged-in admin user’s email as the value for the mandatory fields of User support email and Developer contact information.

• Click on SAVE AND CONTINUE.

• Skip the next screens and come back to the Credentials page.

1. Create a service account. Click on the CREATE CREDENTIALS > Service account.

• Give a name and description and click CREATE.

• Choose a role for this service account. You may find an option Currently used and the value for this role would be Owner as we logged in with an admin account and created the project and you may choose that option. Click on CONTINUE.

• You can additionally add more users (apart from the logged-in admin user) to the service account. This step is optional.

• Click on DONE.

Create Service Account

1. You will now be redirected to the credentials page and observe that a service account is created. Click to edit the created service account.

• In the pre-selected DETAILS tab, click on the advanced settings drop-down

CREATE GOOGLE WORKSPACE MARKETPLACE- COMPATIBLE OAUTH CLIENT

• There is another section called Keys.

Click on ADD KEY → Create new key → Choose Key type as JSON → CREATE. A service account json will be downloaded.

This file will be used as <inputfile> in the last command mentioned in the document.

• Go to the credential page URLhttps://console.cloud.google.com/apis/credentials. You will see that an Oauth 2.0 Client ID is created as a result of the previous step of creating a service account. Copy the Client ID to the clipboard of this newly created client for your service account. At this stage, your Credentials page would look like the screen below:

Add Permissions and scopes to the Client ID

Sign in with an administrator account.

To sign in to admin.google.com, use an administrator account for a managed Google service, such as Google Workspace or Cloud Identity.

On the https://admin.google.com/ page with the same logged-in admin user,

click on Main Menu (This is located at the top left section of the page and is a hamburger menu option) → Security → Access and Data control → API Controls.

Click on Manage domain-wide delegation.

• You will see a screen where all the clients for your account are listed. You will need to add scopes for the newly created client whose Client Id has already been copied to your clipboard in 5.d. Here, click on Add new.

• Paste the Client Id in the corresponding placeholder

• Enter the below OAuth scopes in a comma-separated fashion in the second field:

https://www.googleapis.com/auth/admin.directory.group.readonly,

https://www.googleapis.com/auth/drive.readonly,

https://www.googleapis.com/auth/admin.reports.audit.readonly,

https://www.googleapis.com/auth/admin.directory.user.readonly,

https://www.googleapis.com/auth/gmail.readonly

• Click on AUTHORIZE.

Then, select the configured client and click on “view details” to make sure all OAuth scopes are configured correctly. It should look like this:

Fetch the Auth Values to connect to LightBeam

base64 inputfile > outfile

OR

openssl base64 -A -in <inputfile> -out <outfile>

Save the outfile which will be needed while onboarding the datasource.

After generation of the service account json, one needs to use the same while onboarding the Gmail datasource into LightBeam. We explain the steps for this in the following section.

Onboarding Gmail Datasource

To onboard Gmail datasource in LightBeam we need the following:

1. Delegated credentials.

2. Base64 encoded value of the service account json created (using the steps listed in Appendix).

The following explains the meaning of delegated credentials and their use with LightBeam:

Delegated credentials: This field is the email address of the user who is the Google account admin for the organization. In most cases, this email id is the same as that of the user who helped generate the service account credentials. If not the admin, the email id must be of a user who at minimum has permissions for Groups and Services in the Admin portal. Attached below is a screenshot of how the config for this kind of user would look in the Admin portal.

How does LightBeam use the Delegated credentials? For accessing the Gmail data of users in the organization a service account is created, and it needs to be given domain-wide delegation. Domain-wide delegation allows a service account to access user data on behalf of any user in a Google Apps domain without requiring consent from every user. This email represents the user on behalf of whom the service account would be accessing various google api calls like listing users, drives etc.

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].