Discover more from Deploy Securely
Manage Google Drive security in 60 seconds
This should be easier than it is.
I am generally a big fan of Google Drive and the apps it comes with (Docs, Sheets, etc.). For collaboration purposes, it is much better than the Microsoft Office suite. The fact that it is difficult to download and email around documents (as opposed to just sharing them) is a feature for me, as it helps to mitigate the version control nightmare many organizations face when people email around documents that end with “v2_FINAL_CLEAN.doc” or some version of it.
One problem, however, is that it can be a little tricky to figure out exactly with whom you have shared what. Evidenced by multiple threads on the topic, Google has not made it easy to figure this out. Since sharing documents with people and then forgetting that you have done so can be a potentially security issue, I put together this guide.
The one step solution to this problem
When in Google Drive (https://drive.google.com), type “owner:me from:me” in the search box, as in below:
This shows all of the files and folders you have shared with anyone else. I would recommend taking an inventory and removing anything that doesn’t need to be shared at present.
You should also look at the folders you are sharing. Although Google will warn you when adding new documents to folders that are already shared, you might have ignored this, and now you are sharing more information than you initially intended.
If you are using a paid version of Google Workspace, you also have the option to set an expiration when sharing files and folders. If you are working on a time-limited project with folks external to your organization, this is probably the way to go. Even if you plan on working indefinitely with another group, it might be worth the productivity hit to just expire the permissions every quarter or so and see who re-requests access.
Note: Ofer Shaked originally posted most of this advice on LinkedIn. Credit to him for pointing it out. I am paraphrasing his recommendations here so that there is an easily-accessible reference point for anyone seeking this information in the future.
(Update: August 27, 2023) Jonathan Todd flagged that it is possibly to control sharing settings more granularly if you are an administrator using Google Workspace. Specifically, you can control which:
users' files can be shared with internal or external users
users can receive files from internal or external users
internal or external users can be invited and add items to shared drives
as well as:
turn external sharing on or off for your entire organization
turn external sharing on or off for specific child organizational units or configuration groups
allow sharing only with certain domains
restrict link sharing when external sharing is turned on
restrict external user access to content in shared drives