On her Netflix show, “Tidying Up with Marie Kondo,” Marie’s approach to cleaning out the clutter in guests’ homes and lives is to help them identify the items that “spark joy” -- which they keep -- and move on from the rest, whether by trashing them or donating them to charity. If we can do this for Salesforce -- to be honest, this blog inspired me to write -- why not do the same joyful cleaning for our respective Google Cloud console or G Suite domain?
With growing threats, G Suite security assessment is critical for all Admins. Having full control of a well-organized domain helps in:
- Disaster Recovery: During a phishing or malware attack, Admins should know which TokenID to turn off and which audit report to review for users.
- Decreased Security Risk: An Admin has defined the policies for Data loss protection and a Change team has educated all users regarding best practices in keeping users’ accounts secure.
Dump out all your belongings
Start by pulling reports based on the following categories. This will help you figure out which configurations “spark joy” and which add to “clutter.”
Admins: Before you begin, you need to first pull a report of all “Admin Role Assignments” to check who has access to what.
Google gives you predefined Admin roles to be assigned to your HelpDesk team responsible for User Management, to your Functional owners responsible for Groups Management, etc.
Within the user deprovisioning process, do you just suspend a user, or do you also unassign the respective admin role?
- Discard Clutter: Weed out inactive Admins
- Reorganize: Adjust Admin role access for relevant functional owners.
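One way to run the admin check described above once both reports are exported, as an added example that is not from the original post. It assumes the reports are shaped like Admin SDK Directory API `users` and `roleAssignments` resources; the sample records are constructed, and the 180-day inactivity threshold and the function name `review_admins` are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like Admin SDK Directory API resources
# (users.list and roleAssignments.list); not real accounts.
USERS = [
    {"id": "101", "primaryEmail": "alice@example.com", "suspended": False,
     "lastLoginTime": "2024-05-20T09:00:00.000Z"},
    {"id": "102", "primaryEmail": "bob@example.com", "suspended": True,
     "lastLoginTime": "2023-11-02T14:30:00.000Z"},
    {"id": "103", "primaryEmail": "carol@example.com", "suspended": False,
     "lastLoginTime": "2023-08-15T08:00:00.000Z"},
    {"id": "104", "primaryEmail": "dave@example.com", "suspended": False,
     "lastLoginTime": "1970-01-01T00:00:00.000Z"},  # epoch = never logged in
    {"id": "105", "primaryEmail": "erin@example.com", "suspended": True,
     "lastLoginTime": "2024-01-10T10:00:00.000Z"},  # suspended, holds no role
]
ROLE_ASSIGNMENTS = [
    {"roleAssignmentId": "9001", "roleId": "5001", "assignedTo": "101"},
    {"roleAssignmentId": "9002", "roleId": "5002", "assignedTo": "102"},
    {"roleAssignmentId": "9003", "roleId": "5002", "assignedTo": "103"},
    {"roleAssignmentId": "9004", "roleId": "5003", "assignedTo": "104"},
    {"roleAssignmentId": "9005", "roleId": "5001", "assignedTo": "999"},  # not a listed user
]

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def review_admins(users, assignments, now, max_idle_days=180):
    """Return (assignee, roleId, reason) for every role assignment worth reviewing."""
    by_id = {u["id"]: u for u in users}
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for a in assignments:
        user = by_id.get(a["assignedTo"])
        if user is None:  # deleted user, or a group/service account assignee
            reason = "assignee not in user report"
        elif user["suspended"]:
            reason = "suspended user still holds admin role"
        elif parse_time(user["lastLoginTime"]).year == 1970:
            reason = "admin has never logged in"
        elif parse_time(user["lastLoginTime"]) < cutoff:
            reason = "admin inactive"
        else:
            continue  # active admin: keep
        email = user["primaryEmail"] if user else a["assignedTo"]
        findings.append((email, a["roleId"], reason))
    return findings

if __name__ == "__main__":
    for row in review_admins(USERS, ROLE_ASSIGNMENTS, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(*row, sep="\t")
```

Each finding maps to a "Discard Clutter" decision: unassign the role, or confirm with the functional owner that the admin still needs it.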
Licenses and OU: Google Admin console reports do a good job of displaying the Audit log; however, if you’d like to report all users, you will have to depend on the Reporting API. GAM is an open source option to pull a report of all users, OUs, Groups, and Aliases.
- Discard Clutter: It might be a good practice to review OU categorization and update the OUs based on the various license SKUs provisioned in your G Suite domain (for example, deskless, Archived user, VFE, etc.).
- Reorganize: Users from secondary domains, acquisitions, or affiliates may deserve a separate OU. This helps with delegated administration of those OUs.
You get the hang of it now. Continue “ikki ni,” which is Japanese for “in one go.” Decide what to keep (is it relevant?) and what to toss. You may have to assign a few of these tasks to your delegated admins. Whitelisted IP addresses that were added for a reason during initial Go-Live may not seem relevant with your evolved business processes. Talk to your teams to find out which configurations can be tossed:
- Groups & Members
- Domains & Domain Aliases
- Resource Calendars & their naming conventions for Buildings + Features
- Gmail: Compliance rules, Whitelisted IP Addresses, Approved Senders list.
Click here for an exhaustive checklist for Security Review.
Google is agile and valuable features are released every week. It is advised to do a clean-up twice a year, or at the minimum, once a year to ensure all configurations are compliant with Google’s best practices.
Once this is complete, you will have a joyful, clean G Suite domain under your control. Similar decluttering can be done for your Cloud Console by assigning IAM (Cloud Identity and Access Management) permissions to respective Project Teams and having Billing Admins for each team’s projects.
About the Author: Rancho Iyer