The Google for Education Community Platform

alexgrutza · ‎05-14-2024

---Before anyone chimes in, I know this is most likely a human-related fix, not a technological one, but I must ask because I was told to find out ---

We're a Google Edu Fundamentals workspace
So Administration will be sending a highly confidential financial Google Sheet to Faculty only
They do not want this information or Sheet to be emailed/shared externally
1. This information will be for Faculty only, not Staff, and definitely not Students
2. Faculty and Staff are in the same OU, I think there is a faculty-staff email group, not sure there is a separate Faculty-only group if that helps
They would like the faculty users to be able to download the Google Sheet in case they need to filter it or if Sheets doesn't offer an option for the Faculty to view the document as they would like
1. We know we can audit the download and copying of the original Sheet, and provide that to the Administration

So I guess my question outside of auditing, is how would we best do what Administration is asking of us technically?

They will be sharing a highly sensitive Sheet, and not want anyone to share it externally (or internally to Staff or Students)?
We don't have a timeline as to when this will be needed, but ASAP is what was told to us to figure out...
I'm not sure how DLP rules would work, as the financial information is not bank numbers or credit card numbers

--
CISSP | LinkedIn | @Phyxiis

alexgrutza · ‎05-14-2024

I'm wondering if they attach a Excel spreadsheet instead of a Google Sheet, to a Confidential mode email, if that would have a similar effect of what they're wanting? My major worry is that the Faculty cannot download it, and if the Excel is too large, it may not render within the browser

--
CISSP | LinkedIn | @Phyxiis

Kim_Nilsson · ‎05-14-2024

Just share it with View-only and disallow copy/download.

Even View-users can filter locally.

Done.

If you allow access in any other way you lose all control of what happens with the content.

--
https://wheretofind.me/@NoSubstitute

alexgrutza · ‎05-14-2024

Administration wants them to be able to download, so that they can use pivot tables and other filtering Sheets may not allow, or that the Faculty can input into different systems (database was mentioned) to come to a conclusion that is agreed upon.

I think what we may do is add a couple unique strings in the spreadsheet somewhere, and create a dlp rule to filter for those unique values so if someone renames the document, or by accident leaves the dlp-id in the document we can block/audit

--
CISSP | LinkedIn | @Phyxiis

MarkLoundy · ‎05-14-2024

Alex,

Google Sheets supports pivot tables.

Mark Loundy (He, Him, His)

Instructional Technology Specialist
De Vargas Elementary School
Ignited Fellow
Google Certified Educator

alexgrutza · ‎05-14-2024

That was just one example someone through out. As I have no idea what the Faculty would want to do, if they ran into an issue where Sheets was not able to perform what they needed, they'd then require us to find a solution. I'd rather find the right solution for what's being asked in advanced, than after the fact scrambling. I haven't even met with the person sending the document to see what it looks like.

They're having people sign NDA's, so again, this is more of a people-problem, not a technical-problem. But they're requesting different options as stated. View only is not one unfortunately. Just trying to get ideas that we haven't thought about.

--
CISSP | LinkedIn | @Phyxiis

SteveHarmon · ‎05-14-2024

I agree with @Kim and @MarkLoundy solutions. If you allow someone to download the data, then you just lost control of that data as they can do anything they wish with it (such as: copy it to a thumb drive, post it on forums, or email it to anyone outside your domain).

Best option would be to add the people who should have access to the Google Sheets share with View-only rights and disable download and copy (like @Kim_Nilsson said).

You could create the pivot tables yourself and give the viewer the ability to mess with those (though this may require giving them edit access and then protecting all of the cells except for the variables).

Another option would be to use the Query function to allow the viewer the ability to change variables to view what data they want. This would require edit access and cells protection.

alexgrutza · ‎05-15-2024

Unfortunately, download is a requirement. I just used pivot table as an example as someone mentioned it, but others have mentioned the Faculty may want to put in into tools to run queries using those tools, outside of Google (ie. a database tool, or a reporting tool like IBM Cognos, etc.).

I'm thinking a DLP rule looking for a unique string that we enter into the Sheet and hope they don't remove those unique strings, that should catch external email sharing or Drive sharing (tested).

I understand once we allow download (nothing stops someone from taking a screenshot either), we lose control/visibility without the proper DLP tools or extensive work on the backend (gpo's restricting all Windows devices from only signing in with thier Org gmail but that doesn't stop Mac users, etc.). I've let my VP of IT know and she's aware and has reiterated this to the Administration. We do have auditing at least to know who downloads/copies the file.

--
CISSP | LinkedIn | @Phyxiis

The Google for Education Community Platform

Restrict sensitive financial sheet - see body