Service

Google Meet

Secure Cloud Business Applications (SCuBA)

Description

Secure Cloud Business Applications Minimum Viable Secure Configuration Baselines

 

 


 

CISA Google Workspace Security Configuration Baseline for Google Meet

Google Meet is a video conferencing service in Google Workspace that supports real-time video, desktop, and presentation sharing. Meet allows administrators to control and manage their video meetings. This Secure Configuration Baseline (SCB) provides specific policies to strengthen Meet security.

The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies' cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments. The SCuBA Secure Configuration Baselines (SCB) for Google Workspace (GWS) will help secure federal civilian executive branch (FCEB) information assets stored within GWS cloud environments through consistent, effective, modern, and manageable security configurations.

The CISA SCuBA SCBs for GWS help secure federal information assets stored within GWS cloud business application environments through consistent, effective, and manageable security configurations. CISA created baselines tailored to the federal government's threats and risk tolerance with the knowledge that every organization has different threat models and risk tolerance. Non-governmental organizations may also find value in applying these baselines to reduce risks.

The information in this document is being provided "as is" for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA.

This baseline is based on Google documentation available at Google Meet settings reference for admins and addresses the following:

  • Meeting Access
  • Internal Access to External Meetings
  • Host Management Meeting Features
  • External Participants

Settings can be assigned to certain users within Google Workspace through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes.

Assumptions

This document assumes the organization is using GWS Enterprise Plus.

This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Key Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

 

Baseline Policies


1. Meeting Access

This control limits safe meeting access to users with a Google Account or Dialing in using a phone.

Policies

GWS.MEET.1.1v0.2

Meeting access SHOULD be restricted to users signed in with a Google Account or Dialing in using a phone.

  • Rationale: Allowing users not signed-in to join meetings diminishes host control of meeting participation, reduces user accountability, and invites potential data breach. This policy reduces that risk by requiring all users to sign-in.
  • Last modified: June 29, 2023
  • Note: There is a related configuration option shown to the meeting organizer within Google Meet itself, called "Meeting access type." The setting in the admin center restricts at the org-level the types of users able to join meetings. The setting shown to the meeting organizer allows the organizer to specify who, of those permitted to join meetings by the org-wide setting, must ask to join their meeting. This baseline only provides guidance on the org-wide setting; the per-meeting setting MAY be set as each agency sees fit.
  • MITRE ATT&CK TTP Mapping

Resources

Prerequisites

  • None

Implementation

To configure the settings for Domain Meet safety settings:

GWS.MEET.1.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Google Meet.
  3. Select Meet safety settings -> Domain.
  4. Select Only users from your organization or users dialing in using a phone or Users signed in with a Google account or dialing in using a phone.
  5. Select Save.

 

2. Internal Access to External Meetings

This control determines which meetings users within the agency's organization can join.

Policies

GWS.MEET.2.1v0.2

Meeting access SHALL be disabled for meetings created by users who are not members of any Google Workspace tenant or organization.

Resources

Prerequisites

  • None

Implementation

To configure the settings for Access within Meet safety settings:

GWS.MEET.2.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Google Meet.
  3. Select Meet safety settings -> Access.
  4. Select Meetings created in your organization only or Meetings created in any Workspace organization.
  5. Select Save.

 

3. Host Management Meeting Features

This control enables the following features for a host to implement during their meeting: prevent participants from sharing their screen, turn chat messages on or off, end the meeting for all, and mute all. By default, this control is disabled.

Note: When this feature is not enabled, any attendee that is a member of the host's organization can record the meeting.

Policies

GWS.MEET.3.1v0.2

Host Management meeting features SHALL be enabled.

Resources

Prerequisites

  • None

Implementation

To enable Host Management meeting features:

GWS.MEET.3.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Google Meet.
  3. Select Meet safety settings -> Host management.
  4. Check the Start video calls with host management turned on checkbox.
  5. Select Save.

 

4. External Participants

This control provides a warning label for any participating a meeting who is not a member of the organization or whose identity is unconfirmed.

Policies

GWS.MEET.4.1v0.2

Warn for external participants SHALL be enabled.

Resources

Prerequisites

  • None

Implementation

To enable Host Management meeting features:

GWS.MEET.4.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Google Workspace -> Google Meet.
  3. Select Meet safety settings -> Warn for external participants.
  4. Check the External or unidentified participants in a meeting are given a label checkbox.
  5. Select Save.

 

5. Incoming Calls

This section covers who domain users are allowed to receive a 1:1 call from.

Policies

GWS.MEET.5.1v0.2

Incoming calls SHALL be restricted to contacts and other users in the organization.

Resources

Prerequisites

  • None

Implementation

GWS.MEET.5.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Menu -> Apps -> Google Workspace -> Google Meet.
  3. Click Meet safety settings.
  4. Click Incoming call restrictions.
  5. Ensure Users receive calls only from contacts and other users in the organization or Users can't receive calls is selected.
  6. Click Save.