Protecting your users & data for Google Workspace extensions
Manage the Workspace Marketplace store
The first recommendation is to configure the Google Workspace domain so that only approved 3rd party applications from the Google Workspace marketplace can be installed. To do so, go in your Google Admin console (at admin.google.com) to Apps > Google Workspace Marketplace apps and select the option "Allow users to install and run only selected apps from the Marketplace". This ensures users can only install applications that the Google Admin has approved.
The Google Workspace marketplace also offers you the ability to create an application store for your users at the URL https://workspace.google.com/marketplace/mydomainapps. This page will show only the apps that you want to promote to your users. See also the tip further below.
HOW TO EVALUATE MARKETPLACE APPS / ADD-ONS / CHATBOTS
Before you deploy a Google Workspace extension in your Google domain, it is recommended to check the Google Workspace admin help page "Evaluate a marketplace app's security" and the list below for some more practical guidance. The pre-deployment checklist below contains best-practice tips and guidance for Google Workspace extension deployment.
Check the API scopes that the 3rd party application wants to access and evaluate whether they are reasonable for the functionality the application offers. If the application should just work on spreadsheet data, a scope to access a 3rd party web service should not be necessary, and the Gmail™ scope should certainly not be necessary for an application that only processes data in your spreadsheet. A common issue in Google Workspace add-ons is that the requested API scope grants access to ALL files (e.g. all spreadsheets) in Google Drive™, while access to a specific file type (e.g. spreadsheets) should be sufficient, and in fact access to just the spreadsheet that is currently open would do. If you have questions about the scopes of the application, reach out to the supplier's support. In the API scope review, use the Google add-on scopes and the OAuth API verification FAQs as reference.
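As an added example (not code from the original page), a small Python review helper that applies the scope checks above to the oauthScopes list of an add-on's appsscript.json manifest. The scope identifiers are real Google OAuth scopes; the broad-to-narrow pairing, the purpose families and the sample manifest are this example's own assumptions.

```python
import json

# Real Google OAuth scope identifiers. Which narrower scope to suggest for a
# broad one is this example's review policy (an assumption), not a Google table.
NARROWER = {
    "https://www.googleapis.com/auth/drive": "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/spreadsheets": "https://www.googleapis.com/auth/spreadsheets.currentonly",
    "https://mail.google.com/": "https://www.googleapis.com/auth/gmail.readonly",
}
# Scope families matched by prefix, and the families an add-on purpose justifies (assumed).
FAMILIES = {
    "gmail": ("https://mail.google.com/", "https://www.googleapis.com/auth/gmail"),
    "drive": ("https://www.googleapis.com/auth/drive",),
    "spreadsheet": ("https://www.googleapis.com/auth/spreadsheets",),
    "external": ("https://www.googleapis.com/auth/script.external_request",),
}
JUSTIFIED = {"spreadsheet": {"spreadsheet"}, "gmail": {"gmail"}}

def family_of(scope):
    for name, prefixes in FAMILIES.items():
        if scope.startswith(prefixes):
            return name
    return "other"

def review_scopes(manifest_json, purpose):
    """Return one finding per questionable scope in an appsscript.json manifest."""
    scopes = json.loads(manifest_json).get("oauthScopes", [])
    findings = []
    for scope in scopes:
        fam = family_of(scope)
        issues = []
        if fam not in JUSTIFIED.get(purpose, set()):
            issues.append(f"{fam} access is not needed for a {purpose} add-on")
        if scope in NARROWER:
            issues.append(f"broad scope; ask the supplier whether {NARROWER[scope]} would do")
        if issues:
            severity = "high" if (scope in NARROWER or fam == "gmail") else "medium"
            findings.append({"scope": scope, "severity": severity, "issues": issues})
    return findings

def verdict(findings):
    return "escalate to supplier" if any(f["severity"] == "high" for f in findings) else "ok to approve"

# Constructed sample manifest for a spreadsheet add-on that asks for far too much.
SAMPLE_MANIFEST = json.dumps({"oauthScopes": [
    "https://www.googleapis.com/auth/spreadsheets.currentonly",
    "https://www.googleapis.com/auth/drive",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/script.external_request",
]})

if __name__ == "__main__":
    results = review_scopes(SAMPLE_MANIFEST, "spreadsheet")
    for f in results:
        print(f["severity"].upper(), f["scope"], "; ".join(f["issues"]))
    print(verdict(results))
```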
Check who is delivering the application. If the application is offered by "email@example.com" you should have some doubts; a trustworthy company name (e.g. Salesforce™) should give you more comfort.
Every application on the Google Workspace marketplace (web application, add-on, chatbot) comes with a privacy statement from the supplier. That is a mandatory item for everyone who wants to publish on the Google Workspace marketplace. Check this document; some collaboration with your legal team or GDPR team may be needed.
Check the support options. You might not need them yet, but when someone runs into trouble using this 3rd party application you need to know where to obtain support. Also check the latest release date: is the add-on still maintained by the provider? Some add-ons are not actively maintained by their supplier. You might want to contact the developer, just to check the response time and the support options.
Look at the reviews section, especially the negative ones, and see whether the supplier posted a reaction.
Extensions are vetted by Google™. During the (public) publication process, Google checks the extension for misuse or abuse. If Google discovers that the add-on is against their policy, they don't publish the extension.
In general the advice is: don't use add-ons which are not vetted by Google. Our add-ons have all passed the Google vetting procedure.
Workspace Marketplace for your users
For most (if not all) organizations it is advised to create a "<your organisation> apps" section in the Google Workspace marketplace. Doing so, users can easily find the add-ons which are recommended (and safe) to use in your organization. See your current list of approved extensions at the URL https://workspace.google.com/marketplace/mydomainapps.
DATA ACCESS APPROVAL: USER VS DOMAIN LEVEL
When an add-on is installed by the user, a consent screen shows which add-on is being installed, who the developer is, and which APIs are used to access your data. In other words, it shows which data is shared with this developer.
ALLOWLIST / BLOCKLIST
PUBLIC (MARKETPLACE) VS PRIVATE (INTERNAL) ADD ON
3RD PARTY SECURITY TOOLS
Additional security resources
As you made it to the last part of the page, you are likely very interested in the Google Workspace security topic. For more reading, see the list below of some Google resources:
Google Workspace security whitepaper, Oct 2020