SCuBA Google Calendar

Secure Cloud Business Applications Minimum Viable Secure Configuration Baselines

Version: 1.01

Publication: 12/2023

CISA Google Workspace Security Configuration Baseline for Google Calendar

Google Calendar is a calendar service in Google Workspace used for creating and editing events that enables collaboration amongst users. Calendar allows administrators to control and manage their sharing settings for both internal and external use. This Secure Configuration Baseline (SCB) provides specific policies to strengthen Calendar security.

The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies' cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments. The SCuBA Secure Configuration Baselines (SCB) for Google Workspace (GWS) will help secure federal civilian executive branch (FCEB) information assets stored within GWS cloud environments through consistent, effective, modern, and manageable security configurations.

The CISA SCuBA SCBs for GWS help secure federal information assets stored within GWS cloud business application environments through consistent, effective, and manageable security configurations. CISA created baselines tailored to the federal government's threats and risk tolerance with the knowledge that every organization has different threat models and risk tolerance. Non-governmental organizations may also find value in applying these baselines to reduce risks.

The information in this document is being provided "as is" for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA.

This baseline is based on Google documentation available at Google Workspace Admin Help: Set Calendar sharing options and addresses the following:

• External Sharing Options for Primary Calendars
• External Invitations Warnings
• Calendar Interop Management
• Paid Appointments

Settings can be assigned to certain users within Google Workspace through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes.

Assumptions

This document assumes the organization is using GWS Enterprise Plus.

This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Baseline Policies

This section determines what information is shared from calendars with external entities.

Policies

GWS.CALENDAR.1.1v0.2

External Sharing Options for Primary Calendars SHALL be configured to "Only free/busy information (hide event details)."

• Rationale: Calendars can contain private or otherwise sensitive information. Restricting calendar details to only free/busy information helps prevent data leakage by restricting the amount of information that is externally viewable when a user shares their calendar with someone external to your organization.
• Last modified: July 10, 2023
• MITRE ATT&CK TTP Mapping
  • T1530: Data from Cloud Storage

GWS.CALENDAR.1.2v0.2

External sharing options for secondary calendars SHALL be configured to "Only free/busy information (hide event details)."

• Rationale: Calendars can contain private or otherwise sensitive information. Restricting calendar details to only free/busy information helps prevent data leakage by restricting the amount of information that is externally viewable when a user shares their calendar with someone external to your organization.
• Last modified: July 10, 2023
• MITRE ATT&CK TTP Mapping
  • T1530: Data from Cloud Storage

• Google Workspace Admin Help: Set Calendar sharing options
• CIS Google Workspace Foundations Benchmark

• None

To configure the settings for External Sharing in Primary Calendar:

GWS.CALENDAR.1.1v0.2 Instructions

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Calendar.
3. Select Sharing settings -> External sharing options for primary calendars.
4. Select Only free/busy information (hide event details).
5. Select Save.

GWS.CALENDAR.1.2v0.2 Instructions

To configure the settings for External Sharing in secondary calendars:

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Calendar.
3. Select General settings -> External sharing options for secondary calendars.
4. Select Only free/busy information (hide event details).
5. Select Save.

This section determines whether users are warned when inviting one or more guests from outside of their domain.

GWS.CALENDAR.2.1v0.2

External invitations warnings SHALL be enabled to prompt users before sending invitations.

• Rationale: Users may inadvertently include external guests in calendar event invitations, potentially resulting in data leakage. Warning users when external participants are included can help reduce this risk.
• Last modified: July 10, 2023
• MITRE ATT&CK TTP Mapping
  • T1530: Data from Cloud Storage
  • T1566: Phishing
    • T1566:001: Phishing: Spearphishing Attachment
    • T1566:002: Phishing: Spearphishing Link
    • T1566:003: Phishing: Spearphishing via Service

• Google Workspace Admin Help: Allow external invitations in Google Calendar events
• CIS Google Workspace Foundations Benchmark

• None

GWS.CALENDAR.2.1v0.2 Instructions

To configure the settings for Confidential Mode:

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Calendar.
3. Select Sharing settings -> External Invitations.
4. Check the Warn users when inviting guests outside of the domain checkbox.
5. Select Save.

This section determines whether Microsoft Exchange and Google Calendar can be configured to work together to allow users in both systems to share their availability status so they can view each other's schedules. The availability and event information that will be shared between Exchange and Calendar include availability for users, group or team calendars, and calendar resources (such as meeting rooms). Calendar Interop respects event-level privacy settings from either Exchange or Calendar.

Due to the added complexity and attack surface associated with configuring Calendar Interop, it should be disabled in environments for which this capability is not necessary for agency mission fulfillment.

GWS.CALENDAR.3.1v0.2

Calendar Interop SHOULD be disabled.

• Rationale: Enabling Calendar interop adds a layer of complexity to Calendar management, possibly increasing the attack surface. Disabling this feature unless required by the organization conforms to the principle of least functionality.
• Last modified: July 10, 2023
• Notes
  • This policy applies unless agency mission fulfillment requires collaboration between users internal and external to an organization who use both Microsoft Exchange and Google Calendar
• MITRE ATT&CK TTP Mapping
  • T1530: Data from Cloud Storage
  • T1199: Trusted Relationship

GWS.CALENDAR.3.2v0.2

OAuth 2.0 SHALL be used in lieu of basic authentication to establish connectivity between tenants or organizations in cases where Calendar Interop is deemed necessary for agency mission fulfillment.

• Rationale: Basic authentication is a deprecated and risk-prone authentication method. Using OAuth 2.0 helps reduce the risk of credential compromise.
• Last modified: July 10, 2023
• MITRE ATT&CK TTP Mapping
  • T1555: Credentials from Password Stores

• Google Workspace Admin Help: About Calendar Interop
• Deprecation of Basic Authentication in Exchange Online

• None

GWS.CALENDAR.3.1v0.2 Instructions

To configure the settings for Calendar Interop:

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Calendar.
3. Select Calendar Interop management.
4. Uncheck the Enable Interoperability for Calendar checkbox.
5. Select Save.

GWS.CALENDAR.3.2v0.2 Instructions

To configure the settings for Calendar Interop:

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Calendar.
3. Select Calendar Interop management.
4. Select OAuth 2.0 client credentials
5. Select Save.

This section covers whether or not the paid appointment booking feature is enabled.

GWS.CALENDAR.4.1v0.2

Appointment Schedule with Payments SHALL be disabled.

• Rationale: Enabling paid appointments adds a layer of complexity to Calendar management, possibly increasing the attack surface. Disabling this feature conforms to the principle of least functionality.
• Last modified: July 10, 2023
• MITRE ATT&CK TTP Mapping
  • T1530: Data from Cloud Storage
  • T1199: Trusted Relationship

• Google Workspace Help: Allow paid appointment schedules in Calendar

• None

GWS.CALENDAR.4.1v0.2 Instructions

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Calendar.
3. Select Advanced Settings -> Appointment schedules with payments
4. Select OFF- Blocks users' from adding required payments to their Calendar appointment schedules
5. Select Save