Administering a large product group like Google Workspace can feel overwhelming at times. This is especially true if you are a small business with low manpower in the IT space. The availability of your business’s IT services is clearly important, but how do you set up your Google Workspace in a way that puts up guard rails for your users?
There are a lot of risks to consider when you think about the sensitive data that your employees interact with on a daily basis. Google does a lot out of the box to ensure your data is in safe hands: the data you upload to Google Drive is encrypted both in transit (using TLS) and at rest (using AES).
However, this only protects you in the event of Google being compromised. Most of the risk in information security is introduced by the humans using the technology. If your business uses Google Drive to host most of its data, you need to anticipate the mistakes your users could make and put controls in place ahead of time.
This article is an 8-part guide to configuring your Google Workspace to follow security best practices, with a particular focus on Google Drive.
The first and arguably most important step in preventing unwanted data leakage is to educate your employees about the risks of sharing files and how sharing permissions work in Google Drive. This education could take the form of training or a written policy within your organization. Either way, making Google Drive’s sharing best practices known to your employees will help prevent mistakes from being made in the first place. Your employees should be taught the following points about sharing files in Google Drive:
It’s best to narrow the scope of what you share whenever it makes sense to do so. By sharing individual files rather than whole folders, you avoid inadvertently sharing a file with someone simply by placing it in the wrong folder.
When you share a file, you should only share it with the people that need access and nothing more. Creating public or internal links can put your data at risk of being exposed if the link is shared or leaked. It’s best to share with specific individuals or groups instead.
When you share a file with someone else, you should consider how you would expect them to use the file. If they don’t need to make modifications to the file you are sharing with them, then don’t allow them to! You should grant Viewer or Commenter permissions whenever possible while sharing files.
If you do need to grant edit access to a file, make sure that you don’t allow the person you are sharing with to change the permissions on the file themselves. By allowing someone else to modify the permissions of your file, you are granting them the ability to share your data with whomever they want, and you are losing control of the access to your data.
As important as it is to limit the scope of what you are sharing, sometimes you just need a larger collection of shared documents that you collaborate on with your team. In those cases, it might make the most sense to set up a Shared Drive.
A Shared Drive is needed when most or all members of a project team need access to the same files. The process to set up a Shared Drive is documented by Google, but it mostly involves picking members, setting their permission levels, and adding the files you need to the shared drive.
The biggest advantage of setting up Shared Drives is to reduce the number of times your employees need to share documents. This helps your employees focus on their work, and it also reduces the chances of a mistake being made when setting up sharing rules.
As an administrator, it would be a good idea for you or your teams to review Shared Drive structure once a year to ensure that access to files still reflects the projects and/or teams that are currently operating in your organization.
In the Shared Drives topic, I alluded to “mistakes” that can be made when sharing files in Google Drive. One of the biggest mistakes that employees can make is creating a shareable link to a file rather than granting access to specific people. I also briefly mentioned this topic in the user education section. To see why this can be a big deal, let’s walk through a threat scenario.
Let’s say you have an employee in the finance department who has access to sensitive internal data. While working with a 3rd party, they share a document containing payment card information (PCI).
Rather than sharing the document directly with their contact’s email address, the finance employee creates a shareable link for the document. At this point, the finance employee has given up a lot of control over who can access the document. Their 3rd party contact could forward the email to someone else, or worse, get their account taken over by a malicious hacker. Since a sharing link can be opened by anyone who has it, the sensitive PCI data is put at risk.
There are ways to share links so that they are only accessible by people in your Google Workspace, but even then it is still excessive access in most cases. As an admin, you should monitor for link sharing and reach out to employees if it seems like the file shared may contain sensitive data or if you think using a link was bad practice.
Luckily, Google gives you a tool to help identify risky sharing: the File Exposure Report.
When you do share a file directly with someone else, they can copy or download the file you sent them by default. This effectively ends the visibility and control you have over your document. That might not be a big deal all the time.
However, sometimes you may have an extremely sensitive document that you want to share with a 3rd party but you don’t want them making copies of. In those cases, you may want to disable downloading, printing, and copying of the files you are sharing from your Google Drive.
The good news is that Google supports that kind of restriction. The bad news for Workspace administrators is that this setting has to be enabled by the owner of the file, which means there is currently no way to enforce it (though you may be able to in the future with Drive labels in Workspace
What you can do now as an admin is monitor downloads, prints, and file copies on the audit and investigation page of the admin console. Using those audit logs, you can monitor external file copying activity and look for opportunities to educate your employees on how and when to further restrict their sharing.
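Added example, not from the original article: a small triage script for the two things this section and the earlier link-sharing section tell you to monitor, files switched to link sharing and downloads, prints or copies by accounts outside your domain. The records are constructed, and their field names follow the Drive audit activity format of the Reports API as I understand it, so treat the schema as an assumption to verify against your own export.

```python
# Added example, not part of the original article: triage Google Drive audit
# log records for link sharing and for external download/print/copy events.
# Field names follow the Drive audit activity format of the Reports API as
# understood by this example's author (an assumption to verify against your
# own export); the records in SAMPLE_LOG are constructed, not real log data.

LINK_VISIBILITIES = {"people_with_link", "people_within_domain_with_link",
                     "public_on_the_web"}
EXPORT_EVENTS = {"download", "print", "copy"}

def _params(event):
    """Flatten an event's parameter list into a dict (single or multi values)."""
    return {p["name"]: p.get("value", p.get("multiValue"))
            for p in event.get("parameters", [])}

def triage_drive_activity(records, org_domain):
    """Return (actor, finding, doc_title, details) tuples worth a follow-up."""
    findings = []
    for rec in records:
        # Anonymous or unknown actors have no email and count as external.
        actor = rec.get("actor", {}).get("email", "anonymous")
        for ev in rec.get("events", []):
            p = _params(ev)
            title = p.get("doc_title", "?")
            if ev["name"] == "change_document_visibility":
                new = set(p.get("new_value") or [])
                if new & LINK_VISIBILITIES:
                    findings.append((actor, "link_sharing", title, sorted(new)))
            elif ev["name"] in EXPORT_EVENTS:
                # An export by an outside account is where admin visibility ends.
                if not actor.endswith("@" + org_domain):
                    findings.append((actor, "external_" + ev["name"], title, []))
    return findings

# Constructed sample: an employee turns on link sharing, an outside account
# then downloads the file, and a colleague's ordinary edit is left alone.
SAMPLE_LOG = [
    {"actor": {"email": "finance@example.com"}, "events": [{
        "type": "acl_change", "name": "change_document_visibility", "parameters": [
            {"name": "doc_title", "value": "Q3 card payments.xlsx"},
            {"name": "old_value", "multiValue": ["private"]},
            {"name": "new_value", "multiValue": ["people_with_link"]}]}]},
    {"actor": {"email": "vendor@partner-example.net"}, "events": [{
        "type": "access", "name": "download", "parameters": [
            {"name": "doc_title", "value": "Q3 card payments.xlsx"}]}]},
    {"actor": {"email": "bob@example.com"}, "events": [{
        "type": "access", "name": "edit", "parameters": [
            {"name": "doc_title", "value": "Team notes"}]}]},
]

if __name__ == "__main__":
    for finding in triage_drive_activity(SAMPLE_LOG, "example.com"):
        print(*finding)
```

Feed it the JSON records returned by the Reports API activities list for the drive application (or an export from the audit and investigation page) in place of SAMPLE_LOG.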
The first half of this article has been exclusively focused on file-sharing best practices. Now for the 2nd half, we will cover some operational security best practices in Google Workspace.
It’s pretty common these days to see web apps that allow you to sign up for their service by using an existing Google account. This can be convenient because it reduces the number of login credentials you have to keep track of, but it also introduces some risks.
Under the hood, you’re gaining access to these services by approving an OAuth request. When you approve an OAuth request, you are giving the web app permissions to your Google account. Sometimes these permissions are as little as being able to see what your email address is. Other times, it might require more intrusive access like write permissions to your Google Drive or Google Calendar.
As a Google administrator for your business, you should periodically (at least once per year) review the apps that are linked to accounts in your organization. Better yet, you can set up your Google Workspace in a way that requires administrator approval before regular accounts can grant OAuth requests for their account. You can read more about how to lock down your company’s Google-linked apps on this Google Support page.
This one gets harped on a lot, but it simply can’t go unmentioned: make sure you are enforcing strong authentication policies on your Google accounts.
This can include requiring a minimum password length and complexity and requiring multi-factor authentication (MFA). The best protection you can add to your accounts, however, is to require a physical key to authenticate. In 2017, all of Google’s own employees were required to use a physical key for authentication. In a two-year study conducted within their organization, Google saw a zero per cent compromise rate when an employee was successfully phished but had a physical key as their additional authentication factor. Even using a one-time password as a second factor had a failure rate of at least three per cent.
For physical key authentication at your organization, Google Workspace allows you to use a smartphone or a U2F/FIDO-compatible key like a Yubikey. As an administrator, you can choose what makes the most sense for your business when it comes to MFA. However, if you opt not to require MFA at all, you will likely see a lot more unauthorized access to accounts in your organization.
If your business deals with extremely sensitive data and you can’t take any chances with internal employees exfiltrating data themselves, you may want to restrict Google Drive access to only approved company devices. Why would that be helpful? Well, once Google Drive files are downloaded to personal devices, the audit trail and visibility you have as an administrator ends.
We would all like to think that our employees wouldn’t steal company data, but as an admin or security personnel, it’s your job to make sure that can’t happen. By restricting access to only company devices, you can ensure that visibility and data loss prevention controls are retained even after files are exported from Google Drive.
To set up approved devices, Google Workspace administrators can use Context-Aware Access, which lets you define approved devices by location, security status, IP address, and other attributes. You’ll definitely want to do lots of testing before deploying these rules, or you risk locking your employees out of their accounts and disrupting business processes.
One more thing you can do to protect your employees’ Google credentials is to try to prevent them from using the same credentials elsewhere. If you use your work credentials on a 3rd party site and that site gets breached, the malicious party can use those credentials to get into your Google Drive as well! As an administrator, how can you police password reuse? Luckily, Google provides something that can help.
Google has created a Chrome extension called Password Alert, which will alert you if you enter your Google password into any page that isn’t Google’s sign-in page. This is handy for detecting when you’ve been phished, but it will also alert you if you use the same password on other legitimate websites. As an administrator, it would be a good idea to force-install this extension on your employees’ computers (after educating them to use unique passwords and why that’s important).
The last best practice we will cover in this article also has to do with insider risk. When you have an employee leave your company, you need to make sure that their access to Google Drive is revoked properly.
There are lots of different reasons for an employee to take data with them when they leave the company. They could try to steal data for malicious reasons, be leaving for a competitor, or simply try to take files because they want to hold on to their work. Whatever the reason, it’s important to ensure that your offboarding process includes the following key things:
→ Transferring file ownership to ensure that their data is available after they leave
→ Revoking access to the employee’s Google account as soon as their employment ends
→ Deleting the employee’s account after a set time period
→ Automating the above steps to ensure that it happens every time
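The offboarding steps above as one script, added here and not taken from the article or from Google: it drives the Admin SDK Directory and Data Transfer APIs through google-api-python-client, suspends the account before anything else, moves Drive ownership to a named successor, and deletes the account only once a retention period has passed. The application name "Drive and Docs", the scope URLs and the PRIVACY_LEVEL transfer parameter are taken from the public API documentation as I recall it, and every address and the 90-day retention period are placeholders.

```python
# Added example, not from the original article or from Google: the four
# offboarding steps (transfer, revoke, delete after a period, automate) on the
# Admin SDK Directory and Data Transfer APIs. Assumptions: the application is
# listed as "Drive and Docs", scopes and PRIVACY_LEVEL are as publicly
# documented, and all addresses and the retention period are placeholders.
from datetime import timedelta

def build_services():
    """Real clients; imported lazily so the rest of the module works offline."""
    from googleapiclient.discovery import build  # pip install google-api-python-client
    import google.auth                            # application default credentials
    creds, _ = google.auth.default(scopes=[
        "https://www.googleapis.com/auth/admin.directory.user",
        "https://www.googleapis.com/auth/admin.datatransfer"])
    return (build("admin", "directory_v1", credentials=creds),
            build("admin", "datatransfer_v1", credentials=creds))

def offboard_user(directory, datatransfer, leaver, new_owner):
    """Suspend the leaver first (cuts access), then hand their Drive to new_owner."""
    directory.users().update(userKey=leaver, body={"suspended": True}).execute()
    apps = datatransfer.applications().list(customerId="my_customer").execute()
    drive_app = next(a for a in apps["applications"] if a["name"] == "Drive and Docs")
    old_id = directory.users().get(userKey=leaver).execute()["id"]
    new_id = directory.users().get(userKey=new_owner).execute()["id"]
    transfer = datatransfer.transfers().insert(body={
        "oldOwnerUserId": old_id, "newOwnerUserId": new_id,
        "applicationDataTransfers": [{"applicationId": drive_app["id"],
            "applicationTransferParams": [
                {"key": "PRIVACY_LEVEL", "value": ["PRIVATE", "SHARED"]}]}]}).execute()
    return transfer["id"]  # poll transfers().get(dataTransferId=...) for completion

def deletion_due(suspended_on, today, retention_days=90):
    """True once the retention period since suspension has elapsed."""
    return today >= suspended_on + timedelta(days=retention_days)

def delete_if_due(directory, leaver, suspended_on, today, retention_days=90):
    """Run daily: deletes the suspended account only when retention has passed."""
    if not deletion_due(suspended_on, today, retention_days):
        return False
    directory.users().delete(userKey=leaver).execute()
    return True

if __name__ == "__main__":
    directory, datatransfer = build_services()
    print(offboard_user(directory, datatransfer,
                        "leaver@example.com", "manager@example.com"))
```

Keep the suspension date alongside the leaver's address in whatever ticket or job store drives the daily run, since the Directory API does not report when an account was suspended.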
Clearly, there’s a lot to consider when it comes to securing your company’s data in Google Drive, and it’s hard to get it all right. But if you get better over time at each of the above best practices, your business will soon become extremely good at managing and sharing Google Drive data in a safe way.