Best Practices for Google Workspace Security

Iain Roberts by Published On - 11.16.2021   Data Security

Best Practices for Google Workspace Security

Google Workspace (formerly known as G Suite) is a cloud-based storage and collaboration platform, which provides all users with a Gmail account and a suite of apps, some of which include; Calendar, Docs, Sheets, Slides, Drive, Meet and Forms.

What’s the Benefit of Google Workspace?

Of course, anyone can get a Gmail account for free, as well as access to various Google applications such as Docs, Slides, and Sheets. So, what’s the point of paying for Google Workspace? Well, because paying customers are given more resources, features and flexibility over their environment.

To start with, as of October 6, 2020, Google Workspace users can access all applications via a single control panel. Google Workspace also allows organizations to setup customized email addresses. For example, instead of using bob123@gmail.com, which doesn’t look very professional, they could choose something like bob@companyname.com.

Perhaps the most notable feature of Google Workspace is the ability for teams to collaborate on documents in real-time. Not only can multiple users open the same document, but they can also add comments and suggested edits, which will be visible to all users immediately.

Content producers also have complete control over who can see their documents. To grant access to a document, they can either enter the email address of who they want to share the document with, or simply send them a link. Paying customers will also have more storage space in Google Drive.

What are the Downsides to Using Google Workspace?

The most commonly cited criticism of Google Workspace is actually more of a general criticism of cloud-based collaboration platforms. For example, customers and business associates may already use Office 365, and may not be willing to change their habits. In some cases, this same problem arises even within a single organization, where different departments are using different collaboration tools.

Google Workspace Security Tips and Best practices

Google Workspace administrators are presented with a wealth of security settings, which they will need to learn in order to effectively keep their environment secure. For example, they can review a list of all user accounts and devices and disable or remove those accounts and devices accordingly. They can also review and manage Google Workspace apps, Additional Google Services, Marketplace Apps, and any apps that connect to Google Workspace via SAML (Security Assertion Markup Language). Administrators also have the ability to validate Google Workspace mail exchange records.

By configuring the Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC), they can block emails that are sent from outside of their organization. Below are some additional steps that administrators can take to keep their Google Workspace secure.

Enable 2-Step Verification

Enabling 2-Step verification will mean that users are required to provide an additional authentication method in order to sign-in to their Google Workspace account. This could be a Security Key, Google Prompt, Google Authenticator, or some other method.

Install the Password Alert Extension

Google provides a chrome browser extension that can help to keep your passwords secure. The Password Alert extension is designed to help prevent phishing/spoofing attacks. Basically, the extension will send you an alert if you try to use your Google account password on a non-Google website. If you receive such an alert, and you don’t recognize the activity, it’s probably a good idea to change your password(s) immediately. Before August 31, 2020, Google also provided a Password Checkup extension, although this extension has now been deprecated, as it is now integrated into the Chrome browser itself.

Use Google Workspace’s Mobile Management Solution

Google Workspace provides a basic device management feature, which is enabled by default. This allows administrators to configure security controls for any devices that access their environment, without needing their employees to install any additional applications on their device. Google also provides an advanced mobile management solution, which comes with a number of additional features, such as remote device wiping, strong passcode enforcement, security policies, and more. As you might expect, certain features are not available in Business Starter and Standard, Essentials, or Cloud Identity Free.

Enable Advanced Phishing and Malware Protection

The advanced phishing and malware protection features are designed to protect you against suspicious attachments and scripts from untrusted senders. It will identify links behind short URLs, scan linked images for malicious content, and display a warning when you click links to untrusted domains. It also provides protection against email spoofing. Google are now beginning to apply machine learning (ML) models to improve the way they detect and respond to phishing and malware threats.

Only Allow Access to Whitelisted Domains

Within the Admin console in Google Workspace, administrators can add domains to a whitelist/allowlist, and thus restrict access to these domains in order to minimize the risk of data leakage/exfiltration. They can also set up warning messages which will appear when a user tries to share data with an unauthorized domain. This can be helpful to ensure that employees don’t accidentality send data to the wrong recipient.

Keep an Eye on Google’s Security Health Recommendations

Enterprise customers will have access to security health recommendations, which are customized according to the threats associated with their accounts and data. Google Workspace will monitor your accounts for trends specifically relating to how your data is stored and shared and give you visibility into any spam/malware that is targeting your organization. The security health recommendations can be found in the Security Center.

How Lepide Helps

Naturally, in order to keep your sensitive data secure, you need to know where it is located and know how and when it is being accessed and shared. This includes keeping track of which applications are consuming sensitive data.

The Lepide Data Security Platform will provide a summary of this information via an intuitive dashboard, where you can also generate pre-defined compliance reports. Such platforms will track logins to Google Workspace, track changes made to sensitive data in Google Drive, as well as any administrative changes.

You can setup real-time alerts that will be delivered to your mobile app or email address, and you can even integrate the solution into your existing SIEM, assuming you use one.

If you’d like to see how the Lepide Data Security Platform can secure your sensitive data in Google Workspace, schedule a demo with one of our engineers or start your free trial today.

Comments are closed.