Google Drive has become an invaluable data storage facility for many organizations, as it enables employees to collaborate on projects, regardless of where they are located in the world.
Is Google Drive Safe for Business?
Of course, Google takes security very seriously. However, as with any cloud service provider, there are inherent risks that you need to be aware of. The most obvious risk is that you are essentially trusting a third party with your valuable company data, and let’s face it, Google is a prime target for hackers.
How to Improve Google Drive Security
Below are some examples of Google Drive’s security features, as well as some additional information to help secure your data on Google Drive.
Use Two-Factor Authentication
There are many different ways that an attacker can steal your credentials. They can try brute force attacks, social engineering and keylogging. In many cases, people use the same credentials on multiple platforms. If an attacker gains access to those credentials, they will likely try to use them to gain access to other accounts that use the same credentials.
Two-factor authentication is more robust than the standard username and password approach, as it includes additional factors, such as something you have or something you are. To set up 2FA on your Google Drive account, you will need to log in to your Google Account, select Security from the navigation panel, and then under Signing in to Google, select 2-Step Verification, and follow the steps.
Once set up, you will be asked to enter a code, which Google will send to your phone via text message, in addition to your username and password.
Encrypt Your Data before Transfer
As mentioned, Google takes security very seriously. For example, when they store your data, the data itself is broken up into chunks and spread across multiple data centres around the world. Each chunk is encrypted with its own key, which means that in the unlikely event that an attacker manages to get access to your Google Drive account, they would need all of the decryption keys to fully retrieve the data.
Google Drive provides 256-bit SSL/TLS encryption for files in transit, which includes uploading, downloading, or accessing the files, and 128-bit AES keys for files at rest. This is great; however, the problem is that Google owns the decryption keys.
In most cases, this is not a problem, but if you are storing large amounts of sensitive data, you will probably want an additional layer of protection. Not only that, but Google obviously cannot provide an encryption service for files that are transferred from your local network or device to Google Drive.
This opens up a large security risk, as hackers are often looking to intercept files in transit. You will therefore need to ensure that your files are encrypted before they are uploaded to Google Drive. This may seem like a lot of unnecessary hassle; however, there are various third-party tools available, such as Boxcryptor or Cryptomator, which can streamline the process, providing all the benefits of data encryption with minimal effort.
Discover and Classify Your Sensitive Data
The data that organizations store on Google Drive is unstructured, meaning it doesn’t fit in a traditional relational database. Examples of unstructured data include photos, videos, mp3s, spreadsheets, Word documents, PowerPoint presentations, and so on.
The problem with unstructured data is that it is not easy to identify which files contain sensitive data within them. To help with this, there are solutions available that scan your unstructured data for sensitive data and classify the data accordingly.
They can automatically identify a wide range of data types, such as PII, PHI, PCI, IP and so on. Knowing exactly what data you have, where it is located, and how sensitive the data is, will help you make a better decision about whether you should store the data in the cloud, and the level of encryption that is required if you do.
In most cases, it wouldn’t be a good idea to store customers’ credit card numbers on Google Drive. If you really need to do this, make sure that you have a very robust encryption strategy in place.
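The kind of scan described in this section can be sketched as follows. This is an added example, not code from any classification product: it labels text as PCI when it contains a card-number candidate that passes the Luhn checksum, and as PII when it contains an e-mail address. The file names, contents and the two patterns are constructed for illustration, and the card number is a widely published test number.

```python
import re

# Card-number candidates: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Deliberately simple e-mail matcher, standing in for a wider set of PII rules.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return {label: [evidence]} for the sensitive data types found in text."""
    findings = {}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drops order IDs and other long numbers
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.setdefault("PCI", []).append(masked)
    for m in EMAIL_RE.finditer(text):
        findings.setdefault("PII", []).append(m.group())
    return findings


def scan(files: dict) -> dict:
    """Classify every file body and keep only the files that contain sensitive data."""
    results = {name: classify(body) for name, body in files.items()}
    return {name: found for name, found in results.items() if found}


# Constructed sample content; 4111 1111 1111 1111 is a published test card number.
SAMPLE_FILES = {
    "orders.csv": "id,card\n1001,4111 1111 1111 1111\n1002,4111-1111-1111-1112\n",
    "contacts.txt": "Reach Jane at jane.doe@example.com for the invoice.",
    "notes.txt": "Ticket 1234567890123456 was closed on Friday.",
}

if __name__ == "__main__":
    for name, found in scan(SAMPLE_FILES).items():
        print(name, found)
```

The Luhn check is what keeps the 16-digit ticket number in notes.txt and the mistyped card in orders.csv from being reported as card data.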
Use Endpoint Management in G Suite
Organizations that have upgraded to G Suite Basic will have access to endpoint management tools, which come with a centralized dashboard to help organizations manage which devices have access to company data.
You can set password requirements for managed mobile devices, wipe a user’s account from a mobile device and manage apps for Android devices. You can also control which laptops and desktops can access your organization’s data and get details about those devices. You can block devices, sign them out remotely, require screen locks, and keep track of who is logging in, on which device, where and when, and what they are doing.
Naturally, it is a good idea to have as much control as possible over which devices can access your sensitive data, and how.
Back Up Your Data
Even though many users use Google Drive to back up data from their local hard drive, companies will need to keep regular backups of any business-critical data they store in Google Drive. You can use the Drive File Stream service to automate the backup process, which allows you to sync your local hard drive with Google Drive.
Control Permissions to Apps, Services and Data
Regardless of where you store your sensitive data, you should always try to adhere to the principle of least privilege (PoLP), which stipulates that users should be granted the least privileges they need to adequately carry out their role.
As an administrator, it is possible to control which users can access which apps, services and data. Controlling access to files is relatively straightforward. For example, to stop sharing a file with someone, you simply select the file or folder, click the Share icon, select the relevant user, and then remove them from the list.
Likewise, to prevent users from downloading, printing and copying a certain file, you can uncheck the option that says Viewers and commenters can see the option to download, print, and copy. You even have the option to set an expiry date of up to one year on file shares.
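The same sharing settings can be reviewed in bulk rather than file by file. The following is an added example, not Google's code: it audits file metadata shaped like Drive API v3 file resources and flags link sharing, external shares, external shares with no expiry date, and files where viewers can still download, print and copy. The company domain, file names and accounts are constructed assumptions.

```python
# Assumption: the organization's own domain; any other domain is external.
COMPANY_DOMAIN = "example.com"
VIEW_ROLES = {"reader", "commenter"}


def audit_file(meta: dict) -> list:
    """Return least-privilege findings for one Drive API v3 file resource."""
    findings = []
    perms = meta.get("permissions", [])
    for perm in perms:
        if perm["type"] == "anyone":
            findings.append(f"link-shared with anyone as {perm['role']}")
            continue
        # Users and groups carry emailAddress; domain-wide shares carry domain.
        target = perm.get("emailAddress") or perm.get("domain", "")
        if target.rpartition("@")[2].lower() != COMPANY_DOMAIN:
            findings.append(f"external {perm['role']}: {target}")
            if "expirationTime" not in perm:
                findings.append(f"no expiry date on external share: {target}")
    # The "Viewers and commenters can see the option to download, print, and
    # copy" checkbox is the copyRequiresWriterPermission field in the API.
    has_viewers = any(p["role"] in VIEW_ROLES for p in perms)
    if has_viewers and not meta.get("copyRequiresWriterPermission", False):
        findings.append("viewers and commenters can download, print and copy")
    return findings


def audit(files: list) -> dict:
    """Map file name to findings, omitting files with nothing to report."""
    report = {f["name"]: audit_file(f) for f in files}
    return {name: found for name, found in report.items() if found}


# Constructed sample metadata (not real accounts), shaped like files.list
# output requested with fields=files(name,copyRequiresWriterPermission,permissions).
SAMPLE = [
    {"name": "payroll.xlsx", "copyRequiresWriterPermission": False, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "auditor@partner.test"},
        {"type": "anyone", "role": "reader"}]},
    {"name": "handbook.pdf", "copyRequiresWriterPermission": True, "permissions": [
        {"type": "domain", "role": "reader", "domain": "example.com"},
        {"type": "user", "role": "commenter", "emailAddress": "temp@agency.test",
         "expirationTime": "2030-01-01T00:00:00.000Z"}]},
    {"name": "roadmap.docx", "copyRequiresWriterPermission": True, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "pm@example.com"}]},
]
```

Calling audit(SAMPLE) reports four findings for payroll.xlsx, one for handbook.pdf and none for roadmap.docx.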