Checklist: How to secure Google Workspace
The definitive guide on how to clean up security in Google Workspace
Today’s internet-centric world feels a lot like the wild west. Constant threats everywhere and dangers lurking around every corner for both individuals and modern businesses. In our Wrangling in the Wild West series, we explore how IT and security teams can combat the lawlessness and chaos by cleaning up a variety of security and privacy risks across the SaaS tools that they’re responsible for.
For countless companies around the world, Google Workspace has become the de facto collaboration platform for teams to work together, share documents and files, and store sensitive information.
However, for Google Workspace administrators managing their accounts, this level of adoption raises a very interesting question that many have yet to consider. How do teams ensure the security of their users and data stored in Google Workspace? Where do they even start?
Security incidents in Google Workspace are not all that rare with so many avenues for things to go wrong:
- User security: If an employee’s account is compromised, what could a bad actor get access to?
- Misconfigurations: If a discreet setting is set the wrong way, what could be exposed as a result?
- File security: If a file is shared publicly, what kind of sensitive information might be exposed?
- Shadow IT: If a malicious third-party app is granted elevated access, what might they be able to do?
- PII: If someone adds sensitive customer data to documents or files, what privacy risks might be allowed?
In this guide, we’ll wrangle in these five areas of Google Workspace security, cover how IT and security teams can effectively reduce their security risks, and reveal how Vectrix security scans can continuously monitor for these same issues so that your company, employees, and customers stay secure.
Google Workspace User Security
In Google Workspace, user security is the first stop when it comes to cleaning up security risks across an account. As they say, to err is human, and it is no different for the users in your account who may inadvertently leave themselves and your company’s data vulnerable. Follow the checkpoints below to ensure that you’ve done what’s necessary to keep your Google Workspace users safe.
3 checks to ensure the security of your users:
❑ Review active users
In the admin console, navigate to the Users list within the Directory tab and review the names of the active users in your account. Ask questions like:
Does this person work here? Are they still employed? When was the last time they logged in?
These kinds of questions will give you a good idea about any further action that should be taken and will help you minimize security risk with any inappropriate access. For example, if you identify an active user that left your company months ago, suspend their access or delete their account, and then document the change for future record-keeping.
❑ Ensure appropriate permissions
You can review user permissions in two different ways: one to review users with Admin access and one to review the permissions of each individual user.
To review users with admin access, navigate to the Users list within the Directory tab and add the filter Admin Role, selecting Super Admin and Delegated Admin. Review the identified users and confirm that it is appropriate for them to have this elevated form of access in Google Workspace.
To review the permissions of individual users, navigate to the user in question, locate the section labeled Admin role and privileges, and verify that the roles and permissions shown there are accurate for the user you are reviewing. Ask questions like:
Should this person have access to this? Do they need access to this?
Adjust access so that what they have is only what they need and nothing more (following the Principle of Least Privilege).
❑ Verify 2-Step Verification is enabled
To establish the highest level of protection, confirm that your users are following best security practices, primarily by enabling 2-Step Verification, also known as Two-Factor Authentication (2FA). 2FA helps verify that a user signing into their account is the actual person they say they are.
To review users' 2-Step Verification status, navigate to the Users list within the Directory tab and click the gear symbol in the top right corner of the User table. Add the column 2-Step Verification enrollment and simply review the list for users who do not have the feature enabled. Alternatively, for a more convenient solution, utilize the Vectrix Google Workspace scan to instantly view a comprehensive list of users without 2FA and be alerted automatically when new users don’t enable 2FA.
After identifying users without 2FA enabled, be sure to reach out and request that they set up 2-Step Verification for their account immediately—no more than a 5-minute effort.
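The three user checks above can also be run over exported user records. The following is an added example, not part of the original guide or any Vectrix tooling: it assumes records shaped like Admin SDK Directory API user resources, and the sample accounts and the 90-day staleness threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records; field names follow the Admin SDK Directory API
# user resource. The accounts themselves are made up.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False, "isAdmin": True,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": True,
     "lastLoginTime": "2024-05-28T09:12:00.000Z"},
    {"primaryEmail": "bob@example.com", "suspended": False, "isAdmin": False,
     "isDelegatedAdmin": True, "isEnrolledIn2Sv": False,
     "lastLoginTime": "2024-05-30T17:40:00.000Z"},
    {"primaryEmail": "carol@example.com", "suspended": False, "isAdmin": False,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": False,
     "lastLoginTime": "2023-11-02T08:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "suspended": False, "isAdmin": False,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": True,
     "lastLoginTime": "1970-01-01T00:00:00.000Z"},  # epoch value: treated as never signed in
    {"primaryEmail": "erin@example.com", "suspended": True, "isAdmin": False,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": False,
     "lastLoginTime": "2022-01-10T10:00:00.000Z"},
]

def parse_time(value):
    """Parse a UTC timestamp of the form 2024-05-28T09:12:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def audit_users(users, now, stale_after_days=90):
    """Return the three review lists from the checklist, for active users only."""
    cutoff = now - timedelta(days=stale_after_days)
    report = {"stale": [], "admins": [], "no_2sv": []}
    for u in users:
        if u.get("suspended"):
            continue  # already locked out; not part of the active-user review
        email = u["primaryEmail"]
        if parse_time(u["lastLoginTime"]) < cutoff:
            report["stale"].append(email)    # "When was the last time they logged in?"
        if u.get("isAdmin") or u.get("isDelegatedAdmin"):
            report["admins"].append(email)   # Super Admin or Delegated Admin
        if not u.get("isEnrolledIn2Sv"):
            report["no_2sv"].append(email)   # needs a 2-Step Verification follow-up
    return report

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for check, emails in audit_users(SAMPLE_USERS, now).items():
        print(f"{check}: {', '.join(emails) or 'none'}")
```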
Google Workspace Settings Security
In Google Workspace, account settings are a commonly overlooked area when it comes to minimizing security risks. Misconfigured settings, or settings that simply aren’t following best practice, can easily lead to a wide range of increasingly severe security issues due to the variety of settings in an administrator’s control. Follow the checkpoints below to ensure that you’ve done what’s necessary to keep your Google Workspace settings secure.
5 checks to ensure the security of your settings:
❑ Enforce strong passwords
It’s important to set minimum password strength requirements to make sure that bad actors are not able to easily gain access to a user account.
Review your account’s minimum password requirements by navigating to the Settings page under the Security tab in the admin console, and locating the section labeled Password Management. Here, apply best practices to your password policy by first enabling Enforce Strong Passwords. Require the password length to be at least 8 characters in length and disable Allow Password Reuse. Lastly, add a password expiration under Expiration to avoid leaked passwords being used beyond a certain time frame in a worst case scenario.
❑ Enforce 2-Step Verification policies
To assure that user accounts are protected and are accessed by only their authorized individual, enforce a 2-Step Verification policy for all users in your Google Workspace account.
To do this, navigate to the Settings page under the Security tab in the admin console and locate the section labeled 2-Step Verification. Here, confirm that the setting Allow users to turn on 2-Step Verification is enabled and that Enforcement is set to On.
❑ Enforce minimum session control
To limit the risk of inappropriate access from sources like shared computers, it is best practice to enforce minimum session controls. Minimum session controls ask users to log in again after a certain amount of time to verify the person using the account is who they say they are.
Navigate to the Settings page under the Security tab in the admin console and locate the section labeled Google Session Control. Here, set the Web Session Duration so that users must sign in again at least every 30 days, preferably even more frequently.
❑ Review Less Secure Apps settings
Navigate to the Settings page under the Security tab in the admin console and locate the section labeled Less Secure Apps. Here, select the setting Disable access to less secure apps (Recommended), if not done so already.
❑ Enable security rules
Navigate to the Rules page under the Security tab in the admin console. Here, review each of the security rules provided by Google by default and enable the Rules and Alerts that suit your security needs.
Google Workspace File Security
In Google Workspace, the security of your files, folders, and drives is of obvious importance and the highest priority. Unfortunately, Google administrators don’t always have great insight into what has been shared with whom, leaving them with a critical blind spot into the security of their information. Follow the checkpoints below to ensure that you’ve done what’s necessary to safeguard your Google Workspace files, folders, and drives.
3 checks to ensure the security of your files:
❑ Review default Drive and Docs settings
Navigate to the Drives and Docs page under the Google Workspace drop down in the Apps tab. Here, locate the section labeled Sharing Settings and review each of the included configurations, modifying the setting to the preferred level of security.
❑ Review user access to shared drives
Navigate to the Drives and Docs page under the Google Workspace drop down in the Apps tab. Here, locate the section labeled Manage Shared Drives. For each shared drive in the list, review user access by clicking Manage Members while hovering over the shared drive. Confirm that the users with access have the appropriate access level (Manager, Commenter, etc.).
Next, for each shared drive, review their sharing settings by clicking Settings while hovering over the shared drive. Modify each drive’s settings to your desired level of security based on the context of the drive and the files it holds.
❑ Review user access and sharing settings to sensitive files and folders
For particularly sensitive files and folders, it may be a good idea to review who can access and share them on an individual basis. To do this, navigate to the file or folder in question within Google Drive and open up its Sharing Settings. When performing your review, ask questions like:
Who has access and are any of them external parties? What level of access is granted? What are the existing sharing settings and can anyone with a link view the file?
If you find any sensitive files with the wrong sharing settings, be sure to make adjustments immediately to avoid potential data leaks.
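The review questions above can be applied mechanically to a file's permission list. This is an added example, not part of the original guide: it assumes permission entries shaped like Drive API v3 permission resources, and `COMPANY_DOMAIN`, the file names and the grantees are constructed.

```python
COMPANY_DOMAIN = "example.com"  # assumption: your organization's primary domain

# Constructed sample; each entry uses Drive API v3 permission fields
# (type, role, emailAddress, domain, allowFileDiscovery).
SAMPLE_FILES = [
    {"name": "Q3 payroll.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "Customer list", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "vendor@partner.test"}]},
    {"name": "Team handbook", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
]

def classify(perm, company_domain):
    """Return a finding label for one permission, or None if it stays in-house."""
    company_domain = company_domain.lower()
    ptype = perm["type"]
    if ptype == "anyone":
        # allowFileDiscovery False is "anyone with the link"; True is publicly searchable.
        return "public-searchable" if perm.get("allowFileDiscovery") else "anyone-with-link"
    if ptype == "domain":
        return None if perm.get("domain", "").lower() == company_domain else "external-domain"
    # user or group: compare the grantee's mail domain with the company's.
    # A missing address yields an empty domain and is flagged rather than trusted.
    domain = perm.get("emailAddress", "").rsplit("@", 1)[-1].lower()
    return None if domain == company_domain else "external-" + ptype

def audit_sharing(files, company_domain=COMPANY_DOMAIN):
    """Return (file name, finding, role, grantee) for every risky permission."""
    findings = []
    for f in files:
        for perm in f["permissions"]:
            finding = classify(perm, company_domain)
            if finding:
                grantee = perm.get("emailAddress") or perm.get("domain") or "anyone"
                findings.append((f["name"], finding, perm["role"], grantee))
    return findings

if __name__ == "__main__":
    for row in audit_sharing(SAMPLE_FILES):
        print(" | ".join(row))
```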
Shadow IT in Google Workspace
Today, Google Workspace users often use their individual accounts to create new accounts and sign in to other third-party applications, sometimes under the radar of their IT teams—otherwise known as Shadow IT. While Shadow IT poses a variety of security risks for teams and administrators, one of note is the access that these third-party applications are granted, including access to files, emails, calendars, and more. Follow the checkpoints below to ensure that you’ve done what’s necessary to protect your Google Workspace against unsolicited third-party access.
Check to ensure the security of third-party access:
❑ Review connected third-party apps for each user
To see which third-party applications your users may be accessing via their Google sign in (and what data they might be granting access to), navigate to the Users list within the Directory tab and click into the user whose third-party app access you want to review.
Locate the section labeled Security, and once inside, review the section titled Connected Applications. Here you’ll find a list of the applications connected by the user in question, as well as the kind of access granted. For suspicious and unapproved applications, you’ll have the ability to remove access by hovering over the application name and clicking the trash bin icon.
Unfortunately, Google does not currently support a consolidated view of third-party access and requires you to review this information on a user-by-user basis. Save time and energy by using Vectrix Google Workspace scan to see all the third-party access granted by your users in one place.
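Per-user connected-app records can be merged into a single per-application view for this review. This is an added example, not part of the original guide or Vectrix's scan: it assumes records shaped like Admin SDK Directory API token resources collected for each user, and the apps, client IDs and the short `BROAD_SCOPES` list are constructed for illustration.

```python
# Scopes this example treats as broad access to files, email or calendars.
# The selection is an assumption; extend it to match your own policy.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "files",
    "https://mail.google.com/": "email",
    "https://www.googleapis.com/auth/gmail.readonly": "email",
    "https://www.googleapis.com/auth/calendar": "calendars",
}

# Constructed sample: user -> that user's connected-app tokens.
# Fields (clientId, displayText, scopes) follow the Directory API token resource.
SAMPLE_TOKENS = {
    "alice@example.com": [
        {"clientId": "111.apps.example", "displayText": "Notes Sync",
         "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
        {"clientId": "222.apps.example", "displayText": "Login Only",
         "scopes": ["openid", "email"]},
    ],
    "bob@example.com": [
        {"clientId": "111.apps.example", "displayText": "Notes Sync",
         "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
    ],
}

def consolidate(tokens_by_user):
    """Merge per-user tokens into one row per app: (clientId, name, users, access)."""
    apps = {}
    for user, tokens in tokens_by_user.items():
        for t in tokens:
            app = apps.setdefault(
                t["clientId"],
                {"name": t.get("displayText", ""), "users": set(), "access": set()})
            app["users"].add(user)
            # Union of broad data categories granted by any user of this app.
            app["access"].update(
                BROAD_SCOPES[s] for s in t.get("scopes", []) if s in BROAD_SCOPES)
    rows = [(cid, a["name"], sorted(a["users"]), sorted(a["access"]))
            for cid, a in apps.items()]
    # Review order: broadest access first, then widest adoption, then client ID.
    return sorted(rows, key=lambda r: (-len(r[3]), -len(r[2]), r[0]))

if __name__ == "__main__":
    for cid, name, users, access in consolidate(SAMPLE_TOKENS):
        print(f"{name} ({cid}): users={users} broad_access={access or 'none'}")
```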
PII in Google Workspace
In Google Workspace, it’s far too easy to mistakenly allow personally identifiable information (PII)—especially that of your customers—to be entered into your documents and files. From names and emails to SSNs and credit card numbers, PII leaks are a prominent security concern. Follow the checkpoints below to ensure that you’ve done what’s necessary to keep PII out of your Google Workspace files and folders.
Check to ensure the security of PII:
❑ Review the data protection page
To get a high-level overview of how sensitive data might be used across your files, navigate to the Data Protection page under the Security tab in the admin console. Here, review the breakdowns of data used in your files, how they’ve been used and shared, and more. Ensure that you stay up to date with how data is being handled by enabling Data Scanning and Report at the bottom of the page.
Wrangling it all together
While most IT and security teams recognize the inherent security risk that Google Workspace introduces, being a Google Workspace administrator is usually just one part of their job. It’s not uncommon for smaller teams to not know where to begin or where to look for security issues in the first place.
Guides like these can help clean up what was problematic to start, but things change, and it’s important to recognize that without frequent, ongoing monitoring, these same issues can be reintroduced just as quickly as they were fixed. So if one-time reviews aren’t enough for you and your organization, check out the Vectrix platform to see which SaaS tools you can scan and continuously monitor for security issues in just a few clicks.