Checklist: How to secure Google Workspace
The definitive guide on how to clean up security in Google Workspace
Today’s internet-centric world feels a lot like the wild west: constant threats everywhere and dangers lurking around every corner for both individuals and modern businesses. In our Wrangling in the Wild West series, we explore how IT and security teams can combat the lawlessness and chaos by cleaning up a variety of security and privacy risks across the SaaS tools that they’re responsible for.
For countless companies around the world, Google Workspace has become the de facto collaboration platform for teams to work together, share documents and files, and store sensitive information.
However, for Google Workspace administrators managing their accounts, this level of adoption raises a very interesting question that many have yet to consider. How do teams ensure the security of their users and data stored in Google Workspace? Where do they even start?
Security incidents in Google Workspace are not all that rare with so many avenues for things to go wrong:
- User security: If an employee’s account is compromised, what could a bad actor get access to?
- Misconfigurations: If a single setting is set the wrong way, what could be exposed as a result?
- File security: If a file is shared publicly, what kind of sensitive information might be exposed?
- Shadow IT: If a malicious third-party app is granted elevated access, what might they be able to do?
- PII: If someone adds sensitive customer data to documents or files, what privacy risks might be allowed?
In this guide, we’ll wrangle in these five areas of Google Workspace security, cover how IT and security teams can effectively reduce their security risks, and reveal how Vectrix security scans can continuously monitor for these same issues so that you and your company stay secure.
Google Workspace User Security
In Google Workspace, user security is the first stop when it comes to cleaning up and minimizing security risks across an account. As they say, to err is human, and it is no different for the users in your account who may inadvertently leave themselves and your company’s data vulnerable. Follow the checkpoints below to ensure that you’ve done what’s necessary to keep your Google Workspace users secure.
3 checks to ensure the security of your users:
❑ Review active users
In the admin console, navigate to the Users list within the Directory tab and review the names of the active users in your account. Ask questions like “Does this person work here?”, “Are they still employed?”, and “When was the last time they logged in?”. These kinds of questions will give you a good idea of any further action that should be taken and will help you minimize the security risk of inappropriate access.
For example, if you identify an active user that left your company months ago, suspend their access or delete their account, and then document the change for future record-keeping.
❑ Ensure appropriate permissions
You can review user permissions in two different ways; one to review users with Admin access and one to review the permissions of each individual user.
To review users with admin access, navigate to the Users list within the Directory tab and add the filter Admin Role, selecting Super Admin and Delegated Admin. Review the identified users and confirm that it is appropriate for them to have this elevated form of access in Google Workspace.
To review the permissions of individual users, navigate to the user in question, locate the section labeled Admin role and privileges, and verify that the roles and permissions shown there are accurate for the user you are reviewing, asking questions like “Should this person have access to this?” and “Do they need access to this?”. Make changes to ensure that the access they have is only what they need and nothing more (following the Principle of Least Privilege).
❑ Verify 2-Step Verification is enabled
To ensure the highest level of protection, confirm that your users are following best security practices, primarily enabling 2-Step Verification, which helps verify that a user signing into their account is the actual person they say they are.
To review users’ 2-Step Verification status, navigate to the Users list within the Directory tab and click the gear symbol in the top right corner of the User table. Add the column 2-step verification enrollment and simply review the list for users who do not have the feature enabled. Reach out to identified users and request that they set up 2-Step Verification for their account, a 5-minute effort.
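The three user checks above (stale active users, admin roles, and 2-Step Verification enrollment) can also be run in bulk over a directory export. The script below is an added example, not Vectrix code or Google’s; it assumes the JSON shape of an Admin SDK Directory API users.list response (fields primaryEmail, suspended, lastLoginTime, isAdmin, isDelegatedAdmin, isEnrolledIn2Sv) and uses a constructed sample of four users plus a fixed “today” so the result is deterministic.

```python
"""Audit a Google Workspace user list for the three user-security checks.

Added example (not Vectrix or Google code). Assumes the Directory API users.list
field names listed in the lead-in; SAMPLE_USERS is constructed data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of what users.list might return for a small account.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False,
     "lastLoginTime": "2024-05-01T09:12:00.000Z",
     "isAdmin": True, "isDelegatedAdmin": False, "isEnrolledIn2Sv": True},
    {"primaryEmail": "bob@example.com", "suspended": False,
     "lastLoginTime": "2023-09-14T16:40:00.000Z",
     "isAdmin": False, "isDelegatedAdmin": True, "isEnrolledIn2Sv": False},
    {"primaryEmail": "carol@example.com", "suspended": True,
     "lastLoginTime": "2023-01-02T08:00:00.000Z",
     "isAdmin": False, "isDelegatedAdmin": False, "isEnrolledIn2Sv": False},
    {"primaryEmail": "dave@example.com", "suspended": False,
     # Assumption: a user who has never signed in reports the Unix epoch here.
     "lastLoginTime": "1970-01-01T00:00:00.000Z",
     "isAdmin": False, "isDelegatedAdmin": False, "isEnrolledIn2Sv": False},
]

# Fixed reference date so the example is reproducible (constructed).
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)


def parse_login(ts: str) -> datetime:
    """Parse the RFC 3339 timestamp the API uses for lastLoginTime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def stale_active_users(users, now=NOW, max_idle_days=90):
    """Check 1: active (not suspended) users with no sign-in for max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u["primaryEmail"] for u in users
                  if not u.get("suspended", False)
                  and parse_login(u["lastLoginTime"]) < cutoff)


def privileged_users(users):
    """Check 2: super admins and delegated admins, for a least-privilege review."""
    return {u["primaryEmail"]: ("super admin" if u.get("isAdmin") else "delegated admin")
            for u in users if u.get("isAdmin") or u.get("isDelegatedAdmin")}


def users_without_2sv(users):
    """Check 3: active users who have not enrolled in 2-Step Verification."""
    return sorted(u["primaryEmail"] for u in users
                  if not u.get("suspended", False)
                  and not u.get("isEnrolledIn2Sv", False))


def audit(users, now=NOW):
    """Run all three checks and return their findings keyed by check name."""
    return {"stale": stale_active_users(users, now),
            "admins": privileged_users(users),
            "no_2sv": users_without_2sv(users)}


if __name__ == "__main__":
    for check, result in audit(SAMPLE_USERS).items():
        print(f"{check}: {result}")
```

Suspended users are deliberately left out of the stale and 2-Step Verification lists, since they cannot sign in; the admin list includes everyone holding a role so that a suspended admin still shows up for cleanup.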
Google Workspace Settings Security
In Google Workspace, the security of your account’s settings is a commonly overlooked area when it comes to cleaning up and minimizing security risks across an account. Misconfigured settings, or settings that simply aren’t following best practice, can easily lead to a wide range of increasingly severe security issues due to the variety of settings in an administrator’s control. Follow the checkpoints below to ensure that you’ve done what’s necessary to keep your Google Workspace settings secure.
5 checks to ensure the security of your settings:
❑ Enforce strong passwords
It’s important to set minimum password strength requirements to ensure that bad actors are not able to easily gain access to a user account.
Review your account’s minimum password requirements by navigating to the Settings page under the Security tab in the admin console, and locating the section labeled Password Management. Here, apply best practices to your password policy by first enabling Enforce strong passwords if not done already. Require passwords to be at least 8 characters long and disable Allow password reuse, if enabled. Lastly, add a password expiration under Expiration to ensure that any leaked passwords won’t be usable beyond a certain time frame in a worst-case scenario.
❑ Enforce 2-Step Verification policies
To help ensure that user accounts are protected and are accessed by only their authorized individual, enforce a 2-Step Verification policy for all users in your Google Workspace account.
To do this, navigate to the Settings page under the Security tab in the admin console and locate the section labeled 2-Step Verification. Here, confirm that the setting Allow users to turn on 2-Step Verification is enabled and that Enforcement is set to On.
❑ Enforce minimum session control
To limit the risk of inappropriate access from sources like shared computers, it’s best practice to enforce session controls that ask users to sign in again after a set amount of time, confirming that the person using the account is who they say they are.
Navigate to the Settings page under the Security tab in the admin console and locate the section labeled Google session control. Here, set the Web session duration to no more than 30 days, and preferably shorter so that re-authentication happens more frequently.
❑ Review Less Secure Apps settings
Navigate to the Settings page under the Security tab in the admin console and locate the section labeled Less secure apps. Here, select the setting Disable access to less secure apps (Recommended), if not done so already.
❑ Enable security rules
Navigate to the Rules page under the Security tab in the admin console. Here, review each of the security rules provided by Google by default and enable the Rules and Alerts that suit your security needs.
Google Workspace File Security
In Google Workspace, the security of your files, folders, and drives is of obvious importance when it comes to cleaning up and minimizing security risks across an account. Unfortunately, Google administrators don’t always have great insight into what has been shared with whom, leaving them with a critical blind spot into the security of their information. Follow the checkpoints below to ensure that you’ve done what’s necessary to keep your Google Workspace files, folders, and drives secure.
3 checks to ensure the security of your files:
❑ Review default Drive and Docs settings
Navigate to the Drives and Docs page under the Google Workspace drop down in the Apps tab. Here, locate the section labeled Sharing settings and review each of the included configurations, modifying the setting to the preferred level of security.
❑ Review user access to shared drives
Navigate to the Drives and Docs page under the Google Workspace drop down in the Apps tab. Here, locate the section labeled Manage shared drives. For each shared drive in the list, review user access by clicking Manage members while hovering over the shared drive. Confirm that the users with access have the appropriate access level (Manager, Commenter, etc.).
Next, for each shared drive, review their sharing settings by clicking Settings while hovering over the shared drive. Modify each drive’s settings to your desired level of security based on the context of the drive and the files it holds.
❑ Review user access and sharing settings to sensitive files and folders
For particularly sensitive files and folders, it may be a good idea to review who can access and share them on an individual basis. To do this, navigate to the file or folder in question within Google Drive and open up its Sharing settings. Review who has access, what level of access they have, and the existing sharing settings (i.e., can anyone with a link view the file?).
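Reviewing sharing one file at a time does not scale, so the added example below applies the same questions (who has access, at what level, and whether anyone with a link can see it) to a batch of files. It is not Vectrix or Google code; it assumes the shape of a Drive API v3 files.list response requested with the permissions fields type, role, emailAddress, domain and allowFileDiscovery, and the organisation domain example.com and the four sample files are constructed.

```python
"""Flag risky sharing on a batch of Google Drive files.

Added example (not Vectrix or Google code). Assumes Drive API v3 permission
entries; ORG_DOMAIN and SAMPLE_FILES are constructed for the example.
"""
ORG_DOMAIN = "example.com"   # assumption: the organisation's primary domain

SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 board deck", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Customer list.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "contractor@gmail.com"},
        {"type": "domain", "role": "reader", "domain": "example.com",
         "allowFileDiscovery": True}]},
    {"id": "f3", "name": "Team lunch menu", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "f4", "name": "1:1 notes", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"type": "user", "role": "commenter", "emailAddress": "dave@example.com"}]},
]


def classify_permission(perm, org_domain=ORG_DOMAIN):
    """Return (severity, reason) for one permission entry, or None if it is benign."""
    ptype, role = perm.get("type"), perm.get("role")
    if ptype == "anyone":
        # "anyone" is link sharing; allowFileDiscovery additionally makes it searchable.
        if perm.get("allowFileDiscovery"):
            return ("high", f"public on the web ({role})")
        return ("high", f"anyone with the link ({role})")
    if ptype == "domain":
        if perm.get("domain") != org_domain:
            return ("high", f"shared with foreign domain {perm.get('domain')} ({role})")
        if perm.get("allowFileDiscovery"):
            return ("medium", f"discoverable by everyone in {org_domain} ({role})")
        return None
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "")
        if not email.lower().endswith("@" + org_domain):
            return ("medium", f"external {ptype} {email} ({role})")
        return None
    return ("low", f"unrecognised permission type {ptype}")


def audit_sharing(files, org_domain=ORG_DOMAIN):
    """Map file name -> list of findings, omitting files with nothing to report."""
    findings = {}
    for f in files:
        hits = [c for p in f.get("permissions", [])
                if (c := classify_permission(p, org_domain))]
        if hits:
            findings[f["name"]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in audit_sharing(SAMPLE_FILES).items():
        for severity, reason in hits:
            print(f"[{severity}] {name}: {reason}")
```

The severities are this example’s own grading: link sharing is treated as high regardless of role because the link can be forwarded outside the organisation, while an external collaborator or a domain-wide discoverable file is medium and worth a look in the context of the file’s contents.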
Shadow IT in Google Workspace
Today, Google Workspace users often use their individual accounts to create new accounts and sign in to other third-party applications, sometimes under the radar of their IT teams - otherwise known as Shadow IT. While Shadow IT poses a variety of security risks for teams and administrators, one of note is the access that these third-party applications are granted, including access to files, emails, calendars, and more. Follow the checkpoint below to ensure that you’ve done what’s necessary to keep third-party access to your Google Workspace account secure.
Check to ensure the security of third-party access:
❑ Review connected third-party apps for each user
To see which third-party applications your users may be accessing via their Google sign-in (and what data they might be granting access to), navigate to the Users list within the Directory tab and click into the user whose third-party app access you want to review.
Locate the section labeled Security, and once inside, review the section titled Connected applications. Here you’ll find a list of the applications connected by the user in question, as well as the kind of access granted. For suspicious and unapproved applications, you’ll have the ability to remove access by hovering over the application name and clicking the trash bin icon.
Unfortunately, Google does not currently support a consolidated view of third-party access in the admin console and requires you to review this information on a user-by-user basis. Save time and energy by using Vectrix scans to see all the third-party access granted by your users in one place.
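The per-user listing can be turned into an account-wide view with a little code. The added example below is not Vectrix or Google code; it assumes the shape of the Admin SDK Directory API tokens.list response (items with clientId, displayText, scopes, anonymous and nativeApp), and the per-user token lists, the app names and client IDs, and the grouping of scopes into “high risk” and “sign-in only” are all constructed for the example. The scope URLs themselves are real Google OAuth scopes.

```python
"""Consolidate per-user OAuth app grants into one account-wide view.

Added example (not Vectrix or Google code). Assumes the Directory API tokens.list
item fields named in the lead-in; SAMPLE_TOKENS and the scope groupings are
this example's constructed assumptions.
"""

# Scopes granting broad read or write access to user data; treated as high risk here.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                        # full Gmail access
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",           # full Drive access
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/calendar",
}
# Sign-in scopes that expose little beyond the user's identity.
SIGN_IN_ONLY = {"openid", "email", "profile",
                "https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/userinfo.profile"}

# Constructed: {userKey: tokens.list(userKey)["items"]}
SAMPLE_TOKENS = {
    "alice@example.com": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Slack",
         "scopes": ["openid", "email", "profile"], "anonymous": False, "nativeApp": False},
        {"clientId": "222.apps.googleusercontent.com", "displayText": "PDF Merge Pro",
         "scopes": ["https://www.googleapis.com/auth/drive", "email"],
         "anonymous": False, "nativeApp": False},
    ],
    "bob@example.com": [
        {"clientId": "222.apps.googleusercontent.com", "displayText": "PDF Merge Pro",
         "scopes": ["https://www.googleapis.com/auth/drive", "email"],
         "anonymous": False, "nativeApp": False},
        {"clientId": "333.apps.googleusercontent.com", "displayText": "Mail Tracker",
         "scopes": ["https://mail.google.com/"], "anonymous": True, "nativeApp": False},
    ],
    "carol@example.com": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Slack",
         "scopes": ["openid", "email"], "anonymous": False, "nativeApp": False},
    ],
}


def consolidate(tokens_by_user, approved_client_ids=frozenset()):
    """Return {clientId: summary} with users, union of scopes, risk scopes and approval."""
    apps = {}
    for user, items in tokens_by_user.items():
        for tok in items:
            cid = tok["clientId"]
            app = apps.setdefault(cid, {"name": tok.get("displayText", cid),
                                        "users": set(), "scopes": set(),
                                        "anonymous": False})
            app["users"].add(user)
            app["scopes"].update(tok.get("scopes", []))
            # anonymous=True means the client is not registered with Google.
            app["anonymous"] = app["anonymous"] or tok.get("anonymous", False)
    for cid, app in apps.items():
        app["risk_scopes"] = sorted(app["scopes"] & HIGH_RISK_SCOPES)
        app["sign_in_only"] = app["scopes"] <= SIGN_IN_ONLY
        app["approved"] = cid in approved_client_ids
    return apps


def needs_review(apps):
    """Client IDs to look at first: unapproved apps with high-risk scopes or unregistered clients."""
    return sorted(cid for cid, a in apps.items()
                  if not a["approved"] and (a["risk_scopes"] or a["anonymous"]))


if __name__ == "__main__":
    apps = consolidate(SAMPLE_TOKENS, approved_client_ids={"111.apps.googleusercontent.com"})
    for cid in needs_review(apps):
        a = apps[cid]
        print(f"{a['name']} ({cid}): users={sorted(a['users'])} risk={a['risk_scopes']}")
```

Keeping an allow-list of approved client IDs makes the review incremental: a known app only reappears if a user grants it a new, broader scope. For grants you decide to remove, the same Directory API exposes tokens.delete for a given user and client ID.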
PII in Google Workspace
In Google Workspace, it’s far too easy to mistakenly allow personally identifiable information (PII) - especially that of your customers - to be entered into your documents and files. From names and emails to SSNs and credit card numbers, PII leaks are an obvious area of concern when it comes to cleaning up and minimizing security risks across an account. Follow the checkpoints below to ensure that you’ve done what’s necessary to keep PII out of your Google Workspace files and folders.
Check to ensure the security of PII:
❑ Review the data protection page
To get a high-level overview of how sensitive data might be used across your files, navigate to the Data protection page under the Security tab in the admin console. Here, review the breakdowns of data used in your files, how they’ve been used and shared, and more. Ensure that you stay up to date with how data is being handled by enabling Data scanning and report at the bottom of the page.
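Behind any data scanning feature sits pattern matching of the kind the page lists (names, emails, SSNs, credit card numbers). The added example below is not Google’s DLP or Vectrix code; it scans document text for email addresses, US SSNs and card numbers, applying the Luhn checksum to candidate card numbers so that ordinary digit strings are not reported. The sample document is constructed, and the Visa number in it is a well-known test value, not a real card.

```python
"""Scan document text for common PII patterns and produce a redacted copy.

Added example (not Google or Vectrix code). Detectors are regex-based; card
candidates must pass the Luhn check. SAMPLE_DOC is constructed.
"""
import re

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# SSN format AAA-GG-SSSS: area 000, 666 and 900-999 are never issued; group and serial non-zero.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidates: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:       # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str):
    """Return (kind, value) findings in order of appearance."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append((m.start(), "email", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append((m.start(), "ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append((m.start(), "card", m.group()))
    findings.sort()
    return [(kind, value) for _, kind, value in findings]


def redact(text: str) -> str:
    """Mask each finding so a sanitised copy can be shared."""
    labels = {"email": "[EMAIL]", "ssn": "[SSN]", "card": "[CARD]"}
    out = text
    for kind, value in find_pii(text):
        out = out.replace(value, labels[kind])
    return out


# Constructed sample document; 4111 1111 1111 1111 is a public Visa test number.
SAMPLE_DOC = (
    "Customer: Jane Doe <jane.doe@example.org>\n"
    "SSN on file: 123-45-6789\n"
    "Card: 4111 1111 1111 1111 (Visa test number)\n"
    "Order ref: 1234 5678 9012 3456 is not a card\n"
)

if __name__ == "__main__":
    for kind, value in find_pii(SAMPLE_DOC):
        print(f"{kind}: {value}")
    print(redact(SAMPLE_DOC))
```

The Luhn step is what keeps the card detector useful: the order reference on the last line has sixteen digits but fails the checksum, so only the genuine card-shaped number is reported. Names are deliberately absent from the detectors, since they need a dictionary or a model rather than a regex.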
Wrangling it all together
While most IT and security teams recognize the inherent security risk that Google Workspace introduces, being a Google Workspace administrator is usually just one part of their job. It’s not uncommon for smaller teams to not know where to begin or where to look for security issues in the first place.
Guides like these can help clean up what was problematic to start, but things change, and it’s important to recognize that without frequent, ongoing monitoring, these same issues can be reintroduced just as quickly as they were fixed. So if one-time reviews aren’t enough for you and your organization, check out the Vectrix platform to see which SaaS tools you can scan and continuously monitor for security issues in just a few clicks.