When was the last time you talked to someone who still hid their life savings in cash under their mattress?
Just like most people keep their financial assets in digital form, whether in banks, investment portfolios or payment apps, so too most people keep their data assets in digital SaaS systems like Google Drive.
There are plenty of safety advantages to storing assets digitally (for example, they can’t be destroyed by a fire or flood), but there are also accompanying security risks.
This post will take a look at some of the security risks inherent to Google Drive, and provide you with concrete strategies to mitigate or minimize those risks.
Understanding Google Drive Security Risks
There are two major avenues of security risk when it comes to Google Drive. One is your Google Workspace user account; the other is the files and other assets you have stored in Google Drive.
Your Google user account is the more severe avenue of security risk; if it is compromised, it puts all of your Google Workspace applications at risk. A bad actor who has obtained control of your Google user account can exfiltrate or corrupt data from your Google Drive, send malicious emails from your email address, install problematic apps… and the list goes on.
The assets in your Google Drive are often easier for a bad actor to access than your user account - and their exposure can also cause you significant damage.
For example, if your Google Drive houses sensitive personal or corporate information, exposure can lead to identity theft or financial harm (on the personal level) and legal compliance issues or financial and strategic losses (on the corporate level).
How can you prevent this potential harm and loss? Let’s take a look at five critical ways.
5 Ways to Prevent a Google Drive Data Breach
1. Enable Two-Factor Authentication (2FA) and Strong Password Policies
We emphasize that you need two-factor authentication AND strong password policies, because one just isn’t enough.
Even if you make sure that no user chooses a flimsy password like “password123”, passwords can still be obtained by bad actors through phishing campaigns or data breaches that result in username/password combinations being sold in the thousands on the dark web. That’s why you need two-factor authentication: to block bad actors who have found out your users’ passwords.
So why isn’t multi-factor authentication (MFA) enough on its own? Why is it a problem if your users choose “password123”? After all, even if a bad actor easily gets past the password obstacle, they’ll be blocked by the MFA, right?
Well, bad actors are as resilient and resourceful as the rest of us. (Sometimes more so.) And to get over the hurdle of multi-factor authentication, bad actors have developed a technique called MFA bombing, or MFA fatigue. In MFA bombing, bad actors try to log in many, many times - which sends many, many MFA requests to the user. So many MFA requests, in fact, that statistically some users are likely to approve the request just to get the annoying messages to stop coming.
And then the bad actor is past the MFA hurdle - and in.
So stack the numbers in your favor. Put up multiple obstacles, and don’t make any of them easy to get past.
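The MFA bombing pattern described above can be detected from authentication logs. The following is an added example, not code from the original post: it flags users who receive a burst of MFA prompts and marks the case where an approval follows the burst. The event names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of prompts that counts as a burst

# Constructed sample events (timestamp, user, event); names are hypothetical.
SAMPLE_EVENTS = (
    [("2024-05-01T09:00:00", "alice@example.com", "mfa_prompt"),
     ("2024-05-01T09:00:20", "alice@example.com", "mfa_approved")]
    + [(f"2024-05-01T02:1{i}:00", "bob@example.com", "mfa_prompt") for i in range(6)]
    + [("2024-05-01T02:15:30", "bob@example.com", "mfa_approved")]
    + [(f"2024-05-01T03:0{i}:00", "carol@example.com", "mfa_prompt") for i in range(5)]
)

def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Map each user hit by a prompt burst to 'burst' or 'approved_after_burst'."""
    recent = defaultdict(deque)  # user -> prompt times still inside the window
    findings = {}
    for ts, user, kind in sorted(events):
        now = datetime.fromisoformat(ts)
        prompts = recent[user]
        while prompts and now - prompts[0] > window:
            prompts.popleft()  # forget prompts older than the window
        if kind == "mfa_prompt":
            prompts.append(now)
            if len(prompts) >= threshold:
                findings.setdefault(user, "burst")
        elif kind == "mfa_approved" and len(prompts) >= threshold:
            # An approval that lands on top of a burst is the MFA-fatigue pattern:
            # treat the session as suspect and reset the user's credentials.
            findings[user] = "approved_after_burst"
    return findings

if __name__ == "__main__":
    for user, verdict in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(user, verdict)
```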
2. Share Files According to the Principle of Least Privilege
One of the major causes of sensitive information being leaked is a sensitive file being shared too widely.
In a study we did of companies with over 1,000 employees, we found that the average company had 35K sensitive SaaS assets shared publicly.
Why should sensitive corporate data be shared with anyone in the world who has the link? Answer: it shouldn’t. But when users aren’t careful with how they set sharing settings, and they choose the widest possible sharing setting out of convenience, they put your company data security at risk.
The solution to this risk avenue is to enforce sharing according to least privilege: any given asset should be accessible ONLY by people who actually need the asset for their job.
Additionally, the access given should be the minimum necessary for them to do their job, and no more. So, for example, if a work colleague only needs to know the information in a document, they should have “Viewer” access; not “Commenter” and not “Editor.” If you need their feedback on the information, but would not appreciate them changing the information without your approval, they should have “Commenter” access - not “Editor.”
Because convenience is a highly motivating factor, and users will tend to share too widely (even if given data security awareness education), it is important to set up defaults that encourage appropriate sharing, along with automated remediation for cases when files are shared too broadly.
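One way to automate the least-privilege check described in this section, as an added example that is not part of the original post: it walks file records shaped like Drive API v3 metadata (permission `type` and `role`, where reader, commenter and writer correspond to Viewer, Commenter and Editor) and proposes a remediation for each over-broad grant. The `sensitive` flag and the `REQUIRED_ROLES` map are hypothetical inputs, and the sample records are constructed.

```python
ROLE_RANK = {"reader": 1, "commenter": 2, "writer": 3}  # Viewer < Commenter < Editor

# Constructed sample records; "sensitive" is a hypothetical classifier output.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 payroll.xlsx", "sensitive": True, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"type": "anyone", "role": "reader"},
        {"type": "user", "role": "writer", "emailAddress": "analyst@example.com"}]},
    {"id": "f2", "name": "Lunch menu.docx", "sensitive": False, "permissions": [
        {"type": "domain", "role": "reader"}]},
]
# Hypothetical record of the role each grantee needs for their job.
REQUIRED_ROLES = {("f1", "analyst@example.com"): "reader"}

def audit_sharing(files, required_roles):
    """Return (file name, grantee, action) for grants that exceed least privilege."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            if p["role"] == "owner":
                continue
            grantee = p.get("emailAddress") or p["type"]
            if p["type"] == "anyone":
                if f.get("sensitive"):
                    findings.append((f["name"], grantee, "remove public link"))
            elif p["type"] == "domain":
                if f.get("sensitive"):
                    findings.append((f["name"], grantee, "restrict to named users"))
            else:  # user or group grant: compare with the documented need
                needed = required_roles.get((f["id"], grantee))
                if needed is None:
                    findings.append((f["name"], grantee, "remove: no documented need"))
                elif ROLE_RANK.get(p["role"], 4) > ROLE_RANK[needed]:
                    findings.append(
                        (f["name"], grantee, f"downgrade {p['role']} -> {needed}"))
    return findings

if __name__ == "__main__":
    for finding in audit_sharing(SAMPLE_FILES, REQUIRED_ROLES):
        print(finding)
```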
3. Implement a Data Loss Prevention (DLP) Solution
What if an authorized user - either intentionally or accidentally - does share a sensitive Google Drive asset in an insecure way?
To remediate this security risk before it leads to a data breach, you need a Google Drive Data Loss Prevention (DLP) solution.
Google Workspace does have its own built-in DLP solution, which classifies your Google Drive assets based on sensitive data discovery methods such as regular expressions and exact match word lists. It also has the option for AI-based Classification, which will label your assets based on a model that gets training input from users you designate.
You can then use the resulting classifications to trigger Google DLP Remediation Actions, which include blocking shares and disabling print, download or copy functions for the asset in question.
Google’s built-in DLP is certainly a good start for Google Drive data loss prevention, but it has several limitations that leave significant security holes, including limitations on:
- Accuracy of sensitive data classifications
- Speed of scanning and classification
- Size of file that can be scanned
- Type of file that can be scanned
- Granularity of remediation actions
In order to implement DLP that overcomes the above limitations, you need to look to more advanced third party DLP tools. DoControl for Google Workspace, for example, provides:
- DLP scanning with advanced NLP-based methods, solving the accuracy issue
- Swift risk assessment based on contextualized user information, solving the speed and size issues
- Granular policy control, solving the specificity of remediation issue
4. Watch for Suspicious User Behavior
Even DLP solutions can fall short when the threat comes from a privileged insider. A user from your accounting department often has access to and shares sensitive financial assets as part of their job. Blocking their ability to share a Google Drive asset just because it is classified as sensitive would more likely disrupt business than it would protect it.
How can you tell when user interaction with your Google Drive data assets is work-as-usual, and when it is a sign of a potential data breach?
To accomplish this detective work effectively, at the speed and scale required for Google Workspace instances, you need an insider risk management solution that tracks and analyzes user behavior.
For example, if the accounting department employee shares one or two sensitive financial documents with a user in another department, that may be normal (especially if you have a benchmark of what their personal or departmental norm is). If, however, they share 50 sensitive financial documents with said other user, that already should be grounds for suspicion and remedial action.
Your insider threat management solution should be able to know all this behavioral information as soon as it happens, and have automations set up to take remedial action. Only then can it catch and prevent insider threats in time, before the data moves beyond your reach.
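The benchmark idea above, as an added example that is not part of the original post and not any vendor's implementation: each user's count of sensitive shares today is compared with a limit derived from their personal history, falling back to the departmental norm when personal history is too short. The median-plus-MAD limit, its tuning values and all sample data are assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample data: sensitive files shared per day, per user (names hypothetical).
HISTORY = {
    "dana@example.com": [1, 2, 0, 2, 1, 1, 2],
    "eli@example.com": [2, 1, 2, 1, 3],
    "fay@example.com": [1],  # new hire, too little personal history
}
DEPARTMENT = {user: "accounting" for user in HISTORY}
TODAY = {"dana@example.com": 50, "eli@example.com": 2, "fay@example.com": 12}

def share_limit(history, k=5, floor=5):
    """Median + k * MAD, never below `floor` (k and floor are assumed tuning values)."""
    if not history:
        return floor
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1
    return max(floor, med + k * mad)

def flag_unusual_sharing(history, department, today, min_days=5):
    """Return {user: (count, limit, basis)} for users above their benchmark today."""
    dept_history = {}
    for user, counts in history.items():
        dept_history.setdefault(department[user], []).extend(counts)
    flagged = {}
    for user, count in today.items():
        counts, basis = history.get(user, []), "personal"
        if len(counts) < min_days:  # fall back to the departmental norm
            counts, basis = dept_history.get(department[user], []), "department"
        limit = share_limit(counts)
        if count > limit:
            flagged[user] = (count, limit, basis)
    return flagged

if __name__ == "__main__":
    for user, detail in flag_unusual_sharing(HISTORY, DEPARTMENT, TODAY).items():
        print(user, detail)
```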
5. Remediate Risky, Over-permissioned or Inactive Third-Party Apps
So far the Google Drive data breach prevention strategies we’ve mentioned have focused on the human users in your Google Workspace and their actions. But humans aren’t the only parties interacting with your data assets. For the average company, dozens of third-party connected apps (if not more) are reading and modifying your Google Drive assets all the time.
To prevent third-party apps from becoming the cause of a data breach, it’s critical to be on top of those apps and their risk level.
One of the most important things to check is the level of permissions they have. Just as human users should have access to your assets according to the principle of least privilege, the same goes for apps.
If you install an app with the purpose of converting lists in Google Sheets into tasks or events in your Google Calendar, then the app should have:
- Read access to Google Sheets
- Read and modify access to Google Calendar
If said app has permissions to modify Google Sheets, something is wrong, because it doesn’t need that permission for its function. And yet so many times we see apps that DO have extraneous permissions.
It’s not necessarily malicious; usually it’s just laxity on the part of the app developer. But it means unnecessary risk for you, and it should be identified and addressed.
The same goes for inactive apps: an unnecessary addition to your Google Drive attack surface.
And of course any apps that show signs of being threatening or malicious should be identified and remediated immediately.
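The app checks in this section can be scripted against an inventory of OAuth grants. The following is an added example, not code from the original post: it compares each app's granted scopes with an allowlist of what the app needs, using the Sheets-to-Calendar case above, and flags unreviewed and inactive apps. The allowlist, the 90-day cut-off, the `lastActivity` field and the sample records are assumptions constructed for illustration.

```python
from datetime import date

SCOPE = "https://www.googleapis.com/auth/"
INACTIVE_AFTER_DAYS = 90  # assumed cut-off for an "inactive" app

# Assumed allowlist: scopes each reviewed app needs for its stated function.
APPROVED_SCOPES = {
    "sheets-to-calendar.example": {SCOPE + "spreadsheets.readonly", SCOPE + "calendar"},
}

# Constructed token records. clientId, displayText and scopes mirror the Admin SDK
# tokens resource; lastActivity is a hypothetical field joined in from audit logs.
SAMPLE_TOKENS = [
    {"clientId": "sheets-to-calendar.example", "displayText": "Sheets to Calendar",
     "scopes": [SCOPE + "spreadsheets", SCOPE + "calendar"], "lastActivity": "2024-05-20"},
    {"clientId": "old-pdf-tool.example", "displayText": "Old PDF Tool",
     "scopes": [SCOPE + "drive"], "lastActivity": "2023-01-10"},
]

def audit_tokens(tokens, approved, today):
    """Return (app, finding, details) tuples for risky, over-permissioned or idle apps."""
    findings = []
    for t in tokens:
        granted = set(t["scopes"])
        if t["clientId"] not in approved:
            findings.append((t["displayText"], "unreviewed app", sorted(granted)))
        else:
            # Anything granted beyond the allowlist is an extraneous permission,
            # e.g. write access to Sheets when only read access is needed.
            excess = granted - approved[t["clientId"]]
            if excess:
                findings.append((t["displayText"], "excess scopes", sorted(excess)))
        idle_days = (today - date.fromisoformat(t["lastActivity"])).days
        if idle_days > INACTIVE_AFTER_DAYS:
            findings.append((t["displayText"], "inactive", [f"{idle_days} days idle"]))
    return findings

if __name__ == "__main__":
    for finding in audit_tokens(SAMPLE_TOKENS, APPROVED_SCOPES, date(2024, 6, 1)):
        print(finding)
```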
Avoid Phishing Attacks Targeting Google Drive Users
Google Workspace does have relatively good phishing email identification, sending suspicious emails straight to Spam or displaying a warning at the top of the email.
But their identification isn’t perfect. The University of Nevada, Reno announced earlier this year that they were switching away from Google Workspace in favor of Microsoft, in part because “many students have fallen victim to phishing on the current Google platform and moving to Microsoft will prevent this.”
Phishing can happen on any platform, however, and reducing its impact also requires:
- user education
- making it more difficult to access a user account, such as by implementing MFA. That way, even if a phishing attempt does succeed in getting a user’s Google login information, the attacker will have an additional hurdle to cross in order to actually access the user’s Google Drive
- identity security measures like monitoring login attempts for anomalies, such as origin in a different geographic area than usual
Meet DoControl for Google Drive Data Protection
DoControl was designed expressly for the multiple layers and attack surfaces of Google Workspace: data, identities, configurations and connected apps. The DoControl platform and solutions can help your organization easily implement all the strategies to prevent Google Drive data breaches mentioned in this post.
DoControl’s Data Access Governance and Data Loss Prevention secure your data all across your Google Workspace ecosystem. Advanced data classification methods mean that no sensitive data goes undiscovered, and automated workflows mean that any detected threat can be mitigated in near real-time.
DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your Google Workspace user identities, protecting you from external threat actors or insider threats. Data from multiple business-critical SaaS applications and behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems enable smart differentiation between normal business activity and suspicious actions.
DoControl’s Shadow App Discovery & Remediation secures your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.
DoControl’s SaaS Misconfiguration Management secures your Google Workspace admin configurations, checking them against industry standards like CIS and offering remediation guidance.
Make Google Drive Data Security Your Priority
Implement the strategies and principles contained in this post, and you’ll be light-years ahead of where you were in protecting yourself from a Google Drive data breach.