Dec 3, 2024

Top 7 Tips for Secure File Sharing with Google Drive

Three hundred years ago, sharing information with someone across the world meant waiting weeks for a physical piece of paper, carried by a physical person, to reach your recipient.

Today, SaaS applications like Google Drive enable you to share information with anyone, anywhere - instantly. 

Does this impact your productivity?

Yes! It’s great for productivity!

Does this impact your information security?

Yes! It’s… well… it’s not always that great for your information security.

Let’s take a look at the issues, and then a closer look at how you can share files on Google Drive to positively impact your productivity without compromising on security.

How Safe Is Sharing a Google Drive File?

Sharing a Google Drive file is almost always safe for you, as a Google Drive user. No one is going to gain access to your Google user account as a result of your sharing a Google Drive file. (Unless, for some reason, you store your Google user access details in a Drive file. Please don’t do that. Ever.)

What can commonly happen as a result of your sharing a Google Drive file is that it can open up access to your data - to people you didn’t intend. 

If this is personal data from a personal Google Drive, exposure to unwanted parties can have personal ramifications, like identity theft. If this is company data from a corporate Google Drive, exposure can have financial and legal ramifications.

The extent of the exposure and its potential consequences depend on:

  • what you are sharing
  • who you are sharing with

This post will go through seven different best practices we recommend you follow to secure your important data when sharing files through Google Drive. The practices will be divided according to the “what you are sharing” and “who you are sharing with” categories.

Top 7 Tips for Secure File Sharing with Google Drive

The “What” you’re sharing

If you share files containing sensitive or confidential information, and the wrong party gets their hands on them, it can result in data exposure or leaks. At the same time, sometimes you do need to share sensitive information for legitimate reasons. 

To share files securely, we recommend that you:

Tip #1: Activate AI Classification for Google Drive

Google Workspace’s AI Classification function uses AI to automatically generate labels for your Drive assets. Then, specific users designated by your admin evaluate those labels to improve the AI model’s accuracy for your data. Once the model is sufficiently trained, your admin can switch AI classification to automatic.

AI Classification needs to be initially activated by a Workspace admin; it’s not enabled by default. 

While the labels aren’t 100% accurate, they are close enough that (unless you have a human being manually reviewing and labeling all your Workspace assets 24/7) having them is an improvement to your data security.

These Google Workspace asset labels can improve your file sharing security by:

Let’s focus in on DLP solutions for the second secure file sharing tip.

Tip #2: Install a Data Loss Prevention (DLP) solution

Data Loss Prevention (DLP) solutions for Google Drive use rules and policies you set to evaluate Google Drive file shares and take action if a share is determined to be risky.

Google Drive does have a basic built-in DLP functionality, which can be helpful for protection of sensitive data that can be easily defined by regular expressions or exact match word lists. 

If, however, you need a more complex evaluation of risk, one that can take into account:

  • Markers of sensitivity based on the linguistic context of the data 
  • The business roles of the initiator and recipient of the file share
  • The complete Google Drive file dataset (and not just the first 1MB)
  • Audio and video files stored in Google Drive
  • And more

Then it pays to acquire a more advanced DLP solution. Look for a solution that can take advantage of built-in Google features, like their AI classification, to trigger specific, granular remediations.

The “Who” you’re sharing with

Humans are dangerous. Sometimes intentionally; sometimes accidentally. The following tips cover how to reduce the risk of file sharing by managing who you share with and the extent of the access they have. 

Tip #3: Grant the right level of access permissions

Google Drive gives you multiple options when it comes to file sharing. 

There are three basic access levels you can give to users: 

  • Viewer (they can see the content of the file, but they cannot affect the content)
  • Commenter (they can make suggestions on the content, but it will not replace the original content without approval) 
  • Editor (they can change the original content)

There are also different ranges in which you can grant these access levels:

  • To individual user accounts
  • To organizational units (the exact makeup of these units will vary based on what the Google Workspace admin has defined)
  • To “anyone with the link”

In order to ensure secure file sharing, give only the level of access permissions that is actually needed to get the job done. 

If, for example, you have a spreadsheet that lays out your organization’s planned budget for the coming year, you should only give “Editor” level access to a user you are authorizing to make changes to next year’s budget. If you want to get feedback on the budget, give “Commenter” access only. 

An access range like “anyone with the link” should only be assigned when you might actually want anyone in the world to be able to access this document. An example might be a template that you want to make available for free. Actual corporate examples are few and far between, however, and most access permissions for “anyone with the link” are given not because of real need but out of convenience. The asset owner simply does not want to be bothered by repeated access requests from every new individual in the organization who turns out to need access to the asset.

To balance this desire for convenience with security precautions…

Tip #4: Set a safe default share level

Create Google Drive organizational units that define groups likely to need joint access to assets. Say: the marketing department, or the accounting department, or the cross-departmental team that works on the organization’s budget for the coming year. 

Set the appropriate organizational unit as the default for asset sharing in the relevant Google Drive. This way, when a given user clicks “Share” and sees that organizational unit as the preset default, they will be less tempted to change it to “anyone with the link” or “anyone at the organization” or any other overly-wide range of access. 

Tip #5: Remove the option to download, copy or print

For extra-secure file sharing, you may want to take extra precautions against data exfiltration. While nothing can prevent the data from getting out of your purview once you choose to put it in front of someone’s eyeballs (for example, they can get a piece of paper and a pen and copy down the information on their screen), making it hard to do that digitally is often a sufficient deterrent. 

The way to remove the option to download, copy or print on a Google Drive asset is to click “Share” and then click the gear icon in the pop-up. Then uncheck the “Viewers and commenters can see the option to download, print, and copy” box.

Tip #6: Remove access when it’s no longer needed: external users

In large organizations, it’s not unusual to find Google Drive documents that are shared with all kinds of external users… and no one seems to know who they are or why they have access to the document. 

Don’t let that be your organization. 

Of course external contractors, agencies and consultants may need to be given access to your internal assets. But when their contract or project ends, so should their access. 

There are two ways to make sure this access is removed. One is to remove it manually. Part of the checklist for project completion or switching providers should include removing all asset access from the external users involved. 

Since - in our experience - it’s hard to remember to do that consistently, using automated workflow tools can help ensure that this removal of access happens. With tools like these, such as DoControl, triggers that indicate a project is complete or a contract is concluded can lead automatically to access removal for all relevant external users.
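An added example (not from the original post, and not DoControl's code): a small Python audit that applies Tip #3 and Tip #6 to sharing metadata, flagging “anyone with the link” grants and external grants that have no expiration. It assumes permission records shaped like the Drive API v3 permissions resource (type, role, emailAddress, domain, expirationTime); the sample files, the agency.test addresses and the example.com company domain are constructed.

```python
COMPANY_DOMAIN = "example.com"  # assumption: your Workspace primary domain

# Drive API role names and the access levels the sharing dialog shows for them.
UI_ROLE = {"reader": "Viewer", "commenter": "Commenter",
           "writer": "Editor", "owner": "Owner"}

# Constructed sample, shaped like files.list output requested with
# fields="files(id,name,permissions(type,role,emailAddress,domain,expirationTime))".
SAMPLE_FILES = [
    {"id": "f1", "name": "2025 budget", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"type": "anyone", "role": "writer"},
    ]},
    {"id": "f2", "name": "Agency brief", "permissions": [
        {"type": "user", "role": "commenter", "emailAddress": "pm@agency.test",
         "expirationTime": "2025-06-30T00:00:00Z"},
        {"type": "user", "role": "writer", "emailAddress": "dev@agency.test"},
    ]},
    {"id": "f3", "name": "Team notes", "permissions": [
        {"type": "domain", "role": "reader", "domain": "example.com"},
    ]},
]

def is_external(perm):
    """True when a user, group or domain grant points outside COMPANY_DOMAIN."""
    target = perm.get("domain") or perm.get("emailAddress", "").rpartition("@")[2]
    return bool(target) and target.lower() != COMPANY_DOMAIN

def audit(files):
    """Return (file, grantee, access level, reason) for grants worth reviewing."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            level = UI_ROLE.get(p["role"], p["role"])
            if p["type"] == "anyone":
                # Tip #3: a public link is rarely a real business need.
                findings.append((f["name"], "anyone with the link", level, "public link"))
            elif is_external(p) and "expirationTime" not in p:
                # Tip #6: external access with no end date outlives the project.
                who = p.get("emailAddress") or p["domain"]
                findings.append((f["name"], who, level, "external, no expiry"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(" | ".join(finding))
```

To run it against real data, replace SAMPLE_FILES with the file list exported from your own Drive and set COMPANY_DOMAIN accordingly.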

Tip #7: Remove access when it’s no longer needed: internal users

It’s not only external users who stay with your company for a limited time only. Internal users also have turnover - and when they go, their access should go, too. 

Manual user offboarding takes a very long time (47 hours for every departing user, as per Okta’s estimations). IdP solutions’ automated offboarding speeds that up considerably, although gaps do remain. IdPs only cover user and application access; they don’t address data asset access from personal accounts to which the user had granted access before they departed. It takes automated workflow tools like DoControl to fully cover data asset access removal.

Mistakes to Avoid When Sharing a Google Drive File

As seen from above, the main mistake to avoid when sharing a Google Drive file is sharing too broadly. This includes:

  • Granting access to unnecessary users
  • Granting broader abilities than necessary to any given user or group of users

This guide on risky sharing in corporate SaaS goes into more detail on different risky sharing scenarios, the threat to your data security and how to remediate each scenario.

FAQs:

Is it possible to encrypt files before sharing them on Google Drive?

Yes, you can encrypt files before sharing them on Google Drive by using third-party encryption tools. Encrypt the file locally, then upload it to Google Drive. Share the encrypted file and provide the decryption key separately to ensure secure access.

Can I limit who can download files from Google Drive?

Yes, in Google Drive, you can prevent viewers and commenters from downloading, printing or copying your files. To do this, open the sharing settings of the specific file, click on the gear icon to access "Settings," and uncheck "Viewers and commenters can see the option to download, print, and copy.” Note that this restriction doesn't apply to editors, and it must be set individually for each file, as it cannot be applied to entire folders.

If you want more freedom in how you limit downloads per user or based on file classification, you will need a Data Loss Prevention (DLP) tool like DoControl that enables you to build automated workflows to cover all kinds of scenarios.

How can I revoke access to a file I’ve already shared on Google Drive?

To revoke access to a shared Google Drive file, open the file, click the "Share" button, locate the user in the sharing settings, and click the "X" next to their name. Alternatively, if the file has been shared with an organizational unit or with “anyone with the link”, you can click the “Share” button and then change those sharing link settings to a more restricted range of users.

How does setting expiration dates on shared links help with security?

When you set expiration dates on shared links, you avoid the need to remember to go and manually change the sharing settings once a project is over. That said, if the project is delayed and continues for longer than the expiration date, you will need to go back and renew the access to prevent operational issues.

Enhance Google Drive Secure File Sharing with DoControl

DoControl was designed expressly for the multiple layers and attack surfaces of Google Workspace: data, identities, configurations and connected apps. The DoControl platform and solutions can help your organization easily implement all the Google Drive secure file sharing tips mentioned in this post.

DoControl’s Data Access Governance and Data Loss Prevention secure your data all across your Google Workspace ecosystem. Advanced data classification methods mean that no sensitive data goes undiscovered, and automated workflows mean that any detected threat can be mitigated in near real-time. 

DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your Google Workspace user identities, protecting you from external threat actors or insider threats. Data from multiple business-critical SaaS applications and behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems enable smart differentiation between normal business activity and suspicious actions.  

DoControl’s Shadow App Discovery & Remediation secures your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.

DoControl’s SaaS Misconfiguration Management secures your Google Workspace admin configurations, checking them against industry standards like CIS and offering remediation guidance.  

Secure File Sharing: A Major Productivity Boost

When you’re in a hurry to get something done, and the hurry makes you careless enough to have an accident, the detour via the emergency room will make it take a whole lot longer.

The same is true for getting things done within Google Drive or any SaaS system. If rush-induced carelessness leads to a data breach, your productivity is going to take a major hit.

So, for any given asset share, take the few moments to think about and apply the best settings for Google Drive secure file sharing. Your security - and your productivity - will be all the better for it.   
