It’s easy for an organization to start using Google Workspace. (That’s why there are over 8 million organizations who use it.)
It’s also not too hard for an organization to secure their Google Workspace… if they know what to do. That’s what this post is about. Discover these top 10 Google Workspace security best practices, implement them, and your Google Workspace will be as simple to secure as it is to use.
Do Not Allow/Heavily Restrict Public Sharing
Be honest: when was the last time you saw an organization’s Google Drive file that really, truly needed to be shared publicly so that “anyone with the link can view”?
I can count on one hand the files l’ve seen that match that description. They were all spreadsheet templates that the organization in question was providing as a public service.
In all other cases, a user who shares their Google Workspace assets publicly is basically saying: “I’m not sure exactly who is going to need access to this file, and I really don’t want to be bothered by share requests. So I’ll just make it publicly accessible, and then I won’t have to think about it anymore.”
Convenient? Definitely.
Secure? Definitely not.
Some of DoControl’s clients, like Unqork, use DoControl’s automated workflows to remove any public sharing access as soon as it is given.
Even if that level of crackdown doesn’t fit your organization, you’re certainly going to want to heavily restrict the impact of public sharing to only what is necessary for business. You might want to auto-expire public sharing links, for example. Or check with end users as to the business justification of the public share.
However you cut it, public sharing increases your organization’s SaaS attack surface. That’s how you get to the situation we found in our analysis of companies, where the average company had 35K sensitive assets shared publicly. Don’t let that be you.
Heavily Restrict Organization-Wide Sharing
Organization-wide sharing is not as bad as public sharing, but it’s still often unnecessary. Negative consequences include:
- Lack of ethical walls
- Increased insider risk
- Unintended sensitive data exposure
The data exposure issue has become more relevant and serious with the widespread integration of Gemini AI into Google Workspace. Gemini, like most generative AI assistants, uses access permissions to know what data assets it can use in its responses to users. If a Google Workspace user has access permissions for a sensitive Drive document, then Gemini can and will use that asset’s data in responses, exposing sensitive data that otherwise the user might never realize they had access to.
Organization-wide sharing is sometimes necessary, so it shouldn’t be disallowed altogether, but Google Workspace security best practices suggest its restriction. It shouldn’t be the default sharing option. And you should give your users better options, that fit their desire for convenience while maintaining security.
One such approach is to set up smaller organizational units (departments, sub-departments, role-based groups) within Google Workspace, based on groups that logically need to share information with each other. Have the most limited but logical unit be the default sharing option.
Enable Google AI Data Classification Labels
AI isn’t only a security risk; it can also further Google Workspace security. Google’s AI Data Classification Labels are a prime example of that.
Once you enable Google Workspace AI Labels (it’s not enabled by default), Google will use AI to automatically generate labels for your Drive assets (e.g. confidential, sensitive, intellectual property, PII, PCI, PHI, etc.). Specific users you’ve designated review and respond to those labels, thereby training the model and improving its accuracy for your data.
Like any AI-based assessment, Google’s AI classification labels aren’t 100% accurate, but we recommend that our clients who use Google Workspace do leverage the AI labels. It’s more accurate, covers more use cases, and requires significantly less maintenance.
Be Aware of What Google DLP Does and Doesn’t Cover
If you augment your Google Workspace security by using Google Workspace Data Protection, you should be aware of its limitations. Even for Workspace Enterprise, Data Protection is limited in the size and type of file content that it can handle. For example, it can’t check and classify any content in audio or video files, or in the comments on text or spreadsheet files. It also only scans the first 1MB of the content, and makes its data classification of the entire asset based on that content.
Additionally, it takes time (from hours to days) to scan and change classifications on all your Drive assets after you make an update to a Data Protection rule. During this time, your data is still vulnerable, but since you made the rule already, you may be under the impression it is protected.
Being aware of these limitations is the first critical step in Google Workspace security. To actually overcome these limitations, however, you’ll need a third-party solution like DoControl for Google Workspace.
Don’t Forget to Fix the Past (Historical Remediation)
If your organization has become gradually, increasingly aware of Google Workspace security issues, you may have significant numbers of unprotected assets. Google Workspace’s Data Protection remediation actions are limited to new cases that trigger existing policies. So assets created before you implemented Data Protection remain exposed.
Google Workspace does not have a built-in way to clean up historical exposure at scale. That’s why DoControl’s bulk historical remediation capability is so valuable. No matter when your company started its Google Drive data security initiatives, you can use DoControl to remove public sharing links or specific types of user permissions from millions of files in minutes.
You can’t change the past… except when you can. So make sure you do.
Watch Your Users’ Behavior
Google Workspace offers some helpful identity management solutions, like SSO (single sign-on). This is definitely worth implementing to raise the default level of your identity security. Identity management on its own, however, cannot protect against insider threat: legitimate Google Workspace users who decide to take advantage of their privileged access to steal or corrupt your organization’s valuable data.
Identifying insiders who have gone from innocuous to insidious requires keeping a careful eye on their behavior within your Google Workspace environment. Are they downloading or sharing more data assets than usual? Are they interacting with data assets or other users in a way that is atypical for them or for the organizational unit they are a part of?
Protecting your organization from insider threats requires monitoring of user behavior and analyzing it for anomalies that could suggest security issues. Make sure you set up an insider risk management solution that can accomplish this.
Involve Your End Users
Aside from intentional threat, another way that end users can jeopardize your Google Workspace security is through lack of awareness or serious thought about the consequences of their actions:
- Sharing publicly, organization-wide, or with personal email addresses because it’s convenient
- Installing shady third-party add-ons and apps
Just blocking or preventing users from carrying out these actions doesn’t necessarily help them understand what they did wrong, and you’ll probably need to deal with the exact same situation in the future.
Security education programs are one way of raising user awareness of your Google Workspace security standards, but detached “education” is often in-one-ear, out-the-other. A more effective way - that improves security and decreases work for your information security team, now and in the future - is user involvement in remediation, in real time, as the risky action is performed.
When it comes to risky interaction with Google Workspace data assets, users can be called upon to remediate their action, with an explanation of why it was a problem.
When it comes to app installation, user involvement can help understanding of the business context for the app and delegation of app risk assessment.
End-user involvement is a Google Workspace security best practice that yields results in both the short- and the long-term.
Stay on Top of Your Connected Apps
Speaking of third-party apps brings us to a Google Workspace security best practice that relates directly to them: don’t lose track of your Google Workspace apps!
It’s so common:
- The app installed by a marketing agency you used for a project months ago.
- The app installed by a user, used once, then abandoned.
- The app installed by another app.
It’s like an episode of Where Are They Now?, but less exciting and with more serious consequences if you can’t give an answer.
Keeping on top of your Google Workspace apps, integration and add-ons really has two separate components:
- Determining whether your organization actually (still) needs the app: maybe it was never necessary; maybe you needed it months ago but no longer.
- Determining whether the app needs all of its permissions: for the app’s business function, does it really need to read and write to your Drive, Gmail and Calendar? If not, it shouldn’t have that permission scope.
Make sure you have a granular solution for managing your Google Workspace apps, one that can both discover and evaluate the apps, and then take remediate action for problem, such as:
- Suspending an app
- Removing specific app permissions
- Remediating any extant oAuth tokens
- Preventing app reinstallation in the future
Make Sure Your Admin Configurations are (and Stay) up to Spec
Configurations deserve a “best practices” article all on their own. The challenge is determining which configurations settings are actually the best practices for your organization (it will depend on your industry) and, once you’ve set them, making sure they stay that way. Configurations have a tendency to… drift.
Compare your Google Workspace security-related configurations against industry-required or suggested compliance frameworks (e.g. CIS). Correct any misconfigurations. Then, set up a process by which you can monitor configurations for unintended changes and fix them before they open doors to threats. An automated misconfiguration management tool can be very useful here.
And speaking of configurations, we’re going to end our list of best practices with the security setting that everyone agrees you should have for Google Workspace - and yet still does not have implementation across the board:
Implement Multi-Factor Authentication (MFA) in Google Workspace
We don’t really need to explain why multi-factor authentication is a best practice, right? All you need to do is look at the SaaS data breaches where the entry point was an account that didn’t have MFA enabled. That could have been SOOO easy to prevent. Enough said.
FAQs
What are Google Workspace admin best practices for managing user access?
Google Workspace admin best practices for managing user access include:
- Implement role-based access control, assigning the least privilege necessary for each user.
- Use multi-factor authentication.
- Regularly review user permissions and revoke access for former employees.
- Monitor user behavior and investigate anomalies.
- Utilize organizational units to manage settings and access based on user roles.
- Deploy apps and extensions through approved channels only, and monitor third-party app access.
What is the importance of mobile device management (MDM) in Google Workspace?
Mobile device management (MDM) in Google Workspace ensures secure access to company data on mobile devices. It helps enforce security policies, protect data through remote wipe capabilities and manage device compliance. This minimizes risks of data breaches, especially in BYOD environments, while maintaining productivity and security for remote and mobile users.
How can I secure Google Drive in Google Workspace?
To secure Google Drive in Google Workspace, use the following best practices:
- Do not allow/heavily restrict public sharing
- Heavily restrict organization-wide sharing; use smaller units or groups when necessary to increase convenience without compromising security
- Enable Google AI data classification labels
- Watch your users’ behavior and look into anomalies
- Monitor the level of access that connected apps have to your Google Drive and remove unnecessary permissions
DoControl: SaaS Data Protection for Google Workspace
DoControl was designed expressly for the multiple layers and attack surfaces of Google Workspace: data, identities, configurations and connected apps. The DoControl platform and solutions can help your organization easily implement all the Google Workspace security best practices enumerated in this post.
DoControl’s Data Access Governance and Data Loss Prevention secure your data all across your Google Workspace ecosystem. Advanced data classification methods mean that no sensitive data goes undiscovered, and automated workflows mean that any detected threat can be mitigated in near real-time.
DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your Google Workspace user identities, protecting you from external threat actors or insider threats. Data from multiple business-critical SaaS applications and behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems enable smart differentiation between normal business activity and suspicious actions.
DoControl’s Shadow App Discovery & Remediation secure your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.
DoControl’s SaaS Misconfiguration Management secures your Google Workspace admin configurations, checking them against industry standards like CIS and offering remediation guidance.
You Can Attain Google Workspace Security
Organizations that use Google Workspace can achieve the dream of seamless productivity without compromising on security. It takes awareness, commitment and the right tools - and then you’ve got it.