As a Google Workspace admin for your organization, you have to balance security and productivity. Fortunately, Google Workspace offers plenty of ways to increase your data security and simultaneously enable the business. And for any critical security function that Google Workspace doesn’t offer built-in, a dedicated Google Workspace SSPM (SaaS Security Posture Management) solution can fill in the gap.
What exactly are those critical security functions? This checklist outlines the Google Workspace security areas you should be focusing on, along with the individual actions you should confirm you have taken or are able to take. First, however, let’s take a step back and understand the big picture of Google Workspace security.
What is Google Workspace Security in 2024?
Google Workspace security is the protection of Google Workspace’s attack surfaces from access and manipulation by bad actors. Bad actors can be either external to your Google Workspace (e.g. hackers) or insiders (e.g. employees using their legitimate access to cause problems).
The attack surfaces of Google Workspace can be defined as four separate areas:
- Data: the information stored as assets in your Google Drive, Gmail, etc.
- Identities: the user accounts
- Connected Apps: third-party OAuth apps, add-ons and integrations
- Configurations: the high-level Workspace settings, usually controlled by admins
Google Workspace Security Checklist for Admins: Essential Steps
The checklist is intended to be practical and immediately usable. It is therefore set up in a series of “I did…”-style statements, sorted according to eight different areas of Google Workspace security. Any explanations for the items are added in italics under the statement itself.
Check each box if you can; if not, correct the situation and go back to check the box. Good luck!
Check Account Access
❒ I have implemented a strong password requirement.
❒ I have made MFA required.
❒ I have set up Google Workspace’s identity management solutions.
❒ I have a way of identifying suspicious login attempts.
Check Identities
❒ I have more than one super admin, but fewer than five.
Having only one super admin may disrupt business if that admin account is compromised. Having more than five expands your attack surface more than necessary.
❒ I have a way of knowing if admin privileges are granted or increased.
❒ My employee offboarding process effectively removes all access to corporate Google Workspace accounts, assets and apps.
This includes access employees may have granted to their own personal accounts.
Check User Behavior
❒ I can assess if a user is interacting with Google Workspace assets or identities in a manner that is unusual for them.
This will require benchmarking normal behavior for individual users, departments or groups.
❒ I can differentiate between normal business actions and suspicious behavior.
This will require benchmarking normal behavior plus contextual business information (e.g. new projects or situations that may require different resources or activity patterns).
Check Asset Access Control and Permissions
❒ I have checked that the only publicly shared assets are those which must be public for their business function.
And not set as publicly shared simply to avoid future inconvenience for the asset owner.
❒ I have checked that the only organization-wide shared assets are those which must be accessible to my entire organization for their business function.
And not set as shared organization-wide simply to avoid future inconvenience for the asset owner.
❒ I have set up small organizational units (departments, sub-departments, role-based groups) within Google Workspace, based on groups that logically need to share information with each other, and made the most limited, yet still logical, unit the default sharing option.
This will balance the consideration of convenience for the asset owner and the security consideration of limited unnecessary exposure.
Check Data Loss Prevention (DLP) Capabilities
❒ I have enabled Google Workspace AI Data Classification Labels.
❒ I have configured Google Drive DLP rules.
And I am aware of the limitations of built-in Google Drive DLP.
❒ I have a way of securing comments in Google Drive assets, audio and video files, and assets whose sensitive information may appear only after the first 1MB of the asset.
These are not covered by built-in Google Drive DLP and require a separate, advanced DLP solution.
Check Configurations
❒ I have compared all my admin configurations to the information security standards relevant for my industry (e.g. CIS, HIPAA, GDPR).
❒ I review my configurations at least once a week or on an automated, continuous basis.
Because configuration drift happens.
❒ I remediate configuration drift as soon as it occurs.
Check Third-Party Apps
❒ I am aware of all the apps installed in my Google Workspace ecosystem.
❒ I know all the apps currently installed are legitimate and secure.
❒ I have removed any apps that have not been used in the past 90 days.
Stale apps increase your attack surface unnecessarily.
❒ I have checked that all apps have only the permissions they need for their business function.
If an app’s purpose is to convert Google Sheets details into Calendar appointments, it should not need write permissions to your Google Drive.
❒ I have removed any unnecessary app permissions.
❒ I can ask a user directly for the reason why they installed an app, to get an idea of the business picture and function.
User involvement can help in delegation of app risk assessment.
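The stale-app and least-permission checks above can be run over an inventory of OAuth grants. The following is an added example, not DoControl's or Google's code: the grant records are constructed, `clientId`, `displayText`, `scopes` and `userKey` follow the Admin SDK Directory tokens resource, and `lastUsed` and the `NEEDED_SCOPES` allowlist are assumptions you would supply yourself.

```python
from datetime import date

STALE_AFTER_DAYS = 90  # threshold from the checklist item above

# Hypothetical allowlist an admin maintains: scopes each app needs for its job.
NEEDED_SCOPES = {
    "sheets-to-calendar": {
        "https://www.googleapis.com/auth/spreadsheets.readonly",
        "https://www.googleapis.com/auth/calendar.events",
    },
}

# Constructed grant inventory. clientId/displayText/scopes/userKey follow the
# Admin SDK Directory tokens resource; lastUsed is an assumed field that you
# would derive yourself from OAuth token audit logs.
SAMPLE_GRANTS = [
    {"clientId": "sheets-to-calendar", "displayText": "Sheets to Calendar",
     "userKey": "ana@example.com", "lastUsed": "2024-05-28",
     "scopes": ["https://www.googleapis.com/auth/spreadsheets.readonly",
                "https://www.googleapis.com/auth/calendar.events",
                "https://www.googleapis.com/auth/drive"]},
    {"clientId": "pdf-merger", "displayText": "PDF Merger",
     "userKey": "raj@example.com", "lastUsed": "2024-01-10",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
]

def review(grants, today, needed=NEEDED_SCOPES, stale_days=STALE_AFTER_DAYS):
    """Return one finding per grant that is stale, unvetted or over-scoped."""
    findings = []
    for g in grants:
        reasons = []
        idle = (today - date.fromisoformat(g["lastUsed"])).days
        if idle > stale_days:
            reasons.append(f"stale: unused for {idle} days")
        if g["clientId"] not in needed:
            reasons.append("unvetted: no approved scope list")
        else:
            extra = sorted(set(g["scopes"]) - needed[g["clientId"]])
            if extra:
                reasons.append("excess scopes: " + ", ".join(extra))
        if reasons:
            findings.append({"app": g["displayText"], "user": g["userKey"],
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_GRANTS, today=date(2024, 6, 1)):
        print(f["app"], f["user"], "; ".join(f["reasons"]))
```

The first constructed grant reproduces the Sheets-to-Calendar case above: the app holds the full Drive scope although its job needs only Sheets read access and Calendar events.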
Check Security Threat Remediation Capabilities
❒ I can disable or suspend user accounts that are acting suspiciously.
❒ I can remove permissions to assets or applications at the per-user level.
❒ I can remove permissions for users or applications at the per-asset level.
❒ I can automate any of the above remediations, so that they happen as soon as the security threat is identified.
In Google Workspace, and any SaaS ecosystem, data exposure and loss can happen in the blink of an eye. Automated remediation enables potentially big issues to be caught and dealt with before they become actual issues.
Protecting Against External Threats in Google Workspace
One of the major productivity benefits of Google Workspace is the ability to share and collaborate with external parties. But the same benefit can become a detriment if not monitored and secured. The following are two of the major threats that come from external parties - and how to secure your Workspace against them.
Managing External Collaborations and Sharing
What kinds of corporate SaaS assets are shared with parties external to your organization? Plenty:
- Marketing and sales collateral with an external agency or consultant
- Proposals with customers
- Spreadsheets with a corporate entity considering an acquisition of your company
- Business strategy documents with partners
Google Workspace assets, by default, retain their sharing permissions until those permissions are actively changed. All too often, projects are completed, the access is no longer needed… but no one remembers to remove the access. Unnecessary retained access increases the amount of sensitive data vulnerable to exfiltration by malicious actors.
Additionally, it is not unusual for third-party collaborators to share your data assets with their own contractors (e.g. the corporate entity considering an acquisition, which shares your financial spreadsheets with its own external consultant for analysis). While this may be justified, it exposes your data to unauthorized accounts that have not passed your security risk assessments. Control over your data passes out of your hands. But Google Workspace does not make it easy (or even possible) to enable third-party sharing while restricting fourth-party sharing.
When it comes to external collaborations and sharing in Google Workspace, it is important to find a solution that gives you control without impairing business. Necessary elements of such a solution include:
- Identification of all external accounts given access to your SaaS environment
- Automated alerts and/or automated access removal when a project with external collaborators comes to a close
- Bulk removal of external collaborators from previously shared assets
- Automated alerts and/or automated remediation when sensitive assets are shared with external collaborators
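The public and organization-wide sharing checks from the checklist, and the identification of external accounts listed above, can be run over exported Drive permission metadata. The following is an added example, not DoControl's or Google's code: the file records are constructed, shaped like Drive API v3 file resources, and `example.com` as the organization domain is an assumption.

```python
from collections import defaultdict

ORG_DOMAIN = "example.com"  # assumption: your primary Workspace domain (lowercase)

# Constructed sample, shaped like Drive API v3 file resources.
SAMPLE_FILES = [
    {"name": "Press kit", "writersCanShare": True, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ana@example.com"},
        {"type": "anyone", "role": "reader"}]},
    {"name": "Acquisition financials", "writersCanShare": True, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "lead@buyer.test"},
        {"type": "user", "role": "reader", "emailAddress": "analyst@advisor.test"}]},
    {"name": "Holiday schedule", "writersCanShare": False, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
]

def classify(perm, org_domain=ORG_DOMAIN):
    """Map one permission to 'public', 'org_wide', 'external' or 'internal'."""
    if perm.get("type") == "anyone":
        return "public"
    if perm.get("type") == "domain":
        same = perm.get("domain", "").lower() == org_domain
        return "org_wide" if same else "external"
    # user/group: compare the address domain; no address is treated as external
    addr = perm.get("emailAddress", "").lower()
    return "internal" if addr.endswith("@" + org_domain) else "external"

def audit(files, org_domain=ORG_DOMAIN):
    """Return (exposure class -> file names, external principal -> file names)."""
    findings, externals = defaultdict(list), defaultdict(list)
    for f in files:
        classes = set()
        for perm in f.get("permissions", []):
            cls = classify(perm, org_domain)
            classes.add(cls)
            if cls == "external":
                who = perm.get("emailAddress") or perm.get("domain") or "unknown"
                externals[who].append(f["name"])
                # An external editor can re-share unless writersCanShare is off.
                if perm.get("role") == "writer" and f.get("writersCanShare", True):
                    classes.add("external_can_reshare")
        for cls in sorted(classes - {"internal"}):
            findings[cls].append(f["name"])
    return dict(findings), dict(externals)

if __name__ == "__main__":
    print(*audit(SAMPLE_FILES), sep="\n")
```

The `external_can_reshare` class marks files where an external editor could pass access on to a fourth party; the external-principal map is the starting list for bulk removal when a project closes.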
Preventing Phishing Attacks in Google Workspace
A “successful” phishing attack gives an external bad actor an insider’s account credentials. This makes their subsequent access to your Google Workspace environment, and the actions they perform there, much harder to detect.
Phishing attacks can be prevented through:
- Turning on Google Workspace’s advanced phishing and malware protection
- End-user education on what a phishing attack looks like
- Prompt notification of users if there has been a data breach anywhere that could have exposed your users’ contact details and other personal information (i.e. anything that could make a phishing email possible or more convincing)
The consequences of a successful phishing attack can be mitigated with an identity threat detection and response (ITDR) solution that monitors the activity of all user identities and identifies behavioral anomalies. Even if an external bad actor is impersonating a legitimate user, if they start interacting with your assets and applications in an unusual way, the ITDR solution will be able to detect and deal with it.
FAQs
What should I do if there is a security breach in Google Workspace?
If there's a security breach in Google Workspace, immediately notify your IT/security team, change all passwords, enable two-factor authentication and review access logs for suspicious activity. Remove unauthorized users, revoke access tokens and conduct a security review of connected apps. Report the breach to Google and follow their guidelines. Finally, inform affected parties and assess data loss to implement improved security measures.
Can I monitor user activity in Google Workspace?
You can monitor user activity in Google Workspace through the Admin Console. Use the Audit and Investigation Tool to review user actions, such as file access, email activity and login events. You can set up alerts for suspicious behavior, generate reports and track changes across various services. For more advanced user activity monitoring and automated responses to suspicious behavior patterns, you will need a third-party Insider Risk Management solution.
How often should I review Google Workspace security settings?
Ideally Google Workspace security settings should be reviewed continuously by an automated Misconfiguration Management solution. Configuration drift can happen at any time, and leaving settings in an insecure configuration leaves you vulnerable to security threats.
How does Google Workspace help with compliance requirements?
Google Workspace helps with compliance by offering built-in security features like data encryption, access controls and audit logs. It supports compliance standards like GDPR, HIPAA and ISO/IEC 27001, providing tools for data loss prevention (DLP), eDiscovery and information governance. Admins can manage data retention, monitor user activity and set custom security policies, ensuring adherence to regulatory requirements and industry standards.
DoControl: SaaS Data Protection for Google Workspace
DoControl was designed expressly for the multiple layers and attack surfaces of Google Workspace: data, identities, configurations and connected apps. The DoControl platform and solutions can help your organization easily implement all the Google Workspace security best practices enumerated in this post.
DoControl’s Data Access Governance and Data Loss Prevention secure your data all across your Google Workspace ecosystem. Advanced data classification methods mean that no sensitive data goes undiscovered, and automated workflows mean that any detected threat can be mitigated in near real-time.
DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your Google Workspace user identities, protecting you from external threat actors or insider threats. Data from multiple business-critical SaaS applications and behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems enable smart differentiation between normal business activity and suspicious actions.
DoControl’s Shadow App Discovery & Remediation secures your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.
DoControl’s SaaS Misconfiguration Management secures your Google Workspace admin configurations, checking them against industry standards like CIS and offering remediation guidance.
Check? Check!
Does your Google Workspace security check out? If so, congratulations! You’re a Workspace security pro. If there are still items that need to be implemented or shored up, it’s time to get to work. Dot your i’s, cross your t’s - and check those boxes!