If your enterprise uses Google Workspace, chances are you have sensitive data hidden in your Google Drive files. If you lack expertise in how to secure Google Drive, however, then chances are it’s not hidden well enough.
A recent analysis we did of our larger clients (1000+ employees) revealed that companies possessed, on average, 3.7K publicly exposed Google Drive assets that contained sensitive data. Anyone with the link could get to this sensitive enterprise data. The situation was even worse when it came to internally exposed sensitive data assets. These organizations had, on average, 186K sensitive Google Drive assets that were accessible to every user in the organization - from the CEO to the summer intern.
Earlier this year we wrote a comprehensive post about Google Drive security. But we know that moving from understanding principles to taking practical action is sometimes trickier than it looks. That’s the purpose of this post.
We’ll cover the following key steps in how to secure Google Drive for your organization:
- Configure Google Workspace information rights management
- Make MFA a requirement
- Educate end users on how to secure Google Drive
- Set up email-based security alerts
- Consider endpoint management
- Regularly review your Google Drive third-party apps
- Implement a CASB
Configure Google Workspace information rights management
Google Workspace provides an interface for information rights management: global Google Drive settings that limit re-sharing, downloading, printing, copying, and permission changes in order to prevent accidental or intentional data exposure. This configuration is the responsibility of your organization’s Google Workspace administrators, who are usually part of the IT or information security department.
There’s no one ideal configuration. Google’s own set of recommended Workspace security settings includes suggested configurations for Google Drive and the reasoning behind them, which is a good starting point for your thinking, but the best configuration for you will depend on your organization’s business needs, compliance requirements and other factors.
Make MFA a requirement
Since the days of “open sesame!”, passwords have been discovered, guessed and stolen. Phishing scams, brute force attacks and users who insist on choosing “password123” as their password (sigh) increase the chances that your Google Drive assets are at risk from a threat actor who can simply sign in.
MFA (Multi-Factor Authentication) enhances security by requiring multiple forms of verification before granting access to systems or data. Even if an unauthorized party obtains a user’s credentials, the likelihood that they also control the user’s phone (one-time code sent via SMS) or index finger (biometric validation) is small.
Educate end users on how to secure Google Drive
As effective as your InfoSec team is, the burden of securing Google Drive cannot rest solely on their shoulders. Ignorant or negligent end users will continue to overexpose files, drawing your InfoSec team into a resource-draining game of Whack-a-Mole.
The key to more effective Google Drive security that actually demands less of your InfoSec team is empowering and educating your end users on how to secure Google Drive assets. SaaS security best practices education programs are one popular way of doing this, but more effective in the long-term is education in real time, as a risky action is performed.
Using this approach, a user attempting to share a Google Doc with a personal email address, or to set a Google Sheet with “Budget” in the file name to ‘Anyone with the link can view’, would receive a message informing them of the issue, explaining it, and asking them to remediate. A CASB (cloud access security broker - see further on for more details) is often the tool of choice for this end user involvement.
Set up email-based security alerts
Google Workspace provides administrators with tools like audit logs, security reports about user behavior that may indicate a security risk, and a security center with information about how files have been shared. If a Google Drive security risk is only discovered when you go in to check your security center console, however, it could be way too late to contain the damage. Setting up email-based alerts enables you to be more proactive about identifying potential security issues and addressing them promptly.
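The real-time coaching described above and the email alerting described here both start from the same step: classifying Drive sharing events. This added example (not code from the post or from DoControl) does that over constructed events whose shape mirrors the Drive audit log; CORP_DOMAIN and SENSITIVE_WORDS are assumed policy values.

```python
# Added example (not the post's or DoControl's code): classify Google Drive
# sharing events the way a real-time coaching/alerting tool would. The event
# shape mirrors the Drive audit log (Reports API, applicationName="drive"):
# event names change_user_access and change_document_visibility with the
# parameters doc_title, target_user and visibility. The sample events are
# constructed; CORP_DOMAIN and SENSITIVE_WORDS are assumed policy values.
CORP_DOMAIN = "example.com"
SENSITIVE_WORDS = ("budget", "salary", "payroll", "contract")
OPEN_VISIBILITIES = {"people_with_link", "public_on_the_web"}

def looks_sensitive(title):
    """Cheap file-name heuristic; a real DLP engine would inspect content."""
    return any(w in title.lower() for w in SENSITIVE_WORDS)

def classify(event):
    """Return (reason, user_message) for a risky event, else None."""
    p = event["parameters"]
    title = p.get("doc_title", "")
    if event["name"] == "change_user_access":
        target = p.get("target_user", "")
        # Domain of the grantee; anything off-domain (or missing) is external
        if target.rsplit("@", 1)[-1].lower() != CORP_DOMAIN:
            return ("shared_externally",
                    f"You shared '{title}' with {target}, outside {CORP_DOMAIN}. "
                    "If that was unintended, remove their access.")
    elif event["name"] == "change_document_visibility":
        vis = p.get("visibility", "")
        if vis in OPEN_VISIBILITIES and looks_sensitive(title):
            return ("sensitive_link_sharing",
                    f"'{title}' looks sensitive and is now '{vis}': anyone with "
                    "the link can open it. Restrict it to named people.")
    return None  # benign: in-domain share, or open link on a non-sensitive file

def review(events):
    """Return (actor, reason, message) for every risky event, in order."""
    return [(e["actor"], *hit) for e in events if (hit := classify(e))]

# Constructed sample events: two benign, two risky, one in-domain link share
SAMPLE_EVENTS = [
    {"name": "change_user_access", "actor": "ann@example.com",
     "parameters": {"doc_title": "Q3 plan", "target_user": "bob@example.com"}},
    {"name": "change_user_access", "actor": "ann@example.com",
     "parameters": {"doc_title": "Q3 plan", "target_user": "ann.smith@gmail.com"}},
    {"name": "change_document_visibility", "actor": "cat@example.com",
     "parameters": {"doc_title": "Team lunch", "visibility": "people_with_link"}},
    {"name": "change_document_visibility", "actor": "cat@example.com",
     "parameters": {"doc_title": "FY24 Budget", "visibility": "people_with_link"}},
    {"name": "change_document_visibility", "actor": "dan@example.com",
     "parameters": {"doc_title": "FY24 Budget", "visibility": "people_within_domain"}},
]
```

Each tuple returned by review() carries the message to show the user in real time; the same tuples are what an email alert to the InfoSec team would summarize.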
Consider endpoint management
Another domain in which Google Workspace admins can secure Google Drive is in controlling aspects of the end user devices used to access the corporate Google Drive accounts and assets. Endpoint management capabilities include device encryption, screen lock, password enforcement, remote signout and remote wiping of corporate accounts should devices be lost or stolen.
While endpoint management can be implemented on either corporate or personal devices, it is more realistic in a situation where users only access corporate Google assets through a dedicated corporate device. Where productivity considerations create a culture encouraging users to work remotely and access Google Workspace through whatever device is at hand, endpoint management may be more of a liability than an asset. When thinking about how to secure Google Drive, endpoint management should be considered in the context of your company priorities.
Regularly review your Google Drive third-party apps
Your Google Workspace users and the parties with whom they share assets aren’t the only ones who can access your Google Drive data. One of the reasons why companies use Google Drive is the productivity boost that comes from Google Drive apps and add-ons. These third-party apps create connections between Google Drive and the other SaaS applications your organization uses, such as Box, Salesforce, DocuSign, Zoho - and many, many more. While this is wonderful for productivity, it also opens up a new channel through which your Google Drive data can be exposed.
The exposure risk is exacerbated by the fact that many third-party OAuth apps ask for permissions that they don’t even need for their function. In our recent analysis of DoControl client data, we found that out of 29K OAuth apps used by our clients in 2023, approximately 65% of them were over-permissioned!
Additionally, apps tend to stick around much longer than they should. 90% of all installed apps hadn’t been used at all in the 30 days preceding our analysis! That is an unnecessary addition to your attack surface.
In order to minimize your exposure and security risk, you need to conduct regular reviews of your Google Drive app inventory to make sure you don’t have unnecessary or over-permissioned apps.
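One way to run such a review, as an added example that is not the post's or DoControl's code: aggregate a token inventory per app and flag apps holding broad scopes or unused for more than 30 days. The records mirror the shape of Admin SDK Directory API tokens.list items; the last_used field, the inventory and the BROAD_SCOPES policy are constructed assumptions.

```python
# Added example (not from the post or DoControl): a stale / over-permissioned
# OAuth app review over a token inventory. Each record mirrors the shape of
# Admin SDK Directory API tokens.list items (clientId, displayText, scopes);
# "last_used" is NOT a field of that API and is assumed to come from your own
# activity records. Inventory and policy values below are constructed.
from datetime import date, timedelta

STALE_DAYS = 30
# Scopes broad enough that they should be justified by the app's function;
# the narrower alternative a reviewer would look for is noted beside each.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "full Drive (prefer drive.file)",
    "https://mail.google.com/": "full Gmail",
    "https://www.googleapis.com/auth/admin.directory.user": "directory users",
}

def review_apps(tokens, today):
    """Aggregate per clientId; return findings sorted most-risky first."""
    apps = {}
    for t in tokens:
        a = apps.setdefault(t["clientId"], {
            "name": t["displayText"], "users": set(), "broad": set(), "last": None})
        a["users"].add(t["user"])
        a["broad"].update(s for s in t["scopes"] if s in BROAD_SCOPES)
        if a["last"] is None or t["last_used"] > a["last"]:
            a["last"] = t["last_used"]  # most recent use across all users
    findings = []
    for cid, a in apps.items():
        issues = []
        if a["broad"]:
            issues.append("over-permissioned: " +
                          ", ".join(BROAD_SCOPES[s] for s in sorted(a["broad"])))
        if today - a["last"] > timedelta(days=STALE_DAYS):
            issues.append(f"unused for {(today - a['last']).days} days")
        if issues:
            findings.append((cid, a["name"], len(a["users"]), issues))
    return sorted(findings, key=lambda f: (-len(f[3]), -f[2]))

# Constructed inventory: user, app, scopes, last observed activity
TODAY = date(2024, 6, 1)
INVENTORY = [
    {"user": "ann@example.com", "clientId": "111.apps.example", "displayText": "DocSigner",
     "scopes": ["https://www.googleapis.com/auth/drive"], "last_used": date(2024, 5, 30)},
    {"user": "bob@example.com", "clientId": "111.apps.example", "displayText": "DocSigner",
     "scopes": ["https://www.googleapis.com/auth/drive"], "last_used": date(2024, 2, 1)},
    {"user": "cat@example.com", "clientId": "222.apps.example", "displayText": "Old CRM Sync",
     "scopes": ["https://www.googleapis.com/auth/drive.file"], "last_used": date(2024, 1, 15)},
    {"user": "dan@example.com", "clientId": "333.apps.example", "displayText": "Calendar Helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"], "last_used": date(2024, 5, 28)},
]
```

An app with a broad scope is only a candidate for review, not automatically wrong; the finding is the prompt to confirm the scope against what the app actually does.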
(It is worth noting that while making sure apps aren’t unauthorized or over-permissioned is the foundation of how to secure Google Drive against third-party app data leakage, monitoring the actual data that third-party apps are sharing is an independent function.)
Implement a CASB
A CASB (cloud access security broker) is a security policy enforcement solution for data moving through cloud applications. A CASB secures your Google Drive data by protecting against data exfiltration or exposure, using DLP (data loss prevention) components coupled with user context (and ideally business and security context as well). A CASB also protects against over-permissioned or data-leaking OAuth apps. CASBs should be able to both alert InfoSec team members about problems discovered and implement automated remediation workflows.
When it comes to choosing a CASB for Google Drive, you could use either Google’s native CASB, Google Command Center, or a third-party independent CASB, such as DoControl. Each type of CASB solution has advantages and disadvantages.
Use Your Google Drive - and Secure It Too
Google Drive should be your key to organizational efficiency and productivity. But it shouldn’t provide a key to bad actors looking to take advantage of your data. Implement the above steps and you’ll be well on the way to a secure corporate Google Drive.