Ever since Microsoft suffered some significant and embarrassing data breaches, Google has been promoting Google Workspace as “a more secure alternative.”
Certainly Google takes security seriously; its own data centers have six different levels of security. But is Google Workspace secure? And is it more secure than the alternatives?
This post will take a look at factors one should take into consideration when evaluating Google Workspace or any other platform that manages important enterprise data. We’ll also discuss prevalent risks that can threaten your Google Workspace security and what to do about them.
Is Google Workspace Secure? Key Considerations
When it comes to securing your physical valuables, how safe they are depends on the answers to questions like these:
- Do you have an accurate record of all your valuables?
- Have you locked the door of the place where your valuables are kept?
- Who has the keys to - and the ability to let other people into - your secure space?
- How is the decision made to let those other people in?
- What are those people allowed to see or do once they are in?
- How fast can you find out if there’s an issue?
No one needs to tell you that your business data stored in Google Workspace is valuable and demands protection. Data loss or exposure can result in negative financial, legal, reputational or strategic consequences.
It follows that the same kinds of questions need to be asked about Google Workspace in general, and your implementation in particular. When it comes to data, the questions sound as follows:
- Do you have an accurate record of all your sensitive data?
- Which users are allowed to access sensitive data, and how are they allowed to interact with it?
- How can you ensure that access is not given to users who shouldn’t have it?
- How can you ensure that a user providing access credentials is who their credentials claim they are?
- How fast would you know if unusual or threatening actions were taken regarding your data assets?
Use of Google Workspace has the potential to provide satisfactory answers to these questions, but only if you’re aware of the potential dangers and the way they manifest, plus the steps to take and solutions to implement in order to prevent those dangers. Let’s first touch on some of the common dangers that could cause a “no” answer to the question “is Google Workspace secure?” Then we’ll go over some security best practices that are musts to implement.
7 Common Mistakes of Google Workspace Security
Risk #1: Falling for phishing attacks and other credentials mistakes
Like all SaaS applications, Google Workspace access is dependent on identities and credentials. If you hold the access credentials for John Doe, then from the point of view of Google Workspace, you ARE John Doe.
This makes identities and credentials into a top attack vector for threat actors, making it risky to rely on access credentials alone for your Google Workspace security. Phishing, vishing, smishing, you-name-it-ishing: these social engineering tactics work often enough to fool users into entering their credentials on spoofed login pages.
Multifactor authentication goes a long way to preventing standard credential stealing from providing entry to your systems, but it’s not foolproof. Social engineering tactics can convince enterprise support staff to “help” with MFA tokens after “losing a phone” - or trick users into authorizing an MFA request that they didn’t ask for themselves.
Risk #2: Oversharing with users
The ease of sharing and collaboration among users is one of the top reasons organizations choose Google Workspace. If users are not careful, however, this plus can turn into a minus.
When users share a corporate asset with “everyone in the organization” or “anyone with the link”, it is rarely because such a large group of people actually need to access the asset. Most often, these wide sharing settings are used purely out of convenience, so that the user won’t have to go back and update the sharing settings every time another person needs access. Unfortunately, every unnecessary person who has access to a corporate Google Workspace asset presents a security risk.
This risk is exacerbated when the asset contains sensitive information. And if you assume that users are more careful with their sharing settings for a sensitive asset… we wish it were so! But a 2023 analysis we did of companies with over 1000 employees found that the average company had 35K sensitive assets shared publicly and 2.1M sensitive assets exposed organization-wide. Even if users are more careful with sensitive assets, they are certainly not careful enough.
Risk #3: Giving unnecessary permissions to apps
Lack of thought about the extent of sharing isn’t only an issue when it comes to sharing with human users. It’s also an issue when it comes to installing third-party addons to your Google Workspace. oAuth apps always ask for a certain set of permissions. For example:
Whoa! That’s a lot of permissions you’re giving this particular addon! And some of them are pretty extensive: See and download all your Google Drive files?
Now, this may be absolutely fine. Your addon may need these permissions in order to fulfill the function for which you’re adding it.
The problem is when addons ask for unnecessary permissions - which does happen. It’s not necessarily out of malicious intent; it may be out of convenience (as in our oversharing user above). But it does unnecessarily expand your attack surface, and make your Google Workspace less secure without any material benefit.
Risk # 4: Adding malicious apps
There are malicious apps and app developers out there.
Even if they’re not the majority, it takes only one mistake to open your Google Workspace up to data ransoming, loss, or corruption. So it’s definitely something that should be on your mind when you’re considering an addon.
Risk # 5: Misconfigurations
Having the right high-level security configurations are the difference between locking your doors and leaving them unlocked. Locking a door doesn’t make it impossible for a determined thief, but leaving it unlocked makes it so easy that even a casual trespasser can walk right in.
It takes extensive information and effort to know both where all the relevant Google Workspace security settings are, and what they should be set to. In addition, updates and other events can cause initially secure configurations to change. If you’re not on top of your configurations, your Google Workspace security level can drop considerably.
Risk # 6: Assuming that Google Drive DLP protects everything
You’ve implemented Google Drive Data Loss Prevention (DLP)? Fantastic! That’s a great step in the direction of data security. But assuming that you have now prevented the loss of any and all sensitive data in your Google Drive would be premature.
Aside from a limited ability to accurately identify sensitive data (regular expressions and exact match word lists tend to turn up false positives and false negatives, respectively), Google says outright that there are many of your assets that they may not even check. Those include:
- Comments in Docs, Sheets and Slides
- Anything after the first 1 MB of each file
- Files larger than 50 MB (and sometimes even larger than 10 MB)
- Audio or video files
- Earlier revisions of files
So if sensitive data resides in any of the above, Google Drive DLP will not find out about it, precluding the possibility of protection.
Risk # 7: Ignoring historical data exposure
Implementing DLP and other Google Workspace data security measures may protect data going forward - but it won’t go backward in time. Any sensitive assets that were shared indiscriminately will still be exposed.
If you’re reading this article before starting to use Google Workspace, you don’t have to worry about historical data exposure. But if you’ve been using Google Workspace for some time already, then you do. And if you don’t take measures to remediate this historical exposure, then you leave a gaping hole in your Google Workspace security.
Strengthening Google Workspace Security: Best Practices for 2025
Now that you have a general idea of what can make Google Workspace insecure, let’s go over several best practices that can help your to secure your Google Workspace implementation.
Best practice #1: Strong credential and identity security
Identity security breaks into two parts: keeping bad actors out of your Google Workspace, and detecting them quickly if they have gotten into your Google Workspace.
What keeps them out is strong credential security: strong password policies, multi-factor authentication, catching and filtering out phishing attempts, user education, and anything else that prevents bad actors from obtaining valid credentials and posing as a valid user.
What detects them is strong identity security: user behavior analytics that focuses on behavioral anomalies, risk scoring, automated workflows that react immediately to perceived identity threats and any other identity threat detection and response (ITDR) method.
Best practice #2: Least privilege access for human users and apps
Eliminate oversharing. This applies to data assets shared by and with other human users, and data and permissions granted to oAuth connected apps.
The only users that should have access to a Google Workspace asset are those who need that access to do their job. Additionally, they should only have the level of access they need. If a user only needs to view the data on a Google Sheet, for example, they should be given “Viewer” status, not “Editor” status.
Check the permissions granted to your apps. Remove unnecessary permissions. Remove unnecessary or unused apps altogether. If you have so many apps that this is not feasible to do manually (which is typical for enterprises), utilize an app discovery and remediation solution.
Best practice #3: Take care of historical data exposure
Clean up any past oversharing of sensitive assets. This can be done manually, although it can take hundreds of hours (or more!). If you have been using Google Workspace for a while and have accumulated a significant number of assets, invest in a historical bulk remediation solution that can let you take care of all overexposure in minutes.
Best practice #4: Use Google AI labels for classifying data
Google offers AI-based classification of your Drive assets. Once you enable this feature, Google starts a training process in which specific users you designate evaluate Google’s automatically generated labels for your assets. This helps train the model and improve accuracy. Based on users’ examples and responses, Google learn how to similarly classify sensitive files.
While Google’s AI classification isn’t 100%, we always recommend to our clients that they use it as part of their Workspace security measures, because it’s more accurate, covers more use cases, and requires significantly less maintenance than other Google DLP classification. We also enable the use of Google AI labels as part of our DoControl workflows.
Best practice #5: Make sure configurations are up to spec
Be on top of your Google Workspace security configurations. Google does provide a general view of potential Workspace misconfigurations, but the view is often too high-level to be helpful. A SSPM solution like DoControl that directly and continuously compares Google Workspace configurations to accepted compliance standards like CIS, and also provides remediation guidance for any detected misconfiguration, can be invaluable here.
FAQs:
How often should I back up Google Workspace data?
Google Workspace data should be backed up at least weekly, but more frequent backups (daily or real-time) are ideal for businesses with critical data. Regular backups help prevent data loss from accidental deletion, cyberattacks or system failures. Automating backups ensures consistency and minimizes risk.
Can phishing attacks affect Google Workspace?
Definitely. The effects of phishing on their users was actually the reason cited by the University of Nevada, Reno in their decision to switch student “email for life” accounts from Google Workspace to Microsoft 365. That said, phishing attacks are not unique to Google Workspace and can affect other providers as well.
Does Google Workspace provide data encryption?
Yes, Google Workspace provides data encryption. It encrypts data both in transit and at rest using industry-standard protocols like TLS and AES. For Google Workspace Enterprise Plus, Education Standard and Education Plus, Google also provides the option for Client-side encryption (CSE), where you can encrypt your data before Google ever transmits it to or stores it in their cloud-based servers.
What happens if I don't update Google Workspace security settings?
If you don't update Google Workspace security settings, your organization becomes vulnerable to data breaches, unauthorized access, phishing attacks and compliance violations. Outdated settings may not address new threats, increasing the risk of data loss, compromised accounts and potential financial or reputational damage.
Meet DoControl SaaS Data Protection for Google Workspace
DoControl was designed expressly for the multiple layers and attack surfaces of Google Workspace: data, identities, configurations and connected apps. The DoControl platform and solutions can help your organization easily avoid the risks and implement all the Google Workspace security best practices enumerated in this post.
DoControl’s Data Access Governance and Data Loss Prevention secure your data all across your Google Workspace ecosystem. Advanced data classification methods mean that no sensitive data goes undiscovered, and automated workflows mean that any detected threat can be mitigated in near real-time.
DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your Google Workspace user identities, protecting you from external threat actors or insider threats. Data from multiple business-critical SaaS applications and behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems enable smart differentiation between normal business activity and suspicious actions.
DoControl’s Shadow App Discovery & Remediation secure your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.
DoControl’s SaaS Misconfiguration Management secures your Google Workspace admin configurations, checking them against industry standards like CIS and offering remediation guidance.
And the answer to “Is Google Workspace secure?” is…
It can be.
Google puts in the groundwork for data security, but it is up to you to implement strong identity security, prevent oversharing and extraneous access permission, take care of historical data exposure and stay on top of your security configurations.
Put in the effort, and you’ll be able to answer “Yes!”