Google Workspace Security: A Guide for Admins

As a Google Workspace admin, you have a critical role in ensuring the security of your organization’s Google Workspace. 

It’s not a responsibility to be taken lightly - and we’re sure you relate to it seriously. In order to help you in this endeavor, we’ve put together this guide to securing the different aspects and areas of Google Workspace.

Why Securing Your Google Workspace Environment is Crucial

Before we get into the nitty-gritty of what to do, let’s step back and get a high-level view of security in the Google Workspace environment. Google Workspace has four main aspects to its attack surface:

• Identities
• Data
• Apps
• Configurations

Identities covers your user accounts and access. Identity security can be threatened either by external bad actors who try to hijack your user identities through brute force or social engineering tactics like phishing - or by genuine users who are misusing their legitimate Google Workspace access. 

Data covers all the information assets stored within your Google Workspace environment. The primary place data is found is within Google Drive. Data security can be threatened by data loss, corruption or exposure to unauthorized parties. 

Apps covers all the third-party oAuth apps connected to your Google Workspace ecosystem: integrations, addons, you name it. App security can be threatened by malicious apps or by legitimate apps that have more permissions than they really need for their function, unnecessarily increasing risk. 

Configurations covers all the high-level settings for your Google Workspace environment. Configuration security can be threatened by misconfigurations that expose data or user accounts, or otherwise leave your environment open to risk.

Let’s discuss how to secure each of those areas.

Steps to Securing Your Google Workplace Identities

The first step to securing your Google Workspace identities is securing users’ access credentials. This is the basis for identity security because in SaaS applications like Google Workspace, a user is defined by and only by their access credentials. So you definitely want to keep access credentials from falling into the wrong hands; otherwise, you’re giving outsiders the equivalent of legitimate identity papers. 

Steps for securing Google Workspace credentials include:

• Requiring 2-step verification (= multifactor authentication)
• Requiring strong passwords
• Implementing SSO (single sign-on)
• The Advanced Protection Program (usually reserved for individuals with very high privileges whose accounts are likely to be targeted by bad actors) 

The second step to securing identities is to ask: what happens if credentials are exposed, stolen or otherwise manipulated so that a bad actor succeeds in gaining access to your Google Workspace environment? A similar situation arises when legitimate users turn bad and use their privileges for personal gain or malicious action. How can you catch these seemingly valid but dangerous identities?

The answer lies in the identity’s behavior: is the user identity acting in a suspicious or problematic manner? Judging an identity by its actions, not only by its access information, lets you pick out both insider threats and external actors who have hijacked user accounts.

For this you will likely need a Identity Threat Detection and Response (ITDR) tool that can:

• Monitor user interactions with applications and assets
• Enrich its understanding of the actions with context from IdP and HRIS systems
• Compare user behavior with relevant benchmarks from users in similar roles or groups
• Identify behavioral anomalies

Ideally your ITDR tool should be able to then take action to remediate problematic user behavior, such as removing access to defined applications or assets for the user in question.

Steps to Securing Your Google Workplace Data

One of the primary things that puts your Google Workspace data at risk of exposure is oversharing assets. This can (and usually does) happen without anyone intending to cause risk. It’s simply easier to share an asset broadly (e.g. “anyone with the link can view” or “anyone in the organization can view”) than to give access only to those you know need it right now, and then keep giving access one by one to other collaborators as it becomes necessary. 

But this broad exposure of data increases your Google Workspace attack surface and risk of exposure to eyes that should not be seeing the data in question. This problem is exacerbated by the integration of Gemini and other GenAI apps into Google Workspace. Because GenAI apps rely on existing access permissions to know what data they can draw on for a response, too-wide access permissions can lead directly to inappropriate data exposure. 

In order to secure your Workplace data assets from the negative effects of oversharing, you need tools that can:

• Correct real-time oversharing with automated workflows that remove permissions or ask the sharing user to remediate
• Correct historical oversharing by removing extraneous permissions in bulk

Apart from oversharing, another data security issue is risky sharing. Risky sharing can be even the sharing of one Google Sheet with one other user account. For example, picture a Sheet that contains a list of 500 sales prospects, shared with the personal Gmail of a competitor’s sales team head. One asset, one user - but very, very bad news.

In order to secure your Workplace data assets from the consequences of risky sharing, you need to have the ability to identify risky shares and exposure accurately, with minimal false positives and false negatives. This requires a more sophisticated analysis than standard Google Drive DLP rules, which are based on regular expressions or exact word match. Advanced analytical tools, such as NLP-based ones, and tools that provide more context to the share (like the HR status of the sharer or the account shared with) are needed here.

You also need to have the ability to immediately remediate risky shares once identified. SaaS moves fast, and a shared document can be copied and taken out of your organization’s control in minutes.

Steps to Securing Your Google Workplace Apps

The first step to securing your Google Workspace apps is to know exactly which apps are connected to your Google Workspace environment. SaaS empowers users to add integrations and addons, which is great for productivity but can be risky for security. A tool that provides visibility of every single connected app, whether officially sanctioned or shadow app, is the necessary prerequisite to any app security plan.

Once you have a comprehensive list of your connected apps, the next step is to identify each app’s level of risk. Risk may stem from:

• Inherent issues (e.g. apps created with malicious intent or where the developer was negligent in securing it)
• Permission scope issues (e.g. upon installation the app was given permission to change data in your Google Drive, even though it only needs to read that data)

The final step to app security is to remediate any risk. Removing entire apps, revoking specific app permissions: either may be an appropriate course of action.

Steps to Securing Your Google Workplace Configurations

To achieve the basis of Google Workspace configuration security, you can use the Google Security Health Page. This is a general configuration check page which lists all the security-related admin settings and whether they are enabled or disabled for different organizational units in your Workspace. You can change those settings directly on the Security Health Page. 

This is the basis, but it’s not enough to fully secure your configurations, especially if you need to achieve compliance with regulatory standards. For that, you need a tool like DoControl’s Misconfiguration Management module that checks Google Workspace security-related configurations against industry-leading compliance frameworks (e.g. CIS). 

A misconfiguration management tool of this level should tell you:

• the nature of the misconfiguration
• the exact entities affected by the misconfiguration, from users to repositories to any other type of record
• how to correct the misconfiguration

Configuration security is not a one-off. Monitoring needs to be ongoing in order to avoid configuration drift and unwanted ramifications.

FAQs:

How do I limit user access to sensitive information in Google Workspace?

To limit user access to sensitive information in Google Workspace, use Admin Console to manage permissions. Set up organizational units, apply custom access controls, and utilize features like Data Loss Prevention (DLP), context-aware access, and secure sharing settings to restrict sensitive data access based on roles. You may need to supplement Google’s built-in DLP with more advanced DLP tools that are more accurate in their detection of sensitive information.

Is it necessary to audit Google Workspace regularly even if no issues arise?

Yes, regular auditing of Google Workspace is essential even without apparent issues. It helps identify potential security gaps, ensures compliance, tracks unauthorized access and maintains data integrity. Proactive monitoring reduces risks by addressing vulnerabilities before they become critical problems.

How do I conduct a security audit in Google Workspace?

To conduct a Google Workspace security audit with built-in Google Workspace tools, access the Admin Console, review security settings and analyze reports from the Security Dashboard. Audit user activities, data access logs and DLP policies. Regularly check permissions, two-factor authentication and sharing settings to ensure compliance and identify vulnerabilities. In order to conduct a more thorough and/or automated security audit, you will likely need external tools of the type described in this article.

Meet DoControl Workspace Data Protection

DoControl was designed expressly for the multiple layers and attack surfaces of Google Workspace: data, identities, configurations and connected apps. The DoControl platform and solutions can help your organization easily avoid the risks and implement all the Google Workspace security strategies enumerated in this post.

DoControl’s Data Access Governance and Data Loss Prevention secure your data all across your Google Workspace ecosystem. Advanced data classification methods mean that no sensitive data goes undiscovered, and automated workflows mean that any detected threat can be mitigated in near real-time. 

DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your Google Workspace user identities, protecting you from external threat actors or insider threats. Data from multiple business-critical SaaS applications and behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems enable smart differentiation between normal business activity and suspicious actions.  

DoControl’s Shadow App Discovery & Remediation secure your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.

DoControl’s SaaS Misconfiguration Management secures your Google Workspace admin configurations, checking them against industry standards like CIS and offering remediation guidance.  

Save the (Google Workspace) Environment

Your Google Workspace is a delicately balanced environment that needs wise oversight in order to achieve the goals of productivity without endangering the underpinnings of the environment itself. As an admin, it’s your job to provide that oversight.

If you’ve gotten to the end of this guide, we commend you: you’re obviously dedicated to the job, and that will take you a long way in securing your Google Workspace environment. The next (and critical!) step is to implement what you now know. If you like when to-dos are clearly laid out, check out this handy admin security checklist.

We wish you much success!