The Admin’s Google Drive Management Playbook

Make Google Drive management a whole lot simpler 

Google Drive Management is a wide umbrella that many sysadmins can occasionally feel lost under.

However, when you keep your eyes on the most important areas and develop best practices for them, you’ll be far from lost.

In this playbook we’ll cover the TOP 10 Google Drive management areas and provide admins with best practices there.

With these practices not only will you FULLY cover your organisation’s Google Drive management operations, but you’ll also learn to do so with minimal effort. 

 

1. Google Drive Storage: NEW Limits 

On June 1, 2021, Google started deploying a new storage policy for Drive. With that, any newly created Drive files from that date count toward the storage limits for users in your domain. 

Existing files have not been counted, unless they were modified on or after June 1, 2021. (See the Usage section for Business and Enterprise editions)

With that your organisation may want to adopt new storage-friendly practices — and it starts with clearing out Drive clutter or debris.

What users can do:

Clear out ‘My Drive’ Clutter.

Share our blog post ‘Organize your Google Drive Marie Kondo Style in 5 Simple Steps post’ with your users and show them how to clear out Drive clutter and keep ‘My Drive(s)’ using a simple minimalist approach.

What Admins can do:

1.View and monitor domain storage quota in the admin console here.
(Look for a graph called ‘Storage used by apps’ in reports, under accounts).

2. View how much storage each user have used and which user(s) have most storage here.
(You’ll see a column that shows this information for Drive, Gmail and Photos).

3. Identify and delete duplicate files. These alone can eat up a huge chunk of your Drive storage quota.
(Use GAT+ to dig beyond the Admin console for things like file types and more).

 

 

2. Shared Drive Structure

So what’s your organisation’s Shared Drive structure like?

If your Google Drive management operations constantly prompt you to re-examine your Shared Drive structure for improvements, it’s time to get it sorted then. 

This is also important for Drive Data Loss Prevention (DLP) as it largely determines who has access rights to what, and allows you to better customise your Drive DLP rules accordingly.

Once you’ve got the best Drive structure in place, you can apply any needed tweaks and move files and folders to the right place easily.

One final option to consider is restricting users from moving content outside your organization. That of course may not be feasible for every organisation, but it’s an option worth exploring.

SEE: How to choose the best Shared Drive structure for your domain

 

3. Drive File Ownership

File ownership permissions are another important part of your Google Drive Management operations. After all, file owners enjoy some of the most powerful Drive privileges of all.

File ownership is also core to security goals like Drive Data Loss Prevention (DLP) and information security. That’s why, how well you handle file ownership and sharing at your organization is ESSENTIAL.

SEE: Manage Google Drive File Ownership like a Security PRO 

 

4. Drive File Sharing Exposure Audit

This one goes at the top of your priority list. 

Over the past few years alone your file sharing activities have most likely multiplied. Over time, the number of shared files (internal and external) accumulates and becomes tricky to manage. 

Also, sometimes sensitive data may be accidentally shared or added later on to folders already shared externally to unauthorised parties — Exposing data this way can have BIG data security repercussions.

I. Secure External File Sharing

1. Review external file sharing using the Google Workspace File Sharing Exposure report available in the Business edition.
2. Set different sharing permissions for different Organizational Units if you have the Business (or higher) edition. 

These options, however, provide limited flexibility and require regular manual reviews of shared items and sharing permissions.

A better and easier way is to automate your file sharing exposure audit. This will save you plenty of time and effort.

How to automate the Google Drive file sharing exposure audit task?

Use GAT’s toolset to automate your file sharing exposure audit and take corrective actions:

• Assign granular sharing policies, monitor file sharing using pre-built aggregated reports, and configure file sharing exposure triggers in a fully automated way. Thus, saving plenty of time and effort.
• Create a DLP alert rule every time any given user, selected OU or group shares or downloads ‘x’ number of files with GAT+. You can also stop files that contain sensitive information from being shared out.
• Create a policy for any given document to make sure that even if it’s shared out, external users will be automatically removed.

 

II. Secure Internal File Sharing

Let’s not forget about those insider data threats. 

• Is there any information that NOT all users should be sharing or have constant access to?
• What access rights do users have for sensitive files?
• What would you consider unusual internal sharing activities indicating potential malicious threat or compromised user account(s)?

One more thing to pay close attention to is sharing to personal accounts such as gmail.com, yahoo.com, hotmail.com, etc.

 

Finally, remember, you can never be fully sure of who can view your most sensitive Drive files without conducting a comprehensive file sharing exposure audit.

(Internal resource: Checkout our post how to replace all current file permissions on your files using GAT)

 

6. Google Drive Downloads and more

Drive data doesn’t get leaked or transferred through ‘file sharing’ only. There’s also downloading, copying and printing of sensitive files — that’s just DLP 101.

To manage those things you need to Audit Event Activity in the admin Console, that includes download, print and related actions. Here’s how:

1. Go to Reports > Audit > then Drive (Drive audit log).
2. Use the Filters section on the side of the page to create a filter for the event (ex. users downloading files). That will give you details, including the user’s name, IP address, exact date, and more.
3. You can also use GAT+ to view  Event Activity on Files, Folders or Shared Drives Across Google Drive.

You may also want to disable downloading, printing and copying  of Drive files containing sensitive information that you don’t want to be shared broadly or leaked.

Also, don’t forget to audit linked Google Drive Apps, they’re another backdoor from which sensitive Drive data can get leaked.

 

7. Google Groups and Drive

Now let’s dig a little into Google Groups.

While Groups allow users to share content more efficiently and collaborate better, there are a few things you need to look after to ensure better Google Drive management:

1. Identify External Members within Google Groups

Drive vulnerabilities can be introduced when a Group has many or one EXTERNAL member. Therefore, you need to audit your groups and investigate whether these members should still be present.

(To do that using GAT+ simply follow these steps.)

2. Tweak Access rights

Say you want to share a file with a group without giving all group members the same access permission to shared files? Easy, break those permissions up by creating different groups with different permissions. 

Example: Create a group of beta readers, a group of editors, and a group of proof-readers. Assign the beta readers ‘viewing-only’ rights, the editors ‘editing rights’, and the proof-readers ‘commenting’ rights.

This will give you more control over who can do what with the collaboration file/folder.

 

8. Target Audience

Target audiences are another way to control users’ Drive file sharing within your organization – or sharing directly between users or within groups.

They can improve the security and privacy of your Drive data using admin-recommended audiences, while making it easier for users to share appropriately.

Target Audience VS Groups

You might be wondering, so what’s the difference between Groups and Target Audience then?

Unlike groups, target audiences can’t be used for any other purposes, such as mailing lists, forums, or configuring access to services.

Target audiences can only be used as sharing options in users’ sharing settings for a Google service (for example, link-sharing options for Drive). 

You can’t use target audiences as members of other groups or target audiences. You also can’t specify owners and set group access options directly for target audiences.

HOWEVER, target audiences have benefits over regular groups for sharing with broad audiences — Below are a few examples for Google Drive management:

• Limiting link-sharing to employees only.
• Deploying target audiences across multiple Google Workspace accounts.
• Recommending progressively broader link-sharing options.
• Deploying target audiences according to your organization’s hierarchy.
• Recommending how broadly to link-share across multiple secondary domains.

Note: Target audiences are currently available only for Google Drive and Docs. 

Checkout Google’s recommended best practices for deploying target audiences.

 

9. Data Loss Prevention (DLP) Alerting

You know the expression ‘saved by the bell’ — that’s exactly what DLP alerting does.

Make sure your DLP alerts are configured correctly, that will save you a lot of time and stress.

Google’s data loss prevention (DLP) allows you to create and apply rules to control Drive content that users share outside your organization. 

What kind of Drive DLP rules should you set?

You want to set DLP rules for sensitive Drive information you don’t want shared outside your organization, such as:

1. Social Security numbers (SSNs) and Credit Card details.
2. Sensitive data, such as internal project names, employee details, Employer Identification Number (EIN), etc.
3. Other personally identifiable information (PII).

Once you create rules for such information, DLP enforces those rules and violations trigger actions, such as alerts. 

Use Google Drive DLP to:

1. Audit the usage of sensitive content in Drive. 
2. Warn end users not to share sensitive content outside your  domain.
3. Prevent sharing of sensitive data with external users.
4. Alert admins or other users on policy violations or DLP incidents.
5. Investigate an incident with information on the policy violation.

*Currently, DLP rules can be found in the Admin console under Security> Data protection*

How to set Drive DLP rules?

1. For Enterprise; Enterprise for Education editions, you can scan and protect Drive files using DLP rules, covering Google Sheets, Docs and Slides. Read more.
2. You can also set up more granular Drive DLP alerts, including Regex Alert Rules, for files shared outside your organisation using GAT+.

Note: As of March 2021, Google started providing recommended data loss prevention (DLP) rules personalized for each organization. These can help up your DLP rules game by knowing where necessary adjustments or additional investigation is needed.

 

10. Google Drive Data Compliance and GDPR

When speaking of Data Loss Prevention (DLP) our minds must always go to data compliance.

Ever since the introduction of GDPR and CCPA in 2018 the way we process and share data has never been the same, no matter what industry you work in. These regulations are also complex and impact every sector of the economy.

With Drive being your company’s main data storage and collaboration space, you want to make sure these regulations are well-observed (and enforced) throughout your Drive operations.

The best way to do this is by getting granular and looking into CONTENT, which is where creating predefined content detectors comes in.

A Comprehensive Drive Data Compliance approach requires:

1. Proper workflows to ensure only approved access to sensitive and protected content.
2. Real-time content monitoring of all sensitive information being typed, copied or pasted anywhere in your Google Workspace environment.

Looking for a Complete Data compliance solution for your domain? — Checkout GAT Lab’s powerful Google Workspace GDPR Compliance capabilities.

 

BONUS: User onboarding and offboarding in Drive

User onboarding and offboarding is usually not a big Google Drive management issue when you’ve got just a few people leaving and joining your organisation every year.

But when you have dozens of departing employees and new joiners across different departments, it can be challenging to manage the drive onboarding and offboarding operations of such a large number.

What are the documents involved? Which documents are sensitive or important? How do you transfer file Ownership of suspended users? — the list is long and can get quite repetitive and time consuming if you observe the many ins and outs required  for every department or OU.

How to Safely Offboarding Google Workspace users?

They say ‘Watch out for angry leavers’! — We say ‘Watch out for ALL leavers’, especially when it comes to Google Drive.

One of the most important Google Drive management practices you’ll want to adopt is deploying a bullet-proof offboarding process for leavers. Here’s why:

1. Suspended accounts of leavers can result in the loss of important data. This is a common DLP scenario.
   Also, wrongfully suspended accounts typically cause approximately 70% of data availability issues.
2. You need to ensure that leavers can no longer access important corporate Drive resources once they leave.
   This can bring in significant DLP hazards, especially if they choose to act on it in malicious ways.
   
   

Automating Users’ Onboarding and Offboarding:

As an admin you need a standard process for onboarding and offboarding users across different OUs. 

Some admins carry this process out manually, which can be messy and time consuming. Other admins use scripts to automate the process (a few of them are available on GitHub). 

However, DIY and manual approaches often result in data loss and business interruptions when the data archival and forwarding steps don’t happen on time — That’s where an onboarding/ offboarding tool can significantly help.

---

GAT Labs for Google Drive Management 

As an admin, Google Drive management can be one of those nagging and painful tasks  — there’s a lot of administrative effort needed there to feel fully in control of your Drive management game. 

HOWEVER, putting proactive measures in places like monitoring and automation can relieve a bulk of that stress and offer you peace of mind when it comes to securing the areas that matter the most.

1. Replace current sharing permissions on your Google Drive files.
2. Removing all permissions on Google Drive shares with an exception of a single user.
3. Find publicly shared Google files.
4. Search for specific File types in your domain and change their ownership in Google Drive.
5. Manage files owned by leaving users easily.
6. Remove All permissions to all sensitive folders and their sub-folders.
7. Understand Google Group activity email and file sharing.
8. Remove external shares when files haven’t been accessed for a certain number of days.
9. Prevent MP3 files and other file types from being downloaded.
10. Detect a sharing Policy Violation in Google Drive.

 

Well, That’s it for your Google Drive Management Playbook. We hope you have found it helpful.

Have a specific Google Drive management question that we didn’t cover in this guide? Send it over to our experts at hello@gatlabs.com— We’ll be happy to help you out.