Google Workspace Security: Drive, Gmail, Calendar and more…
Google Workspace (formerly G Suite and Google Apps) is one of the most powerful cloud collaboration and productivity tool sets today, with 3 billion users worldwide.
Of course, with great power comes great responsibility — and that’s where Google Workspace admins and super admins arrive.
Admins are responsible for ensuring users can easily and securely collaborate everyday in Google Workspace.
With so many features and possibilities, a small Google Workspace misconfiguration can mean big security concerns for a company.
In this guide we’ll go through each area of your Google Workspace suite and provide effective tips on how to best secure it all the way through.
GOAL: A bullet-proof Google Workspace security strategy that protects your domain from the inside out. |
How to make Google Workspace (G Suite) more secure?
Start by identifying the security risks associated with using Google Workspace at your organisation. This depends on your organisation’s size, industry, compliance requirements, etc.
For instance, do users normally share files externally? Do they save and process private data in Google Drive? Work remotely? Do you need to comply with HIPAA, PCI-DSS, GDPR or SOX? etc.
From there you can see which areas require the most attention and build your Google Workspace security strategy accordingly.
How to secure Google Drive?
If most of your organisation’s file collaboration happens in Google Drive, then special admin attention needs to be paid to the below areas.
Secure Drive File Sharing (and remediation)
It’s important to understand what your users are sharing outside your domain, as well as what’s being shared into (and within) your domain.
From there, you can take any necessary file remediation actions like replace or remove external file shares for violations.
The file sharing Exposure report in your admin console is a good place to start.
You can also use a third party tool like GAT+ to automate Drive audits, set up file sharing policies, real-time alerts and dig beyond the admin console.
Manage Drive File Ownership
File ownership is one of the most common causes behind Drive file recovery puzzles like orphaned files and permanent deletions of important files.
That’s why it’s important to secure this area and transfer file ownership to the right users accordingly.
See: Manage Google Drive File Ownership like a Security PRO
Deploy Google Drive Data Loss Prevention (DLP)
DLP ensures that sensitive Drive data is not lost, misused, or accessed by unauthorised parties.
This can be achieved using DLP policies, user behaviour alert rules, and closely auditing your Drive activities as discussed above.
To get a general sense of your Drive DLP operations check the DLP incidents report in your admin console.
From there you can identify what actions need to be taken to secure sensitive files. For instance, you can create a sharing policy for any given file or folder to restrict access to certain users only and automatically remove external shares.
Remember, DLP is crucial when working in shared Drives where there are usually multiple collaborators working on files.
See our 6 Google Drive Data Loss Prevention Practices for the full Drive DLP scoop.
Audit Google Drive Downloads
Drive data can also get leaked or transferred via downloading, copying and printing activities.
To look after this bit Audit Event Activity that includes download, print and related actions in the admin console.
You may also disable downloading, printing and copying of Drive files containing sensitive information.
See: The Admin’s Google Drive Management Playbook
How to secure Gmail?
Now let’s look at the type of cyberthreats that can target your domain users via Gmail.
Secure Gmail Against Phishing
Phishing is one of the most common cybersecurity threats organisations face today — whereby 96% of phishing attacks arrive by email.
Poor security practices and lack of user phishing awareness make users more vulnerable to email phishing.
See: 6 Ways Google Admins can Increase Gmail Security Against Phishing
Review Email Auto-forwarding
Suspicious email auto-forwarding activity is an important Gmail security red flag to keep an eye on.
That’s because, if an account is compromised (via phishing or credential theft), threat actors commonly enable auto-forwarding on the mailbox to an external account.
They can then send spear phishing messages to other users, access and/or leak sensitive data, or spoof emails to re-route payments to bank accounts.
Gmail auto-forwarding can also be a sign of an internal DLP threat, whereby a user can be leaking out private company data to a personal account.
One simple way to secure your domain against these threats is to disable external Gmail auto-forwarding for your users.
Find and Delete Spam, Inappropriate or Accidental Emails for Users
Filtering and deleting risky emails from users’ inbox has become a Gmail security priority.
Whether it’s an email accidentally sent to the wrong user or group, an email that contains inappropriate or sensitive content, or a phishing email that got through.
SEE: How to delete Phishing, Spam or inappropriate emails from users’ inboxes using GAT+
Turn on Gmail DLP
Gmail DLP uses predefined content detectors to scan inbound or outbound email for sensitive data (such as credit card numbers, SSNs, or passport numbers).
That way you can detect sensitive data and private information and keep it from leaking outside your organisation via Gmail.
Read more on creating a DLP setting with predefined content detectors using the admin console here.
Set up Gmail Alert Rules
Finally, Gmail alerts rules can be your first whistle-blowers of malicious activity.
For instance, an alert on external email auto-forwarding or a large number of external emails sent within a 24-hr period can be a sign of DLP or a compromised account.
How to secure Google Calendar?
You need to audit the security and exposure of your users’ calendars.
That’s because hackers have been using malicious Google Calendar invites and exploiting public Calendars to compromise companies’ cybersecurity.
The problem with Public Google Calendars:
Calendars can include sensitive information such as meeting notes, slides, personal or customer information, etc.
When a user sets their Calendar to “public” and enables “can see all event details”, it can be found by anyone (including via Google search). This, in return, can lead to company information being leaked.
Phishing Links in Google Calendars:
Google Calendar phishing is hard to detect because the entries and notifications come from a trusted source, Google Calendar.
Hackers add phishing links to fake events that prompt users to divulge private information, enter bank details, login credentials, etc.
To secure your Google Workspace domain against Calendar threats we recommend:
- Restrict how much Calendar information users can share externally.
- You can also turn off public Calendar sharing for your domain, and ask users to use tools like Calendly instead.
Also, make sure users:
- Exercise extra vigilance with how they share work calendars.
- Turn off the Google Calendar feature that automatically adds invitations to Calendars.
- Be mindful of the Calendar invites they accept.
- Refrain from adding private or sensitive information to Google Calendars.
Remember, Google Calendar auditing is an important part of your Google Workspace security strategy.
How to secure Google Meet?
Google Meet is one of the most secure video conferencing tools today with approximately 100M active participants per day.
As an Admin, there are a few things you can do to make your organisation’s Google Meet activities more secure:
Audit Google Meet Activity
This is a good way to get an overall sense of your users’ virtual operations, as well as stay on top of any related insider threats.
Turn Google Meet recording on/off wisely
Turn meeting recording on recording for very specific accounts and always be aware of which meetings are being recorded.
Remember, as an admin you can run searches related to Meet recordings in Drive log events.
See: 6 Tips to Make Google Meet Meetings More Secure
How to secure Google Chat?
Google Chat uses Transport Layer Security (TLS) and Chat content protection, which makes it safer than many Chat applications today.
However, given its wide adoption by users for everyday communication, you can make Google Chat more secure using a few simple practices:
Google Chat auditing
Google Chat auditing should be an indispensable part of your Google Workspace strategy.
Set up a Warning alert for External Chat
This will notify users when they’re chatting with users outside your organisation to make sure they’re more vigilant.
You can set it up from here.
Also, ensure users are not signed into Google Chat from public or unsecure devices.
How to secure Google Groups?
Google Groups make content sharing faster and easier, which makes reviewing Group access essential for safer collaboration there.
Identify External Members in Google Groups
Groups with one (or many) external members can bring in Drive security vulnerabilities. Make sure to carefully audit your groups and review whether all members should still be there.
(You can easily do that with GAT+ by following these steps)
Tweak Group Access rights
Share sensitive files with a group without giving all group members the same access permission to shared files.
This can be done by breaking those permissions up through creating different groups with different permissions.
Audit Google Group Activity
Review Groups log events from your Google Workspace admin console to track changes to groups, group memberships, and group messages.
You can also use a third party tool to find and delete inactive groups for additional security.
How to secure Google Workspace identity management?
Deploying strong user identity authentication methods (while ensuring log-in ease) is literally like securing the front doors of your organisation.
Only authorised personnel are allowed in. And of course, these are the first doors hackers will attempt.
Enable 2-Step verification (2FA)
As credential theft becomes more common, 2FA provides an additional layer of login security, especially for more ‘at-risk’ users.
Combine 2FA with a managed company phone for better protection.
Consider Zero Trust authentication methods
Zero Trust authentication extends the user identity verification process from being a ‘once at login’ act, to an ongoing event as users work.
Usually based on biometric verification, it’s impossible for hackers to get past Zero Trust verification methods, even if they steal a users’ login credentials or manage to disable 2FA.
Use Security Keys
If you’re looking for a more ‘physical’ method to ensure additional login security, checkout Google’s Security Keys. Prices start at $6 per key and there are different options to choose from.
Audit failed log-in attempts
Always check your Login attempts report and review the Login audit log.
SEE: 8 Google Workspace User Password Security Practices for Admins
How to secure Google Workspace against Third Party Apps?
Third party apps can open up a backdoor for hackers to exploit and access your domain data.
That’s because some apps involve risky access permissions into a user’s domain or sensitive data.
Before granting such permissions users need to ask themselves whether an app really needs that much access into their account.
Audit and manage access to third-party Apps in Google Workspace:
- View Apps installed by users and review their permissions.
- Ban risky third party apps in real-time.
- Define which apps can access Google Workspace data.
You can also set policies for apps running in your domain using a
third party Google Workspace security tool like GAT+.
How to secure devices in Google Workspace?
Using unsecured devices can also bring in multiple security hazards and allow intruders into your domain.
That’s why you need to audit and secure the devices users use to access their Google Workspace accounts. That includes mobile devices and other company or personal devices.
Make sure to:
- Review synced devices from the admin console.
- Set up advanced mobile management.
How to protect PII in Google Workspace?
Enterprises today are required to have appropriate technical and organisational measures in place to protect personally identifiable information (PII).
That’s why restricting access to certain Google Workspace features or Drive files to specific employees with ‘’the need to know’’ can be essential.
A few ways to protect PII in Google Workspace:
|
Remember, timely detection and response are crucial to protecting PII and preventing more damage.
See: 6 Ways to Improve HR Data Privacy Compliance in Google Workspace
How to secure user offboarding in Google Workspace?
User Offboarding is an important part of any Google Workspace security strategy because of the security implications it involves.
Think of potential angry leavers and data protection obligations.
To safely offboard departing Google workspace users you need to have a comprehensive process in place. Checkout our recommended 5-step workflow below:
Read our post Safely Offboard Google Workspace Users Leaving your Company in 5 Steps for the FULL scoop.
How to secure Remote Work in Google Workspace?
Remote and hybrid work practices have become a big part of the way we work in the post-pandemic world.
And while these flexible work models provide amazing perks, new security vulnerabilities and requirements emerge every day.
To make remote work security checks more organised we’ve created a map of the most important areas to audit (and secure) in your Google admin console.
SEE: Remote Work Security in Google Workspace: 5 Admin Console Areas to Check
FINALLY, EXPLORE GOOGLE WORKSPACE ENRYPTION AND DATA BACKUP METHODS
Google Workspace now offers Client-side encryption across Gmail, Meet, and Calendar.
This can help you strengthen the confidentiality of sensitive data while addressing a broad range of data security and compliance needs in Google Workspace.
Also, don’t forget to develop a Data backup plan for important areas of your Google Workspace domain.
This can be done using Google Vault, Google Workspace backup tools or an external company drive stored in a safe place.
Closing thoughts
Building a bullet-proof Google Workspace security strategy requires some foundational administrative groundwork at first.
From setting up the right DLP policies and alerts, to enforcing user log-in security measures and restricting access to certain files and features — there are a few essential bricks there.
However, once you identify and secure the right areas, your day-to-day admin operations will run smoother and you’ll be able optimise admin time and effort.
Google Workspace is your virtual office space, so don’t skimp on securing it.
Looking for more content on Google Workspace Security? — Checkout our 10 Google Workspace Security Practices of World-Class Admins.
Stay in the loop
Sign up to our newsletter to get notified whenever a freshly baked blog post is out of our content oven.