Enterprise Solutions [Go to GAT Labs for Education solutions here]

Google Workspace Security: The Admin’s Complete Guide

Google Workspace Security guide for admins

See GAT Labs
in action

Table of Contents

Google Workspace Security: Drive, Gmail, Calendar and more…

Google Workspace (formerly G Suite and Google Apps) is one of the most powerful cloud collaboration and productivity tool sets today, with 3 billion users worldwide.

Of course, with great power comes great responsibility — and that’s where Google Workspace admins and super admins arrive. 

Admins are responsible for ensuring users can easily and securely collaborate everyday in Google Workspace.

With so many features and possibilities, a small Google Workspace misconfiguration can mean big security concerns for a company.

In this guide we’ll go through each area of your Google Workspace suite and provide effective tips on how to best secure it all the way through.

GOAL: A bullet-proof Google Workspace security strategy that protects your domain from the inside out.


How to make Google Workspace (G Suite) more secure?

Google Workspace security

Start by identifying the security risks associated with using Google Workspace at your organisation. This depends on your organisation’s size, industry, compliance requirements, etc.

For instance, do users normally share files externally? Do they save and process private data in Google Drive? Work remotely? Do you need to comply with HIPAA, PCI-DSS, GDPR or SOX?  etc.

From there you can see which areas require the most attention and build your Google Workspace security strategy accordingly.


How to secure Google Drive?

How to secure Google Drive

If most of your organisation’s file collaboration happens in Google Drive, then special admin attention needs to be paid to the below areas.

Secure Drive File Sharing (and remediation)

It’s important to understand what your users are sharing outside your domain, as well as what’s being shared into (and within) your domain.

From there, you can take any necessary file remediation actions like replace or remove external file shares for violations.

The file sharing Exposure report in your admin console is a good place to start.

You can also use a third party tool like GAT+ to automate Drive audits, set up file sharing policies, real-time alerts and dig beyond the admin console.

Manage Drive File Ownership

File ownership is one of the most common causes behind Drive file recovery puzzles like orphaned files and permanent deletions of important files.

That’s why it’s important to secure this area and transfer file ownership to the right users accordingly.

See: Manage Google Drive File Ownership like a Security PRO

Deploy Google Drive Data Loss Prevention (DLP)

DLP ensures that sensitive Drive data is not lost, misused, or accessed by unauthorised parties.

This can be achieved using DLP policies, user behaviour alert rules, and closely auditing your Drive activities as discussed above.

To get a general sense of your Drive DLP operations check the DLP incidents report in your admin console.

From there you can identify what actions need to be taken to secure sensitive files. For instance, you can create a sharing policy for any given file or folder to restrict access to certain users only and automatically remove external shares.

Remember, DLP is crucial when working in shared Drives where there are usually multiple collaborators working on files.

See our 6 Google Drive Data Loss Prevention Practices for the full Drive DLP scoop.

Audit Google Drive Downloads

Drive data can also get leaked or transferred via downloading, copying and printing activities.

To look after this bit Audit Event Activity that includes download, print and related actions in the admin console.

You may also disable downloading, printing and copying of Drive files containing sensitive information.

See: The Admin’s Google Drive Management Playbook


How to secure Gmail?

How to secure Gmail?

Now let’s look at the type of cyberthreats that can target your domain users via Gmail.

Secure Gmail Against Phishing

Phishing is one of the most common cybersecurity threats organisations face today — whereby 96% of phishing attacks arrive by email. 

Poor security practices and lack of user phishing awareness make users more vulnerable to email phishing.

See: 6 Ways Google Admins can Increase Gmail Security Against Phishing

Review Email Auto-forwarding

Suspicious email auto-forwarding activity is an important Gmail security red flag to keep an eye on. 

That’s because, if an account is compromised (via phishing or credential theft), threat actors commonly enable auto-forwarding on the mailbox to an external account.

They can then send spear phishing messages to other users, access and/or leak sensitive data, or spoof emails to re-route payments to bank accounts.

Gmail auto-forwarding can also be a sign of an internal DLP threat, whereby a user can be leaking out private company data to a personal account.

One simple way to secure your domain against these threats is to disable external Gmail auto-forwarding for your users.

Find and Delete Spam, Inappropriate or Accidental Emails for Users

Filtering and deleting risky emails from users’ inbox has become a Gmail security priority.

Whether it’s an email accidentally sent to the wrong user or group, an email that contains inappropriate or sensitive content, or a phishing email that got through.

SEE: How to delete Phishing, Spam or inappropriate emails from users’ inboxes using GAT+

Turn on Gmail DLP

Gmail DLP uses predefined content detectors to scan inbound or outbound email for sensitive data (such as credit card numbers, SSNs, or passport numbers).

That way you can detect sensitive data and private information and keep it from leaking outside your organisation via Gmail.

Read more on creating a DLP setting with predefined content detectors using the admin console here.

Set up Gmail Alert Rules

Finally, Gmail alerts rules can be your first whistle-blowers of malicious activity. 

For instance, an alert on external email auto-forwarding or a large number of external emails sent within a 24-hr period can be a sign of DLP or a compromised account


How to secure Google Calendar?

How to secure Google Calendar?

You need to audit the security and exposure of your users’ calendars.

That’s because hackers have been using malicious Google Calendar invites and exploiting public Calendars to compromise companies’ cybersecurity.

The problem with Public Google Calendars:

Calendars can include sensitive information such as meeting notes, slides, personal or customer information, etc.

When a user sets their Calendar to “public” and enables “can see all event details”, it can be found by anyone (including via Google search). This, in return, can lead to company information being leaked.

Phishing Links in Google Calendars:

Google Calendar phishing is hard to detect because the entries and notifications come from a trusted source, Google Calendar.

Hackers add phishing links to fake events that prompt users to divulge private information, enter bank details, login credentials, etc.

To secure your Google Workspace domain against Calendar threats we recommend:

Also, make sure users:

  • Exercise extra vigilance with how they share work calendars.
  • Turn off the Google Calendar feature that automatically adds invitations to Calendars.
  • Be mindful of the Calendar invites they accept.
  • Refrain from adding private or sensitive information to Google Calendars.

Remember, Google Calendar auditing is an important part of your Google Workspace security strategy.


How to secure Google Meet?

How to secure Google Meet?

Google Meet is one of the most secure video conferencing tools today with approximately 100M active participants per day.

As an Admin, there are a few things you can do to make your organisation’s Google Meet activities more secure:

Audit Google Meet Activity

This is a good way to get an overall sense of your users’ virtual operations, as well as stay on top of any related insider threats.

Turn Google Meet recording on/off wisely

Turn meeting recording on recording for very specific accounts and always be aware of which meetings are being recorded.

Remember, as an admin you can run searches related to Meet recordings in Drive log events.

See: 6 Tips to Make Google Meet Meetings More Secure


How to secure Google Chat?

How to secure Google Chat?

Google Chat uses Transport Layer Security (TLS) and Chat content protection, which makes it safer than many Chat applications today.

However, given its wide adoption by users for everyday communication, you can make Google Chat more secure using a few simple practices:

Google Chat auditing

Google Chat auditing should be an indispensable part of your Google Workspace strategy.

Set up a Warning alert for External Chat

This will notify users when they’re chatting with users outside your organisation to make sure they’re more vigilant.

You can set it up from here.

Also, ensure users are not signed into Google Chat from public or unsecure devices.


How to secure Google Groups?

How to secure Google Groups?

Google Groups make content sharing faster and easier, which makes reviewing Group access essential for safer collaboration there.

Identify External Members in Google Groups

Groups with one (or many) external members can bring in Drive security vulnerabilities. Make sure to carefully audit your groups and review whether all members should still be there.

(You can easily do that with GAT+  by following these steps)

Tweak Group Access rights

Share sensitive files with a group without giving all group members the same access permission to shared files. 

This can be done by breaking those permissions up through creating different groups with different permissions. 

Audit Google Group Activity

Review Groups log events from your Google Workspace admin console to track changes to groups, group memberships, and group messages.

You can also use a third party tool to find and delete inactive groups for additional security.


How to secure Google Workspace identity management?

How to secure Google Workspace identity management

Deploying strong user identity authentication methods (while ensuring log-in ease) is literally like securing the front doors of your organisation. 

Only authorised personnel are allowed in. And of course, these are the first doors hackers will attempt.

Enable 2-Step verification (2FA)

 As credential theft becomes more common, 2FA provides an additional layer of login security, especially for more ‘at-risk’ users.

Combine 2FA with a managed company phone for better protection.

Consider Zero Trust authentication methods

Zero Trust authentication extends the user identity verification process from being a ‘once at login’ act, to an ongoing event as users work.

Usually based on biometric verification, it’s impossible for hackers to get past Zero Trust verification methods, even if they steal a users’ login credentials or manage to disable 2FA.

Use Security Keys

 If you’re looking for a more ‘physical’ method to ensure additional login security, checkout Google’s Security Keys. Prices start at $6 per key and there are different options to choose from.

Audit failed log-in attempts

 Always check your Login attempts report and review the Login audit log.

SEE: 8 Google Workspace User Password Security Practices for Admins


How to secure Google Workspace against Third Party Apps?

Third party apps can open up a backdoor for hackers to exploit and access your domain data.

That’s because some apps involve risky access permissions into a user’s domain or sensitive data.

Before granting such permissions users need to ask themselves whether an app really needs that much access into their account.

Audit and manage access to third-party Apps in Google Workspace:

  • View Apps installed by users and review their permissions.
  • Ban risky third party apps in real-time.
  • Define which apps can access Google Workspace data.
You can also set policies for apps running in your domain using a 
third party Google Workspace security tool like GAT+.


How to secure devices in Google Workspace?

Using unsecured devices can also bring in multiple security hazards  and allow intruders into your domain.

That’s why you need to audit and secure the devices users use to access their Google Workspace accounts. That includes mobile devices and other company or personal devices.

Make sure to:


How to protect PII in Google Workspace?

Enterprises today are required to have appropriate technical and organisational measures in place to protect personally identifiable information (PII).

That’s why restricting access to certain Google Workspace features or Drive files to specific employees with ‘’the need to know’’ can be essential.

A few ways to protect PII in Google Workspace:

  • Apply ‘Role-based’ access controls: Create different OUs to separate users who manage PII and users who don’t.
  • Deploy time-out access to documents including PII.
  • Review the file sharing exposure of files that contain PII (and audit how they’re being shared across your domain).
  • Make sure your DLP alert rules and policies cover the type(s) of PII your company gathers and processes.
  • Use Google Vault retention policies to determine how long PII files should be retained.

Remember, timely detection and response are crucial to protecting PII and preventing more damage.

See: 6 Ways to Improve HR Data Privacy Compliance in Google Workspace


How to secure user offboarding in Google Workspace?

User Offboarding is an important part of any Google Workspace security strategy because of the security implications it involves. 

Think of potential angry leavers and data protection obligations.

To safely offboard departing Google workspace users you need to have a comprehensive process in place. Checkout our recommended 5-step workflow below:

Read our post Safely Offboard Google Workspace Users Leaving your Company in 5 Steps for the FULL scoop.


How to secure Remote Work in Google Workspace?

Remote and hybrid work practices have become a big part of the way we work in the post-pandemic world. 

And while these flexible work models provide amazing perks, new security vulnerabilities and requirements emerge every day.

To make remote work security checks more organised we’ve created a map of the most important areas to audit (and secure) in your Google admin console.

SEE: Remote Work Security in Google Workspace: 5 Admin Console Areas to Check



Google Workspace now offers Client-side encryption across Gmail, Meet, and Calendar.

This can help you strengthen the confidentiality of sensitive data while addressing a broad range of data security and compliance needs in Google Workspace.

Also, don’t forget to develop a Data backup plan for important areas of your Google Workspace domain.

This can be done using Google Vault, Google Workspace backup tools or an external company drive stored in a safe place.


Closing thoughts

Building a bullet-proof Google Workspace security strategy requires some foundational administrative groundwork at first. 

From setting up the right DLP policies and alerts, to enforcing user log-in security measures and restricting access to certain files and features — there are a few essential bricks there.

However, once you identify and secure the right areas, your day-to-day admin operations will run smoother and you’ll be able optimise admin time and effort.

Google Workspace is your virtual office space, so don’t skimp on securing it.


Looking for more content on Google Workspace Security? — Checkout our 10 Google Workspace Security Practices of World-Class Admins.


Stay in the loop

Sign up to our newsletter to get notified whenever a freshly baked blog post is out of our content oven.

Don´t miss any updates!

Enter your email address to be kept up to date with content that helps you manage, audit and secure your entire Google Domain.