Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Google Drive Security Best Practices

Google Drive has become an invaluable data storage facility for many organizations, as it enables employees to collaborate on projects, regardless of where they are located in the world.

Is It Safe to Store Sensitive Files in Google Drive?

Over the years, Google has experienced various security breaches, such as the leakage of millions of Gmail account passwords in 2014 and a bug in the Google+ API that exposed user data in 2018. Additionally, hackers employ scams like creating fake Google Drive websites, embedding malware in files, and leaving comments with phishing links, all of which aim to obtain account credentials. Once hackers have access to an account, there’s no telling what damage they can do. However, provided you take the necessary precautions (as listed below), it is safe to store sensitive files on Google Drive.

What Encryption Measures Does Google Employ?

Google Drive uses strong encryption measures to protect files during transmission and storage. It employs 256-bit SSL/TLS encryption when files are being uploaded or downloaded, and 128-bit AES keys for files at rest. This ensures high levels of security. However, Google Drive uses server-side encryption, meaning that the decryption keys are managed by Google. While Google does offer options for customer-managed encryption keys, it is recommended to implement additional encryption methods, particularly if dealing with confidential information.

Best Practices for Google Drive Security

If you use Google Drive for storing valuable data, you will naturally want to keep it secure. Let’s explore some common ways to enhance the security of Google Drive and prevent any unauthorized access to your files.

Use Strong and Unique Passwords

To ensure the safety of your files stored in Google’s encrypted servers, it is crucial to focus on protecting your account. One way to do this is by using a strong password, which should include a combination of letters, numbers, and symbols. Additionally, it is recommended to make your password at least 12 characters long to enhance its strength. Avoid using personal information or common words when creating a password.

Use Two-Factor Authentication

There are many different ways that an attacker can steal your credentials, including brute force attacks, social engineering and keylogging. In many cases, people use the same credentials on multiple platforms. Were an attacker to gain access to those credentials, they would likely try to use them to gain access to other accounts that use the same credentials.

Two-factor authentication is more robust than the standard username and password approach, as it includes additional factors, such as something you have or something you are. To set up 2FA on your Google Drive account, you will need to log in to your Google Account, select Security from the navigation panel, and then under Signing in to Google, select 2-Step Verification, and follow the steps.

Once set up, you will be asked to enter a code in addition to your username and password, which Google will send to your phone via text message.

Encrypt Your Data before Transfer

As mentioned, Google takes security very seriously. For example, when they store your data, the data itself is broken up into chunks and spread across multiple data centres around the world. Each chunk is encrypted with its own key, which means that in the unlikely event that an attacker manages to get access to your Google Drive account, they would need all of the decryption keys to fully retrieve the data.

Google Drive provides 256-bit SSL/TLS encryption for files in transit, which includes uploading, downloading, or accessing the files, and 128-bit AES keys for files at rest. This is great; however, the problem is that Google owns the decryption keys.

In most cases, this is not a problem, but if you are storing large amounts of sensitive data, you will probably want an additional layer of protection. Not only that, but Google obviously cannot provide an encryption service for files that are transferred from your local network or device to Google Drive.

This opens up a large security risk, as hackers are often looking to intercept files in transit. In that case, you will need to ensure that your files are encrypted before they are uploaded to Google Drive. This may seem like a lot of unnecessary hassle; however, third-party tools such as Boxcryptor or Cryptomator can streamline the process, providing all the benefits of data encryption with minimal effort.
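What encrypting before upload means in practice, as an added example that is not from the original article and is not how Boxcryptor or Cryptomator are implemented. It assumes the third-party `cryptography` package is installed; the `GDENC1` tag and the function names are made up for this example.

```python
import hashlib
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"GDENC1"  # constructed format tag for this example, not a standard
SALT_LEN, NONCE_LEN = 16, 12
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def derive_key(passphrase, salt):
    """Stretch the passphrase into a 256-bit key with scrypt."""
    return hashlib.scrypt(passphrase.encode(), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def encrypt_blob(plaintext, passphrase):
    """Return MAGIC | salt | nonce | AES-256-GCM ciphertext and tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    header = MAGIC + salt + nonce
    # The header is passed as associated data, so changes to it are detected.
    key = derive_key(passphrase, salt)
    return header + AESGCM(key).encrypt(nonce, plaintext, header)


def decrypt_blob(blob, passphrase):
    """Verify and decrypt; raises InvalidTag on tampering or a wrong passphrase."""
    header, ciphertext = blob[:HEADER_LEN], blob[HEADER_LEN:]
    if not header.startswith(MAGIC):
        raise ValueError("not a blob produced by encrypt_blob")
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    return AESGCM(derive_key(passphrase, salt)).decrypt(nonce, ciphertext, header)


def encrypt_file(src, dst, passphrase):
    """Encrypt src locally; only dst should be placed in the Drive sync folder."""
    with open(src, "rb") as fh:
        data = fh.read()
    with open(dst, "wb") as fh:
        fh.write(encrypt_blob(data, passphrase))
```

The key never leaves the device, so Google stores only ciphertext; losing the passphrase means losing the file.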

Discover and Classify Your Sensitive Data

The data that organizations store on Google Drive is unstructured, meaning it doesn’t fit in a traditional relational database. Examples of unstructured data include photos, videos, mp3s, spreadsheets, Word documents, PowerPoint presentations, and so on.

The problem with unstructured data is that it is not easy to identify which files contain sensitive data within them. To help with this, there are solutions available that scan your unstructured data for sensitive data and classify the data accordingly.

They can automatically identify a wide range of data types, such as PII, PHI, PCI, IP and so on. Knowing exactly what data you have, where it is located, and how sensitive the data is, will help you make a better decision about whether you should store the data in the cloud, and the level of encryption that is required if you do.

In most cases, it wouldn’t be a good idea to store customers’ credit card numbers on Google Drive. If you really need to do this, make sure that you have a very robust encryption strategy in place.

Use Endpoint Management in G Suite

Organizations that have upgraded to G Suite Basic will have access to endpoint management tools, which come with a centralized dashboard to help organizations manage which devices have access to company data.

You can set password requirements for managed mobile devices, wipe a user’s account from a mobile device and manage apps for Android devices. You can also control which laptops and desktops can access your organization’s data and get details about those devices. You can block devices, sign them out remotely, require screen locks, and keep track of who is logging in, from where and when, and what they are doing.

Naturally, it is a good idea to have as much control as possible over which devices can access your sensitive data, and how.

Choose Your Account Recovery Options

If a user accidentally leaves their Google Drive account open, it can be vulnerable to unauthorized access. This can happen if the account is left open on a public computer, if a hacker guesses the password, or if the user leaves their computer unlocked. Thankfully, Google Drive offers account recovery options that allow users to quickly and easily secure their account again. These options include answering security questions, logging in with a mobile phone, or verifying an alternate email address.

Back Up Your Data

Even though many users use Google Drive to back up data from their local hard drive, companies will need to keep regular backups of any business-critical data they store in Google Drive. You can use the Drive File Stream service to automate the backup process, which allows you to sync your local hard drive with Google Drive.

Restrict Access to Your File Shares

To ensure the security of your Google Drive files, it is recommended to only share access with the necessary individuals. When sharing files, you have two options: ‘Restricted’ or ‘Anyone with the link’. If you choose the latter, the person you share the file with can easily share the link with others. To maintain control, it is best to add their email address to the file, restricting their access to only view the file while signed into their Google account, preventing them from spreading the link to others. It’s always a good idea to review your file shares and revoke access when it is no longer required.

Control Permissions to Apps, Services and Data

Regardless of where you store your sensitive data, you should always try to adhere to the principle of least privilege (PoLP), which stipulates that users should be granted the least privileges they need to adequately carry out their role.

As an administrator, it is possible to control which users can access which apps, services and data. Controlling access to files is relatively straightforward. For example, to stop sharing a file with someone, you simply select the file or folder, click the Share icon, select the relevant user, and then remove them from the list.

Likewise, to prevent users from downloading, printing and copying a certain file, you can uncheck the option that says “Viewers and commenters can see the option to download, print, and copy”. You even have the option to set an expiry date of up to one year on file shares.

Watch Out for Suspicious Links or Downloads

It is important to be cautious when browsing the internet and avoid clicking on suspicious links or downloading risky files and programs. Phishing is a significant threat, where cyber criminals attempt to deceive people into sharing sensitive information through fraudulent messages. Offer training to the relevant employees to ensure they know how to identify possible phishing attempts.

Use Endpoint Management Tools

Endpoint management tools offer complete control over all devices that access your Google Drive data. They enable you to enforce screen locks, delete sensitive information, and delete accounts selectively in case of device theft or compromise. Additionally, these tools allow you to instantly block access from desktop sessions. You can also monitor login details, activity logs, and timings to track user actions. Endpoint management aims to safeguard every possible entry point that hackers could exploit to reach your Google Drive data. By using these tools, your data will be better secured, and you can obtain valuable insights for decision-making through monitoring.

Manage & Monitor Google Drive Apps

Google Drive allows for the integration of third-party apps to improve productivity. However, it is crucial to regularly review and manage these linked apps to ensure data security. To do this, access your Google Drive settings, select Manage Apps, and delete any unnecessary apps by choosing Options and Disconnect from Drive.

Don’t Allow Other Editors to Change Permissions

To have full control over the editing rights of your Google Drive files, ensure that others cannot change the permissions and add more editors. Google Drive offers various options for user permissions. For example, you can limit file-sharing to within the organization to prevent outsiders from accessing shared Google Docs by mistake. Additionally, you can restrict access to users belonging to specific domains, adding an extra level of control. As always, it is recommended to implement a least-privilege access approach, where users are only given access to the necessary files, data, and systems required for their job.
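The sharing settings covered in this section and in the file-share and permission sections above can be reviewed in bulk from file metadata. This is an added example, not from the original article: the field names follow the Drive API v3 file and permission resources, while the sample records, `ORG_DOMAIN` and the function names are constructed for illustration.

```python
ORG_DOMAIN = "example.com"  # assumption: the organization's own domain

# Constructed sample shaped like Drive API v3 file resources.
SAMPLE_FILES = [
    {"name": "payroll.xlsx", "writersCanShare": True,
     "copyRequiresWriterPermission": False,
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
         {"type": "anyone", "role": "reader"}]},
    {"name": "roadmap.docx", "writersCanShare": False,
     "copyRequiresWriterPermission": True,
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "pm@example.com"},
         {"type": "user", "role": "writer",
          "emailAddress": "contractor@partner.test"},
         {"type": "user", "role": "reader", "emailAddress": "audit@partner.test",
          "expirationTime": "2030-01-01T00:00:00Z"}]},
]


def audit_file(meta, org_domain=ORG_DOMAIN):
    """Return a list of sharing findings for one file's metadata."""
    findings = []
    for perm in meta.get("permissions", []):
        kind, role = perm["type"], perm["role"]
        if kind == "anyone":
            findings.append("anyone with the link (%s)" % role)
        elif kind == "domain":
            if perm.get("domain", "").lower() != org_domain:
                findings.append("shared with external domain %s" % perm.get("domain"))
        else:  # user or group
            email = perm.get("emailAddress", "")
            external = email.rpartition("@")[2].lower() != org_domain
            if external and "expirationTime" not in perm:
                findings.append("external %s %s has no expiry" % (role, email))
    # A missing flag is treated as the riskier setting so it gets reviewed.
    if meta.get("writersCanShare", True):
        findings.append("editors can change permissions and share")
    if not meta.get("copyRequiresWriterPermission", False):
        findings.append("viewers and commenters can download, print and copy")
    return findings


def audit(files, org_domain=ORG_DOMAIN):
    """Map file name to findings, omitting files with none."""
    report = {f["name"]: audit_file(f, org_domain) for f in files}
    return {name: found for name, found in report.items() if found}
```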

How Lepide Helps Secure Google Drive

The Lepide Data Security Platform can aggregate event data from a variety of cloud platforms, including Google Drive. Via a user-friendly dashboard, you can monitor any changes made to your valuable information and receive real-time notifications when any suspicious activities are detected. Additionally, our integrated data classification feature will thoroughly scan your Google Drive for sensitive data and classify it accordingly. By knowing where your sensitive data is located, you can easily enforce appropriate access controls. Our platform also makes it simple to generate reports that summarize all incidents related to your sensitive data, which can be shared with the relevant authorities to demonstrate compliance. Our software uses machine learning models to establish a baseline of user activity, making it easy to identify any anomalies. It can also identify and respond to events that meet a predefined threshold condition.

If you’d like to see how the Lepide Data Security Platform can help to secure your Google Drive, schedule a demo with one of our engineers.