5 min read
January 10, 2025

Google Workspace Security in 2025: Best Practices to Safeguard Your Data

Over 8 million organizations use Google Workspace as part of their tech stack.

Many of them still rely on native features alone, and those features don't fully protect their sensitive data.

Data loss prevention in 2025 is fragmented, complex, and hard to manage - especially in Google Workspace.

In this post, you'll learn the top 10 Google Workspace security best practices, how to implement them in your environment, and tangible takeaways for reaching a secure SaaS data security posture.

Do Not Allow/Heavily Restrict Public Sharing

The average mid-market company has 35K sensitive assets shared publicly. This number skyrockets in the enterprise.

Be honest: when was the last time you saw a Google Drive file that really, truly needed to be shared publicly so that “anyone with the link can view”?

I can count on one hand the files l’ve seen that match that description: they were all public facing spreadsheet templates that the organization was providing as a public service.

In all other cases, a user who shares their Google Workspace assets publicly is basically saying: “I’m not sure exactly who is going to need access to this file, and I don’t really want to be bothered by share requests... so I’ll just make it publicly accessible; that way I won’t have to think about it anymore.”

Convenient? Definitely.

Secure? Definitely not.

DoControl’s clients, like Unqork, use DoControl’s automated workflows to remove public sharing access as soon as it is granted.

Even if that level of crackdown doesn’t fit your organization, you’ll want to restrict public sharing to what the business actually requires. You might auto-expire public sharing links, for example, or ask end users for the business justification behind each public share.

However you slice it, public sharing increases your organization’s SaaS attack surface and makes it an easy target for phishing and malware, cloud data exfiltration, spam, and supply chain attacks.

Heavily Restrict Organization-Wide Sharing

Organization-wide sharing is not as bad as public sharing, but it’s still often unnecessary. Negative consequences include:

  • Lack of ethical walls
  • Increased insider risk
  • Unintended sensitive data exposure

The risks of data exposure and leakage have only become more relevant, serious, and real-world with the widespread integration of Gemini in Google Workspace.

Gemini, like most generative AI assistants, relies on existing access permissions to decide which data assets it can draw on when answering a user. If a Google Workspace user has access to a sensitive Drive document, Gemini can and will use that document’s content in responses, surfacing sensitive data the user might otherwise never have realized they could access.

Google Workspace security best practices recommend restricting it, but organization-wide sharing is sometimes necessary. Ideally you would have granular access controls that express custom policies and enforce zero trust principles, so that only the people who need a file can reach it, with all of it automated.

Overall, organization-wide sharing shouldn’t be the default sharing option. Users need nuanced DLP policies so that they can collaborate freely without rigid sharing policies blocking productivity.

If using native Google Workspace controls, one approach is to define smaller sharing audiences (departments, sub-departments, role-based groups) based on who logically needs to share information with each other. In Workspace these are configured as target audiences in the Admin console, and link-sharing defaults are set per organizational unit. Make the most limited but logical audience the default link-sharing option rather than the whole organization.


Enable Google AI Data Classification Labels

AI isn’t only a security risk. Some native capabilities within Workspace let teams use it for good, and Google’s AI Data Classification Labels are a prime example.

Once you enable Google Workspace AI Labels (they’re not enabled by default), Google uses AI to automatically suggest labels for your Drive assets (e.g. confidential, sensitive, intellectual property, PII, PCI, PHI). Designated reviewers confirm or correct those labels, which trains the model and improves its accuracy on your data.

Like any AI-based assessment, Google’s AI classification labels aren’t 100% accurate, but we recommend that our clients who use Google Workspace make the AI labels a central part of their security posture. Compared with manual labeling, it’s more accurate, covers more use cases, and requires significantly less maintenance.

Be Aware of What Google DLP Does and Doesn’t Cover

If you augment your Google Workspace security with Google Workspace Data Protection, be aware of its limitations. Even on Workspace Enterprise, Data Protection is limited in the size and type of file content it can handle. For example, it can’t inspect or classify content in audio or video files, or in the comments on documents and spreadsheets. It also scans only the first 1MB of content and classifies the entire asset based on that portion.

Additionally, it takes time (hours to days) to rescan and reclassify all your Drive assets after you update a Data Protection rule. During that window your cloud data is still exposed, but because the rule already exists you may believe it is protected.

Being aware of these limitations is the first critical step in securing Google Workspace. To actually overcome them, you’ll need a third-party solution like DoControl for Google Workspace.

For all the capabilities and limitations on Google's Native DLP, read our full article on what Google DLP does and doesn't cover.
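The 1MB limit above is easy to underestimate, so here is an added example (not Google's scanner, and not DoControl code) that models a classifier which reads only the first 1MB of a file beside one that reads the whole file. The document, the detectors (a simple SSN pattern and a Luhn-checked card-number pattern) and the 1 MiB limit are all constructed assumptions for the demo; Google's real detectors are far richer. The point it shows is that a sensitive record placed past the boundary produces a clean classification from the truncated scan, which is exactly the false sense of safety the section warns about.

```python
"""Added example (not Google's scanner): why a classifier that reads only the
first 1 MB of a file misses sensitive values placed after that boundary.
All data below is constructed in this script."""
import re

# Assumption: the per-file inspection limit the post describes, taken as 1 MiB.
SCAN_LIMIT_BYTES = 1024 * 1024

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which filters most random digit runs out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return the SSN and card-number (PAN) hits found in text."""
    hits = {"SSN": [], "PAN": []}
    for m in SSN_RE.finditer(text):
        hits["SSN"].append(m.group())
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits["PAN"].append(digits)
    return hits


def classify_truncated(content: bytes, limit: int = SCAN_LIMIT_BYTES) -> dict:
    """Model of a scanner that inspects only the first `limit` bytes."""
    return find_sensitive(content[:limit].decode("utf-8", errors="ignore"))


def classify_full(content: bytes) -> dict:
    """Scanner that inspects the whole file."""
    return find_sensitive(content.decode("utf-8", errors="ignore"))


def build_sample() -> bytes:
    """Constructed document: more than 1 MiB of harmless notes, then one sensitive line."""
    filler = ("Quarterly planning notes, nothing sensitive here. " * 20 + "\n").encode()
    body = bytearray()
    while len(body) < SCAN_LIMIT_BYTES + 4096:
        body += filler
    body += b"Customer record: SSN 123-45-6789, card 4111 1111 1111 1111\n"
    return bytes(body)


if __name__ == "__main__":
    doc = build_sample()
    print("first-1MB scan:", classify_truncated(doc))   # nothing found
    print("full scan:     ", classify_full(doc))        # SSN and PAN found
```

The same shape of blind spot applies to comment threads: Drive stores comments separately from the file body, so a body-only scan never sees them regardless of size.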

Don’t Forget to Fix the Past (Historical Remediation)

If your organization has become gradually, increasingly aware of Google Workspace security issues, you may have significant numbers of unprotected assets.

Google Workspace’s Data Protection remediation actions apply only to new events that trigger existing policies, meaning assets exposed before you implemented Data Protection remain exposed.

Google Workspace does not have a built-in way to go back and clean up that historical exposure at scale, so you remain at risk. That’s why DoControl’s bulk historical remediation capability is so valuable.

No matter when your company started its Google Drive data security initiatives, you can use DoControl to remove public sharing links or specific types of user permissions from millions of cloud files in minutes.

You can’t change the past… except when you use DoControl.
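The public-sharing, organization-wide-sharing and historical-remediation sections all come down to the same mechanics: inventory every permission on every file, classify the exposure it creates, and bulk-remove the grants your policy forbids. The following is an added example of that loop in Python; it is not DoControl's product code or Google's. The file records are constructed to mimic the Drive API v3 `files.list` response shape with `fields=files(id,name,permissions(...))`; the domain, consumer-domain list and public allowlist are assumptions, and in production you would page through `files.list` per user via domain-wide delegation rather than hard-code a list.

```python
"""Added example (not DoControl's or Google's code): classify Drive sharing
exposure across a file inventory and build a bulk remediation plan. File
records are constructed in the Drive API v3 files.list shape."""
from dataclasses import dataclass

ORG_DOMAIN = "example.com"                      # assumption: your primary Workspace domain
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "yahoo.com"}
PUBLIC_ALLOWLIST = {"f1"}                       # file IDs that are public on purpose (assumed)

# Constructed inventory. type=anyone with allowFileDiscovery=False is "anyone with the link";
# allowFileDiscovery=True is public on the web; type=domain is organization-wide sharing.
SAMPLE_FILES = [
    {"id": "f1", "name": "Public intake form template", "permissions": [
        {"id": "p1o", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"id": "p1a", "type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Q3 board deck", "permissions": [
        {"id": "p2o", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"id": "p2d", "type": "domain", "role": "reader", "domain": "example.com"}]},
    {"id": "f3", "name": "Customer list", "permissions": [
        {"id": "p3o", "type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"id": "p3g", "type": "user", "role": "writer", "emailAddress": "bob.personal@gmail.com"}]},
    {"id": "f4", "name": "Product roadmap", "permissions": [
        {"id": "p4o", "type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"id": "p4a", "type": "anyone", "role": "reader", "allowFileDiscovery": True},
        {"id": "p4v", "type": "user", "role": "reader", "emailAddress": "pm@vendor.io"}]},
    {"id": "f5", "name": "Team notes", "permissions": [
        {"id": "p5o", "type": "user", "role": "owner", "emailAddress": "dave@example.com"},
        {"id": "p5u", "type": "user", "role": "writer", "emailAddress": "erin@example.com"}]},
]


@dataclass(frozen=True)
class Finding:
    file_id: str
    file_name: str
    permission_id: str
    exposure: str   # public_link | public_discoverable | org_wide | external_domain | consumer | external
    grantee: str


def classify_permission(p: dict) -> str:
    """Map one Drive permission record to an exposure class; 'internal' is benign."""
    kind = p.get("type")
    if kind == "anyone":
        return "public_discoverable" if p.get("allowFileDiscovery") else "public_link"
    if kind == "domain":
        return "org_wide" if p.get("domain", "").lower() == ORG_DOMAIN else "external_domain"
    domain = (p.get("emailAddress") or "").lower().rsplit("@", 1)[-1]
    if domain == ORG_DOMAIN:
        return "internal"
    return "consumer" if domain in CONSUMER_DOMAINS else "external"


def scan(files: list) -> list:
    """Every non-owner, non-internal grant in the inventory, as Finding records."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            if p.get("role") == "owner":
                continue                         # never touch the owner grant
            exposure = classify_permission(p)
            if exposure == "internal":
                continue
            grantee = p.get("emailAddress") or p.get("domain") or "anyone"
            findings.append(Finding(f["id"], f["name"], p["id"], exposure, grantee))
    return findings


def remediation_plan(findings: list) -> dict:
    """Auto-remove public and consumer-account grants; queue org-wide and external grants for review."""
    plan = {"delete": [], "review": [], "allowlisted": []}
    for fd in findings:
        key = (fd.file_id, fd.permission_id)
        if fd.exposure.startswith("public_"):
            (plan["allowlisted"] if fd.file_id in PUBLIC_ALLOWLIST else plan["delete"]).append(key)
        elif fd.exposure == "consumer":
            plan["delete"].append(key)
        else:
            plan["review"].append(key)
    return plan


def apply_plan(plan: dict, drive=None) -> int:
    """Dry run by default; pass a googleapiclient Drive v3 resource to execute.
    permissions.delete(fileId, permissionId) is the real Drive API call."""
    for file_id, perm_id in plan["delete"]:
        if drive is not None:
            drive.permissions().delete(fileId=file_id, permissionId=perm_id).execute()
    return len(plan["delete"])


if __name__ == "__main__":
    plan = remediation_plan(scan(SAMPLE_FILES))
    print(plan)
    print("would delete", apply_plan(plan), "grants")
```

Run against a real tenant, the "review" bucket is where the business-justification check from the public-sharing section lives, and the "delete" bucket is the historical clean-up: the same code runs over files created years ago exactly as it runs over a file shared a minute ago.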

Watch Your Users’ Behavior

Google Workspace offers some helpful identity management solutions, like SSO (single sign-on). This is definitely worth implementing to raise the default level of your identity security. Identity management on its own, however, cannot protect against insider threat: legitimate Google Workspace users who decide to take advantage of their privileged access to steal or corrupt your organization’s valuable data.

Identifying insiders who have gone from innocent to insidious requires keeping a careful eye on their behavior within your Google Workspace account, especially their access to data.

Are they downloading or sharing more data assets than usual? Are they interacting with Google Docs or other users in a way that is atypical for them or for their organizational unit? Are they sharing sensitive data with personal Gmail accounts?

Protecting your organization from insider threats requires monitoring user behavior and analyzing it for anomalies that could indicate a security issue. Make sure you set up an insider risk management solution that can do this.
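The three questions above map directly onto Drive audit data. As an added example (not DoControl's detection logic), the script below takes a day of Drive activity, builds each actor's own download baseline from the preceding two weeks, flags a spike against that baseline, and separately flags share events whose new grantee sits outside the organization, with personal-account domains rated highest. The events are constructed here in a simplified form of what the Admin SDK Reports API returns from `activities.list(userKey='all', applicationName='drive')`; the real response nests parameters as a list of name/value pairs, which you would flatten first. The domain, the consumer-domain list, the thresholds and the review date are all assumptions.

```python
"""Added example (not DoControl's code): spot download spikes and shares to
personal accounts in Drive audit activity. Events are constructed in a
simplified Admin SDK Reports API shape: actor, time, event name, parameters."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import statistics

ORG_DOMAIN = "example.com"                       # assumption
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "yahoo.com"}
SHARE_EVENTS = {"change_user_access", "change_document_visibility"}
TODAY = "2025-01-09"                             # the day under review (constructed)


def build_sample_events() -> list:
    """Two weeks of routine activity, then an unusual day for alice."""
    base = datetime(2025, 1, 9, tzinfo=timezone.utc)
    events = []
    for day in range(1, 15):
        d = base - timedelta(days=day)
        for user, n in (("alice@example.com", 2 + day % 3), ("bob@example.com", 4 + day % 2)):
            for i in range(n):
                events.append({"actor": user, "time": (d + timedelta(hours=9 + i)).isoformat(),
                               "name": "download", "params": {"doc_title": f"doc-{day}-{i}"}})
    for i in range(40):                          # bulk export by alice today
        events.append({"actor": "alice@example.com", "time": (base + timedelta(minutes=i)).isoformat(),
                       "name": "download", "params": {"doc_title": f"customer-export-{i}.csv"}})
    events.append({"actor": "alice@example.com", "time": (base + timedelta(hours=1)).isoformat(),
                   "name": "change_user_access",
                   "params": {"doc_title": "Customer list", "target_user": "alice.home@gmail.com",
                              "new_value": "can_edit"}})
    for i in range(5):                           # bob's normal day
        events.append({"actor": "bob@example.com", "time": (base + timedelta(hours=9 + i)).isoformat(),
                       "name": "download", "params": {"doc_title": f"doc-0-{i}"}})
    return events


def daily_counts(events: list, event_name: str) -> dict:
    """actor -> calendar day -> number of events of the given name."""
    counts = defaultdict(Counter)
    for e in events:
        if e["name"] == event_name:
            counts[e["actor"]][e["time"][:10]] += 1
    return counts


def download_anomalies(events, today=TODAY, min_days=7, sigma=3.0, floor=10) -> list:
    """Flag actors whose download count today exceeds their own baseline."""
    alerts = []
    for actor, per_day in daily_counts(events, "download").items():
        history = [c for day, c in per_day.items() if day != today]
        if len(history) < min_days:
            continue                             # not enough baseline to judge
        mean, sd = statistics.fmean(history), statistics.pstdev(history)
        threshold = max(floor, mean + sigma * sd)  # floor avoids alerting on tiny absolute counts
        todays = per_day.get(today, 0)
        if todays > threshold:
            alerts.append({"user": actor, "downloads_today": todays,
                           "baseline_mean": round(mean, 1), "threshold": round(threshold, 1)})
    return alerts


def risky_share_events(events) -> list:
    """Shares whose new grantee is outside the org, with consumer accounts rated high."""
    out = []
    for e in events:
        if e["name"] not in SHARE_EVENTS:
            continue
        target = e["params"].get("target_user", "").lower()
        domain = target.rsplit("@", 1)[-1] if "@" in target else ""
        if not domain or domain == ORG_DOMAIN:
            continue
        out.append({"user": e["actor"], "doc_title": e["params"].get("doc_title"),
                    "target_user": target,
                    "severity": "high" if domain in CONSUMER_DOMAINS else "medium"})
    return out


if __name__ == "__main__":
    sample = build_sample_events()
    print(download_anomalies(sample))
    print(risky_share_events(sample))
```

A per-actor baseline is what keeps this useful: a data analyst who downloads forty files every day never trips the alert, while a salesperson who normally downloads three does. Comparing the actor against peers in the same organizational unit, as the section suggests, is the natural next step once `orgUnitPath` is joined in from the Directory API.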

Involve Your End Users

Aside from intentional threat, another way that end users can jeopardize your Google Workspace security is through lack of awareness or serious thought about the consequences of their actions:

  • Sharing publicly, organization-wide, or with personal email addresses, such as their Gmail account, because it’s convenient
  • Installing shady third-party add-ons and apps  

Just blocking or preventing users from carrying out these actions doesn’t necessarily help them understand what they did wrong, and you’ll probably need to deal with the exact same situation in the future.

Security education programs are one way of raising user awareness of your Google Workspace security posture, but detached “education” is often in-one-ear, out-the-other. A more effective way - that mitigates security risks and decreases work for your information security team, now and in the future - is user involvement in remediation, in real time, as the risky action is performed. 

When it comes to risky interaction with Google Workspace data assets, users can be called upon to remediate their action, with an explanation of why it was a problem.

When it comes to app installation, user involvement clarifies the business context for the app and lets you delegate part of the app risk assessment to the person who requested it.

End-user involvement is a Google Workspace security best practice that yields results in both the short- and the long-term. 

Stay on Top of Your Connected Apps

Speaking of third-party apps brings us to a Google Workspace security best practice that relates directly to them: don’t lose track of your Google Workspace apps!

It’s so common:

  • The app installed by a marketing agency you used for a project months ago.
  • The app installed by a user, used once, then abandoned.
  • The app installed by another app.

It’s like an episode of Where Are They Now?, but less exciting, and with more serious consequences if you can’t give an answer.

Keeping on top of your Google Workspace apps, integration and add-ons really has two separate components:

  • Determining whether your organization actually (still) needs the app: maybe it was never necessary; maybe you needed it months ago but no longer. 
  • Determining whether the app needs all of its permissions: for the app’s business function, does it really need to read and write to your Drive, Gmail and Calendar? If not, it shouldn’t have that permission scope.

Make sure you have a granular solution for managing your Google Workspace apps, one that can both discover and evaluate the apps, and then take remediation action on problems, such as:

  • Suspending an app
  • Removing specific app permissions
  • Revoking any existing OAuth tokens
  • Preventing the app from being reinstalled in the future
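The two questions in this section (does the org still need the app, and does the app need all of its scopes) can be answered mechanically for OAuth grants. The following is an added example, not DoControl's product code, of a scope-based triage: approved apps are checked for scope creep beyond what was reviewed, unreviewed apps are revoked when they hold high-risk scopes and allowed when they only hold sign-in scopes. The token records are constructed in the shape returned by the Admin SDK Directory API `tokens.list` (`clientId`, `displayText`, `scopes`, `userKey`), revocation uses the real `tokens.delete(userKey, clientId)` call when a client is supplied, and the risk ratings, the approved-app list and the client IDs are assumptions.

```python
"""Added example (not DoControl's code): triage third-party OAuth grants by the
scopes they hold. Token records are constructed in the Admin SDK Directory API
tokens.list shape; tokens.delete is the real revocation call."""

# Risk of individual scopes; anything not listed is treated as "medium". (assumed ratings)
SCOPE_RISK = {
    "openid": "low",
    "https://www.googleapis.com/auth/userinfo.email": "low",
    "https://www.googleapis.com/auth/userinfo.profile": "low",
    "https://www.googleapis.com/auth/drive.file": "low",          # only files the app created/opened
    "https://www.googleapis.com/auth/calendar": "medium",
    "https://www.googleapis.com/auth/drive.readonly": "high",
    "https://www.googleapis.com/auth/drive": "high",              # read/write all of Drive
    "https://www.googleapis.com/auth/gmail.readonly": "high",
    "https://www.googleapis.com/auth/gmail.send": "high",
    "https://mail.google.com/": "critical",                       # full Gmail access
    "https://www.googleapis.com/auth/admin.directory.user": "critical",
}
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Apps the org has reviewed, with the maximum scope set approved for each. (constructed)
APPROVED_APPS = {
    "111.apps.googleusercontent.com": {"openid", "https://www.googleapis.com/auth/userinfo.email",
                                       "https://www.googleapis.com/auth/calendar"},
    "333.apps.googleusercontent.com": {"openid", "https://www.googleapis.com/auth/userinfo.email",
                                       "https://www.googleapis.com/auth/drive.file"},
}

# Constructed tokens.list output.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "111.apps.googleusercontent.com",
     "displayText": "Calendar Sync",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/calendar"]},
    {"userKey": "bob@example.com", "clientId": "222.apps.googleusercontent.com",
     "displayText": "Free PDF Converter",
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
    {"userKey": "carol@example.com", "clientId": "333.apps.googleusercontent.com",
     "displayText": "CRM Connector",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/drive"]},
    {"userKey": "dave@example.com", "clientId": "444.apps.googleusercontent.com",
     "displayText": "Sign in with Google demo",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
]


def highest_risk(scopes) -> str:
    """Worst rating among the scopes a grant holds."""
    return max((SCOPE_RISK.get(s, "medium") for s in scopes), key=RANK.get, default="low")


def triage(token: dict, revoke_at: str = "high") -> dict:
    """Decide allow / review / revoke for one grant."""
    client, scopes = token["clientId"], set(token["scopes"])
    approved = APPROVED_APPS.get(client)
    if approved is not None:
        extra = scopes - approved
        if extra:                                # approved app, but holding more than was reviewed
            return {"action": "review", "reason": "scope creep beyond approved set",
                    "extra_scopes": sorted(extra)}
        return {"action": "allow", "reason": "approved app within approved scopes"}
    risk = highest_risk(scopes)
    if RANK[risk] >= RANK[revoke_at]:
        return {"action": "revoke", "reason": f"unreviewed app holding {risk}-risk scopes"}
    if risk == "low":
        return {"action": "allow", "reason": "unreviewed app with sign-in-only scopes"}
    return {"action": "review", "reason": f"unreviewed app, highest scope risk {risk}"}


def apply_decisions(tokens, directory=None) -> dict:
    """Dry run by default; returns clientId -> action and revokes when a Directory client is given."""
    result = {}
    for t in tokens:
        decision = triage(t)
        result[t["clientId"]] = decision["action"]
        if decision["action"] == "revoke" and directory is not None:
            directory.tokens().delete(userKey=t["userKey"], clientId=t["clientId"]).execute()
    return result


if __name__ == "__main__":
    for t in SAMPLE_TOKENS:
        print(t["displayText"], "->", triage(t))
```

Revoking the token removes the app's access but does not stop a user from re-consenting tomorrow; for that, the app also needs to be blocked under API controls in the Admin console, which is the "prevent reinstallation" item in the list above.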

Make Sure Your Admin Configurations are (and Stay) up to Spec

Configurations deserve a “best practices” article all on their own. The challenge is determining which configuration settings are actually the best practices for your organization (it will depend on your industry) and, once you’ve set them, making sure they stay that way to maintain security and privacy. Configurations have a tendency to… drift.

Compare your Google Workspace security-related configurations against the compliance frameworks your industry requires or recommends (e.g. the CIS Google Workspace Foundations Benchmark). Correct any misconfigurations in the Google Admin console, such as the Google Meet settings that prevent unauthorized access and meeting disruptions. Then set up a process to monitor configurations for unintended changes and fix them before they open doors to threats. An automated misconfiguration management tool can be very useful here.

And speaking of configurations, we’re going to end our list of best practices with the security setting that everyone agrees you should have for Google Workspace - and yet is still not implemented across the board:

Implement Multi-Factor Authentication (MFA) in Google Workspace

We don’t really need to explain why multi-factor authentication is a best practice, right? Just look at the SaaS data breaches where the entry point was an account that didn’t have MFA enabled. Each one could have been so easy to prevent. In Google Workspace, that means enforcing 2-Step Verification per organizational unit in the Admin console (Security > Authentication > 2-Step Verification), giving new users only a short enrollment grace period, and requiring phishing-resistant security keys for admins and other high-value accounts. Enough said.
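"Enforced" and "enrolled" are different states, and the gap between them is where breaches happen. As an added example (not Google's or DoControl's code), the script below reads Directory API user records and reports every active account that is not enrolled in 2-Step Verification, admins first, plus an enrollment-coverage figure per organizational unit. The records are constructed in the shape of `users.list(customer='my_customer')` output; the field names `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `isAdmin`, `isDelegatedAdmin`, `suspended` and `orgUnitPath` are the real ones, while the users and OUs are made up.

```python
"""Added example (not Google's or DoControl's code): find accounts without
2-Step Verification from Directory API user records (constructed here)."""
from collections import defaultdict

# Constructed users.list output; field names match the Directory API User resource.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "orgUnitPath": "/IT", "isAdmin": True,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "bob@example.com", "orgUnitPath": "/IT", "isAdmin": False,
     "isDelegatedAdmin": True, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "carol@example.com", "orgUnitPath": "/Sales", "isAdmin": False,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "dave@example.com", "orgUnitPath": "/Sales", "isAdmin": False,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "old@example.com", "orgUnitPath": "/Sales", "isAdmin": False,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]


def mfa_gaps(users) -> list:
    """Active users not enrolled in 2SV, most urgent first."""
    gaps = []
    for u in users:
        if u.get("suspended") or u.get("isEnrolledIn2Sv"):
            continue
        if u.get("isAdmin") or u.get("isDelegatedAdmin"):
            priority, note = 0, "admin without 2SV"
        elif not u.get("isEnforcedIn2Sv"):
            priority, note = 1, "no enrollment and no enforcement on this OU"
        else:
            priority, note = 2, "enforced but not yet enrolled (grace period)"
        gaps.append({"user": u["primaryEmail"], "ou": u["orgUnitPath"],
                     "priority": priority, "note": note})
    return sorted(gaps, key=lambda g: (g["priority"], g["user"]))


def coverage_by_ou(users) -> dict:
    """Share of active accounts per OU that are enrolled in 2SV."""
    totals, enrolled = defaultdict(int), defaultdict(int)
    for u in users:
        if u.get("suspended"):
            continue
        totals[u["orgUnitPath"]] += 1
        enrolled[u["orgUnitPath"]] += int(bool(u.get("isEnrolledIn2Sv")))
    return {ou: round(enrolled[ou] / totals[ou], 2) for ou in totals}


if __name__ == "__main__":
    for gap in mfa_gaps(SAMPLE_USERS):
        print(gap)
    print(coverage_by_ou(SAMPLE_USERS))
```

In a real tenant you would page through `directory.users().list(customer="my_customer", maxResults=500, ...)` and feed each page to these functions; a delegated admin with no enrollment and no enforcement on their OU, like bob above, is the finding to fix first.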

DoControl: SaaS Data Protection for Google Workspace

DoControl was designed expressly for the multiple layers and attack surfaces of Google Workspace: data, identities, configurations and connected apps. The DoControl platform will help your organization implement all the Google Workspace security best practices enumerated in this post.

DoControl’s Data Access Governance and Data Loss Prevention secure your cloud data and accounts across your Google Workspace services ecosystem. Advanced data classification methods mean that no sensitive data or accounts go undiscovered, and automated workflows mean that any detected threat can be mitigated in near real-time. 

DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your Google Workspace user identities, protecting you from external threat actors or insider threats. Data from multiple business-critical SaaS applications and behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems enable smart differentiation between normal business activity and suspicious actions.  

DoControl’s Shadow App Discovery & Remediation secure your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.

DoControl’s SaaS Misconfiguration Management secures your Google Workspace admin configurations, checking them against industry standards like CIS and offering remediation guidance.  

You Can Attain Google Workspace Security

Organizations that use Google Workspace can achieve the dream of seamless productivity without compromising on security. It takes awareness, commitment and the right tools - and then you’ve got it.

FAQs

What are the biggest security risks for Google Workspace users?

The biggest security risks for Google Workspace users are data exfiltration and data exposure, which can happen in many ways. The main ones include oversharing of files, lack of visibility into third-party app access, identity threats or insider misuse, and misconfigured sharing permissions. Additionally, the growing adoption of AI tools and shadow AI increases the risk surface. Without proper controls and automation, security teams can’t scale with the pace of collaboration happening in Google Workspace.

How do you stop employees from oversharing files in Google Workspace?

Stopping file oversharing starts with visibility. You need a real-time, granular view into who is sharing what, with whom, and how, especially when links go public or external. From there, implement automated policies to detect risky behaviors and remediate them quickly. Educating employees helps, but scalable enforcement via automation ensures protection without blocking collaboration.

What are Google’s AI Data Classification Labels and should we use them?

Google’s AI-powered Data Classification Labels automatically tag files based on content sensitivity, like “confidential,” “internal,” or “restricted.” These labels help teams apply native Google DLP, but they don't protect data on their own: simply labeling a file doesn't protect its content. Native Google labels are a great step forward, but they’re only part of the solution. You still need historical visibility, granular access control policies, and the ability to remediate prior and future data exposure.

How can I manage and secure third-party apps connected to Google Workspace?

Start by identifying all OAuth-connected apps across your environment, many of which are likely installed by users without IT oversight. From there, assess the risk each app poses: what scopes does it have? What data can it access? You should be able to automatically block, revoke, or quarantine risky apps based on policy. Continuous monitoring is key.

Why is historical remediation important for Google Drive security?

Many data leaks originate from decisions made months or even years ago. Most of the time, when employees publicly share files, they never go back and eliminate access after the fact, meaning that those files are exposed indefinitely. While most security tools focus on future threats, they often overlook legacy exposures. Historical remediation gives you the ability to go back, identify outdated or risky access, and correct it before it becomes a problem. It’s a critical step toward comprehensive Google Drive security and lasting peace of mind.

How does DoControl help organizations secure Google Workspace more effectively?

DoControl provides a modern SSPM solution built for today's organizations using Google Workspace. We solve for data access governance, data loss prevention, insider risk management, shadow apps, misconfigurations, and more. We offer automated, no-code security workflows that give you complete control over data access in Google Workspace. With policy-based remediation and historical scanning, DoControl closes the gap between collaboration and control. It’s not just about alerts; it’s about action at scale, without slowing down your business.
