January 10, 2025

Google Workspace Security: Best Practices, Settings & Checklist for 2026

TL;DR: Google Workspace (formerly G Suite) is used by over 8 million organizations – but Google only secures the infrastructure, not your configuration. Default settings leave your data exposed. This guide covers the top 12 security best practices, the Admin Console settings every admin must change, the full security risk landscape, and a categorized checklist you can put to work today.

Is Google Workspace Secure?

The short answer: Google's infrastructure is extremely secure. 

The longer answer: that's not the whole picture.

Google invests billions in the physical and logical security of its data centers, network architecture, and platform availability. Workspace data is encrypted at rest and in transit, and Google maintains certifications across SOC 2, ISO 27001, HIPAA Business Associate Agreements, and GDPR compliance frameworks. 

So, at the infrastructure level, Google Workspace is one of the most secure platforms available to enterprise organizations.

But Google operates under a shared responsibility model – a framework that defines the boundary between what the vendor secures and what the customer must secure.

Google is responsible for the infrastructure. Your organization is responsible for everything built on top of it: who has access to your data, how files are shared, which third-party apps are connected, how user accounts are protected, and how Admin Console configurations are maintained.

This distinction matters, because most Google Workspace security incidents don't happen because Google got hacked. They happen because an organization misconfigured a setting, overshared a file, left a legacy OAuth app connected, or failed to enforce multi-factor authentication. 

Default Workspace settings are built for ease of collaboration – not for security. Out of the box, public sharing is enabled, external email forwarding in Gmail is allowed, and any org member can read Google Group messages they're not even a member of.

The real question is not whether Google Workspace is secure, but whether your individual environment of Google Workspace is secure.

Top Security Risks in Google Workspace

Before diving into best practices, it's worth understanding the threat landscape you're configuring against. These are the five most common attack vectors in Google Workspace environments today.

1. Phishing and Email-Based Attacks 

Gmail is the highest-attack-surface application in Google Workspace. 94% of organizations experienced phishing attacks in the past 12 months. Phishing remains the leading cause of credential compromise, account compromise, and account takeover in SaaS environments.

2. Misconfigured Sharing Permissions 

The average mid-market organization has 35,000 sensitive assets shared publicly or externally. Oversharing – whether public links, organization-wide access, or unmanaged external shares – creates an attack surface that grows invisibly over time.

3. Insider Threats and Identity Abuse 

Insider attacks have increased sharply, and 95% of security incidents stem from human error or human action. DoControl research shows that, on average, 94,000 assets remain exposed to former employees across enterprise organizations – individuals who can still access, modify, or share critical company data.

4. Third-Party OAuth App Risk 

Employees install third-party apps that request broad OAuth scopes – read/write access to Drive, Gmail, and Calendar – often without IT's knowledge. 61% of organizations experienced a third-party data breach in 2024, with the percentage increasing by a steady 10% each year. Each connected app is a potential supply chain attack vector.

5. AI Tools and Gemini Data Exposure 

The growing adoption of Gemini in Google Workspace has introduced a new and often overlooked risk: AI tools inherit the access permissions of the user. If a sensitive Drive document is accessible to a user – even through permissive org-wide sharing they never consciously requested – Gemini can surface that content in its responses. 

The financial stakes are real. The average cost of a data breach reached $4.88 million. And 66% of consumers say they would not trust a company after a breach.

| Security Risk | Common Cause | Potential Impact | Risk Level |
|---|---|---|---|
| Phishing & Email-Based Attacks | Credential theft, spoofed emails, malicious attachments, and social engineering attacks | Account takeover, unauthorized access to Gmail, Drive, and connected applications | Critical |
| Misconfigured Sharing Permissions | Public links, external sharing, and excessive organization-wide access | Exposure of sensitive files, intellectual property, customer data, and regulated information | Critical |
| Insider Threats & Identity Abuse | Human error, excessive permissions, malicious insiders, and former employees retaining access | Data theft, accidental disclosure, compliance violations, and operational disruption | High |
| Third-Party OAuth App Risk | Over-permissioned apps, shadow IT, abandoned integrations, and supply chain attacks | Unauthorized access to Google Drive, Gmail, Calendar, and other Workspace data | High |
| AI & Gemini Data Exposure | Excessive file permissions and overexposed organizational data accessible through AI tools | Sensitive information surfaced to users who should not have access to that content | High |

Built-In Google Workspace Security Features

Google Workspace includes a meaningful set of native security tools, depending on which Google Workspace tier your organization is using. Understanding what's available (and where its limits are) is the foundation of a sound security posture.

Multi-Factor Authentication and Identity Controls 

Google’s 2-Step Verification enforcement is available across all tiers, with options including security keys, authenticator apps, and Google prompts. Admins can enforce MFA at the organizational unit level via Admin Console. The Advanced Protection Program provides the strongest account security for high-risk users.

Google’s Native Data Loss Prevention (DLP) 

Workspace's Data Protection rules allow admins to scan Drive, Gmail, and Chat for sensitive content and apply enforcement actions. However, native DLP has significant limitations in file type coverage, scan depth, and rule latency – covered in detail in Best Practice #5 below.

Security Center and Alert Center 

Available on Enterprise tiers, Google’s Security Center provides a unified view of security health, threat investigations, and audit log analysis. Alert Center surfaces pre-built alerts for suspicious login, domain data export, leaked password detection, and admin password resets – and can be extended with custom audit log rules and integrated with your SIEM.

Context-Aware Access and Zero Trust 

Google's Context-Aware Access feature enforces Zero Trust principles by allowing admins to define access policies based on user identity, device posture, IP address, and geographic location. It integrates with third-party IdPs like Okta and Azure AD via SSO.

Encryption 

All data in Google Workspace is encrypted at rest (AES-256) and in transit (TLS). For organizations with stricter regulatory requirements, Google offers Client-Side Encryption (CSE), which allows your organization to hold its own encryption keys.

| Security Feature | What It Does | Availability | Key Limitations |
|---|---|---|---|
| Multi-Factor Authentication (MFA) | Adds a second layer of authentication through security keys, authenticator apps, Google Prompts, and passkeys. | All Google Workspace plans | Effectiveness depends on enforcement. Optional MFA leaves organizations vulnerable to credential-based attacks. |
| Advanced Protection Program | Provides Google's highest level of account security for executives, administrators, finance teams, and other high-risk users. | All Google Workspace plans | Must be manually enrolled and is typically limited to designated high-risk accounts. |
| Native Data Loss Prevention (DLP) | Scans Drive, Gmail, and Chat for sensitive data and applies policy-based enforcement actions. | Enterprise plans | Limited file coverage, scan depth restrictions, enforcement latency, and no native large-scale historical remediation. |
| Security Center | Centralized dashboard for security posture, investigations, threat visibility, and audit analysis. | Enterprise plans | Provides visibility and investigation tools but requires security teams to manually analyze and respond to findings. |
| Alert Center | Generates alerts for suspicious logins, leaked credentials, data exports, and other security events. | Enterprise plans | Alerts require ongoing monitoring and response processes to be effective. |
| Context-Aware Access | Applies Zero Trust access controls based on identity, device posture, IP address, and geographic location. | Select Enterprise plans | Controls application access but does not govern how data is shared or exposed once access is granted. |
| Encryption | Encrypts data at rest using AES-256 and in transit using TLS. | All Google Workspace plans | Encryption protects stored and transmitted data but does not prevent oversharing, insider threats, or misconfigurations. |
| Client-Side Encryption (CSE) | Allows organizations to control their own encryption keys for enhanced regulatory and compliance requirements. | Select Enterprise plans | Adds administrative complexity and does not address access governance or user behavior risks. |

Google Workspace Security Best Practices

1. Implement Multi-Factor Authentication in Google Workspace

Multi-Factor Authentication is the single most impactful security control you can implement in Google Workspace – and the most consistently recommended control across every security framework. 

Organizations that enforce MFA are 99% less likely to be compromised. Yet, MFA enforcement is still not universal. A single phished password without MFA gives an attacker unrestricted access to Drive, Gmail, Calendar, and every connected app. With MFA enforced, a stolen password is effectively worthless on its own.

How to enforce MFA in the Google Workspace Admin Console: 

  1. Navigate to Admin Console → Security → Authentication → 2-Step Verification. 
  2. Set enforcement to "On" for all users – not just "Allow," which leaves the choice to users.

Where possible, exclude SMS-based codes, which are vulnerable to SIM swapping attacks. Require security keys or authenticator apps as the preferred second factor.

For high-risk accounts – executives, finance, legal, and IT admins – enroll users in Google's Advanced Protection Program, which mandates physical security keys and provides the strongest available phishing resistance. 

For organizations moving toward passwordless authentication, Workspace also supports passkeys as a primary authentication method, and legacy Less Secure Apps (LSA) access should be disabled for all users.

Beyond immediate security, MFA also strengthens compliance posture. Frameworks including ISO 27001, SOC 2, HIPAA, and GDPR treat MFA as an essential safeguard – and auditors increasingly treat it as a non-negotiable baseline.

2. Restrict Sharing Permissions (Public and Organization-Wide)

Public sharing is the highest-risk sharing configuration in Google Workspace. 

DoControl's own data is striking. In a study we conducted with enterprise and mid-market customers across SaaS, healthcare, FinTech, media, and more, organizations held an average of about 1.2M company assets. Of those 1.2M, 710,000 are exposed to parties that shouldn't have access.

Out of that number, there’s an average of 104,000 public shares – meaning anyone with the link can access them, no authentication required. Out of these, 35,000 are extremely confidential, sensitive files.

The worst part about this type of exposure is that most companies are completely unaware that sensitive files are publicly shared.

In nearly every real-world case, public sharing is a decision made for convenience. Employees want to get work done quickly and don't want a colleague to go through a million approvals to collaborate on a document, so they set the document's sharing to "Anyone with the link can edit".

Organization-wide sharing is less risky than public sharing, but still frequently unnecessary. Internal data exposure is also a security liability. Remember the study above? Of those 710,000 exposed files, 601,000 were internally overexposed – meaning that employees or insiders were over-permissioned.

Internally overexposed data has its own slew of problems: it creates a lack of ethical walls, increases insider risk, and produces unintended sensitive data exposure. 

These risks are significantly compounded by the adoption of Gemini in Google Workspace. Gemini, like most generative AI assistants, uses already-existing access permissions to determine what data it can surface in responses.

If a user has access to a sensitive document through org-wide sharing they never consciously set up, Gemini can and will use that asset's data in its responses. This exposes data to employees that they never should even have access to in the first place.

What to do:

  • Disable public sharing by default or auto-expire public sharing links at the OU level.
  • Reconfigure the default sharing option to the smallest logical unit – department or role-based group – rather than the full organization.
  • Implement granular access controls that enforce zero trust sharing principles: only the people who need access should have it, and access should be automated and policy-driven rather than left to individual users.
  • Deploy nuanced DLP policies so that collaboration remains productive without blanket restrictions blocking legitimate business work.

DoControl can automatically detect and remediate public and org-wide sharing across millions of files in minutes. 

3. Enable Google AI Data Classification Labels

AI isn't just a security risk – like anything else, it's not all bad. AI is the future, and there are native capabilities within Workspace that enable teams to use it for good. Google's AI Data Classification Labels are a prime example.

Once you enable Google Workspace AI Labels in Admin Console (not enabled by default), Google uses AI to automatically tag your Drive assets with sensitivity classifications – confidential, PII, PCI, PHI, intellectual property, and more. Designated reviewers respond to those labels, training the model over time to improve accuracy for your specific data environment.

Like any AI-based tool, it isn't 100% accurate – but we recommend that Google Workspace users leverage the AI labels as a central part of their security posture. It covers more use cases, requires significantly less manual maintenance, and becomes more accurate over time.

One critical caveat: labeling a file does not protect it. Google labels identify sensitive data; they don't control access to it, remediate sharing, or ultimately keep the data safe. Simply labeling a file as "confidential" doesn't prevent it from being publicly shared.

You still need enforcement – granular access controls, DLP policies, and automated remediation workflows – to act on what the labels surface.

4. Secure Your Gmail Environment

Gmail is a critical attack vector in Google Workspace, and it's entirely absent from most organizations' Workspace security checklists. Here are the key settings every admin should configure.

What to do:

  • Enable SPF, DKIM, and DMARC: These three email authentication protocols are the foundation of Gmail security. SPF (Sender Policy Framework) verifies that mail claiming to be from your domain is actually sent from authorized servers. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages. DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving mail servers what to do when either check fails – and sends you forensic reports. 

Configure all three in Admin Console → Apps → Google Workspace → Gmail → Authenticate Email.

  • Enable Security Sandbox: Google's Security Sandbox (Enterprise Plus) detonates email attachments in a virtual environment before delivery to the recipient, catching zero-day threats that traditional signature-based scanning cannot detect. 

Enable it under Admin Console → Apps → Google Workspace → Gmail → Safety → Enhanced pre-delivery message scanning.

  • Configure Attachment Scanning: Block or quarantine encrypted attachments and scripted file types from untrusted external senders. 

Under Gmail Safety settings, enable "Attachments" protection to scan and automatically handle malicious content before it reaches inboxes.

  • Disable Automatic External Email Forwarding: This is one of the most dangerous default settings in Google Workspace. When an account is compromised, attackers routinely configure a forwarding rule to silently copy all incoming email to an external address – often going undetected for weeks. 

By default, users can create these rules freely. Disable it at Admin Console → Apps → Google Workspace → Gmail → End User Access → Automatic Forwarding.

  • Enable Anti-Spoofing and Anti-Phishing Protections: Under Gmail Safety settings, enable protection against spoofing of your domain name, spoofing of employee names in the "From" field, and inbound email from unauthenticated sources. These settings are off by default and take only minutes to enable.
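The SPF, DKIM and DMARC bullet above, as an added example (not code from the original post, DoControl or Google): an offline audit that grades a domain's TXT records against the "configured and set to enforcement policy" checklist item. The records are constructed so it runs without DNS; `example.com` is an assumed domain and `google` is Gmail's default DKIM selector.

```python
"""Check a domain's SPF, DKIM and DMARC records for enforcement state.

Added example; not from the original post, DoControl or Google. The caller
supplies TXT records (constructed below); resolving real ones is left out.
"""
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 counted lookups
SPF_LOOKUP_LIMIT = 10


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k2=v2' tag lists (DKIM, DMARC) into a dict with lower-case keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _spf_term_name(term: str) -> str:
    t = term.lstrip("+-~?").lower()
    return "redirect" if t.startswith("redirect=") else re.split(r"[:/]", t, maxsplit=1)[0]


def check_spf(txt: list) -> list:
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record")]
    findings = []
    if len(spf) > 1:
        findings.append(("high", "multiple SPF records; receivers return permerror"))
    terms = spf[0].split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        findings.append(("high", "SPF ends in +all: any host may send as this domain"))
    elif last == "?all":
        findings.append(("medium", "SPF ends in ?all (neutral): no enforcement"))
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append(("low", "SPF has no terminal all mechanism"))
    if sum(_spf_term_name(t) in LOOKUP_TERMS for t in terms) > SPF_LOOKUP_LIMIT:
        findings.append(("high", "SPF exceeds 10 DNS lookups; receivers return permerror"))
    return findings


def check_dkim(txt: list) -> list:
    keys = [r for r in txt if "p=" in r.replace(" ", "")]
    if not keys:
        return [("high", "no DKIM key published at the selector")]
    tags = parse_tags(keys[0])
    if tags.get("v", "DKIM1").upper() != "DKIM1":   # v= is optional and defaults to DKIM1
        return [("high", "DKIM record has an unexpected version tag")]
    if not tags.get("p"):
        return [("high", "DKIM key revoked (empty p=)")]
    return []


def check_dmarc(txt: list) -> list:
    recs = [r for r in txt if r.upper().replace(" ", "").startswith("V=DMARC1")]
    if not recs:
        return [("high", "no DMARC record")]
    tags = parse_tags(recs[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(("medium", f"DMARC p={policy or 'missing'}: failures are still delivered"))
    if tags.get("pct", "100") != "100":
        findings.append(("low", f"DMARC applies to only {tags['pct']}% of mail"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: no aggregate reports will arrive"))
    return findings


def audit_domain(dns: dict, domain: str = "example.com", selector: str = "google") -> dict:
    """dns maps record names to TXT strings. `enforced` is True only when nothing of
    medium or high severity was found across the three protocols."""
    result = {
        "spf": check_spf(dns.get(domain, [])),
        "dkim": check_dkim(dns.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(dns.get(f"_dmarc.{domain}", [])),
    }
    severities = [sev for group in result.values() for sev, _ in group]
    result["enforced"] = not any(sev in ("high", "medium") for sev in severities)
    return result


# Constructed records (not real DNS data): a monitoring-only setup and a hardened one.
WEAK_DNS = {
    "example.com": ["v=spf1 include:_spf.google.com ?all", "site-verification=abc123"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
STRONG_DNS = {
    "example.com": ["v=spf1 include:_spf.google.com -all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedKeyBody"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"],
}
```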

5. Educate Yourself on What Google DLP Does and Doesn't Cover

If you augment your Google Workspace security using Google's native DLP – Google Workspace Data Protection – you need to understand its limitations. Assuming you're covered when you're not is worse than knowing the gaps exist.

Even for Workspace Enterprise, Google’s native DLP has its shortcomings. Data Protection is limited in the size and type of file content it can handle. It cannot check audio or video files, cannot read content in the comment threads of Docs or Sheets files, and only scans the first 1MB of any file – then classifies the entire asset based on that partial content. Large files, multimedia, and inline comments are effectively invisible to native DLP.

Equally important: after you create or update a Data Protection rule, there is a latency window – anywhere from hours to days – before the rule is enforced across all existing Drive assets. During that window, your data may be exposed while you believe it's protected.

Being aware of these limitations is the first critical step. 

To actually overcome them, you'll need a third-party solution like DoControl – a trusted partner that can provide the coverage, depth, and speed that native DLP cannot. 

For the full breakdown of capabilities and gaps, read our detailed analysis on what Google DLP does and doesn't cover.

6. Don't Forget to Fix the Past (Historical Remediation)

Organizations that have gradually evolved their Google Workspace security posture often have a hidden problem: years of accumulated exposure from decisions made before policies existed.

Google Workspace's Data Protection only remediates new cases that trigger existing policies. Files created before your DLP rules were implemented – including files shared publicly years ago that nobody has touched since – remain exposed with no native path to remediation. There is no built-in mechanism to retroactively scan and clean up historical exposure at scale.

This is one of the most underappreciated risks in cloud data security. DoControl data found that 94,000 assets remain exposed to former employees alone on average across enterprise organizations. 

Over 35,000 assets were shared with employee personal emails, and 120,000 assets had been shared with a personal email and then downloaded – gone forever.

Organizations need to be able to revoke permissions, remediate access, and remedy past issues before an incident occurs or a compromise happens.

DoControl allows you to remove public sharing links or specific user permissions from millions of Drive files in minutes, regardless of when those files were created. 

DoControl customer StackAdapt saved 2,800 hours of manual cleanup by running a bulk remediation of all exposed sensitive data. One of our privately owned FinTech customers saved $612,400 in remediation and cleanup effort through our remediation engine.

You can't change the past… except when you use DoControl.
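The permission scan described in Best Practice #2 and the historical backlog from Best Practice #6, as one added example (not code from the original post, DoControl or Google). It classifies each Drive permission as public, org-wide, external or personal-email, turns the safe-to-revoke ones into `permissions.delete` steps, and isolates exposures on files older than a year. The inventory is constructed in the shape of Drive API v3 `files` resources with `permissions` expanded; `example.com` is an assumed corporate domain, and fetching real files or calling the API is left to the caller.

```python
"""Scan Drive permissions for exposure, plan remediation, isolate historical debt.

Added example; not from the original post, DoControl or Google.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

CORP_DOMAIN = "example.com"                         # assumption: Workspace primary domain
PERSONAL_DOMAINS = {"gmail.com", "googlemail.com"}  # consumer-account domains (assumed list)
AUTO_REVOKE = {"public", "personal_email"}          # exposures safe to remove without review


@dataclass
class Finding:
    file_id: str
    name: str
    exposure: str        # public | org_wide | personal_email | external
    permission_id: str
    role: str
    age_days: int        # file age; old exposed files are the backlog native DLP never revisits


def classify_permission(perm: dict) -> Optional[str]:
    """Map one Drive permission to an exposure class, or None if it is acceptable."""
    ptype = perm.get("type")
    if ptype == "anyone":
        return "public"                              # "Anyone with the link"
    if ptype == "domain":
        return "org_wide" if perm.get("domain") == CORP_DOMAIN else "external"
    if ptype in ("user", "group"):
        domain = perm.get("emailAddress", "").lower().rsplit("@", 1)[-1]
        if domain in PERSONAL_DOMAINS:
            return "personal_email"
        if domain != CORP_DOMAIN:
            return "external"
    return None


def scan_files(files: list, now: datetime) -> list:
    """Return one Finding per exposed, non-owner permission."""
    findings = []
    for f in files:
        created = datetime.fromisoformat(f["createdTime"].replace("Z", "+00:00"))
        age = (now - created).days
        for perm in f.get("permissions", []):
            if perm.get("role") == "owner":
                continue
            exposure = classify_permission(perm)
            if exposure:
                findings.append(Finding(f["id"], f["name"], exposure,
                                        perm["id"], perm["role"], age))
    return findings


def remediation_plan(findings: list) -> list:
    """Public and personal-email shares become permissions.delete calls;
    org-wide and external shares are queued for human review instead."""
    return [{"fileId": fi.file_id, "permissionId": fi.permission_id, "exposure": fi.exposure,
             "action": "permissions.delete" if fi.exposure in AUTO_REVOKE else "review"}
            for fi in findings]


def historical_backlog(findings: list, min_age_days: int = 365) -> list:
    """Exposures on files older than min_age_days (Best Practice #6)."""
    return [fi for fi in findings if fi.age_days >= min_age_days]


# Constructed sample inventory (not real data).
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 board deck", "createdTime": "2021-03-01T09:00:00Z",
     "permissions": [{"id": "p1", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
                     {"id": "p2", "type": "anyone", "role": "reader"}]},
    {"id": "f2", "name": "Customer list", "createdTime": "2024-11-15T12:00:00Z",
     "permissions": [{"id": "p3", "type": "user", "role": "owner", "emailAddress": "bob@example.com"},
                     {"id": "p4", "type": "domain", "role": "writer", "domain": "example.com"},
                     {"id": "p5", "type": "user", "role": "reader", "emailAddress": "carol.personal@gmail.com"}]},
    {"id": "f3", "name": "Team lunch poll", "createdTime": "2025-01-02T08:00:00Z",
     "permissions": [{"id": "p6", "type": "user", "role": "owner", "emailAddress": "dave@example.com"},
                     {"id": "p7", "type": "user", "role": "writer", "emailAddress": "erin@example.com"}]},
    {"id": "f4", "name": "Vendor SOW", "createdTime": "2023-06-01T10:00:00Z",
     "permissions": [{"id": "p8", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
                     {"id": "p9", "type": "user", "role": "commenter", "emailAddress": "legal@partner-firm.example"}]},
]

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES, NOW)
    for step in remediation_plan(found):
        print(step)
    print(f"{len(historical_backlog(found))} exposures sit on files older than a year")
```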

7. Watch Your Users' Behavior

Google Workspace offers helpful identity management solutions, including SSO via third-party IdPs and 2-Step Verification enforcement. But identity management alone cannot protect against insider threats: legitimate users who decide to take advantage of their access to steal, leak, or corrupt sensitive data.

DoControl data found that on average, an organization has 172 alerts from former employees accessing company data, and 129 current employees sharing data with their personal emails.

Identifying the moment a trusted insider becomes a threat requires contextual behavioral monitoring. Not just access logs, but a continuous analysis of whether behavior deviates from what's normal for that individual, their role, and their peer group. 

Watch for signals such as unusual download volume, bulk exfiltration activity, sharing sensitive data to personal Gmail accounts, accessing files outside normal working hours, or interacting with data in departments outside their typical scope.

What to do:

  • Alert Center and Security Center setup: In Admin Console → Security → Alert Center, configure pre-built rules for suspicious login, leaked password detections, and unusual data export events. In the Security Center (Enterprise tiers), create custom investigation rules to surface anomalous behavioral patterns and trigger automated responses.

Make sure you have an insider risk management solution that can correlate behavioral signals across Workspace applications alongside HRIS, EDR, and IdP context – enabling smart differentiation between legitimate business activity and security incidents in near real-time.
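Two of the behavioral signals listed above, as an added example (not code from the original post or DoControl): a day of downloads far above the user's own baseline, and access outside working hours. Events are a constructed, simplified record (user, action, UTC timestamp, document id); the Drive audit log from the Reports API carries the same information inside each activity's `events[].parameters`, and flattening it into this shape is left to the caller. Working hours are assumed to be 08:00-19:00 UTC.

```python
"""Per-user download-spike and off-hours detection over Drive activity.

Added example; not from the original post or DoControl. Events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


@dataclass
class Event:
    user: str
    action: str      # "download", "view", "edit", ...
    ts: datetime     # timezone-aware UTC
    doc_id: str


def daily_downloads(events: list) -> dict:
    """{user: {date: download count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.action == "download":
            counts[ev.user][ev.ts.date()] += 1
    return counts


def flag_download_spikes(events: list, z: float = 3.0, min_abs: int = 50,
                         min_baseline_days: int = 7) -> list:
    """A user-day is a spike when its count is at least min_abs and more than z
    standard deviations above the mean of that user's other days. The per-user
    baseline keeps a power user's normal volume from alerting and stops a quiet
    user's sudden bulk pull from hiding behind an org-wide average."""
    spikes = []
    for user, per_day in daily_downloads(events).items():
        for day, count in per_day.items():
            others = [c for d, c in per_day.items() if d != day]
            if len(others) < min_baseline_days or count < min_abs:
                continue
            threshold = mean(others) + z * pstdev(others)
            if count > threshold:
                spikes.append((user, day, count, round(threshold, 1)))
    return spikes


def flag_off_hours(events: list, work_start: int = 8, work_end: int = 19) -> list:
    """Events whose UTC hour falls outside [work_start, work_end)."""
    return [ev for ev in events if not work_start <= ev.ts.hour < work_end]


def build_sample_events() -> list:
    """Constructed activity: alice downloads 3 to 6 files a day for 30 days and then
    120 in a single day; bob opens three files at 02:30."""
    events = []
    start = datetime(2024, 12, 1, 10, 0, tzinfo=timezone.utc)
    for d in range(30):
        day = start + timedelta(days=d)
        for i in range(3 + d % 4):
            events.append(Event("alice", "download", day + timedelta(minutes=i), f"doc-{d}-{i}"))
    spike_day = start + timedelta(days=30)
    for i in range(120):
        events.append(Event("alice", "download", spike_day + timedelta(minutes=i), f"bulk-{i}"))
    night = datetime(2025, 1, 5, 2, 30, tzinfo=timezone.utc)
    for i in range(3):
        events.append(Event("bob", "view", night + timedelta(minutes=i), f"fin-{i}"))
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for user, day, count, threshold in flag_download_spikes(SAMPLE_EVENTS):
        print(f"{user}: {count} downloads on {day} (baseline threshold {threshold})")
    for ev in flag_off_hours(SAMPLE_EVENTS):
        print(f"{ev.user}: {ev.action} {ev.doc_id} at {ev.ts.isoformat()}")
```

The z-score baseline is deliberately simple; a production detector would add a peer-group baseline and the HRIS context the text mentions before raising an alert.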

8. Engage Your End Users

Beyond intentional threats, end users and employees jeopardize Google Workspace security through lack of awareness about the consequences of their actions: sharing publicly because it's convenient, installing unvetted third-party add-ons, or forwarding sensitive files to personal email addresses.

Simply blocking these behaviors doesn't help users understand what they did wrong – you'll encounter the same situation again. 

Security awareness training has value, but passive education tends to be forgotten quickly. The more effective approach is real-time user involvement in remediation: when a risky action is detected, involve the user directly in addressing it, with a clear explanation of why the action was flagged.

When it comes to risky sharing or data handling, users should be prompted to justify or reverse their action in the moment. When it comes to app installation, users can contribute business context and help assess risk. 

This approach improves security outcomes immediately and builds lasting security culture over time.

9. Stay on Top of Your Connected Apps and OAuth Access

Third-party apps are one of the most overlooked attack surfaces in Google Workspace. Every OAuth-connected app that a user installs – even once, even briefly – retains access until explicitly revoked. 

The marketing agency's tool from eight months ago. The app installed by another app. The trial tool a user signed up for and forgot. All of these may still hold read/write access to your Drive, Gmail, and Calendar.

DoControl data found that on average, an enterprise organization has 730 shadow apps, of which 13% are risky and 14% are abandoned (which is worse – forgotten about AND still serving as an active attack surface!).

Managing this effectively requires two things: knowing which apps exist, and ensuring each app only has the permissions it actually needs for its business function.

What to do:

  • Navigate to Admin Console → Security → API Controls → Manage Third-Party App Access. 
  • Enable the Configured Apps allowlist to block unapproved apps from accessing Workspace data. 
  • Review existing app permissions and revoke access for apps that are unused or hold unnecessary OAuth scopes.

Make sure you have a granular solution for shadow app discovery and remediation that can surface apps installed outside IT's visibility, evaluate risk based on OAuth scopes, and automate remediation – suspending apps, removing permissions, and revoking OAuth tokens at scale.
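The scope review in the steps above, as an added example (not code from the original post, DoControl or Google): it collapses per-user OAuth tokens into one record per app, rates each app by the broadest Workspace data its scopes reach, and recommends an allowlist decision. The inventory is constructed in the shape of the Admin SDK Directory API `tokens` resource (`clientId`, `displayText`, `scopes`, `userKey`); the client IDs and the allowlist are assumptions, and fetching real tokens is left to the caller.

```python
"""Rank OAuth-connected apps by scope breadth and recommend allowlist actions.

Added example; not from the original post, DoControl or Google. Tokens are constructed.
"""

# Real Google OAuth scope URIs, rated by how much data they expose if the app is abused.
SCOPE_RISK = {
    "https://mail.google.com/": "critical",                        # full Gmail read/write/delete
    "https://www.googleapis.com/auth/gmail.modify": "high",
    "https://www.googleapis.com/auth/gmail.readonly": "high",
    "https://www.googleapis.com/auth/drive": "critical",           # every file the user can reach
    "https://www.googleapis.com/auth/drive.readonly": "high",
    "https://www.googleapis.com/auth/drive.file": "low",           # only files the app created/opened
    "https://www.googleapis.com/auth/calendar": "medium",
    "https://www.googleapis.com/auth/calendar.readonly": "low",
    "https://www.googleapis.com/auth/admin.directory.user": "critical",
    "https://www.googleapis.com/auth/userinfo.email": "info",
    "https://www.googleapis.com/auth/userinfo.profile": "info",
    "openid": "info",
}
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def scope_risk(scope: str) -> str:
    """Unrated scopes are treated as medium so they surface for review rather than vanish."""
    return SCOPE_RISK.get(scope, "medium")


def summarize_apps(tokens: list) -> list:
    """One record per clientId: the users who granted it and the union of their scopes."""
    apps = {}
    for tok in tokens:
        app = apps.setdefault(tok["clientId"], {"clientId": tok["clientId"],
                                                "displayText": tok["displayText"],
                                                "users": set(), "scopes": set()})
        app["users"].add(tok["userKey"])
        app["scopes"].update(tok["scopes"])
    for app in apps.values():
        app["risk"] = max((scope_risk(s) for s in app["scopes"]),
                          key=RANK.__getitem__, default="info")
    return list(apps.values())


def recommend(app: dict, allowlist: set) -> str:
    if app["clientId"] in allowlist:
        return "allowed"          # vetted by IT; keep but re-review its scopes periodically
    if app["risk"] == "critical":
        return "block"            # broad data access and never vetted: cut it off pending review
    if app["risk"] in ("high", "medium"):
        return "review"
    return "allow"                # info/low scopes cost little to tolerate


def audit(tokens: list, allowlist: set) -> list:
    """Sorted report: riskiest apps first, then by how many users granted them."""
    report = [{"clientId": a["clientId"], "displayText": a["displayText"], "risk": a["risk"],
               "user_count": len(a["users"]), "scopes": sorted(a["scopes"]),
               "recommendation": recommend(a, allowlist)} for a in summarize_apps(tokens)]
    report.sort(key=lambda r: (-RANK[r["risk"]], -r["user_count"]))
    return report


# Constructed token inventory and allowlist (assumed client IDs, not real apps).
ALLOWLIST = {"444-crm.apps.googleusercontent.com"}
SAMPLE_TOKENS = [
    {"clientId": "111-notes.apps.googleusercontent.com", "displayText": "Meeting Notes Helper",
     "userKey": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "111-notes.apps.googleusercontent.com", "displayText": "Meeting Notes Helper",
     "userKey": "bob@example.com", "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"clientId": "222-cal.apps.googleusercontent.com", "displayText": "Calendar Sync",
     "userKey": "carol@example.com", "scopes": ["https://www.googleapis.com/auth/calendar", "openid"]},
    {"clientId": "333-sign.apps.googleusercontent.com", "displayText": "Contract Signer",
     "userKey": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.file", "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "444-crm.apps.googleusercontent.com", "displayText": "Company CRM",
     "userKey": "alice@example.com", "scopes": ["https://www.googleapis.com/auth/gmail.modify"]},
    {"clientId": "444-crm.apps.googleusercontent.com", "displayText": "Company CRM",
     "userKey": "bob@example.com", "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"clientId": "444-crm.apps.googleusercontent.com", "displayText": "Company CRM",
     "userKey": "carol@example.com", "scopes": ["https://www.googleapis.com/auth/gmail.modify"]},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_TOKENS, ALLOWLIST):
        print(f'{row["recommendation"]:8} {row["risk"]:8} users={row["user_count"]} {row["displayText"]}')
```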

10. Enforce Device and Endpoint Management

Securing Google Workspace doesn't stop at the application layer – the devices your users log in from are part of your attack surface too. An unmanaged personal laptop with no screen lock, or an unpatched mobile device accessing corporate Drive files, is a liability regardless of how well your Workspace settings are configured.

What to do:

  • Mobile Device Management (MDM): Enable Google's built-in MDM policies through Admin Console → Devices → Mobile & Endpoints. Require screen lock PINs, enforce device encryption, enable remote wipe capability for lost or stolen devices, and set minimum OS version requirements.
  • Blocking Unverified Devices: Context-Aware Access (covered in the next section) allows you to restrict Workspace application access to managed, compliant devices – ensuring that users can only reach sensitive applications from devices that meet your defined security baseline. This is especially critical for remote and distributed workforces.
  • Endpoint Verification: Deploy Endpoint Verification to managed devices to provide real-time device posture data. This feeds directly into Context-Aware Access policies, enabling you to make access decisions based on whether a device is encrypted, has a screen lock, and is running an approved OS version – all enforced automatically.

11. Implement Context-Aware Access (Zero Trust)

Zero Trust is the dominant security architecture for enterprise Google Workspace deployments – and Google has built a native implementation directly into the platform: Context-Aware Access.

The Zero Trust principle is: never trust, always verify. Access to any resource should be continuously evaluated based on context, not granted permanently because a user authenticated once. Context-Aware Access implements this by allowing admins to define access policies based on:

  • User identity and group membership
  • Device posture (managed, compliant, encrypted, OS version)
  • Geographic location or IP range
  • Time and session context

For example, you can require that access to sensitive Drive folders only be permitted from managed devices within approved geographic regions – and block access from personal devices or unrecognized IP ranges entirely. 

Combined with SSO integration with third-party IdPs like Okta and Azure AD, Context-Aware Access allows you to layer your existing identity stack onto Workspace's native controls.

What to do:

Admin Console setup path: Go to Admin Console → Security → Access and Data Control → Context-Aware Access → New Access Level. Assign access levels to specific applications (Gmail, Drive, Chat) at the OU or group level.

Context-Aware Access, paired with DoControl's Data Access Governance capabilities, forms the basis of a true Zero Trust SaaS data security posture for Google Workspace environments.

12. Make Sure Your Admin Configurations Are (and Stay) in Spec

Configurations in Google Workspace deserve their own guide. The challenge is two-part: knowing which settings represent best practices for your organization (this varies by industry and compliance framework), and ensuring those settings stay that way over time. 

Configurations have a tendency to drift – often invisibly, often because of a well-intentioned change made without understanding the security implications. This is known as configuration drift, and it's one of the biggest attack surfaces in modern organizations today because it is practically impossible to detect manually.

What to do:

Compare your Google Workspace Admin Console settings against the CIS Benchmark for Google Workspace – the industry standard for configuration hardening. Key areas to audit quarterly include:

  • Authentication (MFA enforcement, admin role assignments, session duration)
  • Sharing defaults (external sharing permissions, link-sharing defaults by OU)
  • Gmail safety settings (SPF/DKIM/DMARC, attachment scanning, auto-forwarding)
  • API Controls (third-party app allowlist, Marketplace settings)
  • Alert Center rules (suspicious login, data export, leaked passwords)
  • Google Meet settings (join permissions, external participant access, recording controls)

Correct any misconfigurations within the Google Admin Console, including Meet settings to prevent unauthorized access and meeting disruptions. Then set up an automated process to monitor configurations for unintended changes and remediate them before they open doors to threats. An automated misconfiguration management tool can flag drift in real time and provide guided remediation before an open door becomes a breach.

Google Workspace Security Checklist

Use this checklist to assess your current posture and track progress across the five core control areas. Each item maps directly to an Admin Console setting or policy you can configure today.

| Control Area | Google Workspace Security Checklist Item | Status |
|---|---|---|
| Identity & Access Management | MFA enforced for all users, with enforcement set to "On" rather than "Allow" | |
| Identity & Access Management | Security keys or authenticator apps required; SMS and voice codes excluded | |
| Identity & Access Management | High-risk accounts, including executives, finance, and IT admins, enrolled in Advanced Protection Program | |
| Identity & Access Management | Admin roles reviewed and limited to the minimum necessary personnel | |
| Identity & Access Management | Session length controls configured and automatic re-authentication enforced | |
| Email Security (Gmail) | SPF, DKIM, and DMARC configured and set to enforcement policy | |
| Email Security (Gmail) | Security Sandbox enabled for attachment detonation | |
| Email Security (Gmail) | Automatic external email forwarding disabled | |
| Email Security (Gmail) | Enhanced pre-delivery message scanning enabled | |
| Email Security (Gmail) | Anti-spoofing and anti-phishing protections enabled under Gmail Safety settings | |
| Data Protection (Drive & DLP) | Public sharing disabled or restricted by organizational unit | |
| Data Protection (Drive & DLP) | Default sharing configured to the minimum necessary unit, such as department or role group | |
| Data Protection (Drive & DLP) | AI Data Classification Labels enabled and reviewer workflow configured | |
| Data Protection (Drive & DLP) | Google DLP rules configured for PII, PCI, and PHI content types | |
| Data Protection (Drive & DLP) | Historical exposure audit completed and legacy oversharing remediated | |
| Device & Endpoint Management | MDM policies enabled, with screen lock and device encryption required | |
| Device & Endpoint Management | Minimum OS version requirements enforced | |
| Device & Endpoint Management | Context-Aware Access policies configured for sensitive applications | |
| Device & Endpoint Management | Endpoint Verification deployed to managed devices | |
| Monitoring & Response | Alert Center configured with rules for suspicious login, data export, and leaked passwords | |
| Monitoring & Response | Google Groups View Topics permissions restricted to Group Members | |
| Monitoring & Response | API Controls enabled, including third-party app allowlist and blocked unapproved app access | |
| Monitoring & Response | Admin configuration baseline documented and monitored for drift | |
| Monitoring & Response | Quarterly security review cadence established | |

How DoControl Protects Google Workspace

DoControl is a modern Google Workspace security platform. We specialize in SaaS DLP and SSPM – and we are purpose-built for the multiple attack surfaces of Google Workspace: data, identities, configurations, and connected apps. 

Unlike point solutions that address only one layer of risk, DoControl provides unified visibility and control across the entire Workspace ecosystem, helping security teams reduce exposure without disrupting productivity.

Our Data Access Governance and Data Loss Prevention capabilities provide real-time visibility and automated remediation across Drive, Gmail, and every Workspace service. Security teams can continuously identify sensitive data exposure, enforce least-privilege access, and automatically respond to risky sharing events before they become incidents.

Our Identity Threat Detection & Response (ITDR) and Insider Risk Management protect against both external threat actors and insider abuse. By monitoring identity activity and user behavior across Workspace, DoControl detects account compromise, privilege misuse, and anomalous actions that could lead to data loss or unauthorized access.

Our Shadow App Discovery & Remediation continuously monitors OAuth-connected apps and removes unnecessary permissions at scale. This helps organizations reduce third-party risk, uncover unsanctioned applications, and maintain a clean app ecosystem without relying on manual audits.

And, our SaaS Misconfiguration Management checks your Admin Console configurations against CIS benchmarks and guides remediation. Security teams receive prioritized recommendations, continuous compliance monitoring, and actionable guidance to strengthen their Google Workspace security posture over time.

| Security Capability | Google Workspace Native Security | DoControl Security for Google Workspace |
| --- | --- | --- |
| Public & External Sharing Governance | Provides sharing controls, but organizations often struggle to identify and manage risky sharing across thousands or millions of assets. | Continuously discovers public, external, and overexposed files and automatically remediates risky sharing at scale. |
| Historical Exposure Remediation | Native controls focus primarily on current policies and new events. Legacy exposures often require manual investigation and cleanup. | Scans years of historical exposure and bulk-remediates risky permissions, public links, and stale access across the environment. |
| Data Loss Prevention (DLP) | Native DLP provides basic protection but has limitations around file coverage, inspection depth, enforcement latency, and historical remediation. | Provides comprehensive SaaS DLP with deeper visibility, automated remediation, and protection for sensitive Workspace data at scale. |
| AI & Gemini Data Exposure Protection | AI tools inherit existing permissions, making overexposed data available to authorized users unless access is corrected. | Reduces AI-driven data exposure by continuously enforcing least-privilege access and eliminating unnecessary permissions. |
| Insider Risk Management | Audit logs and alerts provide visibility but require security teams to manually investigate and respond. | Detects anomalous behavior, risky sharing, suspicious downloads, and potential insider threats with contextual analysis and automated response. |
| Former Employee Access Risks | Requires ongoing manual reviews to identify files and data still accessible to former employees. | Continuously identifies and remediates lingering access from terminated employees and external collaborators. |
| Third-Party OAuth App Governance | Provides app allowlisting and approval workflows but offers limited visibility into overall app risk. | Discovers shadow apps, evaluates OAuth permissions, identifies risky integrations, and automates remediation. |
| Shadow IT Discovery | Limited visibility into unsanctioned SaaS applications connected by end users. | Automatically discovers, inventories, and assesses connected applications across the Workspace ecosystem. |
| Configuration Drift Detection | Admins must manually monitor security settings and configuration changes over time. | Continuously monitors for configuration drift and alerts teams when critical settings deviate from security baselines. |
| CIS Benchmark Alignment | Organizations must manually assess and compare configurations against recommended benchmarks. | Automatically evaluates Google Workspace settings against CIS-aligned best practices and provides guided remediation. |
| Zero Trust Data Access Governance | Context-Aware Access focuses on user identity, device posture, and authentication context. | Extends Zero Trust principles directly to Workspace data by continuously enforcing least-privilege access controls. |
| Automated Security Remediation | Many security issues require manual investigation, ticketing, and administrative action. | Automates remediation workflows for exposed data, risky permissions, shadow apps, and policy violations. |
| Unified Workspace Security Coverage | Security capabilities are distributed across multiple tools and consoles. | Provides a unified platform for SaaS DLP, SSPM, ITDR, Insider Risk Management, Shadow App Governance, and Data Access Governance. |

For the full picture, visit docontrol.io/saas-ecosystem/google-workspace.

Conclusion

Organizations using Google Workspace can achieve the dream of seamless productivity without compromising on security. It just takes awareness, the right configurations, and the right tooling.


FAQs

What are the biggest security risks for Google Workspace users?

The biggest security risks for Google Workspace users are data exfiltration and data exposure, which can happen in many ways. The main ones include oversharing of files, lack of visibility into third-party app access, identity threats or insider misuse, and misconfigured sharing permissions. Additionally, the growing adoption of AI tools and Gemini in Google Workspace increases the risk surface – AI tools inherit access permissions, meaning overshared data can be surfaced through AI responses without users realizing it. Without proper controls and automation, security teams can't scale with the pace of collaboration happening in Google Workspace.

How do you stop employees from oversharing files in Google Workspace?

Stopping file oversharing starts with visibility. You need a real-time, granular view into who is sharing what, with whom, and how – especially when links go public or external. From there, implement automated policies to detect risky sharing behaviors and remediate them quickly. Educating employees helps, but scalable enforcement via automation ensures protection without blocking collaboration.

What are Google's AI Data Classification Labels and should we use them?

Google's AI-powered Data Classification Labels automatically tag files based on content sensitivity – "confidential," "internal," "restricted," and similar categories. These labels can inform native Google DLP enforcement rules, but labeling alone doesn't protect data. A labeled file that's still publicly shared is still a public file. Native labels are a meaningful step forward, but they're only part of the solution. You still need historical visibility, granular access controls, and the ability to remediate past and future data exposure.

How can I manage and secure third-party apps connected to Google Workspace?

Start by identifying all OAuth-connected apps across your environment – many were likely installed by users without IT oversight. In Admin Console → Security → API Controls, review all third-party app access and enable the Configured Apps allowlist. Assess the risk each app poses based on its OAuth scopes and whether access is still needed. You should be able to automatically block, revoke, or quarantine risky apps based on policy. Continuous monitoring is essential – new apps are connected constantly.
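The triage step in that answer, assessing each app by its OAuth scopes and whether it is on the allowlist, is easier to see in code. Here is an added example (not from this article or from DoControl) that groups per-user OAuth grants by app, flags unapproved apps holding broad Gmail, Drive, or directory scopes, and produces the list of grants to revoke. The token records mirror the fields the Admin SDK Directory API returns from `users.tokens.list` (`clientId`, `displayText`, `scopes`) but are constructed sample data; the client IDs and the allowlist are placeholders for your own Configured Apps.

```python
"""Triage third-party OAuth grants against an app allowlist and high-risk scopes.

Added example. Token records are constructed sample data shaped like Admin SDK
Directory API users.tokens.list items; client IDs are placeholders.
"""

# Real Google scope URIs that grant broad mailbox, Drive, or directory access.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Placeholder: the client IDs you have approved under API Controls > Configured Apps.
ALLOWED_CLIENT_IDS = {"PLACEHOLDER-approved-crm.apps.googleusercontent.com"}

# Constructed sample grants (one record per user per app).
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com",
     "clientId": "PLACEHOLDER-approved-crm.apps.googleusercontent.com",
     "displayText": "Approved CRM",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"userKey": "alice@example.com",
     "clientId": "PLACEHOLDER-pdf-merger.apps.googleusercontent.com",
     "displayText": "Free PDF Merger",
     "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
    {"userKey": "bob@example.com",
     "clientId": "PLACEHOLDER-pdf-merger.apps.googleusercontent.com",
     "displayText": "Free PDF Merger",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "bob@example.com",
     "clientId": "PLACEHOLDER-calendar-widget.apps.googleusercontent.com",
     "displayText": "Calendar Widget",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

def triage_tokens(tokens, allowed=ALLOWED_CLIENT_IDS, high_risk=HIGH_RISK_SCOPES):
    """Aggregate grants per app and assign a verdict: revoke, review, or allowlisted."""
    apps = {}
    for t in tokens:
        app = apps.setdefault(t["clientId"], {
            "clientId": t["clientId"], "displayText": t["displayText"],
            "users": set(), "scopes": set(),
        })
        app["users"].add(t["userKey"])
        app["scopes"].update(t["scopes"])

    findings = []
    for app in apps.values():
        risky = sorted(app["scopes"] & high_risk)
        if app["clientId"] in allowed:
            verdict = "allowlisted"   # approved; still re-check its scopes periodically
        elif risky:
            verdict = "revoke"        # unapproved app holding broad data access
        else:
            verdict = "review"        # unapproved but narrow; decide, then allowlist or block
        findings.append({**app, "users": sorted(app["users"]),
                         "scopes": sorted(app["scopes"]), "risky_scopes": risky,
                         "verdict": verdict})
    # Most urgent first: revocations, widest deployment first within each verdict.
    order = {"revoke": 0, "review": 1, "allowlisted": 2}
    return sorted(findings, key=lambda f: (order[f["verdict"]], -len(f["users"]), f["clientId"]))

def revocation_plan(findings):
    """(user, clientId) pairs to revoke; each maps to one users.tokens.delete call."""
    return [(user, f["clientId"]) for f in findings if f["verdict"] == "revoke"
            for user in f["users"]]

if __name__ == "__main__":
    results = triage_tokens(SAMPLE_TOKENS)
    for f in results:
        print(f"{f['verdict']:<11} {f['displayText']:<16} users={len(f['users'])} risky={f['risky_scopes']}")
    print("revoke:", revocation_plan(results))
```

Feeding it live data means paging `users.list` and calling `users.tokens.list` per user with an admin-scoped service account; blocking the app domain-wide under API Controls is the durable fix, and the revocation list is the cleanup for grants that already exist.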

Why is historical remediation important for Google Drive security?

Many data leaks originate from decisions made months or even years ago. Most of the time, when employees publicly share files, they never go back and remove access – meaning those files remain exposed indefinitely. Most security tools focus on future threats while overlooking legacy exposures. Historical remediation gives you the ability to go back, identify outdated or risky permissions at scale, and correct them before they become a problem. It's a critical step toward comprehensive Google Drive security and lasting peace of mind.
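As an added example of the historical audit that answer calls for (not code from this article or from DoControl), the script below walks Drive file metadata, classifies each non-owner permission as public, anyone-with-link, external domain, or external user, and ranks stale, long-untouched exposures first. The file records use the same fields a Drive API v3 `files.list` call can return (`id`, `name`, `modifiedTime`, and `permissions` with `type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`) but are constructed sample data; example.com is a stand-in for your primary domain, and the fixed clock keeps the output deterministic.

```python
"""Audit Drive files for public, link-based, and external sharing, ranking stale files first.

Added example. File records are constructed sample data shaped like Drive API v3
files.list results; example.com stands in for the organization's primary domain.
"""
from datetime import datetime, timezone, timedelta

INTERNAL_DOMAIN = "example.com"                    # assumption: your primary domain
STALE_AFTER = timedelta(days=365)                  # untouched for a year and still shared = legacy exposure
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)   # fixed clock so results are reproducible

SAMPLE_FILES = [
    {"id": "f1", "name": "2019 board deck.pdf", "modifiedTime": "2019-06-01T09:00:00.000Z",
     "permissions": [
         {"id": "p1", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
         {"id": "p2", "type": "anyone", "role": "reader", "allowFileDiscovery": True},
     ]},
    {"id": "f2", "name": "Vendor contract.docx", "modifiedTime": "2024-12-20T15:30:00.000Z",
     "permissions": [
         {"id": "p3", "type": "user", "role": "owner", "emailAddress": "bob@example.com"},
         {"id": "p4", "type": "user", "role": "writer", "emailAddress": "counsel@lawfirm.example"},
     ]},
    {"id": "f3", "name": "Team lunch poll", "modifiedTime": "2024-11-02T12:00:00.000Z",
     "permissions": [
         {"id": "p5", "type": "user", "role": "owner", "emailAddress": "carol@example.com"},
         {"id": "p6", "type": "domain", "role": "reader", "domain": "example.com"},
     ]},
    {"id": "f4", "name": "Old salary export.csv", "modifiedTime": "2022-01-15T08:00:00.000Z",
     "permissions": [
         {"id": "p7", "type": "user", "role": "owner", "emailAddress": "dave@example.com"},
         {"id": "p8", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
     ]},
]

def classify_permission(perm, internal_domain=INTERNAL_DOMAIN):
    """Return an exposure label for one permission, or None if it stays inside the domain."""
    kind = perm["type"]
    if kind == "anyone":
        # allowFileDiscovery=True means search engines and anyone can find it; False is link-only
        return "public" if perm.get("allowFileDiscovery") else "anyone_with_link"
    if kind == "domain":
        return None if perm.get("domain", "").lower() == internal_domain else "external_domain"
    if kind in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        return None if email.endswith("@" + internal_domain) else "external_user"
    return None

def audit_files(files, now=NOW, stale_after=STALE_AFTER, internal_domain=INTERNAL_DOMAIN):
    """Return one finding per exposed permission, stale legacy exposures first."""
    findings = []
    for f in files:
        modified = datetime.fromisoformat(f["modifiedTime"].replace("Z", "+00:00"))
        stale = now - modified > stale_after
        for perm in f["permissions"]:
            if perm.get("role") == "owner":
                continue
            label = classify_permission(perm, internal_domain)
            if label:
                findings.append({"fileId": f["id"], "name": f["name"], "permissionId": perm["id"],
                                 "exposure": label, "stale": stale})
    severity = {"public": 0, "anyone_with_link": 1, "external_domain": 2, "external_user": 3}
    return sorted(findings, key=lambda x: (not x["stale"], severity[x["exposure"]]))

def remediation_plan(findings, remove_exposures=("public", "anyone_with_link")):
    """(fileId, permissionId) pairs for link sharing on stale files; each maps to permissions.delete."""
    return [(x["fileId"], x["permissionId"]) for x in findings
            if x["stale"] and x["exposure"] in remove_exposures]

if __name__ == "__main__":
    found = audit_files(SAMPLE_FILES)
    for x in found:
        print(f"{'STALE ' if x['stale'] else '      '}{x['exposure']:<17} {x['name']}")
    print("remove:", remediation_plan(found))
```

The plan removes only link-based sharing on files nobody has touched in a year; current external collaborators are listed for review rather than cut off, since a live vendor contract is usually shared on purpose. On a real tenant the audit runs over every user's files with a domain-wide delegated service account, and the `(fileId, permissionId)` pairs go to `permissions.delete`.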

How does DoControl help organizations secure Google Workspace more effectively?

DoControl provides a modern SSPM solution built for today's organizations using Google Workspace. We solve for data access governance, data loss prevention, insider risk management, shadow apps, misconfigurations, and more – through automated, no-code security workflows that give you complete control over data access. With policy-based remediation and historical scanning, DoControl closes the gap between collaboration and control. It's not just about alerts; it's about action at scale, without slowing down your business.

How do I conduct a Google Workspace security assessment?

A Google Workspace security assessment involves reviewing four areas: authentication settings (MFA enforcement, admin roles), data access (external sharing, DLP rules), connected apps (OAuth scopes, unused apps), and monitoring (Alert Center rules, audit logs). Conduct a full review quarterly and after any significant personnel changes. DoControl's Free Risk Assessment can give you an immediate snapshot of your current exposure.

What is the shared responsibility model for Google Workspace?

Google secures the infrastructure – physical data centers, network security, encryption in transit and at rest, and platform uptime. Your organization is responsible for everything built on top: who has access, how files are shared, which apps are connected, how accounts are protected, and how configurations are maintained. Many breaches in Google Workspace environments result not from Google failures but from misconfigured settings or overprivileged users.

Melissa leads DoControl’s marketing and content strategies, creating educational and engaging narratives that position the brand at the center of the SaaS security market. She translates complex industry trends and security challenges into clear, practitioner-focused insights that highlight DoControl’s unique value.

Her work spans content, campaigns, and brand, connecting strategy and execution across channels to strengthen positioning, inform the market, and shape how organizations think about and approach SaaS security today.
