Oct 6, 2024

Google Workspace Security Checklist: Essential Steps for Admins in 2024

As a Google Workspace admin, you have to balance security against productivity. Fortunately, Google Workspace offers plenty of ways to increase your data security while still enabling the business. And for any critical security function that Google Workspace doesn't offer built-in, a dedicated Google Workspace SSPM (SaaS Security Posture Management) solution can fill the gap.

What exactly are those critical security functions? This checklist outlines the Google Workspace security areas you should be focusing on, along with the specific actions you should confirm you have taken or are able to take. First, however, let's take a step back and look at the big picture of Google Workspace security.

What is Google Workspace Security in 2024?

Google Workspace security is the protection of Google Workspace’s attack surfaces from access and manipulation by bad actors. Bad actors can be either external to your Google Workspace (e.g. hackers) or insiders (e.g. employees using their legitimate access to cause problems). 

The attack surfaces of Google Workspace can be defined as four separate areas: 

  • Data: the information stored as assets in your Google Drive, Gmail, etc.
  • Identities: the user accounts
  • Connected Apps: third-party OAuth apps, add-ons and integrations
  • Configurations: the high-level Workspace settings, usually controlled by admins

Google Workspace Security Checklist for Admins: Essential Steps

The checklist is intended to be practical and immediately usable. It is therefore set up as a series of "I did..."-style statements, sorted into eight areas of Google Workspace security. Where an item needs explanation, the explanation appears directly beneath the statement.

Check each box if you can; if not, correct the situation and go back to check the box. Good luck!

Check Account Access

❒ I have enforced a strong password policy (minimum length and strength enforcement) for all users.

❒ I have made multi-factor authentication (2-Step Verification) mandatory for every user, not merely available.

❒ I have set up Google Workspace's identity management features (for example, single sign-on through my identity provider) rather than leaving each user with a standalone Google password.

❒ I have a way of identifying suspicious login attempts, such as reviewing the login audit log for bursts of failed logins and for logins Google has flagged as suspicious.

Check Identities

❒ I have more than one super admin, but fewer than five.

With only one super admin, a compromise or lockout of that single account can disrupt the business. More than five expands your attack surface wider than necessary.

❒ I have a way of knowing when admin privileges are granted or escalated.

❒ My employee offboarding process removes all access to corporate Google Workspace accounts, assets and apps.

This includes any sharing the employee set up to their own personal (non-corporate) Google accounts.
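The three items in these two sections that depend on log or directory data (spotting suspicious login attempts, knowing when admin rights are granted, and keeping the super admin count in range) can all be scripted against the Admin SDK. What follows is an added example, not code from DoControl or Google. It runs offline on constructed records shaped like an Admin SDK Reports API `activities.list` response (login and admin audit logs) and a Directory API `users.list` response; every email address, IP address, timestamp and role value in the samples is made up. The admin audit event names in `PRIVILEGE_EVENTS` are the ones I know of and should be verified against the current Reports API event reference before you rely on them.

```python
# Added example: scan Admin SDK Reports API activity records for account-access
# and identity signals.  All emails, IPs and timestamps below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Admin audit event names that grant or change admin rights (assumed set; verify
# against the Reports API admin event reference and extend as needed).
PRIVILEGE_EVENTS = {"ASSIGN_ROLE", "GRANT_ADMIN_PRIVILEGE", "GRANT_DELEGATED_ADMIN_PRIVILEGES"}

def _record(time, app, actor, ip, events):
    """One activity record in activities.list shape (constructed sample data)."""
    return {"id": {"time": time, "applicationName": app},
            "actor": {"email": actor}, "ipAddress": ip, "events": events}

# One good login, six failures against bob inside five minutes, one login Google
# itself flagged, and one role assignment in admin audit log shape.
SAMPLE_ACTIVITIES = [
    _record("2024-10-01T08:00:00.000Z", "login", "alice@example.com", "203.0.113.5",
            [{"type": "login", "name": "login_success", "parameters": []}]),
    *[_record(f"2024-10-01T08:1{i}:00.000Z", "login", "bob@example.com", "198.51.100.7",
              [{"type": "login", "name": "login_failure",
                "parameters": [{"name": "login_failure_type",
                                "value": "login_failure_invalid_password"}]}])
      for i in range(6)],
    _record("2024-10-01T09:30:00.000Z", "login", "carol@example.com", "192.0.2.44",
            [{"type": "login", "name": "suspicious_login", "parameters": []}]),
    _record("2024-10-01T10:00:00.000Z", "admin", "admin@example.com", "203.0.113.9",
            [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "ASSIGN_ROLE",
              "parameters": [{"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"},
                             {"name": "USER_EMAIL", "value": "dave@example.com"}]}]),
]

# Constructed Directory API users.list output: three super admins, one delegated admin.
SAMPLE_USERS = [
    {"primaryEmail": "admin@example.com", "isAdmin": True, "isDelegatedAdmin": False},
    {"primaryEmail": "backup-admin@example.com", "isAdmin": True, "isDelegatedAdmin": False},
    {"primaryEmail": "cto@example.com", "isAdmin": True, "isDelegatedAdmin": False},
    {"primaryEmail": "helpdesk@example.com", "isAdmin": False, "isDelegatedAdmin": True},
]

def _ts(item):
    """Parse the RFC 3339 timestamp in id.time as an aware UTC datetime."""
    return datetime.strptime(item["id"]["time"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def _param(event, name):
    return next((p.get("value") for p in event.get("parameters", []) if p.get("name") == name), None)

def failed_login_bursts(items, threshold=5, window=timedelta(minutes=10)):
    """{actor: peak count} for actors with >= threshold login_failure events inside
    any span of length `window` (sliding window over the actor's sorted timestamps)."""
    failures = defaultdict(list)
    for item in items:
        if item["id"]["applicationName"] == "login" and any(
                e["name"] == "login_failure" for e in item["events"]):
            failures[item["actor"]["email"]].append(_ts(item))
    bursts = {}
    for actor, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[actor] = peak
    return bursts

def suspicious_logins(items):
    """(time, actor, ip) for logins Google already classified as suspicious."""
    return [(item["id"]["time"], item["actor"]["email"], item.get("ipAddress"))
            for item in items if item["id"]["applicationName"] == "login"
            and any(e["name"] == "suspicious_login" for e in item["events"])]

def admin_privilege_changes(items):
    """Admin audit events that grant roles or privileges: who did it, to whom, which."""
    findings = []
    for item in items:
        if item["id"]["applicationName"] != "admin":
            continue
        for event in item["events"]:
            if event["name"] in PRIVILEGE_EVENTS:
                findings.append({"time": item["id"]["time"], "event": event["name"],
                                 "granted_by": item["actor"]["email"],
                                 "target": _param(event, "USER_EMAIL"),
                                 "role": _param(event, "ROLE_NAME") or _param(event, "PRIVILEGE_NAME")})
    return findings

def super_admin_check(users, low=2, high=4):
    """Super admins in users.list output (isAdmin marks a super admin, isDelegatedAdmin
    a delegated one) and whether their count lies within [low, high]."""
    supers = sorted(u["primaryEmail"] for u in users if u.get("isAdmin"))
    return supers, low <= len(supers) <= high

if __name__ == "__main__":
    print("failure bursts:", failed_login_bursts(SAMPLE_ACTIVITIES))
    print("suspicious logins:", suspicious_logins(SAMPLE_ACTIVITIES))
    print("privilege changes:", admin_privilege_changes(SAMPLE_ACTIVITIES))
    print("super admins:", super_admin_check(SAMPLE_USERS))
```

Against a real tenant you would replace the samples with the `items` returned by `service.activities().list(userKey="all", applicationName="login")` and `applicationName="admin"` (Reports API) and the `users` returned by `service.users().list(customer="my_customer")` (Directory API), called through google-api-python-client with an admin or delegated service-account credential. The two login checks are complementary: the failure-burst count catches brute forcing of a single account before Google scores it, while `suspicious_login` surfaces logins that succeeded but from a context Google considered unusual.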

Check User Behavior

❒ I can assess if a user is interacting with Google Workspace assets or identities in a manner that is unusual for them. 

This will require benchmarking normal behavior for individual users, departments or groups.

❒ I can differentiate between normal business actions and suspicious behavior. 

This will require benchmarking normal behavior plus contextual business information (e.g. new projects or situations that may require different resources or activity patterns).

Check Asset Access Control and Permissions

❒ I have checked that the only publicly shared assets are those which must be public for their business function.

And not assets made public simply to spare the owner future sharing requests.

❒ I have checked that the only organization-wide shared assets are those which must be accessible to my entire organization for their business function.

And not assets shared organization-wide simply to spare the owner future sharing requests.

❒ I have set up small organizational units and groups (departments, sub-departments, role-based groups) within Google Workspace, based on the groups that logically need to share information with each other, and made the most limited logical unit the default sharing option.

This balances the asset owner's convenience against the security need to limit unnecessary exposure.
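One way to find the over-shared assets that the first two items above describe, as an added example that is not DoControl's or Google's code: it classifies each file's widest exposure from the `permissions` entries of Drive API v3 file resources (the `type`, `role`, `domain`, `emailAddress` and `allowFileDiscovery` fields), compares that with the sets of files approved to be public or organization-wide, and emits the permission IDs an admin would delete to remediate. `ORG_DOMAIN` and every file, name and ID in the sample are constructed.

```python
# Added example: audit Drive permissions for public and organization-wide sharing.
# ORG_DOMAIN and every file, name and ID below are constructed, not real data.

ORG_DOMAIN = "example.com"

# Drive API v3 role values that let the holder change content.
WRITE_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}

# Exposure levels from narrowest to widest.
EXPOSURE_ORDER = ["internal", "external", "org-wide", "public", "public-discoverable"]

# Constructed files.list output with the permissions field populated.
SAMPLE_FILES = [
    {"id": "f1", "name": "Public pricing sheet",
     "permissions": [{"id": "p1", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
                     {"id": "p2", "type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Q3 board deck",
     "permissions": [{"id": "p3", "type": "user", "role": "owner", "emailAddress": "bob@example.com"},
                     {"id": "p4", "type": "anyone", "role": "writer", "allowFileDiscovery": True}]},
    {"id": "f3", "name": "Holiday calendar",
     "permissions": [{"id": "p5", "type": "user", "role": "owner", "emailAddress": "carol@example.com"},
                     {"id": "p6", "type": "domain", "role": "reader", "domain": "example.com"}]},
    {"id": "f4", "name": "Vendor contract",
     "permissions": [{"id": "p7", "type": "user", "role": "owner", "emailAddress": "dave@example.com"},
                     {"id": "p8", "type": "user", "role": "commenter", "emailAddress": "partner@vendor.example"}]},
    {"id": "f5", "name": "Team notes",
     "permissions": [{"id": "p9", "type": "user", "role": "owner", "emailAddress": "erin@example.com"},
                     {"id": "p10", "type": "group", "role": "writer", "emailAddress": "eng@example.com"}]},
]

def exposure_of(permission, org_domain=ORG_DOMAIN):
    """Classify one permission entry by how far it widens access."""
    ptype = permission.get("type")
    if ptype == "anyone":   # anyone with the link, or additionally findable by search
        return "public-discoverable" if permission.get("allowFileDiscovery") else "public"
    if ptype == "domain":   # a whole domain: ours, or someone else's
        return "org-wide" if permission.get("domain", "").lower() == org_domain else "external"
    email = permission.get("emailAddress", "").lower()   # a user or group
    return "internal" if email.endswith("@" + org_domain) else "external"

def widest_exposure(file, org_domain=ORG_DOMAIN):
    """The single widest exposure level among a file's permissions."""
    return max((exposure_of(p, org_domain) for p in file.get("permissions", [])),
               key=EXPOSURE_ORDER.index, default="internal")

def overshared(files, org_domain=ORG_DOMAIN, approved_public=frozenset(), approved_org_wide=frozenset()):
    """Files exposed wider than their approved business function, each with the
    (fileId, permissionId) pairs an admin would pass to permissions.delete.
    A public link that grants write access is flagged even when the file is approved
    to be public: readable-by-anyone can be a business need, writable-by-anyone is not."""
    findings = []
    for f in files:
        perms = f.get("permissions", [])
        public = [p for p in perms if p.get("type") == "anyone"]
        org_wide = [p for p in perms if exposure_of(p, org_domain) == "org-wide"]
        if public:
            writable = any(p.get("role") in WRITE_ROLES for p in public)
            if f["id"] in approved_public and not writable:
                continue
            reason = "public link grants write access" if writable else "public but not approved"
            offending = public
        elif org_wide and f["id"] not in approved_org_wide:
            reason = "shared with the whole organization but not approved"
            offending = org_wide
        else:
            continue
        findings.append({"file": f["id"], "name": f["name"],
                         "exposure": widest_exposure(f, org_domain), "reason": reason,
                         "revoke": [(f["id"], p["id"]) for p in offending]})
    return findings

if __name__ == "__main__":
    for finding in overshared(SAMPLE_FILES, approved_public={"f1"}):
        print(finding["name"], "->", finding["reason"], "| revoke:", finding["revoke"])
```

To feed it real data, list candidate files with `files.list` using the `visibility` search term (`anyoneWithLink`, `anyoneCanFind`, `domainWithLink`, `domainCanFind`) and request `fields="files(id,name,permissions(id,type,role,domain,emailAddress,allowFileDiscovery))"`; for items in shared drives the `permissions` field is not populated and you call `permissions.list` per file instead. Each `revoke` pair maps directly onto `permissions().delete(fileId=..., permissionId=...)`. Sharing to individual external users (the `external` level, as in the vendor contract) is deliberately not flagged here, since that is a separate policy decision from public and organization-wide exposure.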

Check Data Loss Prevention (DLP) Capabilities

❒ I have enabled Google Workspace AI Data Classification Labels.

❒ I have configured Google Drive DLP rules.

And I am aware of the limitations of built-in Google Drive DLP.

❒ I have a way of securing the content that built-in Google Drive DLP does not inspect: comments on Drive assets, audio and video files, and sensitive content that sits beyond the first 1 MB of an asset.

Built-in Google Drive DLP does not cover these; they require a separate, more advanced DLP solution.

Check Configurations

❒ I have compared all my admin configurations to the security standards and regulations relevant for my industry (e.g. CIS Benchmarks, HIPAA, GDPR).

❒ I review my configurations at least once a week or on an automated, continuous basis.

Because configuration drift happens.

❒ I remediate configuration drift as soon as it occurs.

Check Third-Party Apps

❒ I am aware of all the third-party apps connected to my Google Workspace ecosystem, across all users.

❒ I have verified that every connected app is legitimate (known publisher, known business owner) and has been reviewed for security.

❒ I have removed any apps that have not been used in the past 90 days.

Stale apps increase your attack surface unnecessarily.

❒ I have checked that all apps hold only the OAuth scopes they need for their business function.

If an app's purpose is to turn Google Sheets rows into Calendar appointments, it should not need write permission to your Google Drive.

❒ I have revoked any unnecessary app permissions.

❒ I have a process for asking the user who installed an app why they installed it, to understand its business function.

Involving users lets part of the app risk assessment be delegated to the people who know the business need.
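A scripted version of the app inventory and scope checks in this section, as an added example (not DoControl's or Google's code). It takes Admin SDK Directory API `tokens.list` output per user (the Tokens resource: `clientId`, `displayText`, `scopes`, `anonymous`, `nativeApp`), builds the organization-wide app inventory, and flags apps that are not in an approved registry or that hold scopes beyond what they were approved for, including the Sheets-to-Calendar app with full Drive access from the item above. The client IDs, app names and the `APPROVED_APPS` registry are assumptions; the scope strings are real Google OAuth scopes.

```python
# Added example: review third-party OAuth grants from Directory API tokens.list output.
# Client IDs, app names and the APPROVED_APPS registry below are assumed/constructed.

# Registry you maintain (not a Google API): apps the business approved and the
# scopes each one was approved for.
APPROVED_APPS = {
    "111.apps.googleusercontent.com": {
        "name": "Sheets-to-Calendar sync",
        "scopes": {"https://www.googleapis.com/auth/spreadsheets.readonly",
                   "https://www.googleapis.com/auth/calendar.events"},
    },
    "222.apps.googleusercontent.com": {
        "name": "Team chat notifier",
        "scopes": {"openid", "https://www.googleapis.com/auth/userinfo.email"},
    },
}

# Scopes that give broad access to mail, files, contacts or the directory (real scope strings).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed tokens.list items per user, in Tokens resource shape.
SAMPLE_TOKENS = {
    "alice@example.com": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Sheets-to-Calendar sync",
         "scopes": ["https://www.googleapis.com/auth/spreadsheets.readonly",
                    "https://www.googleapis.com/auth/calendar.events",
                    "https://www.googleapis.com/auth/drive"],   # full Drive access: more than the job needs
         "anonymous": False, "nativeApp": False},
        {"clientId": "222.apps.googleusercontent.com", "displayText": "Team chat notifier",
         "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"],
         "anonymous": False, "nativeApp": False},
    ],
    "bob@example.com": [
        {"clientId": "333.apps.googleusercontent.com", "displayText": "PDF Magic Converter",
         "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive.readonly"],
         "anonymous": True, "nativeApp": False},   # anonymous: client not registered with Google
    ],
}

def app_inventory(tokens_by_user):
    """Organization-wide view: every client ID seen, who granted it, and the union of scopes."""
    inventory = {}
    for user, tokens in tokens_by_user.items():
        for tok in tokens:
            entry = inventory.setdefault(tok["clientId"],
                                         {"name": tok.get("displayText"), "users": [], "scopes": set()})
            entry["users"].append(user)
            entry["scopes"].update(tok.get("scopes", []))
    return inventory

def review_tokens(tokens_by_user, approved=APPROVED_APPS, high_risk=HIGH_RISK_SCOPES):
    """One finding per (user, app) that is unknown or holds scopes beyond its approval.
    Each finding carries the (userKey, clientId) pair that tokens.delete takes."""
    findings = []
    for user, tokens in tokens_by_user.items():
        for tok in tokens:
            cid, scopes = tok["clientId"], set(tok.get("scopes", []))
            finding = {"user": user, "clientId": cid, "app": tok.get("displayText"),
                       "anonymous": bool(tok.get("anonymous")),
                       "high_risk_scopes": sorted(scopes & high_risk),
                       "revoke": (user, cid)}
            if cid not in approved:
                finding["problem"] = "unknown app"
            elif scopes - approved[cid]["scopes"]:
                finding["problem"] = "excess scopes"
                finding["extra_scopes"] = sorted(scopes - approved[cid]["scopes"])
            else:
                continue
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for cid, entry in app_inventory(SAMPLE_TOKENS).items():
        print(cid, entry["name"], len(entry["users"]), "user(s)", sorted(entry["scopes"]))
    for f in review_tokens(SAMPLE_TOKENS):
        print(f["user"], f["app"], f["problem"], f.get("extra_scopes") or f["high_risk_scopes"])
```

Feed it `service.tokens().list(userKey=user).execute().get("items", [])` for every user in the directory, and revoke a grant with `service.tokens().delete(userKey=user, clientId=cid).execute()`; the `revoke` tuple in each finding is exactly that pair. The Tokens resource carries no last-used timestamp, so the 90-day staleness item above needs a different source (the OAuth token audit log or an SSPM tool) rather than this listing.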

Check Security Threat Remediation Capabilities

❒ I can disable or suspend user accounts that are acting suspiciously.

❒ I can remove permissions to assets or applications at the per-user level.

❒ I can remove permissions for users or applications at the per-asset level.

❒ I can automate any of the above remediations, so that they happen as soon as the security threat is identified.

In Google Workspace, as in any SaaS ecosystem, data exposure and loss can happen in the blink of an eye. Automated remediation lets exposures be caught and reversed before they turn into incidents.

Want to learn how best to action this checklist? Check out our guide to Google Workspace security.
