I’m sure by now you or your clients are thinking about different cloud platforms to work in. I’ve been getting a lot of requests from MSPs to talk about Google Workspace from a security standpoint. As I talk with them, I find that most are not using any standard when it comes to securing their Google Workspace environment. Many using Google Workspace simply assume that everything is set, or aren’t given any specifics on which to base their security efforts. Unfortunately, that’s not the case.

Today I want to walk through three main areas within Google Workspace that you should be thinking about. Even if you have no intention of using Google’s tools, I strongly suggest you apply these steps to whatever platform you support.

Email Security

Why worry about Email?

I’m sure I’m preaching to the choir here. Email is the number one way attacks get into networks, whether by distributing malware through phishing attacks or by exfiltrating sensitive information out of the company through innocent team members.

As an administrator within Google Workspace, you will be able to set custom rules to protect incoming emails from phishing and malware.

You can enable email spoofing protection for select groups or all users within your workspace. For instance, Google is attempting to protect users from attacks where a hacker impersonates someone within your organization.

To make sure you are getting the most out of your Google Workspace email security, Google recommends that emails within your workspace are signed and encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME), which is available on all Enterprise plans.

User Login Security

Why worry about logins?

I’m sure you can appreciate that email isn’t the number one tool for every employee within a business. You might support users that do not use or hardly use their email BUT use other aspects of Google’s platform. Maybe these users don’t need professional email accounts and utilize other standalone applications for their jobs. Whatever the case, these users need access to the platform and by giving them access, shouldn’t you make sure you’re protecting your client’s environment?

Authentication within Workspace starts with a fundamental: 2-factor authentication (2FA).

As an administrator, you can set up notifications to detect suspicious logins to user accounts, for instance a login from a suspicious location or IP address. Google also allows for single sign-on across its entire Workspace.

Google suggests that in addition to having 2FA set up, you enforce a strong password policy that covers both complexity and length (number of characters, type of characters and password length).

You may also want to consider how devices are being managed. For instance, if a device is used for work, you can enforce a policy requiring all devices managed by an employer to have a screen lock or password. These controls can also be specific to geolocation, device security status, or IP address, all in an effort to reduce the chances of unintended device access.

Sensitive Information and Data Security

Why worry about data security?

Would you ever recommend your clients use a tool that doesn’t protect the data it stores? Over the past few years, Google’s security controls have been inspected with a fine-tooth comb. Here are a few things that you probably will want to look for if supporting this platform:

As an administrator on a cloud account, one of your priorities is keeping your data secure. Just like in local environments, Data Loss Prevention (DLP) will be necessary. You will need to choose what data is sensitive and how to protect it within Workspace.

You can specifically set Workspace up to detect common information types (for instance credit card numbers) and can configure policy to prevent such data from being emailed or sent within files.
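To show how a content detector of this kind works, here is an added example (not from the original post, and not Google's implementation): it finds digit runs that look like card numbers, keeps only those that pass the Luhn checksum, and returns a block or allow decision for an outgoing message. The function names and sample messages are constructed for illustration; the card numbers are the publicly documented test values.

```python
import re

# A candidate is 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out order numbers, IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return normalized digit strings that look like valid card numbers."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def mask(digits: str) -> str:
    """Keep only the last four digits so the audit log holds no card data."""
    return "*" * (len(digits) - 4) + digits[-4:]

def evaluate_message(body: str, attachments: dict[str, str]) -> dict:
    """Hypothetical policy: block if any part of the message contains a card number."""
    findings = []
    for part, text in [("body", body), *attachments.items()]:
        for digits in find_card_numbers(text):
            findings.append((part, mask(digits)))
    return {"action": "block" if findings else "allow", "findings": findings}

# Constructed sample messages.
RISKY = evaluate_message(
    "Please charge card 4111 1111 1111 1111 for invoice 1234567890123456.",
    {"notes.txt": "backup card: 5555-5555-5555-4444"},
)
CLEAN = evaluate_message("Invoice 1234567890123456 is attached. Call 555-0100.", {})

if __name__ == "__main__":
    print(RISKY)
    print(CLEAN)
```

The checksum step is what keeps the invoice number from triggering the rule; pattern matching alone would flag it.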

One way Google Workspace attempts to contain sensitive data is through Google Vault. You can set up retention rules, save documents, and control who has access and what permissions are available to a user. Vault controls which authorized users can access specific organization data.

Best way to get your clients involved in security? Show them how attackers get onto networks and why they need to take security seriously.