Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session

X

Google Workspace Data Protection Guide & Resources

Data Security

illustration of a shield

Google Workspace, formerly known as G Suite, dominated the office productivity suite space in 2020, with a 59 percent US market share. Businesses worldwide continue to trust Google’s productivity and collaboration suite to store organizational information, work across teams, and take advantage of an all-inclusive office platform. In addition, IT administrators cite Google Workspace data protection as their top priority to secure and manage their org landscape. 

If your company uses Google Workspace, this guide will help you understand all the avenues that Google provides to secure and manage your instance while still enabling all the powerful features Google Workspace offers.

How Secure is Google Workspace?

Google has been one of the early adopters of cloud computing. They own the entire infrastructure stack of their cloud ecosystem and have optimized each aspect of the hardware stack over the years. They have also been very proactive about using their technological prowess to stay in tune with how the world of security is changing around them. Let us dive into the key assurances Google provides to keep the Google Workspace ecosystem secure.

Comprehensive Compliance and Audit Control

As a designated processor of data, Google complies with the strictest of security standards globally. Google has earned the ISO/IEC 27017 standard for its data centers and ISO/IEC 27002 specifically for its cloud services. It also conforms to ISO/IEC 27018 for international privacy and data protection. In addition, it continues to serve and conform to several nationally accepted standards for payments (PCI DSS), financial information systems(FISC), and federal use (FedRamp).

Google Workspace is also compliant with several data processing and data protection regulations like HIPAA for Protected Health Information(PHI) processing and GDPR for European Data Protection compliance mandates. 

Complete Audit and Access Transparency

Google provides transparent and comprehensive access to audit logs across all products in Google Workspace. Each of these logs is available for you as an administrator to track suspicious activity. Logs are typically maintained for as long as six months and can vary from product to product. In keeping with its commitment to transparency, Google also provides complete review logs of actions taken by Google staff while providing support in accessing any user content across many of its products. 

Data Region Provisions

Following national and local data processing mandates, Google Workspace also enables data storage and processing by region. As an administrator, you can choose data regions for specific users or specific teams depending on how you build your organization or configure your user groups. Google Workspace allows you to apply data region choices to the entire organization or by group by enabling you to select the following options to ‘The United States’ or ‘Europe’ at this time. 

Note: Only specific editions of Google Workspace enable the data region feature. 

Elements of Google Workspace Data Protection

Authentication

Google Workspace provides several robust options for authentication on the user level by providing multi-factor authentication methods and the option to mandate hardware keys for authentication. It can also securely open up access to third-party apps and services through OAuth 2.0, which provides the ability to whitelist apps and open up access selectively. 

The BeyondCorp implementation from Google Workspace takes authentication further by providing context-aware access without a VPN or agent. BeyondCorp provides a zero trust model on Google Workspace by providing granular controls based on a user’s identity and contextual attributes like IP address and security enrolment. Integrated with Google’s Cloud Identity, this implementation would allow comprehensive authentication anywhere to access your company data and assets securely. 

Data Loss Prevention

Data Loss, primarily through malicious methods like phishing, is an ever-present threat online. We at Varonis have covered phishing prevention on several Google products in detail before. Google Workspace protects against phishing and spoofing by using Domain-based Message Authentication, Reporting, and Conformance (DMARC) mechanisms. In simple terms, Google Workspace allows you as an administrator to ensure that emails arriving from legitimate sources by using a couple of methods, namely:

  • Sender Policy Framework (SPF): Authorized by a set of IP addresses
  • Domain Keys Identified Mail (DKIM): Authorized by digital signatures

The DMARC Google guide describes how to set these methods in detail.

Google Workspace takes data loss prevention further by allowing you to detect standard patterns for sensitive company data in outbound content and detect them at scale. For instance, Google Workspace enables you to set Data Loss Prevention (DLP) rules on specific products like Google Drive to scan, detect, and report actions or events which probe for sensitive content in organization content and report violations. 

As an additional security measure, Google Workspace also provides client-side encryption as an option. Google already provides for the latest standards to encrypt data at rest and in transit. As an administrator, if you choose, you can further secure your data by using your own encryption keys by using an external encryption key service and identity provider before storing it in Google Storage. In this scenario, Google cannot access your keys or your data and you have complete control.

Note: Client Side Encryption (CSE) is only available in specific editions. 

Data Reporting

Google provides a detailed Data Protection Insight Report, providing details on sensitive content stored and shared externally depending on the data type. It also provides recommendations on Data Loss Prevention (DLP) Rules to prevent sharing of sensitive data. As an administrator, you can use this report to review and possibly expand on the review of additional data types that you want to be informed about in the event of data loss. 

In addition to this report, Google provides several interactive reports to assess your exposure to data security issues. You could also analyze Google Workspace logs using your third-party analytical tools through the BigQuery integration. 

Google Workspace: A Strong Arsenal  

Google Workspace provides a great robust set of controls and reports to secure and monitor your organizational data. Like most cloud platforms, Google adheres to a shared security responsibility model. It is important to understand which security tasks are handled by the platform and which tasks are your responsibility. Google provides a great arsenal of tools to help you stay ahead of the curve when securing customer data. But it also requires a steady commitment from your end as an administrator to assess, audit, and act on continuously evolving the security of your Google Workspace instance. Most data loss incidents happen as an outcome of user behavior. As an administrator, you could preempt such scenarios by being watchful of your Google Workspace data at all times. With the tools that Google Workspace provides, you are now capable of securing your most precious asset – your organization’s data. 

Take Google Drive as an example—it’s one of the most widely used data storage platforms available. On top of it likely storing sensitive information—much of which you may not even know where it exists—it has built-in collaboration capabilities, which make securing data exceptionally challenging. 

Users can grant access to data on their own, creating complex permission structures hidden from admins that make it nearly impossible to answer the question “Who has access?”.  Professional and personal account interfaces look almost identical to the end-user, making it easy to accidentally grant access to personal accounts, creating over-privileged, unmanaged shadow identities that leave your sensitive data at risk.

Varonis’ DatAdvantage Cloud helps organizations secure their data in Google Drive. We simplify Google Drive’s complex permission sets with a real-time view into who can access what data. We monitor how data is accessed and shared, alerting when behavior appears risky to proactively stop threats. When investigations are necessary, we help you see what happened across cloud apps without requiring any correlation or extra work.

At Varonis, we have deep expertise in providing data protection solutions across all cloud platforms. Schedule a call with us today to know more.

Renganathan Padmanabhan

Renganathan Padmanabhan

Renga is a product manager and a digital experience leader with 15 years in tech. He writes exclusively on product, design, technology, and content on www.rengawrites.com. The content and views expressed are his own alone and do not necessarily reflect the views of his employer.

 

Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.