Google Workspace security features every business should know about
Is Google Workspace secure? That is a valid question that almost every business asks!
The suite of office tools is built from the ground up to comply with even the strictest security requirements of industries, such as finance, healthcare, education, and others, out of the box.
Google has its products audited and verified regularly, for example for SOC 2, FISC, PCI DSS, ISO 27001, ISO 27017, ISO 27018, HIPAA, GxP, HITRUST CSF, and many more. (A full list of compliance resources is available from Google.)
Why is there still so much distrust toward a cloud environment, especially in security-sensitive industries? Well, the bad news is, technology unfortunately isn’t everything. It all comes down to people. Let me explain.
Google offers layer upon layer of security
Google provides the option to have layer upon layer of security from any angle you can think of so that your business stays compliant with the requirements of your industry. Let me emphasize the word “option” again.
It also gives you full control over your own data and your domain settings. It’s up to you as the domain admin to decide how many layers of the “security onion” your business needs and then press the button and switch them on. Google won’t do it for you.
The good news is that your Google Workspace license probably already includes all the features you need. Depending on the type of license you currently have, it may cost you nothing. Or you may even discover that the fancy software you were planning to deploy next month won’t be needed after all, because you can find the same features within Google Workspace.
All in all, knowledge is power, and we believe that knowing some of the features that Google Workspace offers out of the box can save you many headaches. With this article, we’d like to bring you closer to the security topic and introduce you to the most important security features that every company should implement.
There are 3 important pillars that cover most security solutions:
- Access and authentication
- Asset protection
- Operational control
Access and authentication
Multi-factor authentication (MFA)
MFA helps mitigate the risks associated with weak or reused employee passwords. Anyone who knows a user's password has exactly the same access as that user.
MFA adds a second factor on top of the password, so a stolen password alone is not enough to sign in. As the domain admin you can enforce 2-Step Verification for everyone or merely recommend it; the key is that users authenticate with a password plus an additional second layer.
There are different options to choose from:
- Google prompt (pop-up window on an already connected phone)
- SMS code
- Phone call
- Authenticator app generating codes
- FIDO2-compatible hardware security key (USB/NFC/Bluetooth)
Single sign-on (SSO)
Google single sign-on lets employees work from virtually anywhere, on any device. It’s one-click access to all in-house apps with the same corporate login credentials. It saves time and increases security by reducing the number of passwords your employees have to come up with.
Context-aware access
Context-aware access lets you define which conditions a user must meet before they can reach an application. You can control access to corporate data based on identity, device security status, IP address, and location, and combine as many of these conditions as you need, one at a time or all at once. Some examples of policies are:
- Allow access to selected apps only from devices issued by the company
- Allow access to Drive only if the user's device storage is encrypted
- Restrict access to apps to selected IP addresses only
- Restrict access to apps from selected countries
- Allow access only from devices with the latest version of the OS installed
- Enforce a device policy such as screen lock, the latest OS version, or visibility of lock screen messages
- And many more
You can still set other policies, such as 2-Step Verification, for all organizational units or group members.
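As an added illustration (not from the original article or from Google), the policy examples above map onto a single access level. Google Workspace context-aware access uses the same access levels as Access Context Manager, which can be written as a basic-level YAML spec; the level name, IP range, OS versions, country codes and the POLICY_ID placeholder below are assumptions for illustration:

```yaml
# Constructed example: one access level that encodes several of the
# conditions listed above. Fields inside a single condition entry are
# all required at once; with --combine-function=AND every entry must hold.
- ipSubnetworks:
    - 203.0.113.0/24            # assumed corporate egress range (documentation prefix)
  regions:                      # ISO 3166-1 alpha-2 codes the request may originate from
    - US
    - DE
  devicePolicy:
    requireScreenlock: true     # device must have a screen lock configured
    requireCorpOwned: true      # device must be company-issued (inventory-registered)
    allowedEncryptionStatuses:
      - ENCRYPTED               # storage encryption must be on
    osConstraints:              # minimum OS versions; assumed values
      - osType: DESKTOP_WINDOWS
        minimumVersion: "10.0.19045"
      - osType: DESKTOP_MAC
        minimumVersion: "13.0"
# Create the level from this file (POLICY_ID is the organisation's access policy):
#   gcloud access-context-manager levels create corp_managed_device \
#     --title="Corporate managed device" --basic-level-spec=level.yaml \
#     --combine-function=AND --policy=POLICY_ID
```

Once the level exists, it is assigned to specific apps and organizational units under Security > Context-Aware Access in the Admin console; until it is assigned it enforces nothing.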
Asset protection
Endpoint management
Improve device security across your business on Android, iOS, and Windows devices with a single console. Set up devices for new users in minutes and make your business data more secure with preconfigured security features and rules. You can enforce security policies, delete company data, deploy apps, view reports, and export details from all the devices your employees use.
Mobile Device Management
Mobile Device Management (MDM) combines endpoint management and context-aware access so your employees can use their own devices, such as mobile phones, for their daily work. This is commonly called BYOD (Bring Your Own Device). It allows your team to work from anywhere on their own devices while keeping company data secure. You can require a lock screen and the latest operating system, or, if necessary, wipe company data from a device. It gives you full control over your company data without compromising your employees' privacy.
Operational control
Data Loss Prevention (DLP)
DLP is a more advanced service for discovering, classifying, and protecting your most sensitive data. You can control precisely which files may be shared externally, and a rule can apply to an entire domain, a group, or a single user. You also get a comprehensive overview of who is handling sensitive data and how, together with clear notifications to users that they are working with sensitive data. Examples include:
- Blocking external data sharing with contractors
- Applying the label "sensitive" to documents containing payment card numbers and blocking their external sharing
- Warning users before they share externally any document containing a keyword you choose
Management console (Admin console)
As a company administrator, the Google Admin console will be your best friend. You can manage common Google Workspace settings, including adding or removing users, managing billing, setting up mobile devices, and most importantly, you have the ability to set up all the security rules, policies, and services described here in this article, plus many more of them. Find detailed instructions on the Google Workspace Admin support website.
Data regions
Select a geographic location for your data using the Data regions feature. There are many reasons why some industries care more than others about where their data is stored in the world. Google has servers all over the world, and as an administrator, you can use the Data regions policy to store your covered data in a specific geographic location. Your geographic location options are the United States or Europe.
Cloud Identity
“Users” no longer just means employees, but also suppliers, partners, contractors, and customers. Each of these groups has its own requirements for access to different information and applications. In an ever-evolving ecosystem of users, applications, and devices, traditional approaches to identity and access management are no longer sufficient. These approaches were built for an on-premises world (think cumbersome VPNs, limited device access, and inconvenient authentication) instead of today’s cloud-based world.
With Cloud Identity, you give each user and group a unique cloud identity account. That gives you a much simpler way to set up security solutions and policies per group or per user.
BeyondCorp
BeyondCorp is essentially a recommended approach to using Google security services to meet the zero-trust model. By shifting access control from the network to individual users, you can work from virtually anywhere without the need for a traditional VPN.
Summary
We hope this summary helps you understand Google Workspace’s portfolio of security features. If you would like advice on which security level to choose, please do not hesitate to contact us. We’ll be happy to answer any questions you may have. We can also provide you with a thorough security audit and security administrator training to make sure your Google Workspace is set up correctly.