7 Ways to Improve Your Google Apps Domain Security
August 19, 2015
6 minute read
A little more than two months ago, we hosted more than 700 individuals for our first webinar on cloud IT: How to Overcome the Top 7 Security Flaws of the Google Apps Admin Console. Today, we’re expanding on that webinar to provide helpful tips for improving your domain security.
The cloud is ushering in a new type of IT admin. Legacy office tools and practices are being replaced with cloud office systems and new philosophies.
The result: more opportunities and an entirely new set of challenges.
Cloud Office Systems: A Paradigm Shift
As we’ve said before, the rapid move to cloud office systems is the biggest change IT has faced in the last 20 years–the last comparable event being the introduction of Microsoft Exchange.
Today, the move to cloud office systems means your organization’s data is stored in the cloud; it’s accessible from any device, at any time. This is a huge departure from what IT admins are used to. Users can share data out of their organization much easier. Storage and up-time are outsourced to the cloud office system provider relieving IT teams of many routine tasks.
At first glance, the responsibility to secure the exponential amount of data being created and shared may appear to be an uphill climb. The good news is cloud management and security solutions have–and continue to be– developed to safely guide you on your journey to the cloud. Even more importantly, the vendors behind the cloud office systems we use today (Google and Microsoft) take security and management very seriously.
Google’s Dedication to Security
Google takes extraordinary steps to secure its data centers. The company has “450 full-time engineers—including some of the world’s foremost experts in computer security” that work to protect your information. Google Apps has also undergone a number of rigorous third-party audits and received several certifications to ensure that your data is safe.
However, Google does not dictate how you deal with your organization’s sensitive data. Google Apps security is an area where IT admins everywhere can constantly look to improve.
The Price of Fast-paced Innovation
Despite Google’s track record for securing data, the rapid pace of innovation doesn’t come without its detriments. Google releases hundreds of updates every year, mainly for consumers. This creates a problem for IT admins that must keep up with the constant changes and satisfy their end users desire to use the latest features.
Google tends to develop more for the consumer than for businesses, and often times, the capabilities to secure new updates come long after the release has been made available. This is not just a Google issue, this is a cloud application issue in general. Other well-known cloud applications didn’t launch with the security toolset they have today, it was developed over time as admin interactions and feedback helped paint a better picture of where security was lacking.
This can create some security gaps in the Google Admin Console that cloud IT admins need to be aware of.
Note: Cloud IT admins have the choice between Google’s Scheduled Release or Rapid Release tracks. The Scheduled Release track can help admins manage Google’s fast-paced release cycle and can help them mitigate risks; however, it isn’t an all-encompassing solution.
1. Managing Cloud Applications
When discussing cloud application management, you need to think beyond Google Apps. Cloud application usage in large enterprises will grow more than 185% in the next two years, inevitably increasing complexity.
Now is the time to prepare for your organization for the cloud application challenges ahead, not in two years.
One of the main benefits of the cloud is how easy it is to integrate applications with one another, simplifying the flow of data between them. However, this requires you to give cloud applications permissions to access to your organization’s Google Apps data. These permissions can range from basic account information to full access to read and write a document or email.
The Google Admin Console offers limited options to manage or control the installation of cloud applications on your domain and there are a number of ways this can be a risk to your organization.
You need the capability to view and take action on unnecessary third-party applications that have over-reaching access to your domain. If not, end users may unknowingly approve cloud applications that have malicious code or as cloud applications increase functionality, they may change their permission requirements.
2. Enforcing Passwords Updates and Complexity
In 2012, 80% of security incidents were due to the use of weak passwords. To prevent your organization from becoming a statistic, require alphanumeric passwords and schedule policies to automate the password reset process.
While Google Apps does allow admins to set a length requirement for end users’ passwords, it doesn’t give admins the ability to force users to create complex passwords or regularly update their passwords.
3. Preventing Data Loss
Google Apps simplifies sharing and collaboration, so much so that end users have the ability to share documents openly on the internet. Though this obviously can boost productivity, sharing with no policies in place can be reckless while total lockdown can be counterproductive.
Admins need the ability to identify sensitive documents that are shared unnecessarily. Whether it’s company or personal information, tools that can scan and correct these errors are becoming increasingly important.
As an admin, you should take a proactive stance to monitor and mitigate data loss by setting rules and policies around your organization’s Google Drive sharing.
A poll of 130 Google Apps admins revealed a wide range of Google Drive Sharing philosophies.
4. Controlling Google+ Sharing
For a Google Apps organization, Google+ can be a powerful tool for internal collaboration and sharing ideas, both inside and outside an organization. At BetterCloud, we use the social network internally and also to host a community for our BetterCloud for Google Apps customers.
As of August 2015, Google+ has 300 million active users. Despite a large number of active users, the social network is still somewhat of a mystery–many users are unaware of how Google+ posts are shared, often publically.
But through a combination of confusion around sharing and lack of Google+ controls for limiting what users are able to share, organizations can be at risk. Inadvertent public posts that contain sensitive or confidential information can be minimized by setting policies to control how they’re sharing.
5. Managing Mobile Devices (MDM)
Mobile device use continues to grow. We spend more time on our cell phones than on traditional PCs. Your end users may very well consider their mobile devices their most important work device.
Because end users often use their own devices (as opposed to company-owned), IT must straddle and manage a blurring line between personal and work data.
The Google Admin console only offers limited mobile device management (MDM) features, though it has come a long way in the last year. Still, when devices are lost or stolen, access to a user’s email, drive, calendar and other data must be protected.
MDM vendors like AirWatch by VMware and MobileIron offer solutions that are designed to take mobile device security to the next level.
6. Deprovisioning User Accounts
Employees come and go, it’s the nature of business. But a simple mistake, like not deprovisioning a user correctly, can have a devastating impact on your bottom line.
On April 27, 2009 a former employee of California Water Services used his company access, which was still active after his departure, to move $9 million USD to offshore bank accounts in Qatar.
Growing cloud application use means end users will have more accounts and more access to cloud applications. Organizations should develop a thorough and scalable user deprovisioning workflows to offboard end users and protect against data loss.
7. Detecting Last Login and Suspicious Activity
Google Apps does a great job alerting admins to suspicious user logins. But because Google Apps allows end users to access data from any device and any location, deciding which logins are false alerts or legitimate threats can be difficult.
As a cloud IT admin, you’ll need additional information to determine what’s real and what’s not. Investigating a suspicious login can be just as important as the alert itself and you can do so by using BetterCloud to view, audit and take actions on suspicious activity within your domain.
Security is a Collective Effort
Ultimately, the security of your company’s data is a collective effort.
Your end users, the cloud application vendors you use and trust, and most importantly, yourself, all play an important role. As an admin, the majority of the liability rests on your shoulders, but investing in the right tools and putting the right policies and controls in place can go a long way to keeping your domain secure.