Introduction to Google Drive Security
February 1, 2015
6 minute read
Editor’s note: This post was updated in September 2020 with new insights and tips about Google Drive security.
The thought of storing sensitive documents in the cloud can be a daunting one. It’s especially true if you are responsible for securing your organization’s data. Compared to the traditional on-premises solution, Google Drive is a paradigm shift. It’s a shift in both where files reside and how they are accessed. Learning more about high profile data leaks reinforce the need for Google Drive security.
Why Google Drive Security is Important
Over the past several years, data breaches have been big news. Target, Home Depot, Instagram, and Sony, just to name a few. Of course, it’s true that these kinds of headline-grabbing, coordinated attacks on consumer and employee data pose a big threat. Organizations are also at risk from a “slow leak” of content, such as intellectual property and other confidential documents.
According to a Ponemon Institute study, 80% of respondents considered loss of intellectual property a risk of insecure file sharing practices. Its study also pointed to a wide range of potential consequences, including:
-
- Loss of intellectual property
- Reputation and brand damage
- Disruptions to productivity
- Increased malware infections
- Regulatory actions
- Lawsuits
Data breaches can also be incredibly expensive. Although the total cost of a data breach is hard to estimate, a 2019 report by IBM found that the average cost of a data breach is $3.92 million. Additionally, IBM reported that the average size of a data breach is 25,575 records.
Needless to say, it’s well worth the additional time, effort, and money to implement the proper Google Drive security protocol compared to the repercussions of a data breach.
Is Google Drive Less Secure than On-Premise Solutions?
A common misconception among proponents of on-premises solutions is that “the cloud” is inherently less secure. According to Gartner contributor David Mitchell Smith,
Cloud computing is perceived as less secure. To date, there have been very few security breaches in the public cloud — most breaches continue to involve on-premises data center environments.
Smith recommends, however, that cloud vendors should be able to demonstrate that their specific solution meets necessary security requirements. With this advice in mind, you will be hard-pressed to find a solution to stands up to scrutiny better than Google Drive. Google is very open about their data security and compliance practices, which include:
- Encrypting your data both at rest (stored physically) and in transit (over public networks)
- Comprehensive background checks on all employees with access to data centers
- Multiple layers of redundancy
- Hardware tracking
- Comprehensive destruction of retired hard disks
- Regular third-party audits to maintain ISO, SOC, and FISMA certifications
The Human Equation of Google Drive Security
Having established that, due to extensive Google Drive security measures, the risk to data residing on Google servers is negligible, we arrive at the single largest risk factor for Google Drive data loss: the end users themselves.
According to Experian’s Data Breach Industry Forecast, 59% of security incidents in 2014 were attributable to human error or malicious employees. Furthermore, only 54% of organizations reported offering security training for employees with access to confidential information. Clearly then, there is a large gap between what IT leaders perceive as a major threat and the actual source of most data leakage.
The knee-jerk reaction to such statistics is to lock down Google Drive. Organizations either drastically restrict the ability of employees to share files externally, or completely disable it. However, this often proves counterproductive as users will organically reject a platform that is overly restrictive due to the inevitable inconveniences, as well as perceived lack of progress compared to existing on-premises data storage.
Raising employee awareness and providing training will pay large dividends in terms of reducing the amount of data lost due to negligence. Although many IT departments loathe expending precious budget on these services; the more open the sharing platform, the more vital this effort becomes.
Although securing Google Drive data takes planning and foresight, it is far from impossible. In fact, because Google Drive activity can be monitored, external sharing is actually more secure than sending email attachments.
Is Google Drive Secure? Three Google Drive Security Best Practices
Your goal should be to take necessary measures to properly implement Google Drive security. At the same time, you want to leverage the power of cloud-based collaboration. Whether you’re planning to conduct a review of your organization’s Google Drive security, or you’re migrating data to Google Drive and need to plan accordingly, adherence to these three best practices will help secure your organization’s data, without placing restrictions on sharing and collaboration.
Understand Google Drive’s Privacy Policy
Nobody enjoys reading Terms of Service documents, but it’s important for IT admins to understand how Google Drive tracks users and collects information from them. Fortunately, Google’s privacy policy isn’t very long—but it is fairly extensive. You can read the full document here, but let’s take a quick look at some of the most critical points:
- Google doesn’t claim ownership over any file saved in Drive. This includes any text, data, information, and files that you upload, share, or store in your Drive account.
- Users control who has access to their files. Google states that it won’t share documents on a user’s behalf, except “as described in its privacy policy.” When you dig into Google’s organization-wide privacy policy, you’ll find that if you work for an organization that uses Google services, an admin or reseller that manages your account will have access to your Google Account.
One thing to note is that this is a very general overview of Google Drive’s privacy policy; these terms apply to anyone on the planet that uses Google Drive. As you likely know, employees of an organization or students at a school that uses Google Drive may be subject to more specific terms and conditions based on each organization’s agreement with Google.
Design and Secure Your Organizational Structure in Google Admin Console
Google’s official documentation states that all users and devices are initially placed into one organizational unit, meaning that any changes you make apply to everyone. Suffice it to say that without any customization, this is far from an ideal Google Drive security plan.
Google strongly recommends creating separate child organizations and mapping them to your company’s structure. Within each of these child organizations, you can apply different settings to some users or devices based on their unique needs. For example, you would probably want to restrict access to sensitive accounting documents from anyone outside of your finance or executive teams.
Although designing an organizational structure requires you to have a deep understanding of each team’s needs, it ultimately creates an incredibly secure Google Drive environment.
INVEST IN EMPLOYEE AWARENESS
User training and education should be a central aspect of your plan. Money invested in training will return dividends in a more savvy and security-conscious user base. Proper training can also help users avoid phishing scams and better secure their accounts using 2-step verification. End users also need a clear understanding of what does or does not violate your organization’s Google Drive security policy.
Google takes this one step further with its employees by tailoring security training sessions to each role. For teams that frequently interact with people outside of your organization, consider placing additional emphasis on policies around acceptable email usage and link sharing within Google Drive.
Take Steps to Secure Endpoint Devices
Even the best training and data loss prevention software will not prevent a data breach if an unsecured device falls into the wrong hands. Thus, it’s always a best practice to enforce Google Drive security policies on mobile devices. For example, use password-protected screen locks and remote-wipe stolen devices. Your IT team should also have a clear and documented plan for securing any accounts at risk from a stolen phone or laptop.
Understand What Data is Being Shared, and to Whom
It is essential to conduct regular data audits to understand quantity of externally exposed data. If possible, you should also implement data loss prevention measures. This includes scanning Google Drive content for policy violations using an application such as BetterCloud. Knowing the volume and content of files being shared outside the company will provide you with valuable data, and you will be able to proactively adjust your Google Drive security policies accordingly.
Unsure if your Google Drive security plan is up to snuff? Download our free guide to see how yours measures up to the most secure instances on the planet.