There's been a great deal of talk this week about the security of the "cloud". iCloud is the current focus of cloud security as the service seems to be the source of leaked, private data of several high profile celebrities.
We think this is a great time to revisit the security of your Gmail and Google Apps accounts.
Review your Security Settings
You can find them here: https://www.google.com/settings/security
Review, confirm and update your 'Recovery & alerts' information as needed. This is a great opportunity to review these settings in detail to make sure everything is up to date.
Leverage two-factor authentication
Enable 2-Step Verification, commonly called Two-Factor Authentication. You can start the process here.
As Google explains:
2-Step Verification drastically reduces the chances of having the personal information in your Google Account stolen by someone else. Why? Because bad guys would have to not only get your password and your username, they'd have to get a hold of your phone.
Two-factor authentication foils phishing attacks, the most common attack you'll experience. Once your computer is authenticated you won't have to use two-factor authentication every time, but any time a new computer tries to access your account, two-factor authentication will be required. This strikes a good balance between convenience and security. Today many modern services offer two-factor authentication; you can learn more about other services offering this feature here.
Never trust an unknown or unexpected login page
If you're going about your business on the web and are unexpectedly asked to provide credentials, stop. Never log in to a page you don't recognize or don't expect. Always review the URL of the site requesting credentials. If anything looks 'phishy', close the window and attempt to access the service as you normally would from a trusted URL like Gmail.com or Drive.Google.com.
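To make "review the URL" concrete, here is an added example (not code from the original post) contrasting the check most people do by eye, "does the address contain google.com?", with a check on the parsed hostname. Only the hostname decides where the credentials go; the trusted-host list below is an illustrative assumption, not an official list of Google sign-in hosts.

```python
from urllib.parse import urlsplit

# Assumption: illustrative trusted hosts, built from the examples in the post.
TRUSTED_HOSTS = {"gmail.com", "google.com", "drive.google.com", "accounts.google.com"}
TRUSTED_SUFFIXES = (".google.com",)


def naive_check(url: str) -> bool:
    """The eyeball check: 'google.com' appears somewhere in the address."""
    return "google.com" in url.lower()


def is_trusted_login_url(url: str) -> bool:
    """True only if the URL is HTTPS and its hostname is one we trust.

    urlsplit().hostname strips the scheme, any user:pass@ prefix, the port and
    the path, so text that merely *contains* a trusted name does not count.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")  # trailing-dot FQDN form
    if not host:
        return False
    if host in TRUSTED_HOSTS:
        return True
    # Suffix match with a leading dot: 'evilgoogle.com' must not match.
    return host.endswith(TRUSTED_SUFFIXES)


def classify(url: str) -> str:
    """Label a URL for a quick comparison of the two checks."""
    if is_trusted_login_url(url):
        return "trusted"
    return "looks trusted but is not" if naive_check(url) else "untrusted"


if __name__ == "__main__":
    # Constructed sample addresses, in the shapes a reader should compare.
    for u in [
        "https://accounts.google.com/ServiceLogin",
        "https://drive.google.com/drive/my-drive",
        "http://accounts.google.com/ServiceLogin",
        "https://accounts.google.com.example.net/login",
        "https://accounts.google.com@example.net/login",
        "https://evilgoogle.com/login",
        "https://example.net/google.com/login",
    ]:
        print(f"{classify(u):25} {u}")
```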
Leverage a good password
Keep your password secure. Don't share your password with others. In Gmail leverage Delegate Access rather than shared passwords. Don't have a single password for the whole office. If you ever think your password may have been exposed, be proactive and change it.
Never use your primary email address and password as a username/password combination for other sites.
Many services will allow (or require) an email address as a username. While convenient, this can also be problematic if you use the same password for that site as for the email account behind the username. For example, Forbes was recently attacked by hackers who gained access to everyone's username.
The security message on Forbes.com, February 17th, 2014.
If your email address here is your primary email address and you used the same password for that email account and Forbes, you're at a greater risk of having your account compromised. While Forbes states that passwords were encrypted we can't know the strength of the encryption or if it was fully implemented. Bottom line, we don't want our primary account password in more places than it has to be. Increased points of exposure and passwords don't mix.
For Google App Domain Admins
Know your Security options
As the Domain Admin you are all powerful. You should absolutely have two-factor authentication enabled for your account. Access to your Google Apps account provides access to the entire domain. Your security practices and the security of your domain are one and the same.
Visit the Security area of your Control Panel.
- Enable SSL (should be enabled by default for all new domains)
- Review your Password management settings
- Allow 2-Step Verification and consider requiring it for certain staff members if they interact with sensitive data
Review the Password Strength of your associates. Intervene on weak passwords and request that your co-worker use a stronger password.
Use caution here :) By definition, this is a complex area of your Control Panel. I would review the Manage OAuth Client access section. OAuth allows other applications to communicate with your Google Apps environment and is a tremendously valuable and powerful capability. Review the applications communicating with your domain and clean up any clutter by revoking their access. Make sure you communicate with other Admins in your domain prior to making any changes so you don't break functionality that is currently being used.
Know your Alerts & Reports
Did you know your Control Panel has a "Suspicious login activity" alert you can enable? Visit the Reports section of your Control Panel and select "Manage Alerts".
Review the rest of the Reports available to you as an Admin. Consider reviewing portions of this information on a regular basis.
Add Additional Capabilities
Given the nature of your operations, you may want to consider adding additional security capabilities to your environment. We can work with you to secure trials and great pricing for these platforms, please let us know if you'd like more information or to trial these solutions.
General Audit Tool for Google Apps
Scan, control and secure all Sites, Docs, Drive, Groups, Calendars, Google+, Third Party Apps, Printers and Users giving more security over the data that you own.
CloudLock for Google Apps gives organizations the ability to meet and enforce data loss prevention, cyber security, and regulatory compliance requirements in the Google Apps platform.
FlashPanel uses Google’s APIs to give Google Apps administrators more visibility, control and security over employees’ use of communication and collaboration tools like Gmail, Google Drive, Google Sites and more.
As more data, services and organizations migrate from local hard drives to the always-on cloud, Backupify is pioneering the protections and processes that will keep your irreplaceable online information safe, useful and under your control.
Spanning provides powerful, reliable, enterprise-class backup and recovery for organizations that would suffer significant business interruption as a result of lost data in SaaS applications.
Today's data is better protected than ever. "Apple's iCloud was hacked" is a popular headline, but it's incorrect. Several individuals were targeted for attack, likely via phishing, and the bad guys gained access to their usernames and passwords. Would 2-Step Verification have thwarted this criminal activity? We don't know for sure, but it probably would have made it much more difficult at the very least. Apple has stated they are increasing their use of two-factor authentication and security alerts, like the ones reviewed above, and all Apple customers will benefit from these improvements. The internet is no different from the physical world: keep your guard up and use common sense.