5 Google Drive security measures


1. Training 

It's unfair to employees and the organization to roll out Google Drive without training. It's much better to start the team off with a strong base of knowledge. What does it mean to work in Drive vs. a local network share, their desktop, etc? How do the new capabilities enabled by Drive make life easier and what new considerations must be taken into account? What's a Google Doc link (place) vs a Word document file (thing)? What are the best practices we're going to use internally and externally? 

"We're not very good at using Google Drive." That's not a life sentence for the organization. The "training is too expensive" line doesn't work either. Boost eLearning and Synergyse are both excellent and only $10.

You have to know how to use a tool in order to use it safely.  

2. Google's 2-Step Verification

Every day someone asks me, "how do we make sure Google Drive is secure?" Every day I tell them to enable 2-Step Verification and everyday they tell me "well, we don't really need it to be that secure." 

I get it. Security vs convenience has always been a tradeoff. If you want to ensure your Google Drive is protected, 2-Step Verification is an excellent step to take. 

In case you lose your smartphone, Google provides a list of backup codes. 

In case you lose your smartphone, Google provides a list of backup codes. 

Google's also made 2-Step Verification easier to use by moving away from the super annoying 16 digit one-time app specific passwords and towards app specific "G-codes" sent to your smartphone. You will still want to save your backup codes to another service or keep a physical copy. 

3. Know your Sharing settings and controls

The Google Apps Super Admin has control over external sharing. For Google Apps Unlimited (and Education) domains, permissions for the ability to share externally can be controlled at the Organizational Unit level. Unlimited domains also have access to the Drive audit log, this reports items like: 

  • Event Description—A summary of the event, such as "Larry created an item."
  • User—The user who performed the activity.
  • Date—The date the event occurred (displayed in your domain's defaulttimezone).
  • Event Name—The action the user performed, such as View, Create, or Edit.
  • IP Address—The IP address from where the user performed the activity.
  • File Type—The type of Drive file the activity involves.
  • Owner—The user who owns the file.

What if your team uses free @gmail.com accounts? Get Google Apps for Work accounts. You don't have any control or ownership over data in free @Gmail.com consumer accounts. What if we share logins? Don't share logins, there's no transparency or accountability when changes are made. 

4. Audit and Enforce Policies

If the goal is to take Google Drive security to the next level, consider capabilities enabled by additional services. The BetterCloud service for example will allow you to audit the domain for all externally shared files and even take action to change Sharing Permissions when needed. The service also allows you to audit for personal information like Social Security Numbers, credit card numbers, or any other sensitive data. 

It's counterintuitive but Google Drive actually enables more control over data rather than less. When data is spread across dozens, hundreds, or thousands of desktops and laptops it's very difficult and expensive to audit. When data is centralized in the cloud, we can run audits almost instantaneously and enforce polices in real time

5. Backup Drive

Google does an excellent job of protecting Google Drive data ... protecting us from ourselves is a more complicated issue. We have full control over our Google Drive, including the ability to accidentally make changes rendering it unrecognizable. EMC's Spanning offers a nice solution. Spanning creates a daily snapshot of everything in Google Drive (including metadata like document directory structure, nested folders, sharing and permissions settings, etc) and saves this snapshot on Amazon Web Services (AWS). This enables a point-in-time restore to any point in time after the service was enabled.