Perception Point Announces Record Year, Protecting Over 2K Organizations & Expanding into Web Security.
Google Drive Security Concerns & 9 Advanced Security Features
What Is Google Drive Security?
Google Drive is a free cloud-based storage service, with a paid business version offered as part of Google Workspace (formerly G Suite). The service allows users to store any files in the cloud, sync them with mobile devices and personal computers, and easily share them with others.
While Google uses state of the art security practices when designing their data centers and services, the use of Google Drive raises multiple risks. The biggest risk is “shadow IT”—users storing corporate files in Google Drive without the knowledge or permission of the organization.
However, even if Google Drive is used in a controlled manner, as part of Google Workspace, there are concerns about users sharing sensitive data with unauthorized parties, which raises business risks as well as legal and compliance risks. We’ll cover security capabilities in Google Workspace, and provide best practices for improving security of your organization’s data.
This is part of a series of articles about cloud storage security.
In this article:
- What is Google Drive Security?
- Is Google Drive Secure?
- Google Drive Encryption
- Google Drive Security Best Practices
- Use Two-Factor Authentication (2FA)
- Setup Recovery on Your Account
- Control User Permissions in the Application
- Third-Party Apps
Is Google Drive Secure?
Google is a prime target for hackers and cybercriminals. One of the main reasons Google is so vulnerable to security risks is that it stores huge amounts of session data and personally identifiable information (PII). Because Google users usually don’t log out of their Google accounts, it becomes possible to track their behavior, even if they are using a VPN.
Google has access to email, files, documents, and more. In some cases, Google Drive users store bank account details, identification documents, and other sensitive information within their cloud storage.
One of the biggest risks associated with Google Drive is that attackers are developing specific scams around the service. There are many common Google Drive scams. These include an attempt to leave phishing links in Google Drive comments, fake Google Drive clone sites, and malware hiding in Google Drive files.
Another concern is that, while users own their intellectual property rights under the Google Terms of Service, the service may scan information and keywords in documents to improve ad targeting. Google also reserves the right to hand over private information if authorities issue a search warrant.
Google Drive Security Features and Encryption
While risks are significant, Google Drive has robust security features. It provides two-factor authentication and built-in security tools in its endpoint management area.
Google hosts every file on its own servers, and Drive encrypts every file it processes. Both 128-bit and 256-bit AES keys are used for encryption. This means that third parties who have hacked Google Drive servers cannot see the contents of the files.
However, with the free version of Google Drive, Google can use the encryption key to recover the data, meaning that hackers and government agencies could theoretically access an organization’s files. According to Google’s Workspace Security Whitepaper, this is not true for Google Workspace.
Another important consideration is what happens to the file during transfer. Google encrypts data stored on Drive, but the service is also a file-sharing and collaboration tool. In other words, data in transit is still vulnerable. This is why Google uses Transport Layer Security (TLS) for data in transit.
9 Additional Security Features in Google Workspace
Following are advanced security capabilities your organization receives if you use Google Drive as part of the Google Workspace suite of services. Note that Google Workspace has several editions, divided into Business Editions, Enterprise Editions, and Educational Editions. Some of these features may not be available in all editions.
1. Single Sign-On (SAML 2.0)
Google Workspace provides single sign-on (SSO) services, allowing users to access multiple services, including Google Drive, using the same login page and authentication credentials. It is based on SAML 2.0, an XML standard that allows secure web domains to exchange user authentication and authorization data.
For added security, SSO accepts public keys and certificates generated using RSA or DSA algorithms. Organizations can use the SSO service to integrate Google Workspace single sign-on with LDAP or other SSO systems.
2. Information Rights Management (IRM)
Most organizations also have internal policies governing the processing of sensitive data. Google Drive provides information rights management capabilities to help Google Workspace administrators manage sensitive data. Admins and users can use Google Drive permissions to protect sensitive content by preventing files from being reshared, downloaded, printed, copied, or changed.
3. Data Loss Prevention (DLP)
Data Loss Prevention (DLP) adds another layer of protection designed to prevent the leakage of sensitive personal information, such as payment card numbers, social security numbers, and protected health information.
DLP prevents users from sending sensitive data, by auditing how sensitive data flows within the enterprise and by enabling alerts or blocking actions. It provides predefined content detection capabilities, including global and regional identifiers, medical information, and credential detection, and provides the ability to define custom detectors. The DLP solution uses Google’s optical character recognition to detect text in images with improved range and quality.
Organizations can use the DLP feature to prevent users from sharing sensitive content on Google Drive or sharing Drive with people outside the organization. Customers can also automate IRM control and advanced DLP rule classification for Drive files.
4. Security and Alert Management
Organizations with multiple security and privacy controls need a centralized location to prevent, detect, and remediate threats. The Google Workspace Trust Center provides advanced security information and analytics to better understand and control security issues.
The Security Dashboard and Security Status page helps administrators and security teams better understand and manage security risks by reviewing admin console settings. They can also use security research tools to identify, classify, and address security and privacy issues within Google Drive deployments.
5. Trusted Domains for Google Drive Sharing
With trusted domains, administrators can control how users in your organization share Google Drive files and folders. Specifically, they can define if users can share files with people outside of your organization, and whether sharing is restricted to specific domains. It is also possible to set up alerts to remind users that they are sharing files outside the organization, and confirm that files are not confidential.
6. Endpoint Management
Protecting information on mobile and desktop devices is a primary concern for Google Drive users. Google Workspace customers can use endpoint management to protect corporate data on users’ personal devices and on their organization’s company-owned devices.
Enrolling devices for endpoint management allows users to securely access Google Workspace services, and allows organizations to set policies to protect devices and data through device encryption, screen lock, or password enforcement.
Administrators can also remotely wipe work accounts from a mobile device, and log out users remotely from a desktop device, including Windows 10 devices, if a device is lost or stolen.
7. Google Workspace Audit Logs
Companies that store data in the cloud want to understand data access and account activity. The Workspace audit log helps security teams maintain an audit trail in Google Workspace and view details about admin activity, data access, and system events. Google Workspace admins can access these logs using the admin console to customize and export logs as needed.
8. Ability to Restore a User’s Drive Data
Administrators can restore a user’s Google Drive data within 25 days after the data is deleted from the user’s Recycle Bin (this depends on the retention policy). After 25 days, even if admins contact technical support, the data cannot be recovered.
9. Retention and eDiscovery
Administrators can enable Google Vault to archive, archive, search, and export data from Google Drive to support an organization’s archiving and eDiscovery needs.
Administrators can also choose to store their data in specific geographic locations (US or Europe) using a data region policy. The data region policy covers the underlying data at rest (including backups) for Google Workspace core services, including Google Drive.
Related content: Read our guide to google cloud storage security (coming soon)
Google Drive Security Best Practices
Enforce Two-Factor Authentication (2FA)
Google Drive offers strong and secure sign-in options, including two-factor authentication. To enable 2FA in Google Drive, all users must provide two pieces of valid information before they can access their Google Account. This includes password combinations, SMS verification, and one-time passwords sent to a mobile device.
Enabling Google Drive’s 2FA feature makes it more difficult for hackers to access data, even if they have the correct username and password. This reduces the effectiveness of phishing and social engineering attacks. 2FA prevents many fraudulent login attempts, even if users do not have strong passwords.
Setup Recovery on Google Drive Account
In some cases, users may accidentally leave their Google Drive account open on a public computer, or might have their credentials compromised. This will require an immediate lockdown of the Google Drive account. Google Drive provides an account recovery option that can help.
Setting up account recovery provides a quick and easy way to protect an account in the above situations. Common methods for locking down and recovering an account include answering security questions, logging in by phone, and checking other email addresses.
Control User Permissions in the Application
Administrators can monitor and control which Google services and apps, such as Google Drive, each user can access. A least-privilege access model should be enforced. This means that users only have access to files, data, and systems sufficient to perform their job duties.
Google Drive offers a number of user permission options. For example, it is possible to limit file sharing within the organization, so if a Google Docs link is accidentally shared with outsiders, they won’t be able to access it. An additional layer of control is to restrict access to users in specific domains.
Finally, there are specially crafted third-party applications that can improve Google Drive access control and security. For example, there are third-party client-side encryption applications that use zero-knowledge encryption. This means that service providers like Google don’t have access to encryption keys.
Other applications to consider include endpoint protection, threat monitoring, cloud security, and email encryption. Third-party apps can be very useful as they tend to simplify and automate processes related to Google Drive security. They can fill in the blanks in Google’s G-Suite security offering.