Google Workspace Security Considerations
If you’re trying to get everyone literally on the same page, you may be considering using Google’s suite of tools for your team. Of course, as you delve deeper into your options, you do want to consider Google Workspace security. Let’s start with the basics.
What Is Google Workspace?
Google Workspace is a collection of cloud-based productivity, computing and collaboration tools that integrate popular Google platforms like Gmail, Google Calendar, Meet, Drive, Currents and the Google Docs suite. While the majority of our clients use Microsoft Office 365, highly collaborative organizations like creative agencies, school systems or small businesses often prefer Google Workspace. At Intrust, we often find that organizations gravitate toward Google Workspace assuming that moving to Google's cloud secures their environment by itself.
In fact, it's a common misconception that cloud platforms like Google ship with adequate security already enforced. Google Workspace has a capable set of security features, but many of the important ones are optional and are not enforced by default. The default setup leaves you significantly more exposed because even basic security controls, like enforcing multi-factor authentication, have to be switched on by an administrator.
With Google Workspace, it's up to the administrator to configure settings correctly. You may be wondering, "Why wouldn't a company as ubiquitous as Google make a workspace super-secure from the jump?" One reason is that many cloud platforms focus on, and market themselves as, productivity tools, not security ones. Settings that slow down or interrupt user workflow are left off to make the product feel more seamless.
The bottom line is that Google Workspace's default configuration leaves gaps that attackers routinely exploit. Your company is exposed unless you or a managed services provider jumps in and deliberately adjusts the controls. If you're not sure where to start, we've compiled an important list of Google Workspace security settings to consider:
Google Workspace Security Considerations
1. Multi-factor authentication
Multi-factor authentication (MFA, which Google calls 2-Step Verification) is the single most important thing we look for when assessing the baseline security of an online workspace. It is the most critical control an organization has in its security arsenal. Why is MFA so crucial? Strong passwords are important, but they are still vulnerable to brute-force and credential-stuffing attacks, and they are routinely stolen through phishing and third-party data breaches. With MFA, an attacker who gets hold of your password still needs your second factor, such as your security key or your phone, to gain access. It's important to note that 2-Step Verification is available in Google Workspace but is NOT enforced out of the box: an administrator has to turn on enforcement for the organization, otherwise users can simply leave it off.
Not all MFA methods are created equal. Some are more secure than others; here are our top recommendations, ranked from most to least secure:
- A physical security key (FIDO2/U2F). Considered the strongest MFA type, this key resembles a USB stick small enough to hang off your keychain. After you enter your credentials, your browser sends the key a challenge tied to the site you are actually visiting; the key signs it with a private key that never leaves the device, and the browser returns the signature to Google. There is no code to type, and because the signature is bound to the genuine domain, a phishing site cannot obtain a usable one. Pro-tip: Google has said it requires security keys for its own employees.
- Biometrics. By now you should be familiar with devices scanning your fingerprint, face or eyes to confirm your identity. In practice the biometric unlocks a credential stored on the device, such as a passkey, and that credential does the cryptographic proof; your biological data never leaves the device, which is why this is another strong, phishing-resistant option.
- Authentication apps. Apps like Google Authenticator or Duo Mobile generate time-based one-time codes (TOTP) on your phone from a secret shared during enrollment; nothing is sent over the network, so there is no code to intercept in transit, and Duo and Google prompts can also push a yes/no approval to the device instead. The weakness is that a user can still be tricked into typing a valid code into a phishing page that relays it in real time, so these are less phishing-resistant than a security key.
- SMS codes. Perhaps the most common form of MFA, SMS ranks last on our list. The code travels over the carrier network in the clear, can be redirected by SIM-swapping your number or intercepted at the carrier, and, like app codes, can be phished in real time. Although this is the weakest form of MFA, text message codes are certainly better than a password alone.
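To make concrete why authenticator-app codes are computed rather than sent, here is an added example (not code from the original article) implementing RFC 6238 TOTP, the algorithm behind Google Authenticator, Duo Mobile and similar apps, with only the Python standard library. The enrollment secret below is the RFC 6238 test-vector key, not a real one, and the server-side verify() with a one-step clock-skew window is an assumption about how a typical verifier behaves, not a description of Google's implementation.

```python
"""Authenticator-app codes are computed, not sent.

Added example, not code from the original article. Implements RFC 6238 TOTP
with only the standard library. At enrollment the phone and the server share a
secret (the QR code); afterwards each side derives the same 6-digit code from
the current time, so no code crosses the network until the user types it in.
"""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per code, the default used by Google Authenticator


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC the big-endian counter, dynamically truncate to 31 bits, keep the low digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at_time // TIME_STEP, digits, algo)


def verify(secret: bytes, submitted: str, at_time: int, skew_steps: int = 1) -> bool:
    """Server-side check (assumed behaviour): accept the current step plus or minus
    `skew_steps` to tolerate clock drift. hmac.compare_digest keeps the comparison
    constant-time so a timing side channel cannot reveal how many digits matched."""
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    for step_offset in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, at_time + step_offset * TIME_STEP)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Constructed enrollment secret: base32 of the RFC 6238 test key "12345678901234567890".
ENROLLMENT_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SECRET = base64.b32decode(ENROLLMENT_SECRET_B32)

if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)  # what the phone displays
    print("phone shows:", code)
    print("server accepts it now:", verify(SECRET, code, now))
    print("same code 90 s later:", verify(SECRET, code, now + 90))  # outside the skew window
```

The point for the MFA ranking above: the secret is the only thing that matters, so an attacker who phishes a code and relays it within the 30-second window gets in, which is exactly the gap a FIDO2 security key closes by binding the response to the real domain.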
2. Make Sure DNS Records Are Configured Properly: SPF, DKIM, DMARC.
We listed a lot of acronyms here for a simple security control. SPF, DKIM and DMARC are the three pillars of email authentication. These DNS records let receiving mail servers verify that a message claiming to come from your organization, company or school really did. Email authentication controls are important because receivers use them to weed out the forged phishing emails that so often clutter inboxes.
How do SPF, DKIM and DMARC work? SPF (Sender Policy Framework) is a TXT record on your domain that lists the servers allowed to send mail on its behalf; for Google Workspace that means including Google's sending servers (include:_spf.google.com). DKIM (DomainKeys Identified Mail) cryptographically signs each outgoing message: you generate a key in the Admin console, publish the public half in DNS and turn signing on, so receivers can check that the message came from your domain and was not altered in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) is a third record, at _dmarc.yourdomain, that tells receivers what to do with mail failing those checks (none, quarantine or reject) and where to send reports about it. These controls make our Google Workspace security list because companies often have them missing or misconfigured, for example DMARC left at p=none or an SPF record ending in +all, which means outsiders can spoof your email address. Spoofed emails land in employee inboxes rather than spam folders and make phishing scams far more convincing.
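The weak configurations mentioned above are easy to catch mechanically. Below is an added example (not from the original article) that audits SPF and DMARC TXT records for the common mistakes: a missing Google include, a permissive +all or ?all, too many DNS lookups, a monitoring-only p=none, partial pct coverage and missing reporting addresses. The records are constructed samples for a fictional domain; for a real domain you would paste in the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`. DKIM is not checked because its record name depends on the selector you chose in the Admin console.

```python
"""Audit SPF and DMARC records for a Workspace-hosted domain.

Added example, not from the original article. The sample records below are
constructed; the check thresholds follow RFC 7208 (SPF) and RFC 7489 (DMARC).
"""
import re

GOOGLE_SPF_INCLUDE = "_spf.google.com"  # Google's published sending ranges
MAX_SPF_LOOKUPS = 10                    # RFC 7208 section 4.6.4


def audit_spf(record: str) -> list:
    """Return findings for an SPF TXT record; an empty list means no issues found."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    mechanisms = terms[1:]

    includes = [t.split(":", 1)[1] for t in mechanisms if t.lower().startswith("include:")]
    if GOOGLE_SPF_INCLUDE not in includes:
        findings.append("missing include:_spf.google.com, so mail sent via Workspace fails SPF")

    # The trailing 'all' decides what happens to every host not listed before it.
    all_term = next((t for t in mechanisms if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("+all", "all"):
        findings.append("ends in +all: any host on the internet passes SPF for this domain")
    elif all_term == "?all":
        findings.append("ends in ?all: unlisted senders are neutral rather than failing")

    # include, a, mx, ptr, exists and redirect each cost a DNS lookup; more than 10 is a permerror.
    lookups = sum(1 for t in mechanisms
                  if re.match(r"[+\-~?]?(include|a|mx|ptr|exists|redirect)(?![a-z])", t, re.I))
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of {MAX_SPF_LOOKUPS} (permerror)")
    return findings


def audit_dmarc(record: str) -> list:
    """Return findings for a _dmarc TXT record; an empty list means the policy is enforcing."""
    tags, findings = {}, []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            findings.append(f"malformed tag '{part}'")
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]

    policy = tags.get("p", "").lower()
    if policy == "":
        findings.append("missing required p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine is an interim step; move to p=reject once reports look clean")
    elif policy != "reject":
        findings.append(f"unknown policy p={policy}")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


# Constructed sample records for a fictional domain.
SPF_WEAK = "v=spf1 include:_spf.google.com include:spf.old-vendor.example +all"
SPF_GOOD = "v=spf1 include:_spf.google.com ~all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_GOOD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, rec, check in [("SPF (weak)", SPF_WEAK, audit_spf), ("SPF (good)", SPF_GOOD, audit_spf),
                             ("DMARC (weak)", DMARC_WEAK, audit_dmarc), ("DMARC (good)", DMARC_GOOD, audit_dmarc)]:
        print(name, "->", check(rec) or ["OK"])
```

Run it against your own records before and after the change; the goal is an empty findings list for both, with DMARC at p=reject only after a few weeks of clean rua reports.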
3. Configure anti-spam and phishing policies.
Another way to combat phishing is to tighten Gmail's spam and phishing protections. Gmail's baseline spam filter is on for everyone, but the stricter safety settings in the Admin console (under Gmail's Safety settings) are not enforced out of the box. One important control under this umbrella is attachment safety: you can have Gmail treat encrypted attachments and attachments containing scripts from untrusted senders, as well as anomalous attachment types, as suspicious. For each of these, and for the related link, external-image and spoofing protections, you choose whether Gmail warns the user, moves the message to spam or quarantines it for an admin to review; quarantine is the safest choice for the riskiest categories.
You can also improve Gmail's ability to identify suspicious content with enhanced pre-delivery message scanning. Normally, when Gmail suspects a phishing email, it displays a warning at the top of the message and moves it to spam. With enhanced scanning enabled, delivery of messages that look suspicious is briefly delayed so Google can run additional checks before they reach the inbox.
4. Control third-party applications connecting to Google Workspace account.
Did you know you can control which third-party apps can access your Google Workspace data? Under Security > API controls in the Google Admin console, you can govern which apps are allowed to obtain OAuth 2.0 tokens, the industry standard by which users grant web applications access to their accounts, and restrict access to sensitive scopes such as Gmail and Drive.
Third-party applications should be strictly limited and monitored. Every connected app is another doorway into your organization: once a user consents, the app holds a token that works regardless of the user's password or MFA, and attackers abuse exactly this, either by tricking users into consenting to a malicious app or by connecting their own app to a compromised account and exfiltrating data through it after a breach. If an integrated application provides clear value for your business, review the scopes it requests and approve it explicitly; otherwise the default should be to block it, because most such apps aren't worth the risk.
At minimum, conduct a periodic audit of all third-party applications and the scopes they hold, and revoke anything you don't recognize.
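As an added example (not code from the original article) of what that periodic audit looks like in practice, the script below triages a set of OAuth grants by the scopes they hold. The grant records are constructed to mirror the fields the Admin SDK Directory API's tokens.list method returns per user (clientId, displayText, scopes, nativeApp); the allowlist of approved client IDs and the set of high-risk scopes are assumptions made for the example, not Google's own classification.

```python
"""Triage the third-party OAuth grants in a Workspace tenant.

Added example, not code from the original article. SAMPLE_GRANTS is constructed
data shaped like Admin SDK Directory tokens.list output; the allowlist and the
high-risk scope set are this example's assumptions.
"""

# Scopes that hand an app broad read or write over mail, files or the directory.
# A token with any of these works regardless of the user's password or MFA,
# which is exactly what an attacker wants for quiet exfiltration.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Client IDs the organization has reviewed and approved (assumed for the example).
APPROVED_CLIENT_IDS = {
    "111111111111-approvedcrm.apps.googleusercontent.com",
}


def classify_grant(grant: dict) -> dict:
    """Decide what to do with one user's grant to one app."""
    scopes = set(grant.get("scopes", []))
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if grant.get("clientId") in APPROVED_CLIENT_IDS:
        verdict = "approved"
    elif risky:
        verdict = "revoke"   # unreviewed app holding mailbox, Drive or directory access
    else:
        verdict = "review"   # unreviewed but low-privilege (e.g. sign-in only)
    return {
        "user": grant["userKey"],
        "app": grant.get("displayText", "(unnamed)"),
        "clientId": grant.get("clientId"),
        "risky_scopes": risky,
        "verdict": verdict,
    }


def audit(grants: list) -> dict:
    """Group every grant by verdict so the 'revoke' list is what the admin reads first."""
    report = {"revoke": [], "review": [], "approved": []}
    for grant in grants:
        result = classify_grant(grant)
        report[result["verdict"]].append(result)
    return report


# Constructed sample export: four grants across two users.
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "111111111111-approvedcrm.apps.googleusercontent.com",
     "displayText": "Approved CRM", "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive.readonly", "openid"]},
    {"userKey": "alice@example.com", "clientId": "222222222222-pdftool.apps.googleusercontent.com",
     "displayText": "Free PDF Converter", "nativeApp": False,
     "scopes": ["https://mail.google.com/"]},
    {"userKey": "bob@example.com", "clientId": "333333333333-widget.apps.googleusercontent.com",
     "displayText": "Calendar Widget", "nativeApp": True,
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "bob@example.com", "clientId": "444444444444-unknown.apps.googleusercontent.com",
     "displayText": "", "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]

if __name__ == "__main__":
    for verdict, rows in audit(SAMPLE_GRANTS).items():
        print(f"{verdict.upper()} ({len(rows)})")
        for row in rows:
            print(f"  {row['user']:<20} {(row['app'] or row['clientId']):<50} {', '.join(row['risky_scopes'])}")
```

The "revoke" bucket is the one to act on immediately: an unnamed app with full Drive access, or a free converter holding https://mail.google.com/, is either an oversight or an attacker's foothold, and in both cases the token should be revoked and the app blocked under API controls.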
5. Configure context-aware access for VIPs with Cloud Identity Premium.
Context-Aware Access is a granular way to decide who can reach Workspace apps and from where. Rather than trusting a successful password-plus-MFA login on its own, you can write access levels that require the request to come from an approved IP range or country, from a specific user group, or from a company-managed device that meets security requirements such as encryption and a screen lock. It is a good idea to set up context-aware access for employees with sweeping access to your organization, like super administrators or senior managers.
It also lets you block sign-ins from countries you know your company does not operate in.
Note that these features require Google Workspace Enterprise editions or Cloud Identity Premium, additional licensing you'll need to purchase through Google.
Get a Comprehensive Google Workspace Security Audit
These considerations are just the tip of the iceberg for a secure cloud-based workspace environment. For a full Google Workspace security assessment, contact Intrust. We are happy to help you work together easily and securely.