Google Workspace Security Considerations

If you’re trying to get everyone literally on the same page, you may be considering using Google’s suite of tools for your team. Of course, as you delve deeper into your options, you do want to consider Google Workspace security. Let’s start with the basics. 

What Is Google Workspace?

Google Workspace is a collection of cloud-based productivity, computing and collaboration tools that integrate popular Google platforms like Gmail, Google Calendar, Meet, Drive, Currents and the Google Docs suite. While the majority of our clients use Microsoft Office 365, often highly collaborative organizations like creative agencies, school systems or small businesses prefer Google Workspace. At Intrust, we often find organizations gravitate toward Google Workspace assuming it’s an easy, quick-fix solution to secure their network.

In fact, it’s a common misconception that cloud platforms like Google have adequate security measures built in. The truth is, Google Workspace’s out-of-the-box security features are pretty sparse. The default setup leaves you significantly more vulnerable because even basic security controls, like multi-factor authentication, need to be manually switched on. 

With Google Workspace, it’s up to the user to configure settings correctly. You may be wondering, “Why wouldn’t a company as ubiquitous as Google make a workspace super-secure from the jump?” One reason is that many cloud platforms focus on and market themselves as productivity tools, not security ones. Certain settings that slow down or interrupt user workflow are turned off to make the product feel more seamless.

The bottom line is that Google Workspace’s baseline security configurations will eventually lead to a breach. Your company is vulnerable unless you or a managed services provider jumps in and manually adjusts the controls. If you’re not sure where to start, we’ve compiled an important list of Google Workspace security settings to consider:

Google Workspace Security Considerations

1. Multi-factor authentication

Multi-factor authentication (MFA) is the single most important thing we look for when assessing the baseline security of an online workspace. It is the defining and most critical control an organization has in its security arsenal. Why is MFA so crucial? While strong passwords are important, they’re still vulnerable to brute force attacks and can be stolen by malicious third parties. With MFA, even in the worst-case scenario where a hacker gets hold of your password, they would still need your physical phone to gain access. It’s important to note that MFA is NOT turned on out of the box in Google Workspace.

Not all MFA methods are created equal. Some are more secure than others; here are our top recommendations, ranked from most to least secure:

  • A physical security key. Considered the strongest MFA type, this key resembles a USB stick small enough to hang off your keychain. After you input your credentials, a unique and encrypted code is sent to the security fob for you to enter back into your computer for a super-secure login. Pro tip: Google uses these physical tokens internally.
  • Biometrics. By now you should be familiar with devices scanning your fingerprint, face or eyes to confirm your identity. This is another strong option for MFA, as it’s hard for cybercriminals to recreate your biological data.
  • Authentication apps. Apps like Duo offer another way to send encrypted authentication codes to verify genuine login attempts.
  • SMS codes. Perhaps the most common form of MFA, SMS ranks last on our list. Unfortunately, SMS codes are prone to getting leaked because the codes sent via text aren’t truly encrypted. Although this is the weakest form of MFA, text message codes are certainly better than nothing.

2. Make Sure DNS Records Are Configured Properly: SPF, DKIM, DMARC.

We listed a lot of acronyms here for a simple security control. SPF, DKIM and DMARC are the three pillars of email authentication. These tools provide proof that your emails are from who they claim to be (your organization, company, school, etc.). Email authentication controls are important because they help servers weed out the phishing emails that so often clutter inboxes.

How do SPF, DKIM and DMARC work? When a domain is created in a workspace, it’s assigned to a specific framework that tells the internet where mail from your domain is allowed to originate. In Google Workspace, enabling DKIM cryptographically signs emails from your server. When you own the domain, you essentially confirm for the receiving email system which senders are genuine and which are phony. These controls make our Google Workspace security list because companies often do not have SPF, DKIM and DMARC configured correctly, meaning outsiders can potentially spoof your email address. Spoofed emails result in phishing scams more easily landing in employee inboxes rather than spam folders.
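One way to check whether the three records are configured correctly is to audit the published TXT records. The following is an added example, not code from this article or from Google; it assumes the domain `example.com`, Google Workspace's SPF include `_spf.google.com` and its default DKIM selector `google`, and it runs on constructed records rather than live DNS lookups.

```python
def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DKIM/DMARC syntax) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(txt):
    spf = [r.lower().split() for r in txt if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return ["SPF: expected exactly one record, found %d" % len(spf)]
    findings = []
    if "include:_spf.google.com" not in spf[0]:
        findings.append("SPF: Google Workspace senders are not authorized")
    if "+all" in spf[0] or "all" in spf[0]:
        findings.append("SPF: '+all' authorizes every sender")
    elif "-all" not in spf[0] and "~all" not in spf[0]:
        findings.append("SPF: no '-all' or '~all', unlisted senders do not fail")
    return findings

def audit_dkim(txt):
    # An empty p= tag means the key was revoked, so treat it as missing.
    has_key = any(parse_tags(r).get("p") for r in txt)
    return [] if has_key else ["DKIM: no public key published at the selector"]

def audit_dmarc(txt):
    dmarc = [parse_tags(r) for r in txt if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["DMARC: expected exactly one record, found %d" % len(dmarc)]
    policy = dmarc[0].get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return ["DMARC: p=%s does not ask receivers to act on failures" % (policy or "missing")]
    return []

def audit_domain(domain, zone, selector="google"):  # zone: DNS name -> TXT strings
    return (audit_spf(zone.get(domain, []))
            + audit_dkim(zone.get("%s._domainkey.%s" % (selector, domain), []))
            + audit_dmarc(zone.get("_dmarc." + domain, [])))

WEAK = {  # constructed sample: neutral SPF, no DKIM key, monitor-only DMARC
    "example.com": ["v=spf1 include:_spf.google.com ?all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
HARDENED = {  # constructed sample; the DKIM key is a placeholder, not a real key
    "example.com": ["v=spf1 include:_spf.google.com -all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    print({n: audit_domain("example.com", z) for n, z in (("weak", WEAK), ("hardened", HARDENED))})
```

To run it against a real domain, fill the `zone` dictionary from the output of your DNS lookup tool of choice.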

3. Configure anti-spam and phishing policies.

Another way to combat phishing is to set up anti-spam and phishing policies. In your Google Workspace, anti-spam isn’t enabled out of the box. One important control under this umbrella is configuring attachment-safety policies. You should set up your attachment safety policies to protect end-users from risky senders. Once these are enabled, additional and more specific actions become available, such as blocking emails that originate from users with zero prior Gmail history or a low sender reputation.

You can also beef up Google’s ability to identify suspicious content in emails with enhanced pre-delivery scanning. Typically, if Gmail suspects a phishing email, it will display a warning at the top of the message and move it to spam. With enhanced scanning, the initial delivery of the email is slowed down, allowing Google to run additional security checks.

4. Control third-party applications connecting to your Google Workspace account.

Did you know you can control how third-party apps access your Google Workspace? In the settings of the Google Admin console, you can govern access to your Google Workspace account through OAuth 2.0, an industry standard for authorizing web applications.

Third-party applications should be strictly limited and monitored. Using outside apps only gives hackers another doorway into your organization. If there’s a clear value that an integrated application provides for your business, robust security measures need to be in place. While there are legitimate uses for third-party applications, attackers can exfiltrate your data to third-party accounts after a breach, so they usually aren’t worth the risk.

At minimum, a periodic audit should be conducted to review all third-party applications.
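A periodic audit of this kind can be scripted. The following is an added example, not code from this article or from Google: it groups per-user OAuth grants by application and reports apps that are unapproved or hold broad scopes. The token records are constructed and shaped like the Admin SDK Directory API `tokens` resource (`clientId`, `displayText`, `userKey`, `scopes`); the high-risk scope list and the approved-app list are assumptions each organization would set for itself.

```python
from collections import defaultdict

# Assumption: this organization's own list of scopes that warrant review.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/admin.directory.user": "manage users",
}

def review_tokens(tokens, approved_client_ids):
    """Group per-user OAuth grants by app; report unapproved or high-risk apps."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for tok in tokens:
        app = apps[tok["clientId"]]
        app["name"] = tok.get("displayText", "")
        app["users"].add(tok["userKey"])
        app["scopes"].update(tok.get("scopes", []))
    report = []
    for client_id, app in apps.items():
        risky = sorted(HIGH_RISK_SCOPES[s] for s in app["scopes"] if s in HIGH_RISK_SCOPES)
        approved = client_id in approved_client_ids
        if risky or not approved:
            report.append({"client_id": client_id, "name": app["name"],
                           "users": len(app["users"]), "approved": approved,
                           "risky": risky})
    # Unapproved apps first, then by number of risky scopes and affected users.
    return sorted(report, key=lambda r: (r["approved"], -len(r["risky"]), -r["users"]))

# Constructed sample records; client IDs, app names and user keys are made up.
TOKENS = [
    {"clientId": "1111.apps.example", "displayText": "Mail Merge Helper",
     "userKey": "10001", "scopes": ["https://mail.google.com/"]},
    {"clientId": "1111.apps.example", "displayText": "Mail Merge Helper",
     "userKey": "10002", "scopes": ["https://mail.google.com/",
                                    "https://www.googleapis.com/auth/drive"]},
    {"clientId": "2222.apps.example", "displayText": "Team Calendar Sync",
     "userKey": "10001", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "3333.apps.example", "displayText": "Backup Tool",
     "userKey": "10003", "scopes": ["https://www.googleapis.com/auth/drive"]},
]
APPROVED = {"2222.apps.example", "3333.apps.example"}

if __name__ == "__main__":
    for row in review_tokens(TOKENS, APPROVED):
        print(row)
```

Approved apps still appear in the report when they hold a high-risk scope, so a reviewer can confirm the grant is still justified.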

5. Configure context-aware access for VIPs with Cloud Identity Premium.

Context-aware access control is an extremely granular way to approach login credentials. For example, you can configure policies that require logins to satisfy specific requirements like IP address, country, user identity and device security status. It may be a good idea to set up context-aware access for employees who have sweeping access to your organization, such as administrators or managers.

Plus, with Cloud Identity Premium, you can block international login attempts that you know wouldn’t originate from your company anyway.

Note that these features are locked behind Cloud Identity Premium, which is an additional license you’ll need to purchase through Google.

Get a Comprehensive Google Workspace Security Audit

These considerations are just the tip of the iceberg for a secure cloud-based workspace environment. For a full Google Workspace security assessment, contact Intrust. We are happy to help you work together easily and securely.

Chaim Black

Chaim Black is a Cyber Security Analyst, providing a full scope of IT and cybersecurity services to a wide range of businesses, municipalities and manufacturing plants.
