This is a work in progress and not a release. We're looking for volunteers. See Issues to know how to collaborate.

Google Workspace Security

tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, HR]

Google Workspace (formerly G Suite) is a powerful suite of productivity and collaboration tools widely used by projects. A lot of things may depend on Google Workspace, in which case it is important to consider the security of it.

Account Security

Multi-Factor Authentication (MFA)

  1. Require all users to enable multi-factor authentication for their Google Workspace accounts. This adds an extra layer of security by requiring a second form of verification in addition to the password.
  2. Encourage the use of hardware tokens (e.g., Yubikeys) for MFA instead of SMS, which is more vulnerable to SIM swapping attacks.

Strong Password Policies

  1. Implement policies requiring strong, complex passwords that are regularly updated.
  2. Encourage the use of password managers to generate and store unique passwords for each account.

Access Management

Role-Based Access Control (RBAC)

  1. Implement RBAC to ensure users have access only to the information and applications necessary for their job roles.
  2. Conduct regular reviews of user permissions to ensure access levels are appropriate and revoke access for users who no longer need it.

Least Privilege Principle

  1. Ensure users have the minimum level of access necessary to perform their duties.
  2. Use Just-In-Time (JIT) access controls to grant temporary access when needed and automatically revoke it after a specified period.

Data Protection

Data Loss Prevention (DLP)

  1. Set up DLP policies to monitor and protect sensitive information from being shared outside the organization or to unauthorized users.
  2. Use DLP to scan emails and documents for sensitive content and enforce policies to prevent data leakage.

Encryption

  1. Use Google Workspace's built-in encryption features to protect emails in transit.
  2. Ensure that files stored in Google Drive are encrypted both in transit and at rest.

Monitoring and Alerts

Activity Monitoring

  1. Enable and regularly review audit logs to track user activities, such as login attempts, file access, and administrative changes.
  2. Use the Google Workspace Security Center to monitor security metrics, detect potential threats, and receive alerts for suspicious activities.

Incident Response

  1. Set up alerts for unusual activities, such as multiple failed login attempts, suspicious file sharing, and changes to security settings.
  2. Develop and maintain an incident response plan specific to Google Workspace, detailing the steps to be taken in the event of a security breach.

Device Management

Mobile Device Management (MDM)

  1. Use Google Workspace's MDM features to enforce security policies on mobile devices, such as requiring screen locks, enabling encryption, and remotely wiping data if a device is lost or stolen.
  2. Maintain an inventory of all devices accessing Google Workspace and regularly audit to ensure compliance with security policies.

Communication and Collaboration

Secure Sharing

  1. Set policies to control sharing of files and documents within and outside the project. Use link sharing settings that restrict access to only specific people.
  2. Use shared drives for team collaboration with appropriate access controls and permissions.

Email Security

  1. Enable advanced spam and phishing protection features to filter out malicious emails.
  2. Encourage the use of secure communication channels for sensitive discussions, such as Google Chat with end-to-end encryption.

Compliance and Governance

Compliance Settings

  1. Configure Google Workspace to comply with relevant regulatory requirements (e.g., GDPR) by using compliance tools and settings.
  2. Use Google Workspace Admin Console to enforce security policies and ensure compliance with project and regulatory standards.