G Suite Security: The essential checklist for Admins
By Harsh Vardhan
“There are only two types of companies: those that have been hacked, and those that will be,” said Robert Mueller, the FBI Director, 2012.
What’s changed between 2012 and 2018? We actually take security very, very seriously. We’ve kind of proved Robert wrong already.
Coming straight to Google: It already has close to 4 million businesses on G Suite. They are constantly working towards making companies’ data more secure.
As an administrator, you’d want to stay abreast of the G suite security-related practices Google recommends.
In this post, I will run you through the essential checklist to keep your company’s G Suite data secure.
Manage your users’ password strength
The most fundamental G Suite security etiquette first: help your team choose a strong password—something with an unlikely letter and number combination.
As a G Suite administrator, you get the ability to manage and track the password strength of every user in your organization.
You’d want to set minimum and maximum strength requirement. You’d want to help your users by sharing tips on how to create strong passwords—this is important—you’d be surprised how many people don’t know the basics of strong passwords.
The best tool you have here—monitor the strength of your users’ passwords from the Admin console. It gives you a graph showing how strong each users’ password is. You can have the weak ones changed promptly.
Make 2-step verification mandatory
Two-step verification is a process that involves two authentication checks performed one after the other to verify that someone or something is who or what they claim they are.
It provides an extra layer of security to your users by having them authenticate their password with a verification code. It can be in the form of phone prompts, voice calls, mobile app notifications, and more.
What it means for you—nobody will be able to gain access to your account even when your password leaks out somehow.
You’d want to keep this in mind: Before enforcement, see that everyone in your organization is enrolled in, or they will get locked out of their accounts.
Have a few users still not enrolled-in but you want to enforce 2-step verification for the rest of the team? Place the users not yet enrolled into exception groups — they will not be locked out of their accounts.
It’s a good idea to specify an enrollment period during which new users can sign in to their accounts using just their password. This gives them some time to set up 2-step verification.
Disallow less secure apps from accessing user accounts
G Suite has an awesome feature that allows you to block sign-in attempts from apps and devices that do not adhere to modern security standards.
How to do this:
Security > Basic settings > Less secure apps
Click Disable access to less secure apps for all users
What happens when a hijacker tries to access a user’s account using a less secure app? End users receive an email informing that someone has attempted to access their account through an application that is not secure.
As a G Suite admin, you’d want to monitor if a user has allowed access to less secure apps. Head to the Account Activity Reports section — it includes a Less Secure Apps Filter that indicates whether every user has denied access to less secure apps.
How does Google identify a less secure app? These are applications that do not use modern-day security standards such as OAuth 2.0. They still use old-school username/password authentication to access accounts programmatically.
Manage OAuth based access for third-party apps
There’s been a lot of incidents when non-Google apps impersonated the Google ‘look and feel’ and gained access to your users’ data.
You’d receive a ‘Joe has invited you to edit the following document’ email — you click the Open in Docs button — you land on a Google page asking to grant app permission.
The email was sent from a non-Google app and you’ve just whitelisted a malicious program.
As a Gmail admin, you’d not want sensitive information leaking out from your users’ Drive and Gmail. This is why OAuth came to exist.
With OAuth whitelisting, you will have the ability to specifically select which third-party apps will have access to your users’ data (across Gmail, Drive, Calendar, and Cloud Platform Services)
The apps will still need the users’ permission to access their data, in case you were wondering.
Once you’ve added that app to your organization’s whitelist, users can choose to grant or decline access to their data.
There is no way a malicious app can trick your users into giving it permission to access your data.
Head over to this Google page for steps to whitelist an app.
Use early phishing detection
Email is still the most common phishing attack carrier. Such emails will usually include a link that takes the user to a website known to be confidential, but they’re mere mimics with zero confidentiality.
You don’t want your users Phishing for trouble. As a Gmail admin, you’d want to add an extra layer of security to incoming emails—G Suite gives you ‘Early Phishing Detection.’
It uses machine learning to identify emails that carry a potential threat. Gmail might give you a warning or move the email to spam straight away.
The moment Gmail detects suspicious content in an incoming email, it introduces a delivery delay and performs rigorous phishing analysis.
Head over to this page for steps to set up Early Phishing Detection.
Ensure that unintended external reply warning is on
When a user hits reply, Google scans the list of recipients, including the ones in Cc — to determine the risk of data loss.
If the recipient is not from your company, not on your contact list, and you’ve never talked to them before, Google displays a warning to protect users from an unintentional leak of internal data.
If the recipient is intended, the user just has to dismiss the warning and go ahead with the response.
This feature gives your company solid protection against forged email messages and possible impersonation.
You’d want to ensure that this option is on. Head to the admin console:
Apps > G Suite > Gmail > Advances settings
Select your top-level organization
Scroll to Unintended external reply warning.
Toggle the checkbox to enable or disable this setting.
You’d want to keep in mind that it can take up to an hour for changes to propagate to user accounts.
Limit calendar information sharing
There are a lot of instances when people share their calendar externally so other users can schedule and edit events. Well, this is a potential threat to your data.
As a G Suite admin, you’d want to control the amount of calendar information people can share externally. Google gives you the ability to control the level of calendar sharing with users outside the organization, and the default visibility of calendars internally.
Once you limit external sharing for your organization, users can't exceed that limit when sharing individual events. For example, if you limit your organization's external sharing to Free/Busy, events with Public visibility are only shared as Free/Busy. All other event details remain hidden.
Limiting sharing to Free/Busy protects users from social engineering attacks that depend on extracting information from meeting titles and attendees.
Conversely, you may allow outsiders to view all calendar information, and then choose whether outsiders can or cannot change calendar items, or fully manage a calendar.
Users can choose how they share their calendars with teammates. The internal sharing options you set for your organization automatically apply if a user doesn't customize their own calendar settings.
You’d want to note that even if a user’s calendar is visible to everyone internally, they will be able to keep specific events private.
Head over to this Google support page to set calendar visibility and sharing options.
Be mindful of Google Groups misconfigurations
Many Google Groups have leaked sensitive information in the past — emails that should have never come in public went on to become searchable on Google.
Researchers at Kenna Security say they discovered upwards of 9600 organizations with public Google Group setting and a third of them were leaking sensitive emails in some way or another.
Even Google acknowledges that there have been “a few instances when customers accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings.”
And that is why it is important for you to keep a very close eye on accidental Google Groups misconfigurations.
You can review and update your domain’s sharing permissions from the Admin console — you can ensure all groups with sensitive information are private.
Even when you give your users the ability to create public groups, you’d still be able to change the domain-level setting to private. By doing this, you’ve ensured that nobody from outside the organization gains access to a group which was previously set to be public by your users.
If your organization manages sales or support using Google Groups, you’d want external individuals to be able to contact a group. The good news is that it can be done without making the ability to view topics in a group public.
As a G Suite admin, you have the ability to allow outsiders to post to a specific group — within the setting for the individual group. The setting will apply irrespective of whether group topics are set to be private or public.
Try out the new G Suite security center
If you’re using the Enterprise edition, you also get access to the new G Suite Security Center, a big step in bringing transparency in security. It’s been designed to give G Suite admins a clearer view of the overall state of their company’s security. It boasts two powerful components.
The security dashboard
You get a dashboard with an overview of existing security metrics across all G Suite services. How does it help—you can keep a closer eye on external file sharing. You get more visibility into spam and malware targeting people inside your organization. There are metrics to define the effectiveness of your security measures. All of this in one unified dashboard.
The security health checkup
You get the ability to analyze email messages that fail to meet your company’s authentication standards. It becomes easy to know which Drive files are triggering Data Loss Protection (DLP) rules.
You’d love the quickstart guide which recommends the best security settings for your organization. There’s customized advice on security best practices for content, communication, mobility, and user security.
Why you’d want to use the Security Center?
All the security metrics that were previously spread across multiple products — come to one unified interface now.
As a G Suite admin, you’d love the single view of recommendations based on what Google thinks are the best security practices for your organization.
In the event of a phishing attempt, you will be able to know which users are at risk. You will be able to zero-in on users with risky configurations and adjust security if needed.
About the author
Harsh is the content lead at Hiver. He's jocular, loves dogs, and spends most weekends doing road trips. He also reads sometimes.