Today’s post is by a guest contributor from CloudLock, one of Cloud Sherpas’ technology partners.
With the launch of Google Drive for Work earlier this summer — and the unlimited storage it offers — the sky’s the limit for users. With greater usage and increased collaboration come tremendous business benefits, including enhanced productivity and real-time co-authoring, but data security concerns, always ready to crash a party, follow closely behind.
Here are ten quick security tips you can put into practice today:
1) Understand Your Environment. First, determine who within your organization is using Google Apps and how they are using the platform. Get a sense of all the files living in users’ drives and all the applications connected to the domain in order to understand all of the access points into the environment.
2) Classify Data. You may find it helpful to categorize data into four categories: public, restricted, confidential and top secret. Such data segmentation will prove valuable in policy development and enforcement.
3) Develop Policy and Monitor Accordingly. Establish policy to address sensitive information within shared files. Be sure to include security considerations as well as compliance concerns specific to your vertical. Create a policy to define what apps users can and cannot attach to the domain. Then, monitor the environment for violations.
4) Control. Maintain risk-appropriate security controls over your Drive environment by ensuring that in extreme cases you, as an administrator, can remove sharing of files that contain sensitive information. The ability to quarantine and take ownership of documents for that purpose is also important.
5) Curb Oversharing. Many users share files with more individuals than they intend to. Familiarize yourself with — and make sure users are aware of — Google Drive’s sharing settings and use them appropriately. Consider removing sharing permissions of files related to a project once it is complete.
6) Out With the Old, In With The New. With the unlimited space offered by Drive For Work, storage is no longer an issue. As such, users naturally build up a considerable library of files, some containing sensitive data. Are you preserving former employees’ access to files by sharing with their personal email addresses? Do external collaborators, such as partners, have ongoing access to documents they no longer need?
If left unchecked, these files can become an exploited vulnerability. By regularly, perhaps quarterly, reviewing the sharing permissions of older files, users can dramatically improve their organization’s security posture.
7) 3rd Party Apps: Know What You’re Connected To. At CloudLock, we’ve discovered nearly 10,000 3rd party apps enabled in corporate domains. While many may offer value, they also have the potential to open a backdoor into the organization via permissions granted to the app by users.
Make sure to evaluate each app enabled through users’ corporate credentials (OAuth). Does the app enhance user productivity? What information does the app have access to? If the application is not work related, users should enable it via personal credentials.
8) Control 3rd Party Apps. Make sure you can exercise control over apps in your domain. Revoke apps that are risky, including those with excessive access scopes and those that are non-work related. Quarantine apps until you have time to review them. Apply conditional restrictions to applications and whitelist or blacklist by user, organizational unit (OU) and/or domain.
9) Consider Encryption — When Absolutely Necessary. In the event of a breach, leveraging file-level encryption in the cloud will prevent malicious parties from accessing your most sensitive data — whether it’s PCI data, intellectual property or other information you want to keep from prying eyes. Recent headlines continue to emphasize the importance of having an extra layer of security for the most private information assets.
10) Educate and Leverage Your Users. One of the strongest tools in the IT Security arsenal is user enablement. Users may not even know they are sharing sensitive data with external parties or connecting an add-on using corporate credentials, and they may not be aware of the associated risks.
Include users in security efforts. After all, who knows more about your sensitive data than they do? By keeping an open line of communication between IT and users — and incorporating an educational element in security strategy — secure behaviors will be encouraged and the resources spent policing users will decrease.
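The quarterly sharing review from tip 6 can be sketched as a short script. This is an added example, not code from CloudLock or the original post; the domain names, the 90-day threshold and the sample records (shaped like Drive API v3 file resources) are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

CORP_DOMAIN = "example.com"                      # assumption: your primary domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com"}    # assumption: consumer mail providers
STALE_AFTER = timedelta(days=90)                 # roughly one quarter

def perm(kind, role, email=None, domain=None):
    return {"type": kind, "role": role, "emailAddress": email, "domain": domain}

# Constructed sample data; field names mirror Drive API v3 file resources.
FILES = [
    {"id": "f1", "modifiedTime": "2013-11-02T10:00:00Z", "permissions": [
        perm("user", "owner", "ana@example.com"),
        perm("user", "writer", "sam@partner.test")]},
    {"id": "f2", "modifiedTime": "2014-01-15T08:30:00Z", "permissions": [
        perm("user", "owner", "bo@example.com"),
        perm("user", "reader", "former.employee@gmail.com"),
        perm("anyone", "reader")]},
    {"id": "f3", "modifiedTime": "2014-08-20T12:00:00Z", "permissions": [
        perm("user", "writer", "kim@partner.test")]},          # recent: skipped
    {"id": "f4", "modifiedTime": "2013-05-01T09:00:00Z", "permissions": [
        perm("domain", "reader", domain="example.com")]},      # internal only
]

def classify(p):
    """Label one permission, or return None when it stays inside the domain."""
    if p["type"] == "anyone":
        return "link-shared"
    dom = (p["emailAddress"] or "").rsplit("@", 1)[-1] or (p["domain"] or "")
    dom = dom.lower()
    if dom == CORP_DOMAIN:
        return None
    return "personal-address" if dom in PERSONAL_DOMAINS else "external"

def review(files, now):
    """Return (file id, label, grantee) for external access on stale files."""
    findings = []
    for f in files:
        modified = datetime.fromisoformat(f["modifiedTime"].replace("Z", "+00:00"))
        if now - modified < STALE_AFTER:
            continue
        for p in f["permissions"]:
            label = classify(p)
            if label:
                findings.append((f["id"], label, p["emailAddress"] or p["type"]))
    return findings

if __name__ == "__main__":
    for row in review(FILES, datetime(2014, 9, 1, tzinfo=timezone.utc)):
        print(row)
```

The findings list is the input for the owner follow-up: each row names a file untouched for a quarter that is still reachable from outside the domain.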
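The app controls in tips 7 and 8 (approve, revoke on excessive scope, quarantine pending review, restrict by OU) reduce to a small decision function. This is an added example, not CloudLock's product logic; the client IDs, policy sets and grant records are constructed, with field names assumed to follow the Admin SDK Directory API tokens resource plus a hypothetical `orgUnitPath` joined from the user record.

```python
# Constructed policy (assumptions, not from the original post).
APPROVED = {"client-crm.apps.example"}        # reviewed, work related
BLOCKED = {"client-game.apps.example"}        # not work related
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive",  # full Drive access
    "https://mail.google.com/",               # full mailbox access
}
RESTRICTED_OUS = ["/Finance"]                 # only approved apps allowed here

DRIVE = "https://www.googleapis.com/auth/drive"
DRIVE_FILE = "https://www.googleapis.com/auth/drive.file"
EMAIL = "https://www.googleapis.com/auth/userinfo.email"

def grant(user, client, scopes, ou):
    return {"userKey": user, "clientId": client, "scopes": scopes, "orgUnitPath": ou}

# Constructed grants, one per policy branch.
GRANTS = [
    grant("ana@example.com", "client-crm.apps.example", [DRIVE], "/Sales"),
    grant("bo@example.com", "client-game.apps.example", [EMAIL], "/Sales"),
    grant("cy@example.com", "client-pdf.apps.example", [DRIVE, EMAIL], "/Sales"),
    grant("di@example.com", "client-notes.apps.example", [DRIVE_FILE], "/Finance/AP"),
    grant("ed@example.com", "client-notes.apps.example", [DRIVE_FILE], "/Sales"),
]

def in_restricted_ou(path):
    # Match the OU itself or any child OU, but not a sibling such as /FinanceOps.
    return any(path == ou or path.startswith(ou + "/") for ou in RESTRICTED_OUS)

def decide(g):
    """Return (action, reason) for one user-to-app grant."""
    if g["clientId"] in BLOCKED:
        return "revoke", "blocked app"
    if g["clientId"] in APPROVED:
        return "allow", "approved app"
    risky = sorted(set(g["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        return "revoke", "excessive scope: " + ", ".join(risky)
    if in_restricted_ou(g["orgUnitPath"]):
        return "revoke", "unapproved app in " + g["orgUnitPath"]
    return "quarantine", "pending review"

def triage(grants):
    return {(g["userKey"], g["clientId"]): decide(g)[0] for g in grants}

if __name__ == "__main__":
    for g in GRANTS:
        print(g["userKey"], g["clientId"], *decide(g))
```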
How Secure Is Your Domain?
In the age of the cloud, computing at large has evolved — and users have evolved alongside it. Are your security practices joining the ride?
Find out with CloudLock. Run our free security assessment to audit your organization’s Google Apps environment, as well as pinpoint and address risk areas.
About the Author
Eric Chaves is the Director of Technical Services at CloudLock. Eric has worked with hundreds of customers to enable cloud data security in their organizations. As part of CloudLock, Eric helps organizations enforce regulatory, operational, and security compliance in public cloud platforms with the goal of increasing collaboration and reducing their risk.