G Suite Data Loss Prevention Best Practices

An in-depth look into securing your cloud data with these G Suite data loss prevention best practices

Data loss prevention (DLP) in G Suite is critical for any type of organization, whether you’re a for-profit business, nonprofit organization, K-12 school district or higher ed institution, or a publicly funded agency. All types of organizations store sensitive data in G Suite; some are more highly regulated than others. Any organization that collects and/or handles children’s information, for example, is subject to strict compliance regulations under FERPA, COPPA, and CIPA.

Google does provide native G Suite data loss prevention controls. How much you will pay for those controls depends on the type of organization you work for and the suite level licensed. Businesses and government agencies will have to spring for the G Suite Enterprise level at $25/user/month to access data loss prevention controls.

The free Google for Education license includes basic DLP controls; however, administrators won’t have access to the security center and more advanced access controls without upgrading to Enterprise for $4/user/month (including faculty and students).

Nonprofit organizations that qualify can get basic G Suite without data loss prevention controls for free. Note that Google provides a variety of grants and offerings for nonprofit organizations.

What Is Data Loss Prevention?

Data loss prevention is a set of policies, processes, and tools that prevent organizations from losing sensitive, important information. Data loss can occur due to a number of factors, such as a natural disaster that destroys physical data servers, hardware failure, human error, or a malicious attack.

Data loss prevention is as important in cloud computing as it is in on-premises computing. The difference is in how data loss prevention in cloud applications, such as G Suite, is managed. Since cloud data is stored on servers owned and managed by the cloud application provider, IT managers are effectively outsourcing server infrastructure security. However, they will often find that the move to the cloud removes much of the visibility and control over data access and account behavior that they had before.

This is where third-party data loss prevention tools and CASB vendors have stepped in to fill this critical cloud security gap. API-based cloud security vendors partner closely with cloud application providers like Google Cloud to give customers back that lost visibility and control, prevent data loss, and simplify application security. Google prefers that customers work with API-based cloud security tools, rather than proxy-based CASBs, because they integrate more seamlessly with G Suite.

Let’s take a look at why data loss prevention in G Suite is important, what controls are available to you through your Google license, and best practices for preventing data loss in Google apps.

G Suite Data Loss Prevention for Drive

Google Drive allows employees to create, store, and organize files in Google cloud. It also helps streamline team collaboration, as multiple people can work on the same Doc, Slide, or Sheet at the same time. Storing files in Google Drive means that employees and other important stakeholders can access the files at any time, from anywhere.

While this easy accessibility has obvious productivity benefits, there are some potential downsides. The porous nature of working (and storing) information in the cloud also means there are risks for data loss.

Data loss can happen in a number of ways, and it’s not always due to cyber criminals. In fact, the most common cause of a data breach or loss is simple internal human error. For example, a well-meaning employee could accidentally set the visibility of a file to “public”.

Of course, data loss in G Suite can be malicious as well. Certain types of data can mean a big payday for cyber criminals who sell personally identifiable information, trade secrets, and financial information on the dark web for profit.

The tough thing about data loss prevention is that accidental and malicious data breaches have the potential to do the same amount of damage. It can also be difficult to determine if a breach was due to an internal or external source—and whether it was accidental or malicious. But, with the right data loss prevention configurations in G Suite, your exposure to both types of risks can be mitigated.

G Suite Data Loss Prevention for Team Drive

Google Team Drive is very similar to Google Drive, so much of what is discussed above applies. Team Drive was developed by Google mainly to fix issues organizations can run into when an employee leaves. All of the files that employee owned in Google Drive had to be migrated somehow, or the user account would have to remain open for others to access.

With Team Drives, the organization (or “domain”) owns the files, rather than individual users. So, when an employee moves on, all the files they stored in Team Drives are still easily accessible to the rest of the team, and the system admin doesn’t have to deal with migrating the files.

Data loss prevention in Team Drive is similar to Google Drive. The Google system admin defines a set of DLP rules, which can be created from templates or customized, that apply to all the files in Team Drive. The G Suite data loss prevention system will then scan all of the files and determine which ones contain the information it is looking for. It will prevent those files from being shared outside of the organization, and it will revoke access to the files from users outside the organization.

The biggest difference between Team Drive data loss prevention and Drive is that Team Drives are owned by the domain. Therefore, DLP rules apply to everyone in the organization in Team Drives, whereas Drive DLP rules can also be assigned by organizational unit or group. If a data loss prevention rule in G Suite is assigned to anything other than the entire domain, it will not apply to Team Drives.

G Suite Data Loss Prevention for Gmail

People tend to focus on shared drives when they think about data loss prevention. But a lot of data loss occurs through email as well. For example, an employee could accidentally attach the wrong file to an email and send it to someone who shouldn’t have access to data such as employees’ social security numbers.

Data lost through email is a bit more difficult to retrieve compared to shared drives. Currently, it requires the use of a “man-in-the-middle” type proxy or gateway CASB solution, which has its own downsides. The best course of action is to prevent the loss of data through Gmail in the first place by setting up DLP policies in the Admin console.

Gmail data loss prevention works similarly to Drive DLP. The Google admin sets up predefined content rules for the system to scan for. Gmail data loss prevention will then scan both incoming and outgoing email content. Predefined detectors in Gmail cover sensitive information such as credit card, Social Security, and passport numbers. You can then set up automatic responses for when it finds this type of data to either quarantine, reject, or modify the message.
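The detector-plus-action model described for Drive, Team Drive and Gmail above, as an added example that is not part of the original post and not Google's own detector logic: constructed credit-card (with Luhn check) and Social Security number detectors, a rule that fires once a detector reaches a match count, and the quarantine/reject/modify outcome chosen for a constructed message body. The patterns, `Rule` shape and severity ordering are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed detectors modelled on the predefined detector types named on the page.
# They are illustrative assumptions, not Google's actual detector definitions.
CREDIT_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_valid(number: str) -> bool:
    """Luhn checksum; filters out plain digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def detect(text: str) -> dict:
    """Map detector name -> list of matched strings found in the text."""
    hits = {}
    cards = [m.group() for m in CREDIT_CARD_RE.finditer(text) if luhn_valid(m.group())]
    if cards:
        hits["credit_card"] = cards
    if SSN_RE.search(text):
        hits["ssn"] = SSN_RE.findall(text)
    return hits

@dataclass
class Rule:
    detector: str      # key produced by detect()
    min_count: int     # matches needed before the rule fires
    action: str        # "quarantine", "reject" or "modify" (assumed vocabulary)

SEVERITY = {"reject": 3, "quarantine": 2, "modify": 1}

def enforce(text: str, rules: list) -> dict:
    """Evaluate rules against a message body; the most severe triggered action wins."""
    hits = detect(text)
    fired = [r for r in rules if len(hits.get(r.detector, [])) >= r.min_count]
    if not fired:
        return {"action": "allow", "triggered": [], "body": text}
    action = max((r.action for r in fired), key=SEVERITY.get)
    body = text
    if action == "modify":   # redact matches of the detectors that fired, keep last 4 chars
        for r in fired:
            for m in hits[r.detector]:
                body = body.replace(m, "[REDACTED]" + m[-4:])
    return {"action": action, "triggered": [r.detector for r in fired], "body": body}

# Constructed sample message: one Luhn-valid test card, one invalid digit run, one SSN.
SAMPLE_EMAIL = ("Hi, the card on file is 4111 1111 1111 1111 (not 1234 5678 9012 3456). "
                "Employee SSN: 123-45-6789.")
```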

G Suite Data Loss Prevention Best Practices

The following best practices for preventing data loss in G Suite can really be applied to securing sensitive data in any cloud environment. The ultimate key to cloud security is visibility and control over user behavior within the cloud. Enabling visibility and control makes prevention, detection, remediation, and reporting possible.

1. G Suite Data Security Control

Data loss prevention in G Suite starts with data security control. When your InfoSec team has the ability to control how information is accessed and used, they are far more capable of preventing a data loss incident in the first place.

When an organization transitions from on-prem servers to Google cloud, IT often loses some of this critical control (depending on the license level purchased). Advanced G Suite data security tools put control back into the hands of your team. They will be able to automate data loss prevention policies, identify and revoke risky third-party SaaS applications, see suspicious login attempts (and successes), and detect malware risks across all of G Suite.

2. Google Cloud Malware Protection

While most data loss incidents are due to unintentional human error, protection from malicious access is still very much required in cloud computing. Cloud malware threat protection should cover more than just Gmail; it should protect Google Drive and Team Drives from risks as well.

Cyber criminals have found interesting vulnerabilities in G Suite that allow them to use its own malware detection against it. The main form of this attack involves a criminal uploading a malicious file or malware executable to Google Drive. They then create a public link to the file and paste it into a Google Doc. Now they have a Google link in a Google Doc, which Google will rarely flag as a suspicious file or link. In some cases, research has found, this type of malware can exploit scripting in SaaS platforms to trigger without any interaction from the victim.

In other cases, hackers are using malware to infect and encrypt files in G Suite. This scheme involves criminals threatening to delete and/or sell the information unless you pay the ransom.

3. G Suite Account Takeover Prevention

An account takeover in G Suite can have huge ramifications for your business or organization, yet it’s one of those issues that is less often talked about than malware or data breaches. When one or more accounts in your G Suite is compromised, criminals can wreak havoc on your system—often without IT managers realizing it’s happening for days, weeks, or months.

There are many ways a G Suite account takeover can happen. It can be due to weak passwords, stolen (and/or purchased) login information, or malware infection, to name a few. A G Suite account takeover is difficult to detect, particularly for traditional network security such as your firewall or gateway, because the access will look like it’s coming from a legitimate login.

Using a good, cloud-based data loss prevention solution in G Suite will help system admins not only see where logins are coming from, but also the number of login attempts and—perhaps most importantly—account activity once the login is successful.

Your InfoSec team will want to be notified if a specific account is acting abnormally. This could include bulk file downloads, risky file uploads, risky SaaS application connections, and more. When this type of activity is detected, a good cloud security tool will lock down the account, unshare or quarantine the files, and remove malware infections in your system.
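The abnormal-activity detection described above, as an added example that is not part of the original post and not any vendor's product logic: a sliding-window count of Drive downloads per user over constructed audit events, raising one alert per user once a burst crosses a threshold, with the response steps the text names attached to the alert. The key=value line format, field names and thresholds are assumptions for illustration, not Google's audit log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Drive audit events (assumed format, not Google's actual audit log schema).
# alice pulls six files in under three minutes; bob's two downloads are 30 minutes apart.
SAMPLE_LOG = """\
2019-03-04T09:00:05Z user=alice@example.com event=view doc=d1
2019-03-04T09:00:10Z user=bob@example.com event=download doc=d7
2019-03-04T09:01:00Z user=alice@example.com event=download doc=d2
2019-03-04T09:01:30Z user=alice@example.com event=download doc=d3
2019-03-04T09:02:00Z user=alice@example.com event=download doc=d4
2019-03-04T09:02:30Z user=alice@example.com event=download doc=d5
2019-03-04T09:03:00Z user=alice@example.com event=download doc=d6
2019-03-04T09:03:30Z user=alice@example.com event=download doc=d8
2019-03-04T09:30:00Z user=bob@example.com event=download doc=d9
"""

# Response steps named in the text; here they are only recorded on the alert.
RESPONSE = ["lock_account", "unshare_or_quarantine_files"]

def parse(line: str) -> dict:
    """Split one 'TIMESTAMP key=value ...' line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def bulk_download_alerts(lines, threshold=5, window=timedelta(minutes=10)) -> list:
    """Alert when a user's downloads within `window` reach `threshold`.

    Assumes events arrive in time order. One alert per user per run keeps a
    single burst from producing a flood of duplicate alerts.
    """
    recent = defaultdict(deque)   # user -> timestamps of downloads inside the window
    alerted, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        if ev.get("event") != "download":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop downloads older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "count": len(q), "first": q[0],
                           "last": ev["ts"], "response": RESPONSE})
    return alerts
```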

4. Security Audits and Reporting

Any good IT security strategy must include easy G Suite monitoring, audits, and reporting. If you are responsible for the security of your organization’s G Suite environment, regular audits and reports are a necessary part of your job. If you happen to work in the Education industry, these types of compliance audits and reporting are required by law.

G Suite security reports should include stats on DLP policy violations, file and third-party app risk scores, and account login activity, to name a few. Some organizations also choose to track and report on content violations in G Suite. These could include explicit or inappropriate content and threats of violence or self-harm.

5. G Suite Data Automated Backup

The best way to ensure that you still have access to your data in the event of a data loss incident is to use an automated backup solution. Backing up your data is the most foolproof insurance against hardware failure, ransomware attacks, and other complete loss events if all else fails. Automating backups means that your team doesn’t have to remember to back up the organization’s data on an ongoing basis. It also makes restoring lost data much easier and data loss incidents less disruptive.

Every organization that is a Google customer must make data loss prevention in G Suite a priority. Depending on your G Suite license level, native controls within the Google Admin console are sufficient to start protecting your data today. But it is your responsibility to make sure those controls are properly configured.

IT teams that need advanced data loss prevention controls, as well as easy monitoring and reporting, across G Suite and all of their SaaS applications may find that third-party Google Cloud Partners are a better option.

