An in-depth look into securing your district’s cloud data with these Google Workspace data loss prevention best practices
Data loss prevention (DLP) in Google Workspace is critical for K-12 school districts. Not only are schools being targeted by phishing and ransomware, but there are also data loss prevention regulations they need to comply with, such as FERPA. One common misconception is that Google Workspace data loss prevention is covered by the school’s firewall and/or web content filter. That was never the case for schools using Google apps such as Gmail, Shared Drives, Google Meet & Chat, and/or Classroom. Now that COVID-19 has pushed most schools to remote and/or hybrid learning, that misconception has caused a lot of problems for IT admins and student data privacy.
Google does provide native Google Workspace data loss prevention controls in its Admin Console. The strength of the DLP visibility and control you get in Admin Console depends on your license level. The free Google for Education license includes basic DLP controls. However, administrators won’t have access to the security center and more advanced access controls without upgrading to Enterprise for an additional $4 per user per month (including faculty and students).
5 Google Workspace Data Loss Prevention Best Practices
The following best practices for preventing data loss in Google Workspace can be applied to securing sensitive data in any cloud environment. The ultimate key to cloud security is visibility and control over user behavior within your cloud apps. Enabling visibility and control makes prevention, detection, remediation, and reporting possible.
1. Google Data Security Control
Data loss prevention in Google Workspace starts with data security control. When your IT team has the ability to control how information is accessed and used, they are far more capable of preventing a data loss incident in the first place.
When your district migrated from on-prem servers and software to Google, your IT team likely lost at least some of this critical control. Advanced Google data security tools put control back in your hands. You will be able to automate data loss prevention policies, identify and revoke risky third-party SaaS applications, see suspicious login attempts (and successes), and detect malware risks across your entire Google for Education domain.
2. Google Malware Protection
While most data loss incidents are due to unintentional human error, protection from malicious access is still very much required in cloud computing. Cloud malware threat protection should cover more than just Gmail, it should protect Google Drive and Shared Drives from risks as well.
School information systems are increasingly under malicious attack. At the same time, cybercriminals are using vulnerabilities in Google Workspace that allow them to use its own malware detection against it.
The main use for this type of attack includes a criminal uploading a malicious file or malware executable to Google Drive. They then create a public link to the file and paste it into a Google Doc. Now, they have a Google link in a Google Doc, which Google will rarely flag as a suspicious file or link. In some cases, research has found, this type of malware can exploit scripting in SaaS platforms to trigger malware without any interaction from the user victim.
In other cases, hackers are using malware to infect and encrypt files in Google Workspace. This scheme involves criminals threatening to delete and/or sell the information unless you pay the ransom.
3. Google Account Takeover Prevention
An account takeover in Google can have huge ramifications for your school district, yet it’s an issue that is discussed less often than malware or data breaches. When one or more accounts in your Google Workspace is compromised, criminals can wreak havoc on your system—often without IT managers realizing it’s happening for days, weeks, or months.
There are many ways a Google Workspace account takeover can happen. It can be due to weak passwords, stolen (and/or purchased) login information, or malware infection to name a few. A Google Workspace account takeover is difficult to detect, particularly for traditional network security such as your firewall or gateway. This is because access will look like it’s coming from a legitimate login.
Using a good, cloud-based data loss prevention software in Google Workspace will help system admins not only see where logins are coming from but also the number of login attempts and—perhaps most importantly—account activity once the login is successful.
Your IT team will want to be notified if a specific account is acting abnormally. This could include bulk file downloads, risky file uploads, risky SaaS application connections, and more. When this type of activity is detected, a good cloud security tool will lock down the account, unshare or quarantine the files, and remove malware infections in your system.
4. Security Audits and Reporting
Any good IT security strategy must include easy Google Workspace monitoring, audits, and reporting. If you are responsible for the security of your district’s Google environment, regular audits and reports are a necessary part of your job and are also required by law.
Google Workspace security reports include stats on DLP policy violations, file and third party app risk scores, and account login activity, to name a few. Some districts may choose to also track and report on content violations in Google Workspace. These reports could include explicit or inappropriate content and threats of violence or self-harm signals.
5. Google Data Automated Backup
The best way to ensure that you still have access to your data in the event of a data loss incident is to use an automated backup solution. Backing up your data is the most fool-proof insurance against hardware failure, ransomware attacks, and other complete loss events if all else fails. Automating backups means that your team doesn’t have to remember to back up on an on-going basis. It also makes restoring lost data much easier and data loss incidents less disruptive.
Every school using Google Workspace must make data loss prevention a priority. Native controls in the Google Admin console should be sufficient to start protecting your data today. But it is your responsibility to make sure those controls are properly configured.
IT teams that need more advanced data loss prevention controls, as well as easy monitoring and reporting, across Google Workspace and all of their SaaS applications may find that third-party Google Cloud Partners are a better option.
What Is Data Loss Prevention?
Data loss prevention is a set of policies, processes, and tools that prevent schools and districts from exposing or losing sensitive, important, and protected information. This could include student and staff personally identifiable information (PII), tax information like employee W-2s, and district financial information. Data loss can occur due to a number of factors, such as a natural disaster that destroys physical data servers, hardware failure, human error, or a malicious attack.
Data loss prevention is as important in cloud computing as it is in on-premise software computing. The difference between the two can be seen in how data loss prevention in cloud applications, such as Google Workspace, is managed. Since cloud data is stored in servers owned and managed by the cloud application provider, IT managers are effectively outsourcing server infrastructure security. However, they will often find that the move to the cloud removes much of the visibility and control over data access and account behavior that they had before.
This is where third-party data loss prevention tools and CASB vendors have stepped in to fill this critical cloud security gap. API-based cloud security vendors partner closely with cloud application providers, like Google Cloud, to provide customers with that lost visibility and control, prevent data loss, and simplify application security. Google prefers that customers work with API-based cloud security tools, rather than proxy-based CASBs because they integrate more seamlessly with Google Workspace.
Let’s take a look at why data loss prevention in Google Workspace is important, what controls are available to you through your Google license and best practices for preventing data loss in Google apps.
Data Loss Prevention for Google Drive
Google Drive allows students, faculty, and staff to create, store, and organize files in the Google cloud. It also helps streamline class collaboration, as multiple people can work on the same Doc, Slide, or Sheet at the same time. Storing files in Google Drive means that students, faculty, and staff can access the files at any time, from anywhere.
While this easy accessibility has obvious productivity and collaboration benefits, there are some potential downsides. The porous nature of working (and storing) information in the cloud also means there are risks for data loss.
Data loss can happen in a number of ways, and it’s not always due to cybercriminals. In fact, the most common cause of a data breach or loss is simple internal human error. For example, a well-meaning employee could accidentally or unknowingly set the visibility of a file to public that contains sensitive student information that is protected by FERPA.
Of course, data loss in Google Workspace can be malicious as well. Certain types of data can mean a big payday for cybercriminals who sell PII, login credentials, and financial information on the dark web for profit.
The difficult thing about data loss prevention is that accidental and malicious data breaches have the potential to do the same amount of damage. It can also be difficult to determine if a breach was due to an internal or external source—and whether it was accidental or malicious. But, with the right data loss prevention configurations in Google Workspace, your exposure to both types of risks can be mitigated.
Data Loss Prevention for Google Shared Drive
Google Shared Drive is very similar to Google Drive, so much of what was discussed above apply. Shared Drive was developed by Google mainly to fix issues that organizations ran into when an employee left. All of the files that employee-owned in Google Drive had to be migrated somehow, or the user account would have to remain open for others to access. With Shared Drives, the organization (or “domain”) owns the files, rather than individual users. So, when an employee moves on, all the files they stored in Shared Drives are still easily accessible to the rest of the team. And the system admin doesn’t have to deal with migrating the files. Of course, school districts have found many benefits of using Shared Drives for students and classes, in addition to their business operations.
Data loss prevention in Shared Drive is similar to Google Drive. The Google system admin defines a set of DLP policies, which can be created from templates or customized, that applies to all the files in Shared Drive. The Google Workspace data loss prevention system will then scan all of the files and determine which ones contain the information it is looking for. It will prevent those files from being shared outside of the organization, and it will then revoke access to the files from users outside the organization.
The biggest difference between Shared Drive data loss prevention and Drive is that Shared Drives are owned by the domain. Therefore, DLP rules will apply to everyone in the organization’s Shared Drive, whereas Drive DLP rules can also be assigned by the organizational unit or group. If a data loss prevention rule in Google Workspace is assigned by anything other than the entire domain, it will automatically not apply to Shared Drives.
Gmail Data Loss Prevention
People tend to focus on Shared Drives when they think about data loss prevention. But data loss occurs through Gmail as well. For example, an employee could accidentally attach the wrong file to an email and send it to someone who shouldn’t have access to the information it contains.
Data lost through Gmail is a bit more difficult to retrieve compared to Shared Drives. Currently, it requires the use of a “man-in-the-middle” type proxy or gateway CASB solution, which have their own downsides. The best course of action is to set up DLP policies in the Admin console to prevent the loss of data through Gmail in the first place.
Gmail data loss prevention works similarly to Drive DLP. The Google admin sets up predefined content rules for the system to scan for, Gmail data loss prevention will then scan both incoming and outgoing email content. Predefined detectors in Gmail include sensitive information like credit card, Social Security, and passport numbers. You can then set up automatic responses for when it finds this type of data to either quarantine, reject, or modify the message.