Everything you need to know about Google Apps security
The number one concern in school districts (and all organizations) about making the transition to cloud computing is security. And for good reason. With data breaches and cybercrime on the rise, IT security professionals are under increasing pressure to be perfect. Because Google is the second leading provider of cloud productivity applications, Google Apps security is often questioned.
The good news is that Google Apps is among the top (if not THE top) providers for security and compliance. Everything from physical data center security and redundancy to comprehensive Admin tools ensures that organizations have what they need to keep their data secure in Google Cloud.
Are Google Apps Secure?
There is a lot of concern out there about the security of Google Apps. It is true that, if misconfigured, information stored in any cloud application is vulnerable. But it’s important to remember that Google’s cloud infrastructure is, in many ways, more secure and reliable than your typical on-premise office server.
When it comes to the physical security of Google data centers, you really can’t get anything better. From custom-built servers to a 24×7 security team, Google’s data center security is top-notch. With 16 locations around the globe, Google also ensures that your data is backed up against any possible misfortune that might hit any one data center.
Data sent from, created in, or uploaded to Google Apps is automatically encrypted, both in transit and at rest, without the customer needing to do anything.
For data in transit, Google uses multiple encryption levels, including HTTPS (Hypertext Transfer Protocol Secure), Perfect Forward Secrecy (PFS), 256-bit Transport Layer Security (TLS), and 2048 RSA encryption keys. Data at rest in G Suite services is also encrypted through HTTPS. Encryption at rest includes Gmail messages and attachments, Calendar events and descriptions, Drive files, metadata, and more.
You can find a full list of G Suite services and the type of data that is encrypted here.
2. Single Sign-On (SSO)
Single Sign-On (SSO) allows users to access all of their accounts after logging in once. Google uses the industry-standard SAML based SSO, and customers can choose to either use Google’s SSO service or a third party.
You can learn more about Google SSO and how to set it up here.
3. 2-Step Verification (2SV)
Also referred to as 2-Factor Authentication (2FA) or Multifactor Authentication (MFA), 2SV adds a layer of access security to your Google Apps suite. It helps prevent account takeovers by criminals who may have been able to steal or purchase usernames and passwords.
2SV requires users to log in using two steps. First, they use something they know, like their password. Then, they verify it’s them using something they have, such as a physical key or an access code sent to their phone.
Setting up 2SV is perhaps the most important (and easy) thing you can do to secure your G Suite account and protect your organization. Learn more about it and how to set it up here.
4. Administration Tools
The Google Admin Console provides administrators with a single place to manage G Suite services such as Users, Apps, Device Management, Security, and more. System admins can use the Admin Console to set and manage their G Suite security settings, including those discussed above. It also provides analytics and audit reports for analyzing things like access to your sites and documents, and account activity.
Learn more about the features and capabilities available in Google Admin Console here.
Google Security and Compliance
When using Google Apps, it’s important to understand your role in Google cloud security. As a service provider, Google’s responsibility is to protect the infrastructure that your Google Apps services work on from a cloud security breach.
It is your responsibility to secure your district’s information stored in your G Suite environment. It is also your responsibility to store data in compliance with federal and state (and, in some cases, international) regulations regarding student data privacy, personally identifiable and health information, and more.
When it comes to regulatory compliance, Google Apps supports school districts’ ability to comply with HIPAA, FERPA, and COPPA. Google is registered as a compliant service for these regulations and provides the functionality for administrators to be able to adhere to them. But, again, it’s up to the administrator to ensure that their G Suite is properly set up and configured for compliance; it’s not automatically done and managed by Google.
It’s also important to note that not all G Suite license levels provide the full suite of compliance tools. Your ability to manage security and compliance in Google Apps depends on the license level your district purchased, and how you have configured your security settings.
How to Check Your Google Apps Security Settings
G Suite administrators can use the Admin Console to check and manage Google Apps security settings, users’ account settings, activity, and behavior, and more. Note that you must be set up as an admin for your district’s Google Cloud account to complete this audit.
Step 1: Log in to your Google Admin Console
Navigate to https://admin.google.com/ and log in using your school district login credentials.
Step 2: Open your Google Apps security report
From the Admin Console homepage, go to Reports, then Users, and then click on Security. Note that to see Reports, you may need to click on More Controls at the bottom of the homepage.
Step 3: Determine what data you need & understand reporting
There are a lot of places where your district’s Google Apps security settings could go wrong. The Admin Console provides many different report types to give you visibility into account settings and behavior to start to determine if your security settings need adjustments.
A good place to start is in the “General” report types, which will provide you with insights into activities like External Apps, 2-Step Verification Enrollment and Enforcement, User Account Status, Admin Status, and Less Secure Apps Access.
There are also G Suite reports available for Gmail and Google Drive that can show you information such as the number of internal and external shares by users, the number of files that are publicly available, and more.
Step 4: Customize your report
Once you have the report that you want to look at, you have some customization options to allow you to see the information you need. You can adjust the data you will see in the chart by clicking on the down arrow next to the chart title.
You can also adjust the columns visible in the report by clicking on the Select Reports icon in the toolbar. This will bring up all available columns for that report, and you can click the box next to each column to select the data you would like to display, or deselect the data you would like to remove from the report.
Finally, you can filter the data you see in the report by user, activity, or organizational unit. Click on Filter in the toolbar and simply select the criteria you would like to filter the report on.
Step 5: Export your report
You can export your report data to Google Sheets or download it to a CSV file. Simply click on the Download icon in your report view and select where you would like the data to export to. You can export up to 210,000 cells; the maximum number of rows is determined by the number of columns you have selected in Step 4 above.
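As an added example (not from the original article or from Google), the following Python script triages a user security report exported to CSV in Step 5: it flags active accounts that lack 2-Step Verification or allow less secure apps, and warns when the export may have hit the 210,000-cell limit. The column headers, cell values, and sample rows are constructed assumptions; adjust them to the columns you selected in Step 4.

```python
import csv
import io

# Constructed sample of an exported user security report. The column headers
# and values are assumptions for this example, not Google's actual export format.
SAMPLE_CSV = """User,Admin status,2-Step Verification enrollment,2-Step Verification enforcement,Less secure apps access,User account status
alice@district.example,Super admin,Enrolled,Enforced,Denied,Active
bob@district.example,Super admin,Not enrolled,Not enforced,Denied,Active
carol@district.example,None,Not enrolled,Not enforced,Allowed,Active
dave@district.example,None,Enrolled,Not enforced,Denied,Suspended
"""

EXPORT_CELL_CAP = 210_000  # export limit stated in Step 5


def triage(csv_text):
    """Return (findings, possibly_truncated) for an exported report."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    columns = len(reader.fieldnames or [])
    findings = []
    for row in rows:
        user = row["User"]
        if row["User account status"] != "Active":
            continue  # this example only reviews active accounts
        is_admin = row["Admin status"] != "None"
        no_2sv = row["2-Step Verification enrollment"] != "Enrolled"
        if is_admin and no_2sv:
            findings.append((user, "HIGH", "admin without 2SV"))
        elif no_2sv:
            findings.append((user, "MEDIUM", "not enrolled in 2SV"))
        if row["Less secure apps access"] == "Allowed":
            findings.append((user, "MEDIUM", "less secure apps allowed"))
    # Conservative check: count the header row too. An export at the cap
    # may be missing users, so a clean result would not cover everyone.
    truncated = columns > 0 and (len(rows) + 1) * columns >= EXPORT_CELL_CAP
    return findings, truncated


if __name__ == "__main__":
    results, truncated = triage(SAMPLE_CSV)
    for user, severity, reason in results:
        print(f"{severity:6} {user}: {reason}")
    if truncated:
        print("WARNING: export may be truncated; filter by organizational unit")
```

If the truncation warning fires, use the Filter option from Step 4 to export one organizational unit at a time so that every account is reviewed.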
Does Google Partner With Third-Party Security Vendors?
Yes! While Google provides a comprehensive cloud security infrastructure for G Suite customers, some prefer to work with third-party security vendors. Google works with a broad variety of security partners, including services and resellers, technology partners, and training providers.
At ManagedMethods, we set out to make Google cloud security easy for system administrators in K-12 school districts. The cybersecurity market has convinced IT professionals that complicated and expensive is better. We know that is wrong because when a system is over-complicated, mistakes are made and necessary audits are neglected. And when it’s expensive, budget decisions must be made that could impact the overall security strategy.
We’re shifting this paradigm to make cloud security easy and accessible for more Google for Education customers. Google administrators that we work with consistently find that running Google Apps security reports, not to mention identifying and fixing issues, is infinitely easier using ManagedMethods over the Admin Console. ManagedMethods also provides security management and control for other popular cloud applications, such as Office 365, Slack, Dropbox, and more, from one centralized platform.