Google Drive security is a big issue for K-12 IT teams, even before the unexpected move to remote learning and working. Now that monitoring data security, student safety, and student data privacy compliance just got a lot more difficult, IT managers need to seriously take stock of their ability to monitor, detect, and control risks in Google Drive—as well as their entire Google Workspace for Education environment.
Remote learning and working makes this more difficult because account logins now come from many locations and devices, none of which are within the school’s network.
Many IT admins and district administrators think that a network-level firewall is sufficient to secure the data stored in Google Drive. Or, worse, that Google is responsible for their security. The issue is further complicated in the new remote learning and work environment that we find ourselves in. IT teams and security tools can no longer rely on IP address and/or location information alone to authorize access to school technology.
You can manage the activity by securing cloud access, but remote access does make that task more challenging. Many districts use cloud application security to monitor and control access, prevent data loss, and avoid account takeover risks.
Account takeovers are a cybersecurity concern in any environment. But if your district is using Google Workspace, detecting an account takeover is difficult. Hackers can use account takeovers to send lateral phishing emails, steal data, mount ransomware attacks, and steal identities.
An account takeover leads to a litany of data security, student safety, and compliance problems for school districts. Under federal regulations such as CIPA, districts are responsible for adopting policies that restrict unauthorized access to information systems and disclosure of personally identifiable information. Violation of CIPA and other data privacy and security regulations could result in the loss of eRate funds and/or Department of Education funds for the district.
Account takeovers are notoriously difficult to detect in Google Workspace because the hacker has been able to breach the district’s perimeter security. Any activity within the Google environment looks like authorized access.
Once a hacker gains access to one (or more) of your district’s Google Workspace accounts, they’ve gone beyond your network-level firewall protections. Your team needs to be able to identify abnormal behavior taking place inside Google Workspace (not just the access to it). There are five indications to look for:
1. Login Location: You can analyze login locations to identify login attempts that originate outside the areas where you’d normally see them. For example, if you know that you don’t have students studying outside of the country (or you know what countries you have students in), seeing login attempts or successful logins originating from suspicious countries should raise the alarm.
2. Failed Login Attempts: Some level of failed login attempts is normal because people forget their passwords, accidentally enter the wrong password, etc. But a large spike in the number of failed login attempts from what you normally see is a strong indicator that an account takeover attack using brute force and credential stuffing is underway.
3. Lateral Phishing Emails: Lateral phishing is different from tactics such as spoofing. Lateral phishing refers to phishing emails that are sent from an actual, authorized user account within your district’s Gmail environment. Lateral phishing emails are near impossible for traditional phishing filters to detect because they’re coming from within your district’s authorized and trusted domain. They’re not being scanned at the perimeter before they are sent to another user’s inbox. Detecting a lateral phishing email is a very good indicator that there is a successful account takeover in your Google Workspace environment.
4. Unauthorized OAuth Connections: OAuth risks are little understood, but very real for K-12 districts. OAuth is helpful and used by many SaaS apps to make logging into different applications easy. It can also be used to gain control of a user’s Gmail, Docs, Drives, and other Google Workspace apps without the need to log in to the account each time and risk detection.
Malicious SaaS apps can become connected to a Google account either by tricking the user into installing the app and authorizing it through OAuth, or by gaining unauthorized access to an account and then installing the app. In either case, the hacker behind the app can then use the OAuth connection to do things like write and send emails and documents as though they were the account owner.
This is why, though often misunderstood, OAuth EdTech security is critically important to student data privacy, data security, and compliance in school districts. Identifying unknown, unauthorized, and/or highly risky OAuth connections in your Google environment can be an indication of a successful account takeover. It can also be an indication of an account takeover that was able to take place without the criminal ever needing to attempt to login to an account (in the case of tricking someone into authorizing the app).
5. Abnormal File Sharing and/or Downloading: A spike in file sharing and/or downloading (or attempts to, if you have DLP policies enabled) is another indicator of a possible Google account takeover.
Beyond being able to actually see and detect these types of behaviors, you’ll also want to be able to automate actions to remediate them. If one or more of these five account takeover indicators are detected in your Google environment, you’ll want to lock those accounts immediately and require a password reset. You’ll also want to audit the user account to see what emails were sent, files accessed, etc.
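One way to turn the indicators above into a detection routine, as an added example that is not ManagedMethods’ code or the page’s own: it scores constructed audit-style events against three of the five indicators (login location, failed-login spike, abnormal external sharing) and returns the accounts that the response step says to lock. The event field names, the example domain, the country code "ZZ" and the thresholds are assumptions.

```python
"""Added example (not ManagedMethods code): checks three of the five
indicators above (login location, failed-login spike, abnormal external
sharing) over constructed audit-style events. Event shape and thresholds
are assumptions."""
from collections import Counter, defaultdict

# Constructed events loosely modelled on Workspace audit entries (actor,
# event name, country of the source IP). "ZZ" is a user-assigned ISO code
# standing in for "a country where the district has no users".
EVENTS = [
    {"actor": "teacher1@example-district.org", "event": "login_success", "country": "US"},
    {"actor": "student7@example-district.org", "event": "login_failure", "country": "US"},
    {"actor": "student7@example-district.org", "event": "login_success", "country": "US"},
    {"actor": "staff3@example-district.org", "event": "login_success", "country": "ZZ"},
]
EVENTS += [{"actor": "admin2@example-district.org", "event": "login_failure",
            "country": "US"}] * 12          # credential-stuffing style burst
EVENTS += [{"actor": "staff3@example-district.org", "event": "drive_share_external",
            "country": "ZZ"}] * 25          # mass external sharing after login


def flag_accounts(events, allowed_countries=frozenset({"US"}),
                  fail_threshold=10, share_threshold=20):
    """Return {account: [indicator, ...]}. Thresholds are hypothetical; in
    practice derive them from each account's normal daily baseline."""
    failures, shares, odd_countries = Counter(), Counter(), defaultdict(set)
    for e in events:
        if e["event"] == "login_failure":
            failures[e["actor"]] += 1
        elif e["event"] == "drive_share_external":
            shares[e["actor"]] += 1
        # indicator 1 counts attempts as well as successes
        if e["event"].startswith("login") and e["country"] not in allowed_countries:
            odd_countries[e["actor"]].add(e["country"])
    flagged = defaultdict(list)
    for actor, seen in odd_countries.items():
        flagged[actor].append("login_location:" + ",".join(sorted(seen)))
    for actor, n in failures.items():
        if n >= fail_threshold:
            flagged[actor].append(f"failed_logins:{n}")
    for actor, n in shares.items():
        if n >= share_threshold:
            flagged[actor].append(f"external_shares:{n}")
    return dict(flagged)


def accounts_to_lock(flagged):
    """Response step from the text: these accounts get locked and reset."""
    return sorted(flagged)
```

The single failed login for student7 stays below the threshold, so only the burst against admin2 and the out-of-region login plus mass sharing by staff3 are reported.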
When it comes to infrastructure security, Google Drive security is excellent. Google provides customers with the world’s most secure infrastructure and transmission security available. Customers are effectively able to outsource Google apps security to one of the biggest and best data organizations in the world.
But there are two common misconceptions about Google Apps and Google Drive security.
The first is that securing the information that is stored in Google Workspace apps is Google’s responsibility. Like all SaaS vendors, Google is responsible for the physical security of its data centers, its own infrastructure and network security, and application-level security. Customers are still responsible for the security of the data and content stored, accessed, and shared in Google Workspace. Customers are also responsible for identity and access security to their service environment. This means that school districts that use Google Workspace without application-level cybersecurity protection have a gaping hole in their cybersecurity tech stack.
The second common misconception is that the Google Admin Console is the best platform to use for monitoring and securing district data. However, many IT staff members in school districts find Admin Console difficult to navigate and nearly impossible to get usable data out of with its investigation tools. Further, many important security features are only available in pricey Google for Education Enterprise Edition upgrades. K-12 IT teams juggling the needs of helpdesk support, cyber safety monitoring, and cybersecurity investigations simply don’t have the bandwidth to deal with Admin Console. As a result, important Google Workspace security audits and configurations are put off until a disaster happens.
Google Workspace data loss prevention is an important element of Google Drive security. Configuring your Google Workspace DLP policies will help ensure the sensitive data stored in Google Drive (including Shared Drives) is protected from unauthorized access, whether malicious or accidental.
If you’re not sure how secure your Google Workspace is, it would be a good idea to conduct a cloud application security audit using a 10 point checklist. Regular audits and reports are a good way to increase your protection.
Other best practices include establishing cloud malware protection that covers Google Drive and Shared Drives as well as Gmail, and setting up automated backups.
The coronavirus crisis threw many K-12 IT teams into chaos as districts work to transition to remote learning and working with little to no notice. Securing information systems simply cannot take a backseat during this time. There are many remote learning resources available to administrators, teachers, and parents. But IT teams are in the unique position of needing to support this transition while keeping districts in compliance with student data privacy, online safety, and data security requirements.
Our remote learning security checklist can help your IT team take steps to make sure your cybersecurity infrastructure is properly configured to enable remote learning and working without sacrificing security. Google Drive security is a critical part of securing information systems in remote learning environments because it’s likely the storage center of your district’s information.
But monitoring and securing Google Workspace for Education on an ongoing basis is critical for your stakeholders’ wellbeing and the district’s ability to keep operations going in the long-run. ManagedMethods allows district IT teams to monitor and automate cybersecurity, student safety, and compliance risks in Gmail, Google Drive, Shared Drives, Google Meet, and Google Chat all from one, easy-to-use platform.
We’re offering school districts free access to our cybersecurity and student safety monitoring platform. Learn more and request your free access today to get the most benefit out of this offer.