Cloud storage is a valuable asset. But is it secure? The answer isn’t quite so simple.
On one hand, a storage application like Google Drive eliminates the need to dedicate and maintain physical storage servers throughout your district. But on the other hand, it places sensitive data outside of your network perimeter.
This makes accessing the information easy and convenient for your students, faculty, staff, etc. But it also has the potential to leave that information more exposed to the wrong people.
With hackers targeting schools at an unprecedented rate, it’s only a matter of time before your Google domain is put to the test. For this reason, you better be sure your cloud security is up for the challenge.
Not sure where to start? Don’t worry. In this guide, we’ll explain what you need to know about Google Drive security, including why you need to safeguard your cloud storage and what you can do to keep sensitive files under lock and key.
Is Google Drive secure?
The short answer is yes — Google Drive is a secure cloud storage provider. Although theoretically its servers can be breached, Google Workspace’s underlying structure has never been hacked to date.
Since it’s one of the world’s largest information technology companies, Google has access to cutting-edge cloud security capabilities. As a Google Workspace for Education customer, your district benefits by being able to rely on those capabilities rather than maintaining local servers in-house.
How Google Drive security works
Google’s hallmark security measure is its ability to encrypt Google Drive data. When you upload a file to a Google Drive folder, it converts your sensitive data into secret code so that it can’t be read by someone without the requisite encryption keys.
Technically speaking, Google products use 256-bit encryption for data in transit (such as a Drive file being shared to a classmate) and 128-bit encryption keys for data at rest. Google automatically ups the amount of encryption applied to sensitive files moving throughout Google Workspace, which is when they’re most vulnerable. Hackers can potentially intercept information as it’s transferred from your device to a folder. That’s why this security measure is so valuable.
According to Google, strong encryption can:
- Ensure that if sensitive data falls into an attacker’s hands, it cannot be read
- Reduce the attack surface by allowing you to focus on protecting the encryption keys instead of having to guard all data at once
- Act as a chokepoint because centrally managed encryption keys create a single location where data access is enforced and audited
However, strong encryption doesn’t mean your Google Drive account is impervious to a data breach. In fact, even with Google’s built-in data security features, you still have an obligation to protect information on your end of the relationship.
What most school districts don’t realize is that Google Workspace operates under a shared responsibility agreement. This means that some security functions are Google’s responsibility, whereas others are the responsibility of the customer (i.e. your district).
More specifically, this means you’re still partially accountable for securing sensitive files stored in your domain’s various Google products, including (but not limited to):
And, of course, Google Drive and Shared Drives. For these Google services, you have to manage certain data security measures such as access control, configuration and incident management. Without proper cloud security configurations in place, your sensitive data remains woefully at risk.
What are Google Drive’s security risks?
Google users can rest assured that they’re receiving the best protection their service provider has to offer. That said, misconfigurations can create vulnerabilities, gaps, and threats that jeopardize your student, staff, and district business/financial data.
Let’s examine each security risk in more detail:
1. Encryption keys
Encryption keys are tools that allow whoever possesses them to decrypt files. According to Business Insider, some data security experts are wary of the fact that Google maintains keys in-house by default rather than sharing them with your district.
In other words, all your eggs are in Google’s basket. If Google suffers a data breach, hackers may gain access to your encryption keys, exposing your sensitive data.
2. Account takeovers
Also known as “account hijacking,” a takeover is just what it sounds like: a cybercriminal ripping your Google account right out from under your feet.
In many cases, an account takeover results from a data breach. It’s also a form of identity theft, as hackers often use compromised credentials to pose as a legitimate person — a student or staff member — in what’s known as a lateral phishing attack.
A phishing attack is a tactic used to gain access to your Google Drive data. By impersonating a legitimate or authoritative company, they attempt to fool students and staff members into clicking malicious links, sharing personal information, login credentials, or sensitive files. With that information in hand, they gain unfettered access to your shared drive.
Cybercriminals may even create phony websites or Google apps to mine credentials from unsuspecting victims.
Malware is short for malicious software. Hackers often embed malware into phony cloud apps and email attachments, hoping that students will unknowingly walk into their trap by either installing the app or downloading a file. Some cybercriminals even attempt to spread their malware by embedding malicious links in Google Docs.
5. Third-party apps
According to K12 SIX, 55% of school data loss incidents are initiated by third-party vendors — in many cases, companies who provide cloud apps to your school district. If students download an unsanctioned application to your Google domain, it could expose your district to an unnecessary security risk. Vendors process student data, meaning every additional app expands your attack surface and compounds your vulnerabilities.
6. Risky file sharing
One downside to Google Drive security is that it lacks a cohesive organizational permission system. In other words, it doesn’t allow you to segment data and restrict access to those folders. According to the same Business Insider article, this creates an ad hoc permissions process, which may lead to mistakes. For example, some Google users may have access to resources they shouldn’t, such as a folder containing academic records or student Social Security numbers.
It’s not uncommon for teachers to mistakenly attach a Google Drive folder to an external email. Students may just as easily send a file containing personal data to a classmate. In either case, there’s no telling where a shared document might end up once it’s exposed to the public.
7. Weak password security
As with file sharing, perhaps the biggest security risk to Google Drive data is Google users. Students and staff too often reuse the same old passwords across all of their accounts. Even worse, they tend to be weak, personal, and simple to guess.
This makes it easy for hackers to crack your Google account without actually having to infiltrate Google’s data security systems. All it takes is one data breach for a reused password to give cybercriminals complete access to someone’s accounts, including those your district provides.
How to secure Google Drive
1. Classify your data
Data classification refers to the process of categorizing cloud data into buckets based on sensitivity. The idea is that the more damaging the data, the more security it deserves. This allows you to place your most sensitive information behind tighter security controls and focus your attention where it’s needed most. You can even automate data classification with the help of the right cloud security platform.
2. Vet third-party edtech vendors
Are you aware of how many cloud applications your students and staff members are using? What about the apps that are long forgotten, but still floating somewhere in your domain?
As explained, these pose a major security risk. We recommend auditing your cloud environment to identify any unauthorized services and removing those that could potentially put data in harm’s way.
3. Restrict user permissions
Administrators possess the ability to control which apps and Google products students and staff members can access, including Google Drive. Enforce a policy of least-privileged access: a model wherein users can only access files that are required to perform their job or complete their assignments.
4. Automate monitoring and alerts
Have you ever noticed a particular Google account is logging in from an abnormal location? Unless that user is on vacation, that’s likely the sign of an account takeover.
It’s important to identify signs of suspicious activity, such as users sending lateral phishing emails or downloading massive amounts of data at a time. Automated solutions can expedite this process and make it easy to investigate strange behavior before it’s too late.
How? By monitoring your Google cloud 24/7. In other words, the right security platform can work behind the scenes to patrol your environment and ensure student information is always protected.
5. Mandate two-factor authentication
Google Drive has secure login options such as two-factor authentication (2FA). When you enable 2FA, every user in your district will be required to provide two pieces of information before accessing their Google account. This might include a combination of passwords, SMS verification, or a one-time passcode.
6. Teach digital literacy
It’s crucial that all of your users learn the ins and outs of data security. They don’t need to be an expert — they have to know the basic best practices that go a long way toward protecting your district.
For starters, teach password hygiene. A strong password should consist of letters, numbers, and symbols. It should also contain at least 12 characters, as longer passwords are much tougher to crack.
Next, demonstrate how to spot a suspicious link or email attachment. This way, they’ll avoid a potential scam when they see one and can safely avoid putting your district at risk.
7. Review shared documents regularly
Take a closer look at which files are currently being shared externally and internally. Review Google’s built-in file-sharing report to get a good idea of where your data may be exposed. Then, apply granular sharing permissions for certain users and set up policies to close the holes in your defenses.
8. Add account backup and recovery options
Hackers target your data. Ransomware hackers hold it hostage. It’s a subtle distinction, butmakes all the difference when cybercriminals are forcing you to pay enormous amounts of money to retrieve your data.
Backing up information to a secure storage location ensures that this can’t happen. With a backup of your most important files in safe keeping, you can rest assured that even if information falls into the wrong hands, you can restore systems in a hurry.
9. Control your own encryption keys
Luckily, Google implemented a recent security update that addressed many of the concerns around Google Drive encryption. Now, schools can gain more control over their encrypted files by owning encryption keys. Read more about the security update here.
10. Use an automated cloud security platform
Schools are struggling to keep up with the flood of cloud security risks threatening their student data. With few resources available and a lack of full-time cybersecurity personnel, it’s not easy to give cloud data the protection it needs or deserves.
That’s where automation comes into play. An automated solution takes the burden off your staff by streamlining many crucial processes, such as risk detection, alerting, monitoring, and intervention.
Audit Your Google Drive Today
That means the majority of school districts also lack visibility into their cloud domain. Simply put, they have no idea the full extent of their cloud-based vulnerabilities, which is a major threat to student data.
Fortunately, ManagedMethods has you covered. Once you activate an account, our cloud security platform will automatically scan your Google Workspace and identify risks, such as: and
- Phishing and malware in emails, files, and shared folders
- Risky sharing behavior, such as emailing credit card numbers, global link sharing, and more
- Unauthorized third-party apps with risky OAuth access permissions
- Abnormal behavior that may indicate a compromised Google account
Now, you can request your Google Workspace (and/or Microsoft 365) security audit absolutely free! It takes just a few minutes to set up and can save you a world of hurt down the road.