Know all about the best practices on Google Workspace security

Introduction

In this blog, we will know all about the best practices on Google Workspace security. Online security is of utmost importance to stay safe and protected in this digital era. It safeguards your personal as well as business data from the perpetrators. Similarly, you can protect your Google services through Google Workspace security essentials. These security checklists are applicable for individual users and small, medium, and large business owners. Admins have the most powerful Google Workspace accounts. So, they are responsible for imposing security norms on their users’ Google accounts.

Best practices for small businesses

Account protection:

Passwords are the first and most important requirement for Admin and user accounts. Thus, Google always encourages users to use unique and strong passwords. Also, it recommends not to reuse a password again. Additionally, you should use lengthy passwords, at least 12 characters. For example, you can use a sentence from a book, a series of meaningful words, a meaningful quote, a lyric from a song or poem, etc. You must avoid passwords which are easily recognized by people.

Also, you shouldn’t use your data like – birthdays, phone numbers, nicknames, addresses, etc. Again, avoid using simple words, combinations, and numbers, such as –‘abcd’, ‘1234’, ‘xyz’, ‘password’, etc.

Always keep your password hidden from others and use a password management tool like Google Password Manager. Know more about password managers from here.

2-step verification (2SV) protects your password from being stolen by someone. 2SV requires some unique data in the first step that is only known to the actual owner of the password. In the second step, they need to enter an access code or physical key for the 2SV. A hacker can steal your password, but they never get your unique data and security key. Thus, Google recommends using 2SV for every Google Workspace account.

Source

Source

Admin can add recovery information to their account. It will help them to access their account in case they forget the account password. Also, it helps to block persons who have unnecessary access to admin or users' accounts.
Note: You should use an email address for the admin or user's sign-in that is different from the Google Workspace account email. Also, choose a mobile number that only belongs to the admin or user and easily gets text messages.
For a business, it's necessary to have multiple super admin accounts. Manage these accounts individually. If the primary super administrative account becomes compromised, the backup super admin can perform critical tasks to recover the primary super admin. When you assign a user in a super admin role, they can add and remove other users. Also, they can handle additional management portions of Google Workspace. You can create a super admin role by following these steps.
If a super admin encounters difficulties when resetting passwords through recovery information, and another super admin lacks the necessary permissions to address this issue, they have the option to contact Google support.
Moreover, enable your auto-update policies for Google apps and Chrome browsers. The admin can manage auto-update policies for Chrome browsers, such as – turning on auto-updates, scheduling auto-updates outside work hours, cache updates for reducing bandwidth usage on a network, auto-updates for particular apps, etc. Learn more from Auto-update policies.

Protection for Google products

These security practices apply to Gmail, Drive, Calendar, Docs, Sheets, etc.

Google has the feature to scan incoming messages on Gmail to defend from phishing. Phishing is a cybercrime activity practiced by scammers. It's a trick to make the user reveal their sensitive information like – passwords, bank account numbers, and other information. So, as an Admin, you can enable the pre-delivery message scanning by Gmail. When it identifies a phishing message, it displays a message to the user and moves the message to the spam folder. Also, Gmail can perform additional security checkups for an email with suspicious content. Learn more about preventing phishing here.
Google Calendar may contain sensitive data. So, you can control the users by limiting their ability to share it with external users. For example, when you set this limit for 'Free/Busy' schedules, external users can only see the 'Busy' schedules. Also, you can set a default sharing limit of calendars within your organization's users. Learn to Set a Calendar sharing option to know more about this.
Note: Admins and super admins can see all the event details on the calendar if they have Meet hardware management permission.
You can control external sharing of files from Google Drive, Docs, Slides, Sheets, Sites, etc. Depending upon the Google Workspace edition, you can turn on or off external sharing for the parent organization, child organization, or configuration group, restrict link sharing if external sharing is on, permit sharing content within certain domains, and restrict external users to access content from a shared drive. You will get additional information from Manage external sharing for your organization.

Best Practices for medium and large businesses

1. Admin and user accounts

You have already learned about the security requirements for admin and user accounts. Also, you can set up report and alerts for compromised accounts, such as – Account activity reports, adding employee ID as a login challenge, maintaining data security after an employee leave your organization, admin email alerts, etc.

2. Devices

You can also use Google Endpoint management to protect your users' accounts and work data. It applies to all types of devices like – mobiles, desktops, laptops, and other endpoints within your organization. For example, you can remove work data from missing and unmanaged devices. When a device of your OU goes missing or a staff member of your organization leaves, your corporate data will be at risk. So, you must wipe their work data and work account from the device. If you have advanced management, you can wipe the data of the entire device. Also, you can use device encryption to protect your data from misuse. Learn another security checklist for device management.

3. Google Workspace Apps

You can control which third-party apps can access your Gmail and Drive. You can control access to Google Workspace services through OAuth 2.0.
You can block the sign-in attempts from less-secure apps. These apps never use the latest security standards like OAuth. Thus, you need to block them.
You can enable client-side encryption for Google Drive, Meet, Gmail, and Calendar. You can use encryption keys to protect your OU's data.

4. Google Groups

You can ensure secured access to data and resources to reduce data leakages. For example, you can prevent unsecured and external groups from joining a Google group, apply security policies, etc.
Customize your group settings by who can access, moderate, and post in your Google groups. There are default roles of manager, owner, and members.
You can disable the configurations like - public access, allowing anyone to post your group, and accessing the internet for anyone.
You can create specific admin roles to perform some specific admin tasks. Also, assigning multiple admin roles is available for a user. For example, if you create a User Management Admin role for a person, he can access and modify specific settings for the non-admin people.

5. Google Sites

Control who can share files in Google Sites. For example, you can allow or block people outside your organization from sharing files and create a default setting for link-sharing. Moreover, you can use Google Drive sharing settings.
You can use classic Sites sharing options for the users in your domain. So, you can set different options and decide whether your domain users can share files with external domain users. You can get options like opening sites to anyone on the internet, creating a warning for the users when they share a site in public, making the sites viewable outside your domain, etc.

6. Google Vault

Google Vault enables auditing Vault users' activity across Vault or specific methods. Auditing across Vault shows edited retention rules by Vault users. The specific method of auditing enables one to know about the downloaded files on users' devices. The audit data includes data like – date, user, name, email, action, resource URL, query string, etc.
Also, follow the administrator roles for Vault.

Additional Security

Admin Audit log
Review your Admin log events from the audit and investigation page. From this page, you can find out when an admin adds a user from the Admin Console, activate Google Workspace services from them, etc. Also, you can find several data sources from this page, such as – actions, actors, data source, device ID, Google Workspace edition, and more. Source
Security center

The security center provides advanced security reports and analytics about your domain. It helps to strengthen the advanced settings of the Admin Console. It has three sections – security dashboard reports, security health page, and investigation tool.

From dashboard reports, you can find reports and charts from several security centers. Data from these reports is updated every 15 minutes.
The security health page enables monitoring on Admin Console settings. As a result, you can find out the security risks. Also, you can manage these risks with security guidelines and your organization’s security management policies.
The investigation tool helps you to access data about different devices, access email messages, access Gmail logs and find out, remove spam messages and mark them, access the log data of your device, and access the log data of Google Drive.

Use Foresight to enable the power of automation

By using a robust automation platform like Foresight you can streamline your business operations and empower Google Workspace workflows easily. The smart solutions of this SaaS platform don’t require any expertise in automation scripts. It helps the admin and users to handle their tasks effortlessly within a short period. In this way, it improves the efficiency of your employees and enhances productivity.

You can find different types of use cases for admin and users. There are admin use cases for Google Workspace security like Apps Reporting and Getting Alerts in Google Workspace, etc., and user use cases like Mail Merge Using Gmail and Foresight, etc.

Conclusion

Now, you have a clear understanding of Google Workspace securities and best practices. These security policies are essential for protecting your Google Workspace account from data breaches, spamming, phishing, and other malicious activities. Moreover, you will learn these security policies from the use cases of Foresight.

Also, learn the other automation use cases of Foresight and try a 14-day free trial. Know other topics related to this one – Create and manage rules, etc.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors. This cookie is installed the first time a visitor enters the website through a browser. When the visitor comes back to the website through the same browser, the cookie will consider them to be the same visitor. Only in the event that the visitor changes browser, will they be deemed to be a different visitor.
_gat_gtag-###	1 minute	This cookie is installed by Google Analytics. It is used to analyze visitor browsing habits, flow, source and other information.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source where they have come from, and the pages visited in an anonymous form.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
__Secure-1PAPISID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising
__Secure-1PSID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
__Secure-3PAPISID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
__Secure-3PSID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
_gcl_au	3 months	This cookie is set by Google Analytics to take information in advert clicks and store it in a 1st party cookie so that conversions can be attributed outside of the landing page.
1P_JAR	1 month	This cookie is installed by Google Ads. This cookie is used to collect site statistics and track conversion rates.
APISID	2 years	This cookie is used by Google to store user preferences and information while viewing Youtube videos on this site.
HSID	2 years	This cookie contains digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. Google uses security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties.
LOGIN_INFO	2 years	This cookie is used by YouTube (Google) for storing user preferences and other unspecified purposes.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
PREF	2 years	This cookie is used by YouTube (Google) for storing user preferences and other unspecified purposes.
SID	2 years	This cookie contains digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. Google uses security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties.
SIDCC	1 year	This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
SSID	2 years	This cookie is used to save the user's preferences and other information.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	6 months	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	This cookie is used by YouTube to remember user input and associate a user’s actions. This cookie lasts for as long as the user keeps their browser open.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.