THE COMPLETE GUIDE TO GOOGLE APPS SECURITY. Building a comprehensive Google Apps security plan

Contents

Introduction ... 3
1. Secure the core ... 4
   Google Apps settings ... 4
   Security settings ... 5
   Device Management settings ... 5
   Chrome Management settings ... 6
   Review Reports ... 6
2. Enhance email security ... 6
3. Extend data recovery ... 7
4. Lock-down document security ... 8
5. Save Gmail and Docs for compliance ... 9
Summary ... 10

Introduction

The good news is that once your organization switches to Google Apps for Work, Google provides several essential pieces of security.

Yet for some organizations, data protection gaps remain.

Unaided, Google Apps for Work—and even Google Apps Unlimited, which includes Vault—may not completely address business needs previously met by traditional on-premises systems.

Google’s offerings may be sufficient for some organizations, but others require multiple data recovery options, stronger security, or more robust compliance measures.

With thoughtful configuration and the right additional services or apps, you can easily strengthen your organization’s approach to securing data in the cloud.

This guide outlines the kinds of services and technologies offered in the market today that will provide additional protection for your company’s data stored in Google.


1. Secure the core

Who’s Involved:

A Google Apps Admin + Organization Leadership

A Google Apps administrator should configure the core Google Apps suite with security settings approved by organizational leadership. The settings must represent an appropriate balance between enabling collaboration and securing data.

What Needs to Happen:

Ideally, when you migrate to Google Apps for Work, you’ll review all available Admin settings in the Admin console (at http://admin.google.com). That will expose you to the entire feature set of Google Apps administrative controls.

To secure Google Apps, configure settings, then review reports:

• Google Apps settings
• Security settings
• Device Management settings
• Chrome Management settings
• Review reports to maintain security

The first three of these are prominent Google Apps Admin console items. If any of those three items aren’t visible, select the “More controls” option at the bottom of the Admin console. While many other settings are important, proper configuration and periodic review of the following items will help you secure the core features of Google Apps.

Google Apps settings

As an administrator, you can adjust the security of the core Google Apps suite. To do this, you’ll need to:

• Select sharing levels,
• Determine data storage settings, and
• Configure features.

Select sharing levels

Review sharing settings for each of the core Google Apps carefully. Shared calendars simplify scheduling, and shared documents enable collaborative writing and editing. Yet these sharing features also may allow unauthorized sharing. For example, a calendar shared with a colleague may unintentionally reveal sensitive information. A document created in a shared folder will inherit the folder’s sharing settings. Review maximum sharing settings carefully for Drive, Calendar, Sites, and Groups, as each of these apps allows sharing options that may expose data to people outside the organization.
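The review described above is easier to do against the shared-files report than file by file. The following is an added example, not code from this guide or from Google: it takes constructed rows in an assumed report layout (file, owner, effective visibility, explicit collaborators) and flags every file reachable from outside the organization, treating one assumed partner domain as approved.

```python
"""Flag Drive files whose effective sharing reaches outside the organization.

Added example with constructed data. The row layout below is an assumption,
not Google's actual shared-files report schema; adapt the keys to the export
you actually review.
"""

# Constructed sample rows (assumed layout). "visibility" is the effective
# link setting a file ends up with, including anything inherited from a folder.
SAMPLE_SHARES = [
    {"file": "Board minutes.gdoc", "owner": "cfo@example.com",
     "visibility": "domain", "shared_with": ["legal@example.com"]},
    {"file": "Price list.gsheet", "owner": "sales@example.com",
     "visibility": "anyone_with_link", "shared_with": []},
    {"file": "Project plan.gdoc", "owner": "pm@example.com",
     "visibility": "private", "shared_with": ["vendor@partner.example.net"]},
    {"file": "Lunch menu.gdoc", "owner": "office@example.com",
     "visibility": "public", "shared_with": []},
]

INTERNAL_DOMAIN = "example.com"
ALLOWED_EXTERNAL = {"partner.example.net"}   # assumed approved partner domain


def external_exposure(row, internal_domain=INTERNAL_DOMAIN, allowed=ALLOWED_EXTERNAL):
    """Return the reasons a file is reachable outside the organization (empty = fine)."""
    reasons = []
    # Link-based visibility bypasses the collaborator list entirely.
    if row["visibility"] in ("public", "anyone_with_link"):
        reasons.append(f"visibility is {row['visibility']}")
    # Explicit collaborators outside the domain and not on the approved list.
    for addr in row["shared_with"]:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain != internal_domain and domain not in allowed:
            reasons.append(f"shared with external account {addr}")
    return reasons


def review_shares(rows, **kw):
    """Map file name -> exposure reasons, for files that have at least one."""
    result = {}
    for row in rows:
        reasons = external_exposure(row, **kw)
        if reasons:
            result[row["file"]] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in review_shares(SAMPLE_SHARES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it periodically against the real export and treat any new entry as a change to investigate; a file that was private last week and is "anyone with the link" this week is exactly the inherited-folder case the text warns about.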

Determine data storage settings

Examine offline data storage and sync settings carefully. Arguably, restricting access to Google Apps to connected sessions improves security: a person must log in to their Google Account to access data. However, offline data storage enables offline work, which may be not only convenient but also necessary. In some organizations, security must take priority over convenience. For maximum security, limit offline access and sync of Gmail and Google Drive documents. Make sure your users know whether they may—or may not—work with this data offline.

Configure features

For maximum security, disable unused Google Apps. For example, if your organization doesn’t use Google Sites or Google Groups, disable the app. In larger organizations, you might selectively disable a feature for a group of users, with Google’s organizational units feature. (Learn more about this from Backupify’s “Google Apps Organizational Units and Permissions Guide”.)

Organizations subject to HIPAA (the Health Insurance Portability and Accountability Act) may need to disable Apps outside of the core Gmail, Calendar, Drive and/or Vault apps.

Allow time to properly configure Gmail, where the options vary from simple to complex. On the simple side, prevent auto-forwarding of email by unchecking the box next to “Allow users to forward incoming mail to another address”. Reduce the chance of spoofing or spam from your domain by configuring SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records. This configuration takes several steps to get right. (Learn how to configure these items from Google’s “Prevent Outgoing Spam with DMARC” help pages.)
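Because the SPF, DKIM and DMARC records are plain DNS TXT strings, the most common mistakes (a permissive `+all`, a DMARC policy left at `p=none`, too many DNS-lookup mechanisms) can be caught before publishing. The following is an added example, not from this guide or from Google: a small checker run over constructed records. The lookups are simulated with a dictionary so it runs offline; in practice you would fetch the TXT records with a DNS library. The DKIM selector name, the domain and the key value are assumed sample data.

```python
"""Sanity-check SPF, DKIM and DMARC TXT records before (or after) publishing.

Added example with constructed records; nothing here is a real zone.
"""
import re

# Constructed TXT records keyed by DNS name (assumed sample data).
SAMPLE_DNS = {
    "example.com": "v=spf1 include:_spf.google.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "google._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY",
}

ALL_RE = re.compile(r"^([+\-~?]?)all$", re.I)
# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record):
    """Return a list of findings for an SPF record (empty list = looks good)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must begin with v=spf1"]
    qualifier = None
    lookups = 0
    for term in terms[1:]:
        m = ALL_RE.match(term)
        if m:
            qualifier = m.group(1) or "+"
            continue
        name = re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()
        if name in LOOKUP_MECHS:
            lookups += 1
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders are neutral")
    elif qualifier in ("+", "?"):
        findings.append(f"'{qualifier}all' lets anyone pass; use ~all or -all")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (RFC 7208)")
    return findings


def parse_tags(record):
    """Parse the 'k=v; k=v' tag list used by DMARC and DKIM into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record):
    """Return findings for a DMARC record; p=none is flagged as monitor-only."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record must begin with v=DMARC1"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; move to p=quarantine or p=reject once reports look clean")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be delivered")
    return findings


def check_dkim(record):
    """A DKIM record with an empty p= tag means the key was revoked (or the record is broken)."""
    if not parse_tags(record).get("p"):
        return ["DKIM p= tag is empty or missing (key revoked or record broken)"]
    return []


def audit_domain(domain, selector, dns=SAMPLE_DNS):
    """Run all three checks for a domain; returns {record_type: [findings]}."""
    return {
        "spf": check_spf(dns.get(domain, "")),
        "dmarc": check_dmarc(dns.get(f"_dmarc.{domain}", "")),
        "dkim": check_dkim(dns.get(f"{selector}._domainkey.{domain}", "")),
    }


if __name__ == "__main__":
    for kind, issues in audit_domain("example.com", "google").items():
        print(kind, "OK" if not issues else issues)
```

With the sample records the SPF and DKIM checks pass and DMARC is reported as monitor-only, which is the usual first stage: publish `p=none`, read the aggregate reports until legitimate senders all pass, then tighten to `quarantine` or `reject`.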

Security settings

With Google Apps, a password must meet a minimum length requirement. Google allows the minimum to be as low as 8, and the maximum to be as high as 100 characters. We recommend the minimum be increased to at least 12, with higher values for organizations requiring more security. A longer password helps increase security. Leave the maximum value at 100.

Google Apps also adds two-step authentication as an option: enter your email address and password, then obtain a six-digit number from your phone (either via a text message or an app) and enter it. (If your phone isn’t available, a user or an administrator may obtain a backup code.) Allow the use of two-step authentication as an option. In highly sensitive environments, two-step authentication may be required.

Device Management settings

If your organization uses Android or iOS devices, review the Device Management settings to configure security policies for these devices. Android and iOS configuration differs. Enterprise-managed Android devices should have the “Google Apps Device Policy” app installed, while iOS devices should connect with Google Sync. Once connected, an administrator may remotely lock, locate, or erase a managed mobile device—following the organization’s policy to do so, of course.

Chrome Management settings

When users log in to a Chrome browser with a Google Apps account, an administrator may configure Chrome policies. These policies manage which apps and extensions may be installed, and control some Chrome settings. (These settings can be somewhat difficult to locate. From the main Admin console, you may need to choose “More Controls” at the bottom of the screen to bring “More Google Apps” into view. Select “More Google Apps”, then scroll through the list and choose “Chrome Management”.) If your organization has purchased Chrome device management, configure those policies from here as well.

Review Reports

Maintain security by periodically reviewing Reports, Marketplace apps, and Admin user settings. Access Reports in the Admin console to view account activity, shared files, and connected apps. Pay special attention to failed login data (available under account activity) to identify attempted unauthorized account access. Review Marketplace apps to ensure that no unauthorized apps have been added—and to update or renew app authorizations. Finally, look through the User list to verify that only appropriate people have the necessary Admin permissions.
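Failed-login data is most useful when it is reduced to "who had a burst of failures, from where, and did a success follow". The following is an added example, not from this guide or from Google: it runs that reduction over a constructed login-audit export in an assumed CSV layout (timestamp, user, event, source IP), which is not Google's exact report schema. The threshold and window values are assumptions to tune for your organization.

```python
"""Summarise failed logins from an account-activity export.

Added example with constructed log lines; the column layout is assumed.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export (assumed layout, not Google's real report format).
SAMPLE_LOG = """\
timestamp,user,event,ip
2021-03-01T08:00:05Z,alice@example.com,login_success,203.0.113.10
2021-03-01T08:01:10Z,bob@example.com,login_failure,198.51.100.7
2021-03-01T08:01:15Z,bob@example.com,login_failure,198.51.100.7
2021-03-01T08:01:20Z,bob@example.com,login_failure,198.51.100.7
2021-03-01T08:01:25Z,bob@example.com,login_failure,198.51.100.7
2021-03-01T08:01:30Z,bob@example.com,login_failure,198.51.100.7
2021-03-01T08:01:40Z,bob@example.com,login_success,198.51.100.7
2021-03-01T09:30:00Z,carol@example.com,login_failure,192.0.2.44
2021-03-01T12:00:00Z,carol@example.com,login_success,192.0.2.44
"""

THRESHOLD = 5                 # failures inside WINDOW that warrant a look (assumed)
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse the CSV export into dicts with a real datetime under 'ts', oldest first."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def find_suspicious_logins(text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: summary} for users with >= threshold failures inside window.

    summary = {"failures": n, "ips": [...], "success_after_burst": bool}
    success_after_burst marks a successful login within `window` of the last
    failure in the burst: the case to escalate first, since the guessing may
    have worked (or the user simply recovered their password; either way, ask).
    """
    by_user = defaultdict(list)
    for ev in parse_events(text):
        by_user[ev["user"]].append(ev)

    flagged = {}
    for user, events in by_user.items():
        failures = [e for e in events if e["event"] == "login_failure"]
        for i, first in enumerate(failures):
            # Sliding window anchored on each failure in turn.
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1]["ts"]
                success_after = any(
                    e["event"] == "login_success"
                    and last_fail <= e["ts"] <= last_fail + window
                    for e in events
                )
                flagged[user] = {
                    "failures": len(burst),
                    "ips": sorted({f["ip"] for f in burst}),
                    "success_after_burst": success_after,
                }
                break
    return flagged


if __name__ == "__main__":
    for user, summary in find_suspicious_logins(SAMPLE_LOG).items():
        print(user, summary)
```

A single failure followed hours later by a success (carol in the sample) is ordinary user behaviour and stays below the threshold; five failures in twenty seconds followed by a success from the same address (bob) is what the report review is meant to surface.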

For the latest news about Google Apps and Security, follow the Google Online Security blog and the Google Apps Release Calendar.

2. Enhance email security

Who’s Involved:

Consult your legal department and organizational leadership to determine if your organization should take additional steps to secure Gmail.

What Needs to Happen:

Google Apps Email Security

By default, Google relies on several tools to secure email. Google secures the connection to Gmail from your browser (i.e., “https://”), and also enables forward secrecy. Google encrypts messages as they move between Google servers. Gmail exchanged among Google Apps and Gmail users remains protected, as are messages exchanged with email providers that support TLS (transport layer security). These measures provide many organizations a previously unachievable level of email security.

Enhanced Email Security

Google, in partnership with Zix, offers the Google Apps Message Encryption service. The service routes email securely via Zix. The sender triggers this routing with a keyword in the email subject line, such as “Encrypt”. Recipients access messages in one of three ways: transparently, if their organization uses a ZixGateway; by logging into ZixPort, a web-based portal; or, by unlocking the email with a password, with ZixDirect.

However, a major security concern remains: Google and/or Zix hold the encryption keys. For optimal security, only the user—or an enterprise—would have access to encryption keys. In 2014, Google announced initial development work on End-to-End, a Chrome extension. The browser extension promises to secure email messages with OpenPGP, a widely used open encryption standard. Of course, both parties need the extension to be installed and configured to encrypt and decrypt email messages.

For an enterprise, CipherCloud’s gateway encrypts data to cloud services, such as Gmail or Salesforce. The gateway encrypts and decrypts traffic between the user and the cloud service, while the encryption keys remain in the organization’s control. The system stores sensitive data within the enterprise, and sends a “token” representing that data to the cloud service. This happens transparently for the user, who views the app and decrypted data in their browser as usual.

Solution to Consider for Encryption:

3. Extend data recovery

Who’s Involved:

Discuss data recovery and restoration policies with your organization’s operations, human resources, and business continuity teams.

What Needs to Happen:

Google Apps Recovery Options

A Google Apps user may recover some deleted items without help. For example, a user can recover deleted Google Drive files or Gmail from Trash for up to 30 days. Similarly, Contacts may be restored to the state they were in at any point in the prior 30 days. After 30 days, Google deletes items in Trash automatically. Google allows an administrator to restore a person’s Google Drive files for up to 25 days after the file has been deleted from Trash.

But not all items may be recovered. Google does not retain Calendar items in Trash; they’re deleted immediately. Outside of the 30-day window, deleted email and contacts are not recoverable.

Google Vault doesn’t restore user data. Instead, Vault “traps” data for administrative search and export. Vault excludes Calendar items and Contacts. Vault can’t recover a user-deleted Drive document that matches “hold” criteria (as of August 2014). Vault won’t capture Gmail that doesn’t match an administrator-defined retention policy.

Backupify saves and restores all of your Google Apps data: Gmail, Calendars, Contacts, Drive documents. It even saves Google Sites. Backupify securely and automatically backs up your Google Apps data up to 3 times a day. An administrator can export and preserve a complete data set for any—or all—users so that companies have a secure, second copy of their data.

Solution to Consider for a Secure, Second Copy of your Data

4. Lock-down document security

Who’s Involved:

Consult your legal department and organizational leadership to determine if your organization should take additional steps to secure documents.

What Needs to Happen:

To secure documents, you need to control—and know—who can find and open files. On-site legacy file servers handled this task well: permission settings controlled access to files and folders. File activity logs documented access. People typically shared files outside the organization as email attachments.

Google Apps Document Security

Google Apps gives administrators and users control of file and folder permissions, as well. A person may share a file either by sending it as an email attachment, or by sharing access to the document. Access options allow a document owner to publish a document to the web, or require authentication to view. Your Google Apps administrator controls whether files may be stored offline or synced to local systems.

Google encrypts all Drive files. The company enforces a secure connection from your browser to Google Drive. Files are encrypted when stored on Google’s servers, and when conveyed between Google’s data centers.

Drive document audit options range from simple to complex. Google Apps reports the total number of files shared by each user, but no details. Google Apps Unlimited creates a log entry every time people create, modify, or share documents.

Third-party solutions enhance cloud document security and audit options. For example, CloudLock helps identify when people share PII (personally identifiable information), PCI (payment card information) or other sensitive information in documents. People may be prompted to remove, restrict sharing, or to password protect (and encrypt) each identified file.

Solution to Consider for Enhanced Document Security:

5. Save Gmail and Docs for compliance

Who’s Involved:

Consult your legal department to determine if your organization should take additional steps to retain email and documents for compliance purposes.

What Needs to Happen:

Google Vault helps legal teams discover and retain sensitive information in Gmail and Google Drive for compliance purposes.

Google Vault allows an authorized person to “matter” and “uncover” email/documents requested. Specify your “matter” terms, then Vault will “uncover” email—with attachments—that match. Similarly, Vault also allows a keyword search of Google Drive documents. Matching items may be held indefinitely or retained temporarily, according to administrator-defined rules. Identified items may be searched and exported. Vault preserves retained email for 30 days beyond the specified retention period, after which Vault deletes the item.

Upgrading to Google Vault


Summary

As we said at the start, Google Apps for Work offers the kind of security that might be sufficient for some organizations, but we strongly believe that smart configuration of the core Google Apps will provide organizations with secure, world-class collaboration tools.

Organizations should defend the core, and extend data protection by adding:

• CipherCloud to secure email,
• Backupify to preserve and restore data,
• CloudLock to protect sensitive documents, and
• Vault to discover and hold data for compliance purposes.

Google Apps, combined with these additional apps, will keep people in your organization working safely and securely in the cloud.
