Teri Radichel


Google Workspace Security 101

The most basic steps to secure your Google Workspace

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Google Security | Cloud Governance | DNS Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In a prior post I was migrating some emails from one Google Workspace to another.

Along with that I wanted to write about some quick things you can do to secure your Google Workspace account if you haven’t already.

This is not a complete list of security best practices for Google Workspace. However, here are some immediate and basic things you can do to improve the security of your account.

Look at which users are assigned to the admin role. While logged into the admin dashboard (https://admin.google.com), take a look at who is assigned an Admin role by clicking Admin roles on the left. Make sure you know who has administrative access, as they can do anything in your account.

Create at least two administrators so if you lose access to one email you can still log in with the other. You may also want these users on different domains in case you lose access to one domain.

Avoid using an admin account for everyday email in a browser session that stays logged in. Create separate administrative accounts that you log into as needed, but do monitor the mailboxes of those accounts for any alerts or warnings.

Assign hardware MFA like a Yubikey to those users rather than having them enter a code. With a code, you can be tricked into entering it into a fake website, which then enters your code into the real website to obtain a session. The fake site then relays you over to the real website so you never know this happened.
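The reason a security key resists the relay described above is that the browser writes the origin it is actually showing into the data the key signs, and the real site rejects a signature over any other origin. The following is an added illustration of that check, not code from the original post. The origins are constructed, and the HMAC over a per-credential secret stands in for the public-key signature a real FIDO2 authenticator would produce, so the script runs with the standard library only; the origin check itself is the same.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for the illustration (not real sites).
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts.example.com.evil.test"


class Authenticator:
    """Stands in for the security key. It only signs what the browser hands
    it; the HMAC secret is a stand-in for the key's private key."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)

    def register(self) -> bytes:
        # A real key hands the site a public key at registration; the stand-in
        # hands over the verification secret instead.
        return self._secret

    def sign(self, client_data_json: bytes) -> bytes:
        digest = hashlib.sha256(client_data_json).digest()
        return hmac.new(self._secret, digest, hashlib.sha256).digest()


class RelyingParty:
    """The real site: checks the challenge it issued, the origin, and the signature."""

    def __init__(self, credential_secret: bytes) -> None:
        self._credential = credential_secret
        self._pending: set[str] = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, client_data_json: bytes, signature: bytes) -> bool:
        data = json.loads(client_data_json)
        if data.get("challenge") not in self._pending:
            return False
        if data.get("origin") != REAL_ORIGIN:
            # Origin binding: the signed clientData records where the user
            # really was, so an assertion relayed from a phishing page fails here.
            # (A real browser would also refuse to use the credential at all,
            # because the phishing domain does not match the credential's rpId.)
            return False
        expected = hmac.new(self._credential,
                            hashlib.sha256(client_data_json).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self._pending.discard(data["challenge"])  # each challenge is single-use
        return True


def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the web page, writes the origin it is showing into clientData."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()


def webauthn_login(rp: RelyingParty, key: Authenticator, origin_user_is_on: str) -> bool:
    """Full exchange. With origin_user_is_on set to the phishing site this models
    the relay: the site forwards the real challenge to the victim and forwards
    the resulting assertion back to the real site unchanged."""
    challenge = rp.new_challenge()
    client_data = browser_client_data(origin_user_is_on, challenge)
    signature = key.sign(client_data)
    return rp.verify(client_data, signature)


def totp_login(code_relayed: str, code_expected: str) -> bool:
    """A typed six-digit code is bound to nothing; whoever relays it first gets the session."""
    return hmac.compare_digest(code_relayed.encode(), code_expected.encode())


if __name__ == "__main__":
    key = Authenticator()
    rp = RelyingParty(key.register())
    print("direct login:", webauthn_login(rp, key, REAL_ORIGIN))
    print("relayed through phishing site:", webauthn_login(rp, key, PHISH_ORIGIN))
    print("relayed TOTP code:", totp_login("482193", "482193"))
```

Run directly, the script shows the direct WebAuthn login succeeding, the relayed one failing at the origin check, and the relayed TOTP code being accepted because nothing ties it to the page the user typed it into.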

Check for third-party administrative access to your account. In the past, when you registered a domain on Google Domains, it would ask you if you wanted to create a workspace. If you chose to do so at that point, Google Domains would have administrative access to your account. Google Domains has since moved to SquareSpace, and that administrative access moved with it.

Getting that access removed was not simple when I had to do it in the past. I had to cancel the Google Workspace and wait for days to get the issue resolved. I had to contact support multiple times. Once I got the account out of that workspace created by Google Domains, I was able to independently create my Google Workspace without giving the domain provider administrative access.

Check to see if this applies to you, and if so, I recommend setting up a new Google Workspace and taking steps to eliminate that access, if it still exists.

Limit who can transfer accounts, emails and files out of your organization. Related to all of the above administrative access, understand who has permission to transfer accounts and files out of your organization. I explained how to do that in the last post. Lock it down.

Check your Account Settings. Navigate to Account > Account Settings. I recommend turning off new products being available to users. You want to be intentional about which products you enable and allow users to leverage in your account. I didn’t do this in one of my accounts and found all kinds of services enabled that I didn’t want.

You may also want to turn off extraneous emails as I did in the second box.

Disable any Google Services that are not required. Navigate to Apps > Service Status. Here you can see which services are enabled for your Google Workspace that users are allowed to use. Check the services you know you are not using and then click OFF to disable them. You can also enable services for select groups of users by creating groups and assigning permission to a group or by assigning the permission only to a specific organizational unit.

Navigate to Google Workspace > [Service Name] and configure all the external sharing settings. One of the biggest cloud configuration problems occurs when users accidentally share data to the entire world that was meant to only be shared within the organization. Navigate to each service and configure the service to only share data with the expected audience.

For example, here’s Google Workspace > Calendar. Do you want people to be able to share their calendars externally? In my case, I share my calendar with an application. That may require this service to be on. As above, you can configure this service to be on for specific groups. You might allow certain users to share data publicly while others cannot.

Here’s a look at some of the calendar sharing options:

  • External: Only share free/busy information externally (hide event details)
  • Internal: share all calendar information.
  • Video conferencing: If you don’t use Google Meet you can turn that off.

Limit who can make documents public via Drive and Docs. This is another important setting that can lead to misconfigurations. Who is allowed to share documents in Google Drive with people outside your organization? You might want to limit it to no one.

However, sometimes groups like the sales department need to be able to share documents such as presentations with potential customers. They could do that via email unless the documents are very large. In that case, perhaps you have a group of people who are allowed to share certain documents. When people can’t do their jobs effectively, they tend to bypass security with their own personal accounts, so make sure you understand what people need to do their jobs and design your controls accordingly.

I used to share class documents via Google Drive. I would set up a separate email account and drive for that purpose. I would limit access to the drive to the domain of the company for whom I was providing the training and grant access to the specific students in the class via a gmail account that was allowed to access the class folder.

Creating Shared Drives can be very helpful because you can keep your sensitive documents in a shared drive and limit what people can do with those documents via the shared drive while giving people more leeway in their personal drive accounts where they should not be storing sensitive or proprietary information.
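Once sharing settings are locked down, the next question is what is already shared more widely than intended. The following added example (not code from the post) classifies files by the widest audience any permission grants them, using the field names of the Drive API v3 permissions resource (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`). The file records and addresses are constructed sample data, not output from a real tenant; in practice the same records come from the Drive API with permissions expanded.

```python
# Constructed sample records in the shape of Drive API v3 file metadata with
# permissions included. Names and addresses are made up for the illustration.
SAMPLE_FILES = [
    {"name": "board-minutes.docx",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "cfo@example.com"}]},
    {"name": "q3-pitch.pptx",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "sales@example.com"},
                     {"type": "user", "role": "reader", "emailAddress": "buyer@customer.test"}]},
    {"name": "partner-list.xlsx",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "ops@example.com"},
                     {"type": "domain", "role": "reader", "domain": "partner.test"}]},
    {"name": "salaries.xlsx",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
                     {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "press-kit.pdf",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "pr@example.com"},
                     {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
]

# Ordered from narrowest to widest audience.
EXPOSURE_RANK = {"internal": 0, "external": 1, "link": 2, "public": 3}


def permission_exposure(perm: dict, allowed_domains: set[str]) -> str:
    """Exposure level granted by a single permission entry."""
    kind = perm.get("type")
    if kind == "anyone":
        # allowFileDiscovery=True means the file is findable by search, not just by link.
        return "public" if perm.get("allowFileDiscovery") else "link"
    if kind == "domain":
        return "internal" if perm.get("domain", "").lower() in allowed_domains else "external"
    if kind in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        domain = email.rsplit("@", 1)[1] if "@" in email else ""
        return "internal" if domain in allowed_domains else "external"
    return "external"  # unknown permission type: treat conservatively


def file_exposure(file: dict, allowed_domains: set[str]) -> str:
    """Widest audience any single permission on the file grants."""
    levels = [permission_exposure(p, allowed_domains) for p in file.get("permissions", [])]
    return max(levels, key=EXPOSURE_RANK.__getitem__, default="internal")


def audit(files, allowed_domains: set[str], minimum: str = "external"):
    """Return [(name, exposure)] for files at or above the given exposure level."""
    threshold = EXPOSURE_RANK[minimum]
    findings = []
    for f in files:
        level = file_exposure(f, allowed_domains)
        if EXPOSURE_RANK[level] >= threshold:
            findings.append((f["name"], level))
    return findings


if __name__ == "__main__":
    for name, level in audit(SAMPLE_FILES, {"example.com"}):
        print(f"{level:9s} {name}")
```

Run against the sample data with `example.com` as the organization's own domain, the audit lists the four files shared beyond the organization; raising `minimum` to `"link"` narrows it to the two files that anyone holding a link can open, which is the case the section above warns about.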

Check that the services are actually disabled. Even though I disabled Google Chat, it still shows On for everyone.

When I look at the details it shows both of these are turned off.

I’m not sure if the screen just hasn’t updated or that is a bug. I don’t see why this is the case after a scan of the Google documentation but it should be off. You can always contact Google support to ask more questions.

Do you want to allow users to search internal resources via Google? Google Cloud Search may be a handy feature, unless you didn’t intend to use it and your data is getting connected to Google in ways you do not desire. If you're not sure if you should be using this, you might want to turn it off until you have time to investigate and test it further. Where does the data end up? Who can access it? Who can connect resources to it? Attackers often take advantage of services people haven’t properly locked down and don’t understand to access resources at an organization.

Navigate to Apps > Additional Google services. Here you can see other services people can use and you can disable if you’re not using them.

Click on the three dots on the right next to a service to turn it on or off.

I find this service questionable but I haven’t looked into it in detail yet. I just know I won’t be using it. If you do, make sure you understand how it works very well and what could go wrong.

Limit Google Marketplace apps to what is required. Navigate to Google Workspace Marketplace apps > Settings. Only allow users to install approved apps. Note the warning if you have an existing account.

Click Google Workspace Marketplace apps > Apps list

This is where you can add applications to the list that your users are allowed to use.

Require 2-step verification (MFA). Navigate to Security > 2-step verification. Require 2-step verification. You will probably want to give users a grace period and notify them they only have a short window to fix any accounts that do not currently have this configured.

Require additional verification for suspicious logins. Navigate to Security > Login challenges. Enable the option to require additional authentication if a login looks suspicious. Make sure users have 2-step verification enabled first.

Configure Rules to alert you to sensitive actions. Click Rules in the left menu. Review the different types of alerts that exist. Enable alerts to be notified of sensitive actions.

For example, you may want to know if the users assigned to Admin roles changes.

This alert tells you if admin privileges are revoked:

Click on the rule. Click the pencil icon next to Actions.

Choose where you want to send an alert. Click NEXT: REVIEW.

Click UPDATE RULE.

Go through all the rules and update them the same way. In my case if I’m not sure if I want an alert I enable it. If it turns out I don’t later, I can always disable it.

In addition to the pre-defined rules you can create your own custom rules to alert on actions that are important to you.
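The console rules above notify you when admin privileges change. If you also pull the admin audit log yourself, the same condition can be checked in code. The following is an added example, not code from the post or from Google: it scans activity records in the shape returned by the Admin SDK Reports API for `applicationName=admin` and raises one alert per role grant or revocation. The records are constructed sample data, and the event and parameter names (`ASSIGN_ROLE`, `UNASSIGN_ROLE`, `ROLE_NAME`, `USER_EMAIL`) are as I recall them from the admin audit log documentation; confirm them against the current docs before relying on this.

```python
# Constructed sample records in the shape of Reports API activity responses
# for applicationName=admin. Times, addresses and the role name are made up.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-05-01T10:15:00.000Z", "applicationName": "admin"},
     "actor": {"email": "admin1@example.com"},
     "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "ASSIGN_ROLE",
                 "parameters": [{"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"},
                                {"name": "USER_EMAIL", "value": "newadmin@example.com"}]}]},
    {"id": {"time": "2024-05-01T10:20:00.000Z", "applicationName": "admin"},
     "actor": {"email": "admin1@example.com"},
     "events": [{"type": "USER_SETTINGS", "name": "CREATE_USER",
                 "parameters": [{"name": "USER_EMAIL", "value": "intern@example.com"}]}]},
    {"id": {"time": "2024-05-02T08:00:00.000Z", "applicationName": "admin"},
     "actor": {"email": "newadmin@example.com"},
     "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "UNASSIGN_ROLE",
                 "parameters": [{"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"},
                                {"name": "USER_EMAIL", "value": "admin1@example.com"}]}]},
]

# Event names that change role membership (assumed from the admin audit log docs).
ROLE_EVENTS = {"ASSIGN_ROLE": "granted", "UNASSIGN_ROLE": "revoked"}


def _params(event: dict) -> dict:
    """Flatten the [{name, value}, ...] parameter list into a dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def role_change_alerts(activities, known_admins: set[str]):
    """One alert per admin-role grant or revocation.

    Severity is 'critical' when the actor is not in the set of administrators
    you expect to exist (someone unexpected is changing roles), 'warning'
    otherwise. Events that are not role changes are skipped; other rules
    cover those."""
    alerts = []
    for act in activities:
        actor = (act.get("actor", {}).get("email") or "").lower()
        when = act.get("id", {}).get("time", "")
        for ev in act.get("events", []):
            verb = ROLE_EVENTS.get(ev.get("name"))
            if verb is None:
                continue
            p = _params(ev)
            target = (p.get("USER_EMAIL") or "").lower()
            role = p.get("ROLE_NAME") or "?"
            severity = "critical" if actor not in known_admins else "warning"
            alerts.append({"time": when, "severity": severity, "actor": actor,
                           "action": verb, "role": role, "target": target})
    return alerts


if __name__ == "__main__":
    for a in role_change_alerts(SAMPLE_ACTIVITIES, {"admin1@example.com"}):
        print(f"[{a['severity']}] {a['time']} {a['actor']} {a['action']} "
              f"{a['role']} for {a['target']}")
```

In production the `activities` list would come from `activities().list(userKey='all', applicationName='admin')` on a Reports API client; this script does not make that call so it runs offline. With the sample data and `admin1@example.com` as the only known administrator, the grant by admin1 is reported as a warning and the later revocation performed by the newly created admin is reported as critical.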

These are not all of the security settings you can configure for Google Workspace but some you might want to look at right away. For all of the other settings you can obviously review the documentation, but also click through the console and make sure you understand what all the settings are and what they should be.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign up for my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab