EBOOK

PART FOUR
Advanced Security Configuration and Compliance in G Suite

We create, store and share data bits every day. Email? Bits. Documents, spreadsheets, and slides? All bits. Social media posts? More bits. Google protects your G Suite “bits” with secure data centers and encryption systems. But G Suite security extends far beyond these basic settings and tools. In this guide, we look at the systematic security that Google provides and review the security settings you control for the core G Suite suite. We also address related apps, such as Chrome, and apps from the G Suite Marketplace.

Security basics

As a G Suite Administrator, you should have (hopefully) mastered the basics. You’ve selected settings that require people to:

• Use longer passwords
• Log in with two-step authentication
• Log in on mobile devices

You also use G Suite tools to:

• Monitor logins
• Lock, locate and wipe managed devices remotely

GOOGLE’S APPROACH TO SECURITY

As customers, we want Google to secure their applications and protect our data. To some extent, we rely on Google’s public statements.

Google articulates an overall corporate security philosophy on their website. The company publishes a detailed privacy policy, and they offer a white paper that addresses “Google’s Approach to IT Security”.

More specifically, Google addresses common concerns on their support pages: Who owns data stored in G Suite? Who at Google can access my data? (The quick answers: you own your data, and only people at Google authorized by the privacy policy terms may access your data.)

External verification of security standards and procedures helps. Google’s website asserts that their data centers are SSAE 16 / ISAE 3402 Type II SOC 2-audited and have achieved ISO 27001 certification. The former means a third-party auditor has reviewed Google’s physical and logical security setup. The latter certification, by Ernst & Young CertifyPoint, indicates that Google has implemented ISO 27001 practices.

G Suite and HIPAA compliance

If your organization handles Protected Health Information (PHI) in the United States, you’re likely required to protect that information under the Health Insurance Portability and Accountability Act (HIPAA).

The good news is Google will sign a Business Associate Agreement for G Suite with your organization. (Actually, Google requires your organization to do so. As Google’s support page says: “Customers who have not entered into a BAA with Google must not use Google services in connection with PHI”)

However, the agreement covers just four G Suite services: , Calendar, Drive, Sites, and Vault. (Google Vault provides archiving and discovery services for compliance purposes.)

Learn more from Google about HIPAA compliance and G Suite.

G SUITE: SECURITY SETTINGS

CALENDAR

As the G Suite Administrator, you choose both the maximum level of calendar sharing with people outside the organization, and the default visibility of calendars internally. In all cases, Google Calendars are private by default, and only visible to others when shared.

External calendar sharing

Once shared, you may allow outsiders to see only free/busy information: all event details remain hidden. Or, you may permit outsiders to view all calendar information, then choose whether outsiders can, or cannot, change calendar items, or fully manage a calendar.

You may set the highest level of sharing allowed differently for primary and secondary calendars. Each person’s primary calendar is their default G Suite calendar. Any additional calendar a person creates is a secondary calendar.

For example, you might restrict primary calendar sharing to free/busy information, but permit secondary calendar sharing that allows outsiders to change calendar items. This setting protects people’s primary calendar data, and permits calendar collaboration on secondary calendars.

Internal calendar visibility

You also choose the default amount of calendar information visible to people internally. You may choose a default setting of “no sharing”, “only free/busy information”, or “all information”. Each person can change the internal visibility of calendars.

Note that even if a calendar is visible to others, people may still set a specific calendar event to be private. Event details set to private are visible only to people that have the ability to make changes to events on that calendar.

Learn more from Google about primary, secondary and internal calendar sharing options.

Help your colleagues learn how to change calendar sharing options.

DRIVE

Google provides Administrators settings to limit sharing and visibility of Google documents, to restrict offline file access and syncing, and to prevent access to third-party extensions and apps.

Sharing and visibility

Most Administrators configure a newly created Google Doc to be private by default, and allow people to share the document outside the organization. Typically, the system is set to warn people before sharing a document externally.

But the collaboration capabilities of Google Docs can be restricted. An Administrator may disable publishing documents to the web or prohibit sharing outside the organization. A slightly less restrictive setup requires people who access a shared Doc to do so with a Google Account.

Learn more from Google about default document sharing and visibility settings.

Offline access

People who use Windows, Mac, or the Chrome browser to access Google Drive may all work offline. The Google Drive app on Windows and Mac syncs files stored on Google Drive to your local system, including non-Google Docs format files, such as Word, Excel, PowerPoint or PDFs. Chrome apps and extensions let people work with Google Docs offline in the browser. Administrative settings can block the installation of the Google Drive app, as well as prohibit access to Docs offline.

Learn more from Google about the installed Google Drive app and working with docs offline.
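The Drive sharing settings above set the ceiling on what people may do; they do not tell you what has already been shared. The following audit script is an added example for this guide, not Backupify or Google code: it walks a list of file records shaped like Drive API v3 file resources with their permissions list (type, role, emailAddress or domain, allowFileDiscovery), which is an assumption about the data you would fetch with files.list, and flags anything reaching beyond the organization. The file records and the domain example.com are constructed for the example.

```python
"""Audit Drive file permissions for public and external sharing.

Added example for this guide, not Backupify or Google code. The records
below are constructed by hand in the shape of Drive API v3 file resources
with their `permissions` list (type, role, emailAddress/domain,
allowFileDiscovery); in practice you would fetch them with files.list.
"""
from collections import Counter

ORG_DOMAIN = "example.com"  # assumed organization domain for the example

# Constructed sample file metadata (not real files).
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 budget", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Launch plan", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "pm@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "partner@contractor.example.net"}]},
    {"id": "f3", "name": "Team roster", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com", "allowFileDiscovery": True}]},
    {"id": "f4", "name": "Public FAQ", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "docs@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
]


def classify_permission(perm, org_domain):
    """Return (severity, reason) for one permission entry, or None if it stays in-house."""
    ptype, role = perm.get("type"), perm.get("role", "?")
    if ptype == "anyone":
        # "anyone" with discovery on is effectively published to the web.
        reach = "published and findable by search" if perm.get("allowFileDiscovery") else "anyone with the link"
        return "public", "%s (%s)" % (reach, role)
    if ptype == "domain":
        domain = perm.get("domain", "").lower()
        if domain != org_domain:
            return "external", "shared with all of %s (%s)" % (domain, role)
        return None
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "")
        if email.rsplit("@", 1)[-1].lower() != org_domain:
            return "external", "%s %s has %s access" % (ptype, email, role)
    return None


def audit(files, org_domain=ORG_DOMAIN):
    """List every file whose permissions reach beyond the organization."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            hit = classify_permission(perm, org_domain.lower())
            if hit:
                severity, reason = hit
                findings.append({"id": f["id"], "name": f["name"],
                                 "severity": severity, "reason": reason})
    return findings


def summary(findings):
    """Count findings by severity: the figure to track from one review to the next."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for hit in audit(SAMPLE_FILES):
        print("%-8s %-12s %s" % (hit["severity"], hit["name"], hit["reason"]))
    print(summary(audit(SAMPLE_FILES)))
```

Running it on the constructed records flags the budget (link-shared to anyone), the launch plan (a writer outside the domain) and the FAQ (published), while the domain-wide roster stays quiet because it is limited to the organization. The distinction between a link-only “anyone” permission and one with discovery enabled matters: the latter is what the “publish to the web” restriction above prevents.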

Apps and extensions

Google provides three ways to add or extend apps: the G Suite Marketplace, the Chrome Web Store, and Add-ons (in Docs).

Only a G Suite Administrator can add apps from the G Suite Marketplace. Apps added this way appear in the Google One bar’s “More…” menu (the Google One bar is the grid of nine small squares in the upper right). Typically, everyone in the organization has access to these apps.

The Chrome Web Store offers even more apps that store data on Google Drive. People who use the Chrome browser can add these apps, then create and save files with these apps in Google Drive.

Google also offers “Add-ons” for some G Suite apps, such as Docs and Sheets. These add features that check grammar, merge data to labels, or track document changes.

You can block access to both the Chrome Web Store and Add-ons. There’s no need to block G Suite Marketplace apps, since only Administrators can add those apps.

Learn more from Google about the G Suite Marketplace, Chrome Web Store, and Google Docs Add-ons.

SITES

Google Sites may be used to create public sites, restricted-access project sites, or private internal sites. The new Sites are located in Google Drive. Classic Sites users can find more information here.

G Suite Administrators can set sharing and visibility options through the Google Drive app. New Sites use the Drive settings and apply them to Sites. As with Google Calendars, the G Suite Administrator sets the highest level of access available for Google Sites. People may be prohibited from making a Google Site public, or from sharing a Site outside the organization.

Learn more from Google about new Sites sharing settings.

CONTACTS

G Suite Contact sharing is enabled by default: people can find contact details for other people in the organization. Additionally, email auto-complete options will display people listed in the directory. With contact sharing disabled, internal contact details will be unavailable. All G Suite account users are automatically listed in the Directory. You may add additional contacts to the Directory, but doing so requires external tools.

Contacts people create are private. However, a person may choose to “manage delegation settings” to share their contact list with another person in the organization. Contacts shared in this way will display with the label “Delegated contacts”, and can only be accessed in a web browser.

Learn more from Google about G Suite Directory contact sharing.

Help your colleagues learn how to share access to all of their G Suite contacts.

GMAIL

DNS settings for G Suite

You should use three DNS (domain name system) records to improve email deliverability and reduce spam sent from your domain: SPF, DKIM, and DMARC. An SPF (Sender Policy Framework) record identifies the mail servers authorized to send email for your domain. A DKIM (DomainKeys Identified Mail) record helps receiving servers validate that an email really was sent by your domain. The DMARC (Domain-based Message Authentication, Reporting and Conformance) record tells receiving servers how to handle email from your domain that doesn’t pass SPF and/or DKIM validation. DMARC helps reduce email spam and spoofing.

Learn more from Google about using SPF, DKIM and DMARC records.
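Publishing the three records is only half the job; the values they carry decide whether receivers actually reject spoofed mail. The script below is an added example for this guide, not Backupify or Google code: it parses an SPF and a DMARC TXT value and reports the settings that leave a domain exposed (a softfail or permissive “all”, a monitor-only DMARC policy, a partial pct, no reporting address). The record strings are constructed samples and no DNS lookups are made; the include target _spf.google.com is the one Google documents for G Suite, and the grading rules are this example’s own reading of RFC 7208 and RFC 7489.

```python
"""Grade SPF and DMARC TXT records for outbound-mail spoofing protection.

Added example for this guide, not code from Backupify or Google. The
record strings are constructed samples (no DNS lookups are made); the
include target _spf.google.com is the one Google documents for G Suite,
and the grading rules are this example's own reading of RFC 7208/7489.
"""
import re

# Constructed sample TXT values, as an administrator would publish them.
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.google.com ~all"
SAMPLE_SPF_STRICT = "v=spf1 include:_spf.google.com -all"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_DMARC_ENFORCE = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"

# SPF terms that each cost one of the ten DNS lookups a receiver will do.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, raw term) tuples plus the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, name, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def spf_findings(record):
    """Return human-readable weaknesses; an empty list means the record is strict."""
    parsed = parse_spf(record)
    findings = []
    if parsed["all"] is None:
        findings.append("no 'all' term: hosts not listed get a neutral result")
    elif parsed["all"] in "+?":
        findings.append("'%sall' lets any host on the Internet send as this domain" % parsed["all"])
    elif parsed["all"] == "~":
        findings.append("'~all' is softfail: mail from unlisted hosts is still delivered, only marked")
    lookups = sum(1 for _, name, _ in parsed["mechanisms"] if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append("%d lookup terms exceed the limit of 10; receivers return permerror" % lookups)
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def dmarc_findings(record):
    """Return weaknesses in a DMARC record; empty means failures are rejected and reported."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: receivers deliver mail that fails SPF and DKIM")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or unknown policy tag p=%r" % policy)
    pct = tags.get("pct", "100")  # RFC 7489 default is 100
    if pct.isdigit() and int(pct) < 100:
        findings.append("pct=%s applies the policy to only a fraction of failing mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be collected")
    return findings


def posture_report(spf_record, dmarc_record):
    """Combine both checks so a domain can be graded in one call."""
    return {"spf": spf_findings(spf_record), "dmarc": dmarc_findings(dmarc_record)}


if __name__ == "__main__":
    for label, spf, dmarc in (("monitor-only", SAMPLE_SPF_WEAK, SAMPLE_DMARC_MONITOR),
                              ("enforcing", SAMPLE_SPF_STRICT, SAMPLE_DMARC_ENFORCE)):
        print(label, posture_report(spf, dmarc))
```

The usual path is to start with the monitor-only pair (softfail plus p=none) while reading the aggregate reports, then move to the enforcing pair once every legitimate sender is covered; the script reports nothing for the enforcing pair and one finding each for the monitor-only pair, which is the state to leave behind.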

Gmail access

People access email in many ways: via browsers on laptops, in Gmail on smartphones, and with POP/IMAP email clients on desktops. As Administrator, you may prevent offline access in the browser, prohibit mobile sync, and/or disallow access to email via POP/IMAP protocols. You can also disable automatic forwarding, to prevent people from forwarding email to other accounts. (If you used all of the above settings, people would need to access Gmail with a browser while online. Secure, yes, but likely not very convenient.)

Learn more from Google about offline Gmail access, mobile management (and sync), POP/IMAP access, and automatic forwarding settings.

Compliance and other security settings

You may configure Gmail to automatically delete or move email to “Trash” after a specific number of days. You may also configure a specific label to be used to prevent a message from being auto-deleted. For example, all emails labeled “keep” or “important” can be retained. People would need to apply the label to emails they wish to keep.

Some organizations choose to append a footer message to all email. Such footers typically contain either a legal notification or a marketing message. The contents of the footer can be customized by any G Suite Administrator.

You may also choose how Gmail accounts interact with other mail services. For example, you may prohibit “read receipts” from being sent. (Remember: “read receipts” may “leak” information as to when people read email.) You might enable mail delegation, to allow an executive to “delegate” an associate full access to the executive’s email account. Or, if your organization uses Google+, you might enable other Google+ users to contact people once via email, even if the recipient’s email address isn’t public. Salespeople and product managers may find this feature useful.

Learn more from Google about email retention, custom footers, read receipts, mail delegation, and email Google+ contact settings.

Learn more from Backupify about how to restrict, route, filter and archive Gmail with “Setting up external mail servers for G Suite”.

MOBILE (AND CHROME) DEVICE MANAGEMENT

Google offers Administrators several mobile device management tools beyond the standard lock, locate and remote wipe capabilities (covered in “How to secure a G Suite domain”). You choose which devices connect, define how they’re secured, and specify the WiFi networks they access.

Administrators control which devices can link and sync with an organization’s account. In most cases, you’ll want both Google Sync and Android Sync services enabled to allow iOS and Android devices to connect. (Android users should install the G Suite Device Policy app.) Some organizations may manage Chrome OS devices. Check a box to enroll (and manage) Chrome devices if your organization has purchased Chrome device management.

You may enforce password, encryption and application-related policies on many mobile devices. As Administrator, you can choose to require a device password, set a minimum password length, and select the time until a device locks. You also may choose to encrypt device data.

Some management features apply only to Android devices. For example, Private Channel allows your organization to distribute apps to Android users. An application auditing setting allows Administrators to view apps installed on managed devices. A WiFi networks setting lets you define wireless network settings (for devices running Android 2.2 or newer).

Learn more from Google about mobile device management or Chrome device management.

GROUPS FOR BUSINESS

As Administrator, you set the highest level of visibility allowed for Google Groups for Business: groups may be public or restricted to members of the organization.

You determine who may create groups: administrators, people in the organization, or anyone on the Internet. (Allowing anyone on the Internet to create a Group would be an unusual choice for many organizations.)

You also choose whether Group owners can allow members outside the organization. If not, an Administrator can add members from outside the organization to a group.

Finally, you select whether new Groups are visible in, or hidden from, the Group directory. And you may allow Group owners to hide Groups from the Group directory.

Learn more from Google about Google Groups for Business.

HANGOUTS

Hangouts offers both chat and video calling features. The service unifies communication across all of your devices. Users can message one another using Hangouts chat, which is enabled by default. Video calls between Hangouts and Microsoft Outlook can also be configured.

Hangouts security settings mostly block collaborative capabilities. An Administrator may prevent people from making voice and video calls, and/or block chat with Google Account users outside the organization. Other than that, an Administrator chooses whether chat history is “on” or “off” by default, but people may change this setting.

Learn more from Google on how to enable, configure and use Google+ Hangouts.

OTHER GOOGLE SERVICES

As an Administrator, you may enable (or disable) many other Google Services. These services are outside the “core” services, and include offerings such as the Chrome Web Store, Google AdWords, and many others. (To view these services, log in to the Administrator Control Panel. From the Dashboard, select “More” at the bottom of the screen, then choose “Other Google services”.) Review the entire list of “Other Google Services” and consider disabling services that your organization doesn’t use.

Most of the services offer only two options: enable or disable. However, two of these “other Google services” offer extensive security and configuration settings: Chrome Management and Google+.

Chrome management

Many G Suite apps work best when used in Google’s Chrome browser. For example, Chrome enables offline use of Gmail, Docs, Sheets, Slides and Drawings.

Chrome and G Suite work best together when people log in to Chrome with their G Suite account. (To log in to Chrome: select the three-line menu in the upper right, then choose “Sign in to Chrome”.) Since Chrome works on Linux, Mac and Windows systems, this provides a consistent experience across platforms.

As Administrator, you can control many Chrome settings for people in your organization. For example, you can auto-install specific Chrome apps and extensions, or disable the saving of passwords and/or browser history. You may also customize how Chrome handles content (e.g., JavaScript, pop-ups, plugins and more) and printing. There are many customizable Chrome settings. It may take some time to review them all, but since the settings apply to everyone in the organization, this is time well spent.

Learn more from Google about Chrome Policies for Users and how to Set up Chrome for Business.

Google+

If you’ve enabled Google+ for your organization, you choose the default setting for new posts: either restricted (viewable by other people in the organization), or public. People may change the setting, though.

Learn more from Google about Google+ features.

GOOGLE VAULT (FOR COMPLIANCE)

Google Vault adds email retention, search and export services to G Suite. As Administrator, you define retention rules. These rules define which emails are preserved, and for how long they will be preserved. A retention rule may preserve email for a specific organizational unit, during a defined time period, or containing specific words. Preserved emails may be searched and exported. (Note Google Vault is an added Google service, available on an additional per user per month fee basis.)

Learn more from Google about Google Vault.

G SUITE MARKETPLACE

The G Suite Marketplace offers hundreds of third-party apps that integrate with G Suite in various ways. Most of these apps integrate with Google’s “single sign-on”: you, the Administrator, add the app, then everyone in the organization can access the app from the Google Bar’s “More…” menu. (The Google Bar is the grid of nine squares in the upper right.)

Learn more from Google about the G Suite Marketplace.

Integration and data access required

Many apps require access to your organization’s G Suite data. Project management apps may connect to Calendar data. Flowchart apps may need access to Google Drive documents or photos. Mail merge apps often connect to spreadsheets. Review permissions required by each app carefully.

You should investigate the vendor, as well. Look at the G Suite Marketplace “star-rating” and verified reviews: is feedback generally positive? Pay attention to security details provided by the vendor, as well. For example, Backupify completed a Service Organization Control Type II (SOC 2) audit, the same as one of the security audits completed by Google. Remember, vendor assertions are helpful, but external audits are also necessary.

Learn more from Google about how to evaluate a Marketplace app’s security.

User tip: Review and revoke logins

If you suspect your account is being accessed elsewhere, follow these steps:

Login to Gmail on the web, then scroll to the bottom of the page. Look in the lower right corner.

You’ll see something like “Last account activity: 9 minutes ago”. Select the “Details” link.

This will display recent activity for your Gmail account on the web and other devices. Select “Sign out all other sessions” to log out of all locations other than your current session.

Then, go to https://www.google.com/settings/security to reset your password and review your security settings.

Review connected apps

In the G Suite admin control panel, select “Marketplace Apps” to see all Marketplace apps connected to your G Suite. Review connected apps periodically. Revoke data access and delete apps no longer needed by the organization.

Learn more from Google about app data access.

RESET, RECOVER AND REACH OUT

People forget passwords. Add user support contact information to your organization’s Company Profile so people can contact someone when this occurs. Administrators can reset a user’s password. All G Suite Administrators should add both a phone number and recovery email address to their accounts, so as to enable password recovery for Administrator accounts.

Data recovery

In some cases, deleted G Suite data can be recovered. Deleted Contacts may be restored to their state anytime in the prior 30 days (go to Contacts > More… (above main contact listing) > Restore contacts...).

In some cases, deleted email may be restored by searching the email Trash folder (if found, select the email then choose “Move to Inbox”).

A similar process may work for some deleted Drive documents: search the Trash folder, then select the item and choose “Restore”.

A deleted page on a Google Site may be recovered within 30 days. (Go to the Site > choose “More actions” > Select “Manage Site” > then choose the Deleted items tab > select the page, then choose “Recover”).

Not all deleted items can be recovered. For example, deleted Calendar Events cannot be recovered. Any item “deleted permanently” or “immediately” cannot be recovered.

Third-party solutions, such as Backupify for G Suite, make recovery of deleted Gmail, Calendars, Contacts, Drive documents and folders, and Sites possible.

LEARN MORE: G SUITE & SECURITY

Google’s teams continuously monitor and periodically modify G Suite to improve security. The team announces new features and changes on the G Suite blog. New features may mean new settings you need to review or change. Follow the blog to stay up-to-date.

For more information about G Suite, check out our complete series, Guide to G Suite:

● Guide to G Suite: How to setup your domain

● Guide to G Suite: How to secure your domain

● Guide to G Suite: Setting Up External Mail Servers

CONCLUSION

While Google is protecting all the bits of data in your company’s domain, it’s critical to configure the right privacy and security settings for your business. After the basics are checked off, it’s necessary to meticulously go through all the G Suite settings, ensuring the right amount of access for employees. It’s a lot easier to enjoy the benefits of G Suite once your data is secure.
