2FA, context-aware access and more should be used…
Google is ranked a leader in Gartner’s Magic Quadrant for Content Collaboration Platforms (CCP), and with more and more businesses using its tools, Computer Business Review decided to look at Google Drive security. Here five Google Drive security features to help give your business peace of mind.
Google Drive Security: 5 Things to Consider
1: Context Aware Access
Google is continually testing and rolling out new features that give administrators higher degrees of control over the security of Google’s platform. One such feature is Context Aware Access control over G-suite and Drive access.
Admins using G-Suite can turn on or off user access to Google applications such as Drive, however this is a bit of a blunt instrument which gives no contextual information to the security team. With dynamical control, admins can manage access to the drive based on a user’s identity, device security status and IP address.
This level of control allows admins to established different access levels based on the context of the user request. For example it can be set up so only users with a corporate-owned device or originating from a corporate IP address can access data on the shared Google Drive.
Context Aware Access can also be used to give such context-aware access to Google tools such as Gmail, Calendar, Drive, Docs, Sheets, Slides, Forms, Sites, and Keep.
Google Drive security uses two forms of encryption when a user stores data. Importantly data is encrypted the moment it leaves a user’s device, before it reaches Google’s servers. First data is encrypted using the common TSL standard, as Google forces HTTPS on all data that is in transit. When moving data to its servers Google Drive will decrypt that data and then re-encrypt it using 256-bit AES keys. Data at rest is encrypted using 128-bit AES keys.
Google Security wrote in a blog that: “Encryption at rest reduces the surface of attack by effectively “cutting out” the lower layers of the hardware and software stack. Even if these lower layers are compromised (for example, through physical access to devices), the data on those devices is not compromised if adequate encryption is deployed.”
To some users’ chagrin, Google doesn’t have an option to encrypt individual documents. But users can encrypt them prior to upload if they see fit, using the encryption tool in Microsoft Word, for example; File > Protect Document > Encrypt with Password.
3: Setting Up 2FA
Everyone’s starting point for Google Drive Security should be to initiate Two-Factor Authentication (2FA). It is not difficult to set up. https://www.google.com/landing/2step/
With 2FA enabled every time a users logins from a new device an alert/request is sent to their phone to confirm they’re trying to log in. “What if I lose my phone?”
You can set a back-up device, i.e. your line manager’s phone, partner’s phone; IT’s phone… Not keen on that idea? Google lets you print out 10 one-time passwords in old-fashioned paper, to keep in a safe.
4: Advanced Protection
Google offers an advanced level of 2FA under its “advanced protection” programme for targets like journalists or indeed, CISOs. This requires a physical 2FA key. Admins can make certain staff who may be particular phishing or BEC targets require “advanced protection” in the admin console. Titan Security Keys meanwhile are a 2FA access device that contain a hardware chip loaded with Google security firmware that the company uses to establish the integrity of the key.
The Titan key works with nearly all popular devices and browsers and uses protocols developed by the FAST Identity Online (FIDO) Alliance. With FIDO the authentication is done by a client device which proves it holds the private key.The key can either be a USB or a Bluetooth key and Google have long touted them as the surest way to stop phishing attacks against an organisation.They’re not bulletproof, but they help..
5: Machine Learning-Powered Anomaly Detection
Google recently finished a beta run of an anomalous alert activity tool for Google Drive.
Google researchers wrote in security blog that: “Our machine learning models analyze security signals within Google Drive to detect potential security risks such as data exfiltration or policy violations related to unusual external file sharing and download behavior.”
As a result administrators will be alerted to security risks happening within Google drive. These alerts are sent to the Google alert centre where security workers can launch a mitigation effort to minimise the risk of an occurring threat.
Expect to see the learnings of that deployed more broadly soon.