Google Workspace security features every business should know about
“Google Workspace is secure by design” as a Google Workspace user you've probably heard this sentence more than once.
The suite of office tools is built from the ground up to comply with even the strictest security requirements of industries such as finance, healthcare, education etc out of the box. Google gets its products regularly audited and verified for example for SOC 2, FISC, PCI DSS, ISO 27001, ISO 27017, ISO 27018, HIPAA, GXP, HITRUST CSF, and way more. (Full list of compliance resources can be found here)
So why is there still so much distrust towards it, especially in security-sensitive industries?
Well, the bad news is, technology unfortunately isn't everything. It all comes down to people. Let me try to explain:
Google provides you with the option to have a layer upon layer of security from any angle you can think of so that your business stays compliant with the requirements of your industry. Let me emphasise the word “option” again.
They also give you full control over your own data and your domain settings. It's up to you as your domain admin to decide how many layers of the “security onion” your business needs and then actually press the button and switch them on. Google won't do it for you.
The good news is that your Google Workspace licence most likely already includes all the features you need. Depending on the type of licence you have right now, it might even cost you zero. Or you might even realise that the fancy software you were planning to deploy next month won't be needed at all as you'll find the same features within Google Workspace.
All in all, knowledge is power, and I truly believe that knowing some of the features Google Workspace offers out-of-the-box might just save you a lot of headaches. So let's get to it:
Control the context of how users access your company data with Context-Aware Access
Using Context-Aware Access, you can create many layers of the “security onion” by setting up very specific policies for gaining access to your company data. As the name would suggest, this security feature gives you control over which apps a user can access based on their context, such as whether their device complies with your IT policy. You can set up these policies yourself based on attributes such as user identity, location, device security status, and IP address.
Some examples of a policy could be:
- Allow access to apps only from company-issued devices.
- Allow access to Drive only if a user storage device is encrypted.
- Restrict access to apps from outside the corporate network.
- Allow access only from devices with the latest version of the OS installed.
You can also combine more than one use case into a policy. For example, you could create an access level that requires app access from devices that are company-owned, encrypted, and meet a minimum OS version. Access for apps is evaluated continuously after access is granted. The exception to this rule is SAML apps, which are evaluated on sign-in.
You can still set other policies, such as 2-Step Verification, for all organizational units or group members. Context-Aware Access provides additional granular and contextual controls for those users.
What does it mean in practice?
Say, you want to introduce BYOD (Bring Your Own Device) policy to allow your team to work from anywhere. People would most likely have a real problem (and rightfully so) to allow you to have full control over their personal devices with endpoint management. Setting up Context-Aware Access will allow you to have full control over your company data without compromising your employees’ privacy.
Modernize your IT and strengthen security with Cloud Identity
In the cloud environment, the security perimeter has become dispersed and elastic, wrapped around each user and device. Moreover, ‘users’ no longer refers to simply employees, but also vendors, partners, contractors and customers. Each of these groups has its own requirements for access to different information and applications. In the ever-evolving ecosystem of users, apps, and devices, traditional identity and access management approaches aren’t sufficient anymore. These approaches were built for the on-premise world (think cumbersome VPNs, limited device access and inconvenient authentication), instead of today’s cloud-first world.
Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups. You can configure Cloud Identity to federate identities between Google and other identity providers, such as Active Directory and Azure Active Directory.
When you adopt Cloud Identity, you create a Cloud Identity account for each user and group. You can then use Identity and Access Management (IAM) to manage access to Google Cloud resources for each Cloud Identity account.
Cloud Identity integrates with hundreds of cloud applications out of the box—and we’re constantly adding more to the list so you can count on us to be your single identity platform today and in the future. See current list
What can you do with Cloud Identity?
- Defend your organization with Google’s threat intelligence signals and BeyondCorp security model
- Help protect your user accounts and company data with a wide variety of MFA (Multi-factor authentication) verification methods such as push notifications, Google Authenticator, phishing-resistant Titan Security Keys, and using your Android or iOS device as a security key.
- Enforce phishing-resistant FIDO security keys to protect your high-value users
- Take advantage of the Security Center, which provides analytics, actionable insights, and best practices.
- Extend your on-premises directory to the cloud with Directory Sync
- Enable access to traditional apps and infrastructure with secure LDAP
- Automatically synchronize user information with HR systems of record.
- Improve your company’s device security posture on Android, iOS, and Windows devices using a unified console.
- Set up devices in minutes and keep your company data more secure. Enforce security policies, wipe company data, deploy apps, view reports, and export details. (Endpoint Management)
- Save employees time with one-click access to all of their work apps (SSO- Single Sign-On)
- Enable users to manage their own accounts on virtually any device, anywhere.
Cloud Identity is available as a stand-alone product with different pricing tiers based on which features you need. The great news for Workspace users is that all of the Cloud Identity features, as well as Context-Aware access, are already included in the Enterprise licence of Google Workspace. Other tiers provide you with some of them.
Choose the geographical location for your data with Data Regions.
There are many reasons why some industries are more concerned than others about where their data is actually stored in the world. Google has servers all around the Globe and as an administrator, you can store your covered data in a specific geographic location by using a data region policy. Your geographic location options are the United States or Europe.
Enterprise data regions policy option is included with an Enterprise Plus subscription. Fundamental data regions function is included with Business Standard, Business Plus, Enterprise Standard, and Frontline Edition. To compare these features,
If you'd like advice on which tier to choose, don't hesitate to get in touch. We'll be happy to answer all the questions you might have. We can also provide you with a thorough security audit and Admin security training to make sure your Google Workspace is set up correctly.