Google Apps

Five ways to make Google Apps safer

David Politis suggests five specific and practical steps you can take to make your enterprise installation of Google Apps more secure.
By David Politis

Moving your messaging and collaboration systems from a legacy software platform to Google Apps is a big change that can impact budget, staff and productivity. As with any new IT platform, change implies risk, and security - particularly in the cloud - is the greatest risk of all. Suddenly, your most sensitive documents seem to be floating around on the web. And although they're protected, they're also no longer locked down inside your firewall, and that's no small consideration. So, as an IT professional, how can you make Google Apps safer for your business - and CYA in the process?

Here are five suggestions:

1. Enable two-factor authentication

Employee negligence may be unavoidable, but it can definitely be minimized by enforcing two-factor authentication across your domain. Two-factor authentication in Google Apps provides added security by requiring two layers of identity, something you know (your password) and something you have (a PIN number on your phone), in order to access any part of Google Apps.

You can enable two-factor authentication in the Google Apps Control Panel, under Advanced Tools in the Authentication section.

Figure A

Enable two-factor authentication in the Google Apps Control Panel

2. Correctly delegate administrative controls

As an IT administrator, you need to make sure you're giving the right level of access to the right users and members of your own department. Administrative delegation gives specific access levels to specific users, effectively narrowing the scope of control so IT team members don't have more access than required to perform their job.

For example, if a company has a satellite office in India, but the IT help desk is located in California, there will often be time zone issues with IT tickets. But something as simple as resetting a password can be done by almost anyone. With delegated administration, a super administrator can appoint a delegate in the satellite office to reset passwords when necessary.

Figure B

Administrative delegation can be configured in the Control Panel under Domain Settings

Administrative delegation can be configured in the Control Panel under Domain Settings, and then Admin Roles. You can define roles here, and then assign those roles to users in the Organization and Users tab.

3. Suspend user accounts immediately as part of the deprovisioning process

Another must for system administrators in Google Apps is suspending a user's account as soon as he or she leaves the organization. Be careful to first suspend the user, as deleting their account will also delete every asset they own.

To suspend a user, find them in the Organization & Users tab. Once viewing their individual profile, select "Suspend User" in the top right hard corner of the Control Panel.

Figure C

Suspend user accounts immediately
Caution: After suspending a user, but before deleting them, you will need to transfer ownership of that user's assets, including Docs, Sites, Calendars and Groups, to a new owner. You can transfer ownership of Docs through the Google Apps Control Panel (under Advanced Tools), but to transfer Docs collections to certain people or to transfer Sites, Calendars and Groups ownership, you'll need a third-party application from the Google Apps Marketplace. Find one by searching for "transfer sites ownership" or "transfer groups ownership" etc.

4. View and correct data sharing

After transferring ownership, you'll need to take a full inventory of the assets in question and determine if any shared users should be removed. Depending on how the company and employee parted ways, you may make some interesting discoveries, like repeated sharing with personal email accounts. Obviously, that's not very secure.

Figure D

Correct data sharing

While searching for sharing violations often comes to mind when an employee leaves the company, it makes even more sense to perform this analysis regularly for your entire domain. That way, you're ahead of the game when it comes time to deprovisioning a user, as you've already caught and corrected any violations. Most of this functionality is not native in Google Apps, so head over to the Google Apps Marketplace and search for "Google Docs inventory" where you'll find a few third-party options.

5. Limit Group Owner settings

Finally, I recommend restricting Google Group owners from allowing members outside of your domain into your employees' Groups. Allowing external Group sharing limits your visibility into how assets are shared both internally and externally, so Docs you may think are private, may actually be shared with non-employees. And the only way to know this is to check the sharing settings of every single Group. So take the proactive approach and limit Group Owner settings initially.

Go to the Control Panel under Settings and then Google Groups for Business Settings.

Figure E

Limit Group Owner settings

Google Apps provides users unheard of real-time collaboration, but so much sharing can compromise your organization's security. By following a few simple protocols, you can be sure your employees are getting the most from Google Apps, while also maintaining a safe and secure domain.

Also read:

About the author: David Politis is the co-founder and CEO of BetterCloud, the leading provider of Google Apps extensions that provide comprehensive security and management for Google Apps. Follow David on Twitter @DavePolitis and BetterCloud @bettercloud.
1 comments
Mark W. Kaelin
Mark W. Kaelin

Comments in this blog's forums often talk about security when it comes to Google Apps. David Politis has suggested five ways to increase security ??? do you have more suggestions and tips for your peers?

Editor's Picks