3 sets of G Suite security and privacy settings every admin should review

As Google Drive, Team Drives, and G Suite evolve, G Suite administrators may choose to configure security and privacy settings to meet a wide range of customer preferences.

G Suite administrators may select from a wide range of settings that control the privacy of new G Suite files, sharing settings on Team Drives, and security requirements for account sign-ins.

Many organizations prefer the default options for these three sets of settings, which result in:

    • New G Suite files that are private, viewable only by the creator of the file
    • Team Drives that allow files to be shared externally
    • 2-step authentication that is optional

    But different organizations may choose dramatically different defaults. For example, one organization I worked with had been accustomed to files stored on a Windows server, on-site, with the server configured to allow access only from systems connected via Ethernet. But once an account signed-in, nearly all files were available to everyone: Few files or folders on the server were private. As this organization transitions to G Suite, they would like their G Suite settings to reflect their current security and privacy preferences.

    Here's a look at how each of these three sets of G Suite settings affect security and privacy. (Note: To adjust each of these settings, you'll need to sign-in at https://admin.google.com with a G Suite administrator account.)

    1. New G Suite files: Private or public?

    By default, G Suite makes each new Google Doc, Sheet, or Slide that people create private—only able to be accessed by the person who created it.

    But a G Suite administrator may choose to make new G Suite documents findable by other people in the organization, instead of private by default. After this change, when you search Google Drive, your search results will show documents created by colleagues. Essentially, with this setting, each new document will be public—within the organization, not the world!—by default. People may still change a Doc, Sheet, or Slide to be private, of course.

    (To adjust this setting, go to Admin console > Apps > G Suite > Drive and Docs > Sharing settings > Link Sharing Defaults, then choose "OFF," "ON - Anyone at <your organization> with the link," or "ON - Anyone at <your organization>.")

    Screenshot of G Suite Link Sharing Default settings (top: off, bottom: on)

    By default, newly created G Suite files are available only to the owner. But a G Suite administrator may choose to allow anyone in the organization to find and access these files by default.

    2. Files on Team Drive: Internal-only or shareable externally?

    Files on a Team Drive may be accessed by all team members. As team membership changes, you add or remove team members. When an administrator adds a member to a Team Drive, the member gains access to the files on that Team Drive. And when an administrator removes the member from the Team Drive, they lose access to the files on that Team Drive—but all the files on the Team Drive remain.

    A G Suite administrator can create Team Drives that either promote privacy or encourage sharing. The default Team Drive settings encourage sharing: People outside the organization may be allowed access, files on the Team Drive may be shared with non-members, and content may be downloaded, copied, or printed.

    But a G Suite administrator also may adjust a Team Drive's settings to promote privacy. For example, the admin may adjust the setting to limit membership to people in the organization, to restrict access to members-only, and to constrain downloading, copying, or printing by commenters and viewers.

    Importantly, I suggest that most members of a Team Drive be allowed "Edit access," instead of "Full access." This lets people add and edit files, but ensures they can't delete or remove data.

    (To adjust settings for a Team Drive, go to Admin console > Apps > G Suite > Drive and Docs > Manage Team Drives > then select the sprocket on the right-side of the screen next to the settings for the Team Drive you want to manage. You may manage sharing, access, and content controls for each Team Drive.)

    Screenshots that show sets of Team Drive configuration options, take from G Suite admin Manage Team Drives screen.

    A G Suite administrator may adjust settings for each Team Drive separately. The top image shows a Team Drive configured to allow external sharing, non-member access, along with permissive content controls. The bottom image shows a Team Drive intended for internal-only use: No external sharing, no non-member access, yet still with permissive content controls.

    3. 2-step verification: Required or optional?

    In almost all cases, a G Suite administrator should choose to "Allow users to turn on 2-step verification." This will require people to sign-in with their account name and password, then approve access. The "approve access" step may be via Google prompt from a phone, an authenticator app, an SMS message, or a security key.

    However, an administrator may choose several advanced security settings that significantly restrict account access. These options include:

    • Enforcing 2-step verification (for all accounts, or accounts in a specific organizational unit)
    • Requiring a security key for access
    • Requiring 2-step verification for every sign-in (as opposed to periodic verification on a trusted device)

    (To enable 2-step verification, go to Admin console > Security > Basic settings > Two-step verification > check the box to "Allow users to turn on 2-step verification." Follow the link below this box to "Go to advanced settings to enforce 2-step verification" to manage enforcement.)

    Screenshot of G Suite advanced 2-step verification configurations.

    After a G Suite administrator enables 2-step verification, they may also adjust advanced security options, such as requiring 2-step verification for some (or all) accounts, requiring the use of a security key, or requiring verification for every sign in. (Top image: More permission settings shown; bottom image: More restrictive permissions selected.)

    Distinct choices: Which settings do you use?

    The client organization I mentioned near the beginning of this post will make very different choices than I typically select for an organization. They'll configure new Google files to be able to be found by other people in their organization by default. They'll move all of their files and folders to a Team Drive, with all members of the organization as members with "Edit access" (and just a couple people with "Full access"). And they'll require 2-step authentication, but only require a security key for G Suite administrator accounts.

    How does your organization configure these three sets of settings? Are new G Suite files private or findable by default? Do you have different Team Drives with different default settings? And do you require security key use for some, or all, accounts? Let me know in the comments or on Twitter (@awolber).

    Also see

    Illustration shows G Suite file (public/private), Team Drive (external sharing/internal only), and Password settings (2-step verification optional/required).
    Illustration: Andy Wolber / TechRepublic