Importance of Google Drive encryption can be found in data breach report:
As per breachlevelindex1 more than 9.7 Billion records have been lost or stolen since 2013. “ONLY 4% of breaches were “Secure Breaches” where encryption was used and the stolen data was rendered useless”!
Encryption is the process of encoding a file with a password key so that only a person with the same password can open that file for view or edit. Any unauthorized person with access to that file cannot open or read the file in an intelligible way. Google Drive Encryption software encodes files and folders present in the drive.
What is Google Drive file encryption?
You can encrypt a file with a password using Google Drive encryption application. This application can be installed on your Google Drive account or for your entire domain by any G suite Administrator.
What is Google Drive folder level encryption?
You can also encrypt an entire folder with a password using Google Drive encryption application. The same password applies to all files within the folder. Files placed within that folder are automatically encrypted. This is very helpful for the team of people working together as they can share the common password and collaborate on sensitive data files.
Can you encrypt Google Team Drive files and folders?
Yes, you can encrypt any file or folder you own, as well as any file or folder you own that is present in Team Drive.
Why encrypt Google Drive files?
Does Google Drive encrypt files?
Security is a shared responsibility between organization users and Google. Google for its part encrypts & secures files. However, 95 % of security breaches happen due to user errors due to various scenarios as explained below.
Data theft and leaks
When a user accidentally or deliberately shares Google Drive files containing sensitive data to other users (insiders or third parties) or attackers (phishing), it leads to data leaks and theft. A survey published by Biscom4 in 2015 found that 87 percent of employees take the data they created over the course of their employment when they leave, and 28 percent take data that others had created. Google has no way of knowing which of your users with valid credentials are stealing business data in your organization’s Google Drive.
Laws & regulations
Laws like HIPAA, SOX and PCI regulation require that sensitive information is encrypted with strong keys. Non-compliance results in heavy fines and possible jail terms.
Successful phishing attacks cause users to mistakenly send sensitive drive document links and access permissions to attackers giving them access to sensitive data.
Users install third-party Google Drive applications such as a file editing app or games. Some of these third-party apps request permissions during installation and gain access to the Google Drive content which may include sensitive data.
Ransomware bots are always looking to compromise user’s Google G Suite account login credentials using phishing and spyware. Once successful in gaining Google Drive account entry, they encrypt files using custom Google Drive apps(installed by them) and demand ransom in exchange for the password to decrypt files.
A real-life attack example
In May 2017, millions of users were attacked by an email asking users to “edit a Google Drive document“ which, when clicked, took users to a Google Drive app install page. Once installed the application gave the third party full access to the Google Drive contents.
Figure 1 A Real Life Example
For above-mentioned reasons, it is highly recommended that organizations use Google Drive encryption software to secure their sensitive data.
Google Drive Security & Role of Drive Encryption
Encryption of sensitive data is a must have to ensure the security of your organization’s Google Drive. While you may have data loss prevention, phishing and other security software in place, the absolute protection guarantee comes ONLY from encryption since it renders any leak or theft harmless.
Types of Google Drive Encryption
Drive encryption at rest
Drive encryption at rest refers to files which are not moving across users.
There are 2 levels of security here:
- Default Behavior: Once users log in to their Google Drive account successfully and try to access a file, then it is unencrypted and presented for view or edit. No further file specific password keys are required. This basic level of login security is a default Google protection.
- With Drive Encryption Software: Files encrypted by using drive encryption software ask users to password keys before opening the file. This is an additional level of security helps in the event that the default level is compromised.
Drive Encryption in Transit
Second is drive encryption in transit whereby Google Drive file links or attachments are sent to other users (both outside and inside the domain).
There are 2 levels of security here as well:
- Default Behavior: If the receiver has access permission (authorized or unauthorized), then the file is unencrypted and presented for view or edit. No further file specific password keys are required.
- With Drive Encryption Software: Files encrypted by using drive encryption software requires the receiver to input the password before opening the file regardless of whether the receiver has access permission.
How to encrypt Google Drive files and folders with passwords?
You need to follow these steps:
Search Google Apps Marketplace for Google Drive Encryption apps. For example, for SysCloud’s Security App, please Click here as given below:
Install any Google Drive Encryption application on your Google Drive from G Suite Marketplace
After installing the Google Drive Encryption application, go to the file in Google Drive.
Right-click file and click “Encrypt”. Then provide the password you want to use as shown below:
Where can I find Google Drive encryption applications and software?
How do you open an encrypted file?
Do I have to enter the password each time to access my encrypted files?
Owners of files need not enter the password to access their files. Other users having access to this file will need to provide the password to open the file.
Can the file being edited be again encrypted?
Files which are inactive are encrypted again automatically within minutes by the Google Drive Encryption software.
How do you decrypt a file?
Files can be decrypted by providing the password. Files can also be opened by G suite administrators after resetting the password or removing encryption from Google Drive encryption software console. For example, as given below for SysCloud Google Drive Encryption Application:
Encryption within and outside Organization
Google Drive encryption software must work even when encrypted files are shared outside the organization
How does it work? What does Google Drive encryption do?
The process of encryption involves making a copy of the original and encrypting that, then deleting the original. The Google Drive encryption software uses encryption algorithms to do this.
Can I send encrypted files to people outside my organization?
Yes, you can send Google Drive encrypted files or encrypted file links to users outside your organization.
How can an external receiver open the encrypted file?
They would need to install the encryption software on their G suite Drive account or Gmail account. Then open the file with the password you have given to them.
What are the risks using Google Drive encryption software?
If the Google Drive encryption software does not have a way for G Suite admins to reset password or remove encryption, there could be a risk of losing access to files when owners of files leave the company or have lost or forgotten passwords. SysCloud Drive encryption allows admin to reset keys across all users in the domain.
The other risk is the maker of the encryption software themselves being compromised by attackers thus exposing all their customers. SysCloud Drive encryption software uses a combination of private key(which the only customer has) with the public key(specific to a customer) thus giving absolute protection and eliminating risk.
Stop data leaks & theft
Encrypting Google Drive files is the only way to keep your sensitive Google Drive documents 100 % data leak & theft proof!
Meet regulatory law requirements
Drive Encryption is mandatory for compliance with laws and regulations including HIPAA, SOX, and PCI.
Convenience and peace of mind
Encryption allows an organization to rest assured that their sensitive valuable data is safe regardless of any data breach. Also, Folder level encryption allows a team to share a common folder(s) where they can place sensitive data and use the common password for decrypting/encrypting. This strikes a good balance between convenience & security.
Is Google Drive encryption secure & always on?
Encrypted file key management
The user holds the password keys and G suite admins can reset or remove encryption. It is recommended to always have strong passwords.
Backup & restore of encrypted files and folders
The backup and restore of the encrypted files and folders will be in encrypted form.
Disaster recovery & high availability
What happens if Drive encryption service is unavailable or offline? Can users still open the file?
Drive encryption application online service must have primary and secondary sites. For example, SysCloud primary site app.syscloud.com is disaster-ready with high availability. Also, in the rare case that all primary site servers are down, a second site will always be running as failover site to decrypt the files.
Encryption Management FAQ for G Suite Admins
Is there a way to decrypt or change ownership and still have encryption in place?
i.e. if a user account is suspended and we change ownership of their drive files.
Encryption software like the one from SysCloud has an option to change the password by admin. Either single or in bulk. This is done by removing encryption and encrypting again with the new password. In SysCloud Google Drive Encryption application console, G Suite admins can filter by owner in the documents report under DLP menu option for encrypted documents and do this.
How is encryption affected when the file owner G suite account is suspended?
File owners who are suspended cannot access files. Collaborators will be able to access the files by entering the password.
Can G Suite administrators decrypt files and folders in bulk across the domain?
G Suite admins can remove/add encryption item (file or folder) wise or in bulk.
Google Drive encryption and Google Drive Sync
Can Google Drive sync still be used along with Drive encryption?
If an encrypted file is synced to the local machine, is there a process to decrypt it off-line, or does that only work via Drive web interface?
Drive encryption works only with Drive web interface. If you want the decrypted content on the local machine then you should decrypt it online and sync it.
Sign up here to receive our encryption software for Google Drive for free.
- SysCloud Google Security and Backup Application
- Biscom Survey
Author’s note: Thank you for reading this article. If you have any feedback, please feel free to write to me at email@example.com