Top 3 Critical Security Mistakes When Configuring a Google Apps Domain

When the wrong users can access sensitive files, one unhappy worker or spear phishing attack could lead to a breach. Also, lost or stolen phones become disastrous when the phone has access to critical data. Google Apps domain management offers granular controls for enterprise data security, but too many admins rely on default settings. Refining your domain configuration will help you prevent these three Google Apps security oversights.

With organizational units, you can restrict Apps access and limit functions like mobile device access and remote Gmail access. Instead of creating organizations first and then assigning people, let user requirements dictate which organizations you create: Start with a master list. List each person’s name, job title, the Apps they must access based on job title and each person’s authority level.

Group similar personnel into organizations. Create organizations in a way that makes sense based on your master list. Organize people by department or by function depending on what’s easiest to manage.

Fine-tune with sub-organizations. By default, each sub-organization inherits the parent organization’s settings. Override the default settings to turn off individual apps or customize policies for sub-organizations.

To set mobile policies for each organization and sub-organization, like requiring a mobile password for all users, go into Device management > Device management settings. To manage Apps access and settings, click Apps and then select the App that you want to customize. Under Gmail’s advanced settings, for example, you can disable both automatic forwarding and POP/IMAP access to keep data from being sent outside your organization. If you enable Offline Gmail, remind users never to install it on public or shared computers.

If you’re using another organization for SSO, then you’ll need to set up MFA with your provider. Without an outside provider, you can set up SSO within your Admin console by clicking Security > Basic settings and checking off Allow users to turn on 2-step verification.

One best practice for rolling out MFA is to sort a small group of personnel into a pilot organizational unit, or sub-organization. Putting high-level managers into this pilot organization sets up immediate protection for the company’s most sensitive data. Also, it gets management to cheerlead for MFA when you roll it out company-wide. To get started, allow MFA for the pilot organization, ask users to enable it and then enforce it during the test period. After the pilot, set a company-wide enforcement start date, and train all end users to set up MFA.

A final tip: Anticipate extra help desk calls on your enforcement date. Users who haven’t set up MFA will be locked out of their accounts.

Offline Drive access lets users work remotely. However, lost or stolen devices with online Drive access could lead to a data breach. The legitimate need for offline Drive access depends on each user’s job title. Improve Google Drive security by limiting remote access.

Go into Apps > Drive > General settings to enable or disable offline Drive access. Within General settings, you can also choose whether users can download and install Google Drive on their devices. The same menu lets you determine whether third-party apps can access Drive. You can improve Google Docs security by limiting add-ons like mail-merge apps.

Go beyond the default settings when configuring your Google Apps domain. By enabling MFA, leveraging organizational structure tools and customizing Drive settings, you’ll prevent costly and embarrassing data breaches.