When the wrong users can access sensitive files, a single disgruntled employee or spear-phishing attack can lead to a breach. Lost or stolen phones become disastrous when the phone has access to critical data. Google Apps domain management offers granular controls for enterprise data security, but too many admins rely on the default settings. Refining your domain configuration will help you prevent these three Google Apps security oversights.
1. Not Harnessing the Power of Organizational Units
With organizational units, you can restrict Apps access and limit functions like mobile device access and remote Gmail access. Instead of creating organizations first and then assigning people, let user requirements dictate which organizations you create:
Start with a master list. List each person’s name, job title, the Apps they must access based on job title and each person’s authority level.
Group similar personnel into organizations. Create organizations in a way that makes sense based on your master list. Organize people by department or by function depending on what’s easiest to manage.
Fine-tune with sub-organizations. By default, each sub-organization inherits the parent organization’s settings. Override the default settings to turn off individual apps or customize policies for sub-organizations.
To set mobile policies for each organization and sub-organization, like requiring a mobile password for all users, go into Device management > Device management settings. To manage Apps access and settings, click Apps and then select the App that you want to customize. Under Gmail’s advanced settings, for example, you can disable both automatic forwarding and POP/IMAP access to keep data from being sent outside your organization. If you enable Offline Gmail, remind users never to install it on public or shared computers.
How organizational structure works
How to add an organizational unit
How to turn Google Apps services off and on
2. Failing to Enable MFA
If you’re using another provider for SSO, then you’ll need to set up MFA with that provider. Without an outside provider, you can enable MFA within your Admin console by clicking Security > Basic settings and checking off Allow users to turn on 2-step verification.
One best practice for rolling out MFA is to sort a small group of personnel into a pilot organizational unit, or sub-organization. Putting high-level managers into this pilot organization sets up immediate protection for the company’s most sensitive data. Also, it gets management to cheerlead for MFA when you roll it out company-wide. To get started, allow MFA for the pilot organization, ask users to enable it and then enforce it during the test period. After the pilot, set a company-wide enforcement start date, and train all end users to set up MFA.
A final tip: Anticipate extra help desk calls on your enforcement date. Users who haven’t set up MFA will be locked out of their accounts.
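One way to find those lockout candidates before the enforcement date, as an added example that is not part of the original article: the user records below are constructed, shaped like the Admin SDK Directory API User resource (primaryEmail, orgUnitPath, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended); in practice they would come from directory.users().list(), and the org unit names are hypothetical.

```python
# Added example (not from the original article): pre-enforcement MFA audit.
# Given user records shaped like Google Admin SDK Directory API User resources,
# report which active users in an organizational unit (or its sub-organizations)
# have not yet enrolled in 2-step verification and would be locked out once
# enforcement starts.
from collections import defaultdict

def in_org_unit(user_path: str, ou_path: str) -> bool:
    """True if user_path is ou_path itself or a sub-organization beneath it."""
    ou = ou_path.rstrip("/") or "/"
    if ou == "/":
        return True  # root OU: every user is in scope
    # The trailing slash check keeps "/MFA Pilot2" from matching "/MFA Pilot".
    return user_path == ou or user_path.startswith(ou + "/")

def mfa_lockout_report(users, ou_path="/"):
    """Return {orgUnitPath: [emails]} of active, in-scope users not enrolled in 2SV."""
    report = defaultdict(list)
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in anyway
        if not in_org_unit(u["orgUnitPath"], ou_path):
            continue
        if not u.get("isEnrolledIn2Sv", False):
            report[u["orgUnitPath"]].append(u["primaryEmail"])
    return {ou: sorted(emails) for ou, emails in report.items()}

# Constructed sample data (hypothetical accounts and OU names, not a real domain).
SAMPLE_USERS = [
    {"primaryEmail": "cfo@example.com", "orgUnitPath": "/MFA Pilot",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "vp.sales@example.com", "orgUnitPath": "/MFA Pilot",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "intern@example.com", "orgUnitPath": "/MFA Pilot/Contractors",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "former@example.com", "orgUnitPath": "/MFA Pilot",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": True},
    {"primaryEmail": "dev@example.com", "orgUnitPath": "/Engineering",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
]

if __name__ == "__main__":
    # Scope the report to the pilot OU; sub-organizations inherit the enforcement.
    for ou, emails in mfa_lockout_report(SAMPLE_USERS, "/MFA Pilot").items():
        print(f"{ou}: {', '.join(emails)}")
```

Running the report against the whole domain (ou_path="/") before the company-wide date gives the help desk its expected call list.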
How to set up sub-organizations in Google Apps
How to enable 2FA (for your end users)
3. Not Disabling Offline Drive File Access
Offline Drive access lets users work remotely. However, lost or stolen devices with offline Drive access could lead to a data breach, because the files are cached on the device itself. The legitimate need for offline Drive access depends on each user’s job title. Improve Google Drive security by limiting remote access to those who need it.
Go into Apps > Drive > General settings to enable or disable offline Drive access. Within General settings, you can also choose whether users can download and install Google Drive on their devices. The same menu lets you determine whether third-party apps can access Drive. You can improve Google Docs security by limiting add-ons like mail-merge apps.
How to control third-party application access to Drive
How to enable Google Docs add-ons
Take Control and Manage Your Google Apps Domain
Go beyond the default settings when configuring your Google Apps domain. By enabling MFA, leveraging organizational structure tools and customizing Drive settings, you’ll prevent costly and embarrassing data breaches.