Virtru Security Insights

Join 10,000+ Security Professionals Who Receive Our Content Every Month

Google Drive Security: Native Features And Gaps

Getting the Most Out of Google Drive – Part 2 of 3.

Native Google Drive security in the G Suite Business and G Suite Enterprise SKUs gives organizations basic data protection functionality. However, many enterprises enact a defense in depth strategy with layered protection beyond native Google Drive security.  The majority of G Suite customers in highly regulated industries add enhanced security and control functionality to ensure private, controlled file sharing workflows in Google Drive.

How Google Drive Protects Your Data (and How It Doesn’t)

Google Drive Encryption in Transit 

Google Drive uses Transport Layer Security (TLS) to protect data in motion and prevent eavesdropping and tampering. TLS secures the communication pathway that allows you to create, edit, and share documents in Drive. While helpful as a baseline security measure, TLS doesn’t protect the data itself, only the communication channel, so you don’t get persistent protection and control over a Drive document throughout its full lifecycle. Files become vulnerable once they are shared outside the Google ecosystem, and with each additional share, risks multiply.

Data leak risks are highest when users create open link shares, which allow anyone on the internet to access the document via a public URL. Careless external collaborators may forward this link to unwanted third parties, who can then forward the link to other unauthorized users, drastically increasing your risks for data loss.  In this scenario, TLS encryption does nothing to prevent unauthorized access to your Drive files.

Google Drive Encryption at Rest

Google encrypts data at rest by breaking it into shards, encrypting each shard with an encryption key, then rewrapping that key with another encryption key. Despite these protections, it’s important to mention two things. First, data at rest is only one click away from becoming data in motion due to Google Drive’s rapid collaboration workflows. So even with these state-of-the art encryption practices, you’re still vulnerable to data loss as documents are shared externally. And second, Google Drive’s encryption at rest doesn’t keep your data truly private – Google still has access to your data and controls the keys protecting it.

When to Add Security Layers to Google Drive for Defense In Depth

Drive files often contain regulated personal information and corporate private data, so regulatory compliance and corporate privacy are chief concerns for organizations adopting G Suite or evaluating Google Drive security. A defense in depth approach with layers of additional protection and control is necessary in many cases.

Regulatory Compliance

G Suite can support the requirements of organizations subject to requirements for the Health Insurance Portability and Accountability Act (HIPAA) by signing a Business Associate Agreement (BAA) with Google. However, the responsibility ultimately falls on customers to organize their data and establish processes to properly safeguard protected health information (PHI). Many organizations ensure PHI stays protected by adding data-centric protection to reinforce Google Drive’s native controls.

G Suite also supports the European Union’s General Data Protection Regulation (GDPR) by offering customers a data processing amendment (DPA) that meets the regulation’s requirements. Google has updated their processes to comply with GDPR’s terms regarding how customer personal data is handled, but forward-thinking security teams are adding information-centric protections to Drive to meet GDPR’s explicit requirement for using “state of the art” security technology.

Criminal Justice Information Services (CJIS) and Export Arms Regulations (EAR) have more stringent compliance requirements that mandate layering protections on top of Google Drive.

CJIS makes law enforcement and government agencies directly responsible for securing sensitive criminal justice data – everything from fingerprints to background checks. When criminal justice information is created, stored, or shared in the cloud, the information must be immediately protected via encryption, since it’s moving beyond the boundary of the agency’s physical data centers. Direct control of the encryption keys that protect these files is also mandatory; key management cannot be delegated to security or cloud providers. Organizations most commonly meet these requirements by implementing data-centric protection measures that encrypt the data end-to-end and offer customer-hosted encryption keys.

Meanwhile, EAR regulates the export of commercial goods and services that could have military applications, including technology, files, and technical data. Implementing end-to-end encryption gives multinational enterprises more flexibility when managing cloud data in the context of EAR. With end-to-end encryption, files uploaded to a cloud server outside the US then later retrieved in the US are not considered to have been “exported” under EAR, reducing bureaucratic burdens.

Corporate Privacy

All company departments and any employee will eventually handle company private data that should be protected from unauthorized access. When organizations embrace G Suite and employees begin creating, storing, and sharing data in Google Drive, security teams should be hyper aware of privacy concerns around confidential data in their files.

When sensitive legal contracts are exposed, critical deals fall through, trust among partners and customers plummets, and damage to your company’s brand piles up. Similarly, internal accounting information, M&A plans, sales projections, and other financial records can wreak havoc on your company’s operations if they’re breached.  Meanwhile, Human Resources departments constantly collect and process sensitive data including social security numbers, tax records, and salary and benefit information, and when that data falls victim to unauthorized access, your employees are susceptible to identity theft. The value of intellectual property is difficult to quantify, but when your product specifications, code, proprietary research, sales and marketing plans, and other trade secrets falls in the hands of your competitors or corporate spies, your organization loses its competitive advantage.

If your organization has any of these elevated requirements for regulatory compliance and corporate privacy, standard Google Drive Security doesn’t meet the need.

Key Features for Layered Google Drive Security

Organizations that require protection beyond native Google Drive Security should enact a defense in depth approach using the following functionality.

  • End-to-end protection encrypts files before they ever reach Google’s servers to prevent access by Google and unauthorized third parties.
  • Enhanced access controls strengthen Google’s native information rights management features, with the ability to watermark documents to prevent data exfiltration.
  • Granular audit gives your organization visibility over who has accessed and reshared documents, wherever they travel, with the ability to integrate with any SIEM.
  • Secure external sharing allows you to keep control over Drive documents  – whether they’re shared with Microsoft users or anyone else – without forcing collaborators to create new Google accounts or creating open share links that increase data leak risks.
  • Customer-hosted encryption keys give customers direct control of the keys protecting their Drive files, preventing government surveillance and shielding your information from Google.
  • Seamless user experience ensures adoption, with security embedded directly in the native Drive interface, without requiring local client software, separate applications and passwords, or new workflows.

Virtru provides these capabilities with our Google Drive Encryption solution, giving organizations using G Suite the enhanced protection and control necessary to keep Drive files private and prevent data leaks. 

Don’t Put All Your Data In Google’s Basket

Looking back on any of the breaches that have gripped the headlines over the past 5-10 years, if CISOs of hacked companies had implemented a layer of data-centric protection, they could have mitigated much of the financial and brand damage, and elevated their personal reputation.

Savvy investors have learned that diversification – layering their principal across several different asset classes instead of putting everything into a single stock – is key to their financial security. Likewise, in order to secure their data privacy, security leaders cannot put all their faith in one vendor, and should instead implement multiple layers of security.