This is the first article in a 2-part series on Google Drive security. View Part Two here.
More than 90% of organizations store data in the cloud, and when it comes to sharing that data, 60% rely on cloud file storage systems—such as Google Drive—to collaborate across distributed remote teams, among internal departments, and with external partners.
A popular choice for organizations of all sizes in the digital workplace, Google Drive eliminates many of the traditional problems associated with file collaboration by providing an intuitive way to create, store, share, and manage documents in the cloud. Organizations that understand Google Drive sharing settings and native controls can enhance secure cloud collaboration. However, additional layers of security and control are often needed for compliance in the cloud.
Organizations considering file sharing in G Suite should get familiar with Google Drive sharing settings and native control features for each tiered G Suite offering, then determine where layered security can fill any gaps the security team identifies.
G Suite Basic, Google’s entry level offering, does not include the granular data protection controls necessary to meet regulatory or corporate confidentiality requirements. All enterprises, and many small to medium-sized businesses will require Google Drive for Business at a minimum so that admins can implement suitable controls, while heavily regulated organizations driven by compliance will need to consider Google’s enterprise plan. Of course, more robust controls come with higher costs.
Google Drive Native Security: Information Rights Management and Sharing Settings
Built-in Google Drive sharing settings and information rights management features determine how users interact with Drive. Different permission levels can be associated with files or folders, such as edit, comment only, or view only.
Administrators can limit files to internal use only, restrict access to certain departments or roles, disable sharing, printing, or copying, and blacklist (or whitelist) specific domains. Administrators can also set up Team Drives—shared spaces used to store, edit, and access files. Team Drives belong to a group, not an individual, so files stay put even when the individuals who created them leave an organization.
Google Drive sharing settings and rights management controls support many corporate security requirements, but cross-platform sharing workflows may present challenges. When files are shared beyond Drive with external partners, controls don’t travel with them, so G Suite organizations need an overarching strategy for controlled, secure external sharing workflows.
Secure File Sharing Challenges with Google Drive
Keeping documents secure while supporting internal and external sharing is a balancing act in Google Drive. For external sharing workflows, administrators should pay close attention to end user workflows to remove as much friction as possible while maintaining the highest level of control over their data. At the same, administrators must also take care to train employees to prevent unauthorized access when sharing sensitive data internally. In both scenarios, leaving security up to end users means putting your data unnecessarily at risk.
External Sharing Concerns: Passwords vs. Open Link Sharing
If recipients don’t already have Google accounts, document creators must choose between two poor alternatives: forcing recipients to create a new Google account, or sharing an open, public link.
Forcing collaborators to create a new Google account in order to access a shared file inhibits the productivity Drive is designed to enable. This requires collaborators to create and manage another password, on top of the nearly 200 other passwords the average business user already keeps track of. And unfortunately, password strength is not always taken into consideration, further placing sensitive data at risk.
Open link sharing, while more convenient, also adds significant risk. Creating an open link and enabling public sharing essentially forfeits your control over the document. With this option, anyone who has the URL can view sensitive content. A collaborator could accidentally send the link to the wrong recipient, who can then forward to other unauthorized users, increasing the risk of data loss and potentially violating privacy and compliance requirements.
Considering the fact that Drive’s market share is around 10%, organizations should assume that not all external parties will already be using Google, and in that case, both alternatives above present a significant security concern.
Unauthorized Internal Access Risks
Internal sharing and unauthorized employee access is also a key security concern within Google Drive. The rapid internal collaboration and file sharing workflows in Google Drive exacerbate the risks that sensitive data—such as confidential memos, financial records, and privileged HR documents containing healthcare, benefits, and salary data—fall into the wrong employees’ hands; all it takes is one careless user or honest mistake. That’s why it’s critical for administrators to set guardrails by managing Groups and organizational units (OUs) properly, then configure folders and Team Drives with the appropriate rights management settings.
However, administrative precautions can only go so far. At a certain point, it’s up to your individual users to prevent unauthorized internal access by leveraging Google Drive sharing settings and rights management controls in a way that synchronizes with your internal policies. Regular training sessions can help, but organizations taking a more proactive security posture add control layers on top of Google Drive’s native functionality.
Layered Security for Enhanced Control
Google Drive has made powerful collaborative capabilities accessible to all businesses, of all sizes. Enterprises—and small businesses alike—using Drive must support that collaboration with controls that extend Google Drive’s native security. Adding enhanced control features that protect the data at the object level ensures that data remains private when stored in the cloud and secure when shared with external parties.
Enhanced protection and access controls are often necessary to ensure secure file sharing throughout collaboration workflows. The vast majority of G Suite customers, and especially those that operate in heavily regulated industries, will need to implement third-party solutions to strengthen security within G suite. The ultimate goal should be to protect data with solutions that work behind the scenes to support sensible, secure business practices.
Request a demo to learn how Virtru enables secure file sharing workflows in Google Drive with data privacy solutions that transparently integrate into G Suite, providing automatic security and total control.