My organization is on Google Workspace (formerly G Suite). Can I add security?

April 12th, 2021
Startups love Google’s suite of free apps because they’re free (duh) and they get the job done. If there are only fifteen people in the entire organization, it’s easy to have everyone download Google Authenticator and use that as one of the simple ways to keep company accounts secure.

However, once business booms and you’ve hired your 101st employee, you come to find that giving security protocol directives one staff member at a time is very inefficient. You want to be able to deploy security rules across teams and the entire organization. Before, this used to be very difficult — if not downright impossible — to do on G Suite. Companies had to migrate to other platforms such as Microsoft 365 (M365) to implement their security measures.

With Google Workspace now in the picture, businesses that started out using Google services can remain on the platform, thanks to the admin controls Workspace provides.

Can I assign admins and super admins in Google Workspace?

Yes. You’ll want admins who can:

  • Add users to your business account
  • Set user permissions for Google apps
  • Create groups so that individual users can collaborate with one another more easily
  • Set up organizational structures so that you can apply settings and permit app usage across entire groups or departments

There’s plenty more that admins can do on Workspace. And, when a team in your organization grows bigger, you may want to turn its admin into a super admin — someone who can assign admin roles for groups in that team.

Can you add MFA requirements for Google Workspace accounts?

Yes. MFA is essential for accounts of admins and users who deal with sensitive data, so you’ll want to enforce it especially upon such accounts — including yours. Of course, you can also let admins require stringent access protocols for the rest of the staff. Once the requirements are deployed across groups and departments, users like yourself will have to follow these steps:

  1. In a new browser tab, log in to your Google Account and click on your account icon.
  2. Click Manage your Google Account.
  3. Go to the navigation panel and select Security.
  4. Scroll down to “Signing in to Google,” click the 2-Step Verification toggle to the “On” position, and then click Get started. From there, just follow the steps provided.

There are many ways users can accomplish MFA:

  1. Via Google prompts
  2. Via security keys
  3. Via Google Authenticator or other verification code apps
  4. Via a verification code in an SMS message or through a phone call

Can I manage users’ identities and devices on Workspace?

Yes. If you already have your own identity and access management (IAM) system in place, you can subscribe to Google’s Endpoint Management service to easily enroll, monitor, and manage devices.

But if you don’t have your own IAM yet, you’ll want to use Google’s Cloud Identity service. This conveniently rolls up IAM and endpoint management under one centralized console. Additionally, Google beefs up the security provided by Cloud Identity by incorporating the BeyondCorp zero trust security model into it.

BeyondCorp enforces stringent user- and device-based authentication such as MFA so that users can access company data. Once users have authenticated their identities, BeyondCorp encrypts the data going back and forth between users and your network. This means that even when users are on untrusted networks like public Wi-Fi and don’t have traditional VPNs, they can still work securely.

Can I enforce automatic logouts for inactive users?

Yes. Google Workspace admins can set session lengths for Google services. Session length is the amount of time a logged-in user may use Google apps such as Gmail without having to sign in again. For desktops and laptops, 14 days is the default web session length for Google services.

Admins can shorten session lengths for staff members who work remotely or from places with unsecured public Wi-Fi connections, such as cafes. This can only be done manually, and your admins must know users’ circumstances to apply such controls, but it is wholly unnecessary if you’re using BeyondCorp.

Warning: Google session length is convenient for both legitimate users and those who want to take over accounts
Until a session expires, it remains usable by people other than the user who signed in. For instance, let’s say a user accessed their account via a public computer. When they’re done, they close the browser window, thinking that doing so logs them out. However, this isn’t the case. When another user reopens the web browser, they’ll be able to continue the previous user’s session.

Google Workspace does not check for session activity or “idle time” since “session length” allows users to be idle for long periods of time. However, if a user’s account is indeed taken over, Google Cloud’s Security Command Center service may be able to detect malicious activities from that account. Event Threat Detection in particular is a Security Command Center Premium tier inclusion and is able to automatically detect anomalous behaviors such as exfiltration of data to unknown external parties.

Event Threat Detection has default threat detection rules out of the box, but your data security specialists can also implement custom rules based on threat models derived from your own log data.
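Because session length does not account for idle time, one check your own team can run over exported activity logs is to look for activity that resumes, without a new sign-in, after a long silence inside the session window. The following is an added example, not code from Google or from this article; the record fields (`user`, `type`, `time`, `ip`), the 8-hour idle threshold and the sample events are constructed assumptions, and only the 14-day default comes from the text above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SESSION_LENGTH = timedelta(days=14)  # default web session length cited in the article
IDLE_THRESHOLD = timedelta(hours=8)  # assumption: tune to your users' working patterns

# Constructed sample records; field names are hypothetical, not a Google log schema.
SAMPLE_EVENTS = [
    {"user": "ana@example.com", "type": "login", "time": "2021-04-01T09:00:00", "ip": "198.51.100.7"},
    {"user": "ana@example.com", "type": "activity", "time": "2021-04-01T09:30:00", "ip": "198.51.100.7"},
    {"user": "ana@example.com", "type": "activity", "time": "2021-04-03T14:00:00", "ip": "198.51.100.7"},
    {"user": "ben@example.com", "type": "login", "time": "2021-04-01T08:00:00", "ip": "203.0.113.20"},
    {"user": "ben@example.com", "type": "activity", "time": "2021-04-01T12:00:00", "ip": "203.0.113.20"},
    {"user": "ben@example.com", "type": "login", "time": "2021-04-02T08:00:00", "ip": "203.0.113.20"},
    {"user": "ben@example.com", "type": "activity", "time": "2021-04-02T08:10:00", "ip": "203.0.113.20"},
    {"user": "cy@example.com", "type": "login", "time": "2021-04-01T10:00:00", "ip": "192.0.2.15"},
    {"user": "cy@example.com", "type": "activity", "time": "2021-04-02T10:00:00", "ip": "192.0.2.99"},
]


def find_idle_resumptions(events, idle=IDLE_THRESHOLD, session_length=SESSION_LENGTH):
    """Flag activity that resumes, without a new sign-in, after a long idle gap."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["type"], e["ip"]))
    findings = []
    for user in sorted(per_user):
        last_login = last_seen = last_ip = None
        for when, kind, ip in sorted(per_user[user]):
            if kind == "login":
                last_login = when  # a fresh sign-in resets the idle clock
            elif last_login is not None and when - last_login <= session_length:
                gap = when - last_seen
                if gap >= idle:
                    findings.append({
                        "user": user,
                        "resumed_at": when.isoformat(),
                        "idle_hours": round(gap.total_seconds() / 3600, 1),
                        "ip_changed": ip != last_ip,
                    })
            last_seen, last_ip = when, ip
    return findings


if __name__ == "__main__":
    for finding in find_idle_resumptions(SAMPLE_EVENTS):
        print(finding)
```

A finding with `ip_changed` set to false matches the shared-computer case described in the warning, so an unchanged address is not a reason to dismiss it.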

Can Google Workspace help me comply with data regulations?

Yes. First and foremost, Google employs the Shared Responsibility data security model, one within which Google secures items that are under their control, such as the physical infrastructure of their data centers, as well as the security controls of all of their applications. This means that Google’s customers are no longer burdened with such concerns.

Secondly, Google strives to always be up-to-date with data regulations compliance all over the world. And if companies need to comply with regulations of other regions and countries, Google can help them do so as well.

Last but not least, you can either work with Google directly to identify the Google services you’ll need to help with compliance, or you can work with a Google partner that has expertise in your particular area and industry.

Businesses used to outgrow Google, but now startups don’t necessarily have to leave the platform because of security reasons — they just need to shift to a paid Google Workspace plan. For your own company in particular, our IT specialists at HERO Managed Services LLC can help you determine which platform and service plan will serve your business best. Be it Google Workspace, Microsoft 365, or another platform you choose, our IT services will have you covered. Schedule a consultation today.

