The Security Best Practices for External Sharing on Content Collaboration Platforms blog series examines the state of security for external sharing on the leading Content Collaboration Platforms (CCP). Each week we’ll review a different platform and make security best practice recommendations.
Background
Google Drive was launched in 2012 as a CCP offering, available stand-alone or bundled with G Suite. G Suite services include Gmail, Hangouts, Calendar, and Google+ for communication; Docs, Sheets, Slides, Forms, and Sites for collaboration; and an admin console for managing users and the services. Google’s popular API platform also allows developers to integrate existing business applications with Google Drive. As of March 2017, Google Drive has more than 800 million active users with over 2 trillion files stored. Google is thought to have at least 3 million paying customers across its business-focused Google Business and Google Enterprise versions.
For some enterprises the appeal of Google Drive is its native integration with G Suite, but large enterprises are still mostly the domain of Office 365 (which of course has its own native integration with OneDrive). Both Box and Dropbox have had to up their game to make their products also tightly integrated with the “big boys” of office productivity. To sum it up, all parties have announced deep partnership on the one hand, but engage in fierce customer acquisition battles on the other. Being the enterprise default for collaboration is the “brass ring” they all seek and cloud storage is just one important component.
Another key advantage Google Drive has over its CCP competition is Google’s strength in the mobile market. If you have 54% of the mobile browser market and over a billion downloads of the Google App you can get creative on the authentication side without sacrificing convenience. For example, multi-factor authentication on G Suite uses a push-notification to the Google App which is much easier than a PIN-based approach. Also, the higher security U2F token options are pretty much only used in production on the Chrome browser (for now).
Google’s Security and Privacy Record
In recent years Google has been very successful in avoiding the types of security breaches that have plagued other cloud companies. This success dates back to a breach of Google by Chinese military hackers in 2010. At that time Google’s Sergey Brin promised “never again,” and then proceeded to invest hundreds of million of dollars in security infrastructure to protect Google customers’ accounts.
Privacy, however, is a touchier topic since Google’s primary business model depends on advertising to you based on partial knowledge of your content. Google’s Terms of Service for consumer products states, “Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.” This wording does not sit well with many CIOs even if the enterprise-focused products like G Suite have more stringent protections. Also, as we learned in the 2013 Snowden affair, Google and others cloud providers had been giving the NSA, under the PRISM program, direct access to users’ information since early 2007. G Suite has picked off a few prominent corporate accounts (i.e. Verizon, Colgate-Palmolive) so large enterprises are beginning to trust that Google will be a capable “steward” of their data.
Four External Sharing and Collaboration Security Best Practices for Google
1 – Know Your Sharing Options
Your Google Drive administrator should actively control how users in your organization share Google Drive files and folders externally. If turning off sharing is not feasible (though still good to know you can) we recommend checking the “warning” box (see below). This setting will notify your user every time they are about to share a file externally. An additional option is to check the box that requires the file recipient to sign-in to their Google account before they can view the shared file. Of course this is not a completely foolproof way to authenticate someone since it’s relatively straightforward to set up a Google account that disguises your true identity.
2 – Use Link Sharing Sparingly
Link sharing is perhaps the most under-developed of Google Drive’s sharing and collaboration features. Standard features on other CCPs like password protection and expiration dates do not yet exist on Drive. With this in mind your users should use external link sharing sparingly. Users should be trained to exercise common sense and a few rules when sharing files with others. Rule #1 – pick the most restrictive level of access that gets the job done (not everyone needs full editing and download rights). Rule #2 – be aware of access rule “inheritance” when placing a file in an existing shared folder. One last word of caution; Google Drive does not support a “shared by me” folder the same way they offer a “shared with me” folder. This makes it difficult to provide visibility, or reporting, on the shared files. On the plus side, the Link Sharing dialogue box (see below) provides a comprehensive selection of restrictions tied to corporate domains.
3 – Monitor your External Sharing with Google’s New Security Center for G Suite
In January, 2018, Google introduced Security Center for G Suite. As the introduction blog states “a big part of this is making sure that you and your admins can access a bird’s eye view of your security and more importantly that you can take action based on timely insights…” This new unified dashboard combines security analytics, actionable insights and best practice recommendations, all in one place. The tool includes reporting and alerts focused on external sharing from Google Drive. Google has also introduced the concept of “Security Health” which analyzes your organization’s existing security posture and gives you customized advice to secure your users and data. These recommendations include best practices for how your files are shared.
4 – Consider Managing the Identities of your External Users
Shared links and folders are convenient ways for external sharing and collaboration but it is not going to get high marks from your CISO. With other CCPs, like Box, some organizations give managed user licenses to external parties in order to ensure compliance. This is not done for Google because it not logical to consider Google Drive as a separable product from G Suite and you don’t want external users on your domain and indistinguishable from your actual employees.
It is possible, however, to manage the identities of your external users yourself with the Resilient Access™ for G Suite product. This product integrates with the authentication and content APIs from Google to give you more flexible security, better reporting and safer sharing. If having complete knowledge and control of every file shared with every external person is important to you, consider making your CISO happy by provisioning your key external users into Resilient Access™ for G Suite. You can read a case study here or schedule a demo here.