Secure remote working with Google Workspace

08 October 2020

Using Google Workspace to keep your data secure and business protected.

We use Google Workspace in many ways to keep our organisations thriving, more now than ever before. Netpremacy is here to support your Google Journey, and in doing so, we support the security of your operations. With this in mind, we have put together some guidance and information to help you optimise your security posture.

There is a global shift now in adapting to a new way of working, ensuring our employees are productive, collaborating, and driving business whilst operating in a secure environment all whilst working remotely. Securing cloud environments is what we are dedicated to providing.

By delivering Security Workshops, webinars, regular updates, and articles we are ensuring that our Google Cloud customers are utilising their cloud investment to the highest level. Enterprise-level security, such as DLP, endpoint security, MDM, and log analysis are all available with Google Workspace. However, many security failures have been a result of the person or the process and not the technology. With all this in mind, we are investing our time and resources into ensuring all points of failure are assessed and mitigated against using Google Cloud Technologies and our expertise, whether that is the person, policy, process, or technology.

If you are operating the newly transformed Google Workspace, you will be aware of the vast security features available at your fingertips. With the majority of our workforce now facing remote working as a somewhat permanent measure, we need to look at securing not only the perimeter but the user, the endpoint, the access control, and ensuring data loss is no issue. Previously, working from home policies seemed alien to most security pods, posing unmanageable risks. However, as we are heavily invested in enterprise-level cloud solutions like that of Google Workspace, these security concerns are met with mitigating controls and processes to ensure peace of mind whilst staying compliant to regulating bodies and guidelines.

Google Workspace

As discussed, the user has been given a bad press in former years due to lack of due diligence, mistakes, or failure to provide multiple authentications leading to significant breaches. Ensuring your users have a seamless process to access the services and documents they need to fulfil their employment duties is a must. Overcomplicating authentication and access controls can lead to user dissatisfaction and shadow IT. Authentication is heavily used across all Google Workspace features, having a strong authentication process ensures that the right data is being accessed by the right person on the correct device. 

2 step verification reduces this risk greatly, by using the features available in Cloud Identity you can ensure all your users are providing additional verification processes and lowering your risk of unauthorized access to your company data. Google also provides security key enforcement offering another layer of security. This is a physical security verification process and sends an encrypted signature that only works with the access that it is provided, helping G Suite administrators to manage and monitor security keys at large and without having to install many different types of security software.

Moving on from the user, we look towards securing the device. If organisations have not already, there has been seen to be a huge uptake on device management solutions. Solutions on the market that are available to ensure the safety of company data when employees are remote working or using devices that are not owned by the company themselves, such as a BYOD policy. Being able to control what applications a user can utilise, to be able to lock the device down and wipe sensitive content if the device is lost or stolen has provided another layer of security to those companies who can operate outside of the traditional network structure. Google MDM is available in both Business and Enterprise SKUs, with a significant feature enhancement when looking into Enterprise, this provides what is usually a heavy investment with an alternative MDM provider included in your license commitment. Google was named a 2018 Gartner Peer Insights Customers Choice for Enteprise Mobility Management Suites.

There are many other features that enhance your cloud security posture with Google’s Suite, however, whilst security features are fundamental, regulated organisations need these security features to adhere to strict guidelines so their business can operate and expand. GDPR and ISO27001 are by far the most commonly adhered to guidelines in today’s data society. Google Cloud is compliant to GDPR guidelines as in most commonly known cases the data processor. Customers that utilise either Google Workspace or Google Cloud Platform take the role of the data controller, owning the data and must adhere to the data controller guidelines. GDPR has in essence given data protection and privacy and a dual-action approach, ensuring that cloud providers give assurances that data is protected in their environments and on the other hand the data controller ensures that the security processes around that environment are compliant with these regulations. 

Google has recently announced new security features, one of these features being data protection insights. This is a step forward in being able to classify data, the location of that data, and in turn be able to report on that to make informed decisions surrounding protecting your organisation’s data and can be of assistance when complying with regulations such as ISO27001. ISO 27001 is an internationally recognised data protection standard, which looks at all areas of data protection, from the virtual, physical, software, policy, and process. Many organisations wanting to work with the central government or organisations that hold extremely sensitive information will be asked to adhere to this framework. However, this is usually not light work, with some projects taking longer than 6/12/18 months to complete and become certified. When using any Google Service, you will adhere to these guidelines automatically and your data in that environment will be continually monitored and improved under the ISO 27001 regulations.

In addition, Google has also recently announced that Google Workspace has received ISO 27701 certification alongside their 27001 and alternate data protection and privacy certifications. This being part of the ISO 27001 family, aligns directly with data privacy and provides guidance for implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS). This relays back to GDPR considerably when looking into data protection laws and guidance. You can read more about the recent updates and security certifications here.

Although this article merely touches lightly on some of the features available to you with Google Cloud Services, there are many more. We carry out regular Security Workshops with our customers to ensure their environments are optimised to the highest level of security standards available.

We will be discussing this further on our Google Workspace Security Webinar which will take place on the 12th of November, covering a variety of security topics that have been highlighted in this article. We welcome customers and non-customers alike to join us to discuss this further.

Please contact me if you have any further queries around security: amunroe@netpremacy.com 

30 January 2019

Keep your company’s data secure

Unfortunately, it is almost impossible to prevent your employees’ devices being lost or getting stolen from time to time. These things happen. However, it does not have to be such a worry when things like this do happen.

G Suite keeps your company’s data secure with mobile device management (MDM) policies. With basic management, you can ensure that mobile devices require screen locks and/or strong passwords on your employees’ devices, keeping your corporate data secure. In addition, G Suite allows you to erase confidential business data with device wipe, or selected account wipe for Android or iOS. This feature also allows you to wipe corporate information from devices if they have been lost or stolen. You can see the list of devices that are accessing corporate data in the Google Admin console.

Google Mobile Management means that you can manage, secure and monitor all mobile devices that are in your organisation. It is possible to manage a range of devices, including phones, tablets, and even smartwatches. People are still able to use their own personal devices for work (BYOD) as you will be able to wipe their corporate accounts on their devices, should the worst happen.

So, how does G Suite protect my data?

When you decide that you would like to store your data with G Suite, it is then protected in a number of different ways. This includes advanced phishing detection with the aid of machine learning, authentication with security key enforcement and also prevention of data leakage.

Due to G Suite being a 100% cloud-based system it means you can be protected from attacks such as Ransomware, viruses, and malware. There is no need to install a separate system for spam processing because Gmail uses Machine Learning to automatically filter any spam and to scan all emails for suspicious and dangerous content.  The G Suite administrator can also control all attachments sent and received by your organisation so that nobody opens or sends anything that they shouldn’t.

2 Step Verification keeps your data secure  

Using 2-Step Verification (2SV) provides users with a better option to secure their accounts. As well as 2SV over an encrypted connection, users can also block unauthorized access to their accounts with Google Prompt that delivers real-time prompts, telling the user when they have logged into a device.

This update comes through as a pop-up notification on the Google app. This allows users to answer “yes” or “no” when asked, “are you logging in?”

Automatic rules

There are now new device rules for Mobile Management, which allows G Suite admins to define custom rules that create triggers for certain actions or events. For example, if somethingoccurs on one of your company’s devices that’s been specified in a custom rule, the corresponding action that’s been set will automatically be carried out. Some of these rules include;

  • Approve select mobile devices when the device is enrolled.
  • Block access to corporate data if a specific app is installed.
  • Block access to account/wipe the device if the user has more than 5 failed screen unlock attempts.
  • Block access to/wipe the account if there is suspicious activity found on the device.

3rd party app control

Google can also protect your data against phishing attacks. Google provides 3rd party control with OAuth apps whitelisting. This gives your company extra control over 3rd party applications that have access to your data. It is now possible for admins to specifically select which apps can have access to which users G Suite data. This keeps your data safe as it is ensuring that your users don’t accidentally grant access to apps that may be malicious.

How can Netpremacy help?

Our support team are highly skilled and have the knowledge needed to answer any questions you may have about your companies security, and how you can further improve it. If you have any questions regarding security, please feel free to contact us here.