Endpoint Devices and the Impact on Google Drive Security

Interested in learning more? Check out our Introduction to Google Drive Security

Although Google Drive is primarily a browser-based application, there are several mobile and desktop applications that can lead to data exposure if the endpoint device itself is compromised.

Laptops and Google Drive Security

The greatest vulnerability to Google Drive data on a laptop is caused by the Google Drive Desktop application. The Google Drive app downloads files and folders located in a user’s “My Drive” to a corresponding desktop folder. It also uploads files added to the Google Drive desktop folders and continuously synchronizes changes. Because copies of Google Drive files are stored locally on the hard drive, these files can be compromised if the computer is stolen. Use of 2-step verification is strongly recommended as a proactive way to secure Google Drive content when used in conjunction with the desktop application.

In addition to the Google Drive desktop app, the Google Drive offline feature also poses a risk of data exposure in the event a laptop is lost or stolen. Offline Drive syncs recently viewed Drive content to the Chrome browser cache, so the files can be viewed using the Google Drive web interface, even without an internet connection. Therefore, data will be accessible even if the user’s password and sign-in cookies have been reset.

Mobile Devices and Google Drive Security

The Google Drive app for Android and iOS is a convenient way for end users to view and edit Google Drive documents. However, because the app has full access to all Google Drive content, it poses a significant security risk if the mobile device is lost or stolen. Fortunately, in order to constrain data usage, the app does not sync a significant amount of Google Drive data to the local device, meaning most content is accessed “on demand.” Google provides a number of controls which the admin can use to both secure access and wipe account data in the event the device is compromised.

In order to protect data on mobile devices, we strongly recommend enforcing policies on Android and iOS devices. With enforcement enabled, end user devices will appear in the “mobile devices” section of the Google Apps Admin console, which allows admins to view the devices in use by each user, and wipe the device if necessary.

As a first line of defense against unauthorized access, a PIN/password policy should be applied, which will require the correct input in order to unlock the device screen. Additionally, data encryption should be enabled as an extra layer of security.

Chromebooks and Google Drive Security

Because Chromebooks rely primarily on data stored in the cloud, they are somewhat more secure than a traditional laptop. Access to a Chromebook user profile is handled via the same username/password process as a browser-based login. Users can choose to sync Drive documents for offline access; however, access is still controlled via the primary device sign-on screen.

Mitigation and Securing Compromised Endpoint Devices

In order to make files more difficult to access in the event a physical device is lost or stolen, users should be encouraged to create files in Google Docs, rather than traditional formats. Because Google Docs are stored in the cloud, and access is controlled via password, it is much easier to secure access to this content. Whereas Google Docs live online and access can be revoked with the click of a button, there is no way to revoke access to a traditional file stored locally on a computer or mobile device once the device has been lost. To complement the use of Google Docs, users should be trained to enable 2-step verification, which adds an additional layer of defense to Google Drive data stored online.

Securing Laptops

If a laptop is stolen, you as the administrator should access the user’s account in the Google Apps control panel as soon as possible. Look for the “authorized access” section under “security.” If Google Drive is authorized, revoke access to that application. This will force the app to attempt to reauthenticate, and the malicious party will be unable to do so with no knowledge of the new account password. Despite this, however, it is important to note that non-Google Docs files located in the local Google Drive folder will still be accessible (albeit changes will no longer sync). This is because while Google Docs synced to the folder are still essentially hyperlinks which redirect the user to the browser, non-Google Docs files (e.g. MS Word, PDF, etc.) are stored locally and can be opened.

In order to secure data stored in Google Drive, users should be encouraged to use the web interface exclusively. In order to prevent laptops from becoming a weak link in your Google Drive security strategy, we recommend disabling both offline access and Drive for desktop. These settings can be found in the Google Drive section of the Admin console under “Data Access.”

Securing Mobile Devices

If a mobile device is reported as lost or stolen, you should take immediate action to secure the account. In the Google Apps Admin console, navigate to the user and revoke account access for the device in question in the “security” section.

If policy enforcement is enabled, locate the device in the user’s “devices assigned” section and remote wipe the device.

If 2-step verification is in use, and the device has been assigned an application specific password, revoke access under “security.” Additionally, if the device was being used to receive 2-step verification codes via SMS, inform the user to access their account settings and temporarily remove or change the phone number associated with the account (at least until the mobile provider assigns the number to a replacement phone).

Securing Chromebooks

If a Chromebook is reported as lost or stolen, the user’s password and sign-in cookies should be reset immediately. If the Chrome device is under management, you can also disable the device. Once disabled, the device will show a notification in lieu of the normal sign-in screen stating the device has been disabled, and it will show information on where to return the Chromebook.

Although most Google account data is not stored locally on a Chromebook, users are able to use the device’s limited amount of internal storage to store files (such as MS Word, PDF, etc.) and these files are at greater risk of being compromised if the device is stolen.