Evaluating Auditing, DLP, and Compliance for Google Apps
July 12, 2015
6 minute read
Interested in learning more? Check out our Introduction to Google Drive Security
Data loss due to improperly shared documents is a major risk for organizations using Google Drive. However, when compared with the traditional method of transmitting files via email attachment, Google Drive actually tends to be more secure. As opposed to an email attachment, which has no audit trail once sent, Google Drive content can be audited and sharing settings altered to correct policy violations. Of course, while Google Drive does offer these advantages, they nonetheless do not guarantee that files cannot be copied or downloaded once shared, meaning robust tools and policies must be implemented to adequately protect your organization against data loss. With the right balance of auditing tools and data loss prevention policies, Google Drive data can be safeguarded without imposing inconvenient restrictions on end users’ ability to collaborate and share files.
In addition to the obvious negative internal impacts of data loss, it is important to consider the measures you are taking to secure your Google Drive data in the context of requirements imposed on your organization by outside parties, such as Sarbanes-Oxley, HIPAA, FISMA, etc. Failure to comply with regulatory requirements can lead to stiff fines and other penalties. It’s prudent to plan your document storage policy and controls in such a way that they will stand up to scrutiny in the event of an audit or incident.
It is outside the scope of this post to give legal advice, and we recommend that you consult with your organization’s legal and/or security team regarding the specifics of regulations that impact your organization and what measures are required to meet them. However, we will provide an overview of options available for auditing and securing data in your Google Drive environment. Coverage of these options will be broken up into features available with a basic Google for Work subscription, additional features added with a Google Apps Unlimited subscription, and those available using third-party applications, such as BetterCloud.
Google Drive Data Auditing
Auditing is an effective strategy for passively monitoring compliance with established data sharing policies. Because in most cases you will not be actively interfering with end users’ use of Google Drive, it is a low-touch approach to enforcing policy. Compared to a more active strategy (e.g., a data loss prevention policy which alters document permissions or sends alerts), passive audits give the admin the flexibility to decide which sharing issues to address. Even if your organization does not have a strict or clearly defined policy, a periodic data audit will offer valuable insight into how data is being sharing both internally and externally. The scope of external data exposure revealed by a Drive audit can help you decide whether more aggressive measures need to be taken to prevent a data breach.
Google for Work
With a basic Google for Work subscription, the ability to audit Drive is somewhat limited. However, as an admin you are able to view some basic information about your Drive environment using the “Reports” section of the Google admin console. Under “Apps Usage Activity,” a high-level report can be generated showing Drive storage utilization, new file creation by type, file upload count, total edits, total views, and number of shared files. Additionally, using the “Reports > Security” menu, a report can be generated showing 2-step verification enrollment status and total number of files by sharing permission (e.g., publicly visible, externally shared, etc.). While this information is user-specific, it is not document-specific, and there is not a way to audit individual documents with a basic Google for Work subscription.
Google Vault
Google Vault is designed for legal discovery and data archiving, and as such does not feature a comprehensive set of tools for auditing Drive data based on specific events or permission settings. Although Google Vault allows Vault admins to run searches against the Drive data of one or more users, Vault supports searching only based on account, date range, and/or specific search terms. This severely limits Google Vault’s usefulness when searching for documents based on external visibility, and Vault should not be considered a substitute for the auditing features found in Google Apps Unlimited or BetterCloud.
Google Apps Unlimited/Drive for Work
Unlike the basic Google for Work subscription, Google Apps Unlimited (GAU) allows for granular auditing of Google Drive. In addition to all of the options available to admins with a Google for Work subscription, GAU adds a “Drive” menu under “Reports > Audit” in the Google Apps admin console. Drive audit features include the ability to filter results based on specific events (e.g., creation, upload, location change, permissions change, etc.), date/time range, owner, document title, document ID, or username. Additionally, you as the admin are able to actually view the files or folders included in the search results. We strongly recommend using this feature to conduct periodic audits of your organization’s Google Drive data, with a focus on externally shared files. Using the date range filter, you can search for any files whose visibility has been changed since the last audit, view the applicable documents, and notify the user(s) in question if the information being shared is a security risk.
BetterCloud
Although the features included in Google Apps Unlimited are sufficient for basic audits, greater ease of use and functionality is gained by using a third-party application such as BetterCloud. Additionally, if your organization has only a basic Google for Work subscription, and does not need the extra storage or Google Vault capability of Google Apps Unlimited, BetterCloud provides a lower cost option to gain all of the auditing functionality of Google Apps Unlimited, plus extra features as well.
The best place to start with an audit in BetterCloud is the “Drive Dashboard,” which provides a high-level view of Google Drive document exposure. This report is more granular than the Google Apps Admin console in that it provides a count of externally visible documents based on sharing permissions. Clicking on each row in this view automatically generates a list of the documents in question, allowing you to easily see the owner, collaborators, and the document itself. You can also see at a glance which documents have been marked as compliance violations, flagged for review, or marked as exceptions.
A more organized method of conducting Drive audits is to generate reports at regular intervals. For instance, you could create a report of all publicly visible documents in your Google Drive environment and schedule the report to run weekly at a specific time. BetterCloud’s reports are fully customizable, you can save and schedule multiple reports if needed. Note that there is a distinction here between simply gathering data and actually enforcing policy, which will be detailed in the section below.
Google Drive Data Loss Prevention and Compliance
If passive auditing has revealed a large amount of external data exposure, or your organization routinely deals with documents containing confidential or personal information, you may want to consider a more active approach with regards to data loss prevention. This strategy provides the most effective means of preventing data loss via Google Drive sharing by actively scanning permission status and/or Drive content. As described below, Google Apps Unlimited provides the capability to alert admins when certain permissions are detected (e.g., public exposure); however, more advanced scanning and automated actions (such as changing permissions on docs that contain certain types of information) requires a third-party solution, such as BetterCloud.
Google for Work
The basic Google for Work subscription does not include any provision for setting admin alerts based on Google Drive activity or document content. Therefore, it is strongly recommended that Google for Work subscribers consider adding a third-party application, such as BetterCloud, to help prevent data loss and enforce Google Drive policies.
Google Apps Unlimited/Drive for Work
Despite allowing for much better reporting than basic Google for Work, Google Apps Unlimited does not feature functionality which supports traditional data loss prevention. There is no provision for scanning internally or externally shared documents for specific content (e.g., regular expressions). However, via “Reports > Audit > Drive,” administrators can create basic alerts which will help them enforce sharing policy. For instance, a report can be delivered to specific email addresses in the event a document is shared publicly.
BetterCloud
For true data loss prevention and compliance, administrators must turn to third-party solutions such as BetterCloud. BetterCloud allows administrators not only to conduct advanced audits of Drive content, but also to set policies which can be enforced. For example, using BetterCloud’s Drive Compliance Policy Creator feature, you can create a policy that encompasses every user in the domain, specific organizational units, or individual users. Policy violations can be programmed to include content, file permissions, file size, file name, etc. Additionally, you can choose what action to take when a policy violation is detected. Actions can include changing sharing settings, removing document collaborators, transferring ownership to an admin, or simply flagging as a violation.