
How to Create a Google Apps Security Program in 3 Steps

BetterCloud Monitor

November 13, 2014


As IT departments, and CISOs in particular, learn more about data security in the cloud and the pitfalls of a firewall-free reality make themselves known, demand for added security around file storage, creation, collaboration and the use and installation of third-party applications has increased.

While the cloud brings with it tremendous benefits – the ability to access data from anywhere, mobility, flexible third-party add-ons and extensions – this new paradigm has left CISOs grasping for new strategies and frameworks their organizations can implement to ensure data security.

So, how, in cloud-enabled organizations where data lives off-premises and outside of firewalls, do CISOs empower end users to create and share data inside and outside the company, while also maintaining proper oversight, protection and control? The answer lies in a truly comprehensive approach involving user training, insight and monitoring as well as sophisticated data loss prevention (DLP) technologies.


Step 1. Establish an End User Training Program

User training is key to a successful rollout of Google Apps, vital to continued adoption of the platform, and instrumental to developing an iron-clad cloud security strategy.

Educate Users on the Risks

First and foremost, educate end users on the role they play in corporate data security and highlight potential risks associated with operating in the cloud. Oftentimes, users overlook risks or aren’t aware they exist in the first place. So, by educating your users, you’re ensuring they’re attuned to potential threats and breaches.

Organizations should also take this training opportunity to educate users on all of the company’s policies and procedures around data security. This includes data stored in the cloud, on a device (laptops, desktops, mobile devices and thumb drives) or stored on-premises in a traditional server environment.

When it comes to Google Drive, make sure users understand implications associated with various document sharing settings, sharing rights and email attachment options (via Drive vs. traditional file attachments).

Security best practices tell us that, when possible, users should avoid sharing documents externally, externally with a link, or publicly. It’s also helpful to grant view-only access when appropriate and to avoid attaching files to emails using the traditional attachment method. The latter will keep all data securely stored on Drive and within the user’s and organization’s control.

Users installing third-party applications via the Google Apps Marketplace, Chrome Web Store, Play Store and others should know that every application they install will have some access to their Google Apps account information. Before installing an application, users should ask themselves if the permissions requested by the application match its purpose. If they match, then it’s likely fit to install. And, when a user inevitably isn’t sure about a certain application, make sure they know it’s okay to go to the IT team first for approval. By opening up lines of communication and establishing trust, end users won’t feel the need to operate underground, beyond the scope of your security framework.

Differentiate Data Access & Policies Based on Roles

Once all users are aware of proper sharing processes and third-party app installation protocols, introduce some flexibility based on an employee’s role within the organization. Separate users into breakout groups to focus on the role they play within the organization’s security policy. For example, your C-level execs (and maybe their assistants) need to understand that they have access to extremely sensitive and valuable data, and thus more stringent policies will apply to them.

Empower Users

Lastly, make sure your employees know the implications their actions have on the security of the company. By following practices put in place, employees will have more freedom to create and collaborate as they see fit and install the applications of their choosing. By following IT’s guidelines for security, users ultimately have more freedom to work the way they choose.

To ensure users consistently follow your security policy, implement regular education through in-person meetings, one-on-one sessions, webinars, email newsletters and more.

Step 2. Gain Insights & Monitor Activity

Once you’ve established and educated users on security best practices, your IT team should continuously monitor how carefully these guidelines are being followed. Regular monitoring allows you to stay on top of any improper actions or security breaches and also gives you insight into how quickly users are adopting new protocols. As with all IT functions and processes, the more automated this monitoring is, the more secure your environment will remain.

While the Google Apps Admin Console does make some of this information available, it’s not easy to find and, in most cases, not actionable. Organizations that are serious about security should look to third-party products for more comprehensive monitoring and alerting, such as what you’ll find in BetterCloud’s Domain Health & Insight Center®.

With Domain Health & Insight Center®, IT and security staff are proactively alerted to potential security breaches. The Center® allows you to view more than 30 alerts across six major areas of the Google Apps suite including Directory, Gmail, Google+, Sites / Calendars and of course third-party apps and Google Drive. Alerts range from critical security risks to helpful usage statistics and information, such as the percentage of documents shared publicly in your organization compared to the average Google Apps domain. You can even set alert thresholds based on what your own organization deems critical, and unsnooze or disable alerts.

And when an alert is in fact deemed critical, you can use BetterCloud’s DLP technology to take automated and decisive action.

Step 3. Leverage a Policy-Based DLP Solution

Despite users’ best intentions and your IT team’s best efforts to train employees and monitor for policy violations, breaches do still happen and mistakes can be made. And in extremely rare cases, you may encounter malicious activity, which is why it’s vitally important to bolster education and monitoring with technology – specifically DLP technology for Google Drive and third-party applications.

DLP for Third-Party Applications

While you’ve instructed users on what to look for when installing third-party applications, it’s often difficult to evaluate the true scope of access an application gains to account data. In fact, it’s typically the most useful applications that request the highest level of access – after all, integration is one of the cloud’s best selling points. So, to ensure only approved third-party applications are in use, your IT team can use a DLP solution like BetterCloud’s Apps Explorer.

Apps Explorer allows IT and security administrators to establish policies based on the scope of access requested by third-party applications. BetterCloud will then notify the IT and security teams, and if you choose, users in violation, HR and the CISO when policy violations occur. IT can also manually whitelist or blacklist applications based on custom-defined policies and later use BetterCloud to automate these same policies to proactively enforce compliance.


DLP for Google Drive

BetterCloud also features a Drive Compliance Engine, currently in beta, that enables IT and security teams to enforce acceptable use policies in real-time and identify exposures of sensitive information like PII, SSN and credit card numbers or even student IDs using both pre-built and custom regular expression strings.

Once violations are identified, IT and security personnel can correct these violations and build content-aware policies to ensure ongoing detection and compliance. With the proper policies in place, BetterCloud will then alert the appropriate stakeholder and auto-correct any violations (if you so choose) as they are detected, saving your team time and enhancing data security across the organization.
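To make the regular-expression detection described above concrete, here is an added example (not BetterCloud's code) of a minimal content scanner with built-in SSN and credit card rules plus one custom rule. The sample document, the `S-` student ID format and all function names are constructed for illustration; the Luhn checksum is added to cut false positives on card-like digit runs.

```python
import re

# Constructed sample text standing in for a Drive document's contents.
SAMPLE_DOC = """Q3 onboarding notes
Jane Roe SSN 123-45-6789, corporate card 4111 1111 1111 1111
Order ref 1234 5678 9012 3456 (not a card), form id 000-12-3456
Student S-20481234 enrolled 2014-09-02
"""

# Built-in rules. The SSN pattern rejects area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Hypothetical custom rule: student IDs written as "S-" plus eight digits.
CUSTOM_RULES = {"student_id": r"\bS-\d{8}\b"}

def luhn_ok(digits):
    """Luhn checksum: filters digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value):
    """Keep only the last four characters so the alert itself leaks nothing."""
    return "*" * (len(value) - 4) + value[-4:]

def scan(text, custom=None):
    """Return (line_number, rule_name, masked_match) for every finding."""
    rules = {"ssn": SSN_RE, "credit_card": CARD_RE}
    rules.update({name: re.compile(rx) for name, rx in (custom or {}).items()})
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in rules.items():
            for m in rx.finditer(line):
                digits = re.sub(r"\D", "", m.group())
                if name == "credit_card" and not luhn_ok(digits):
                    continue  # card-shaped but fails the checksum
                findings.append((lineno, name, mask(m.group())))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_DOC, CUSTOM_RULES):
        print(finding)
```

The order reference and the `000-12-3456` form id on line 3 of the sample are deliberately card- and SSN-shaped but produce no findings, which is the difference between a bare pattern match and a validated one.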


Final Thoughts

End users have never been more free to work the way they choose, from installing third-party applications to working on a variety of devices and collaborating across teams, companies and countries. The cloud empowers users like nothing ever before. But, this freedom means the IT department must work harder than ever to ensure security policies are followed and data security remains intact. With a three-pronged approach – education, monitoring, and DLP technology – your IT team and CISO can gain peace of mind knowing sensitive corporate data is secure.
