Google Drive data is most likely to be lost via end user negligence/malice or compromised endpoints, and a proper evaluation of Google Drive’s security functionality should focus on these vulnerabilities.
Google Document Sharing
Due to the open and collaborative nature of Google Drive, data loss via incorrect sharing practices is an inherent and persistent threat. This is certainly not a risk unique to the Google Drive platform, and fortunately Google provides native reporting features which help admins keep tabs on externally shared data. First, let’s take a closer look at how sharing works in Google Drive and which practices represent a data loss threat.
Link-based sharing is the most convenient way to disseminate information stored in Google Drive. Consequently, link-based sharing also poses the highest risk to data if misunderstood or misused. It’s also important to note that link-based sharing can result in unintentional sharing of confidential information internally, such as human resources files.
In Google Drive, end users can share file links in several ways. Choosing the “get shareable link” option will result in the file being shared to anyone inside the organization with the link. Users can also choose to share files externally, either to “anyone with the link,” or at a “public” setting. Obviously, the latter is the most dangerous in terms of accidental data exposure, since the file will be available to anyone on the internet. When sharing links, users can elect to share with or without edit rights. It is worth noting that editors can re-share a file without receiving permission from the original owner of the file.
As an alternative to broader, link-based sharing, Google Drive content can also be shared with specific individuals based on their email address. This method is far more secure than link-based sharing, since collaborators are forced to authenticate themselves with a Google sign-in in order to view or edit the file. Google Groups can be leveraged for invite-based sharing to expedite the process when a large number of individuals need access to a specific file or folder. For sensitive data, invite-based sharing either individually or by Group should be encouraged in lieu of link-based sharing options.
One area of concern for admins is that shared Google Drive files can be downloaded by either viewers or editors. However, viewers can be prevented from downloading or printing individual files in non-Google Docs formats via the details pane on the Google Drive home screen (drive.google.com).
Google Drive Sharing Admin Controls
The Google Apps admin controls offer a wide range of options for configuring default sharing settings for Google Drive. Below we will review each available setting as well as any potential implications.
Google Apps for Work vs. Google Apps Unlimited
Both Google Apps for Work (GfW) and Google Apps Unlimited (GAU) feature the administrative controls described below. However, an Unlimited subscription allows administrators to define sharing permissions at the organizational unit level, rather than making changes that impact the entire organization. This added granularity better accommodates organizations with distinct business units and user roles. For example, a marketing department may have a legitimate use case for sharing documents publicly, and be permitted to do so, whereas finance department users are restricted to internal sharing only.
OFF – Files owned by users in yourdomain.com cannot be shared outside of yourdomain.com
Choosing this setting disables the ability of users to share Google Drive content outside of your domain. Although this is the safest setting in terms of preventing data loss, it also negates much of the collaborative advantage of Google Drive and should be used only if external collaboration is not a factor, or if security takes precedence over productivity.
Allow users in yourdomain.com to receive files from users outside of yourdomain.com
This setting can only be enabled if sharing outside the domain is disabled. Enabling this setting allows users in your domain to receive Google Drive files sent from outside the domain. Users will be able to view, edit, and collaborate on documents owned by outside parties, although they will still be prevented from sharing documents that originated inside your domain. Generally this option is low-risk and is often enabled if external sharing is disabled.
WHITELISTED DOMAINS – Files owned by users in yourdomain.com can be shared with Google accounts in compatible whitelisted domains
This option allows you to restrict the ability of users to share outside the company to trusted domains only, and is available only with a Google Apps Unlimited subscription. Users will only be able to share data with user accounts of whitelisted domains, and sharing for all other domains is essentially turned off. This allows for slightly more flexibility than the basic “OFF” setting, although our recommendation is to restrict sharing only if security is of the utmost importance. Otherwise, such restrictions severely limit the ability of end users to leverage the Drive platform.
For files owned by users in yourdomain.com, warn when sharing with users in whitelisted domains
For data security purposes, it is highly recommended that this setting be enabled if sharing to whitelisted domains is turned on. With this box checked, end users will receive a pop-up prompt when attempting to share to an email address of a user account on a whitelisted domain.
Allow users in yourdomain.com to receive files from users outside of whitelisted domains
This setting can only be enabled if sharing is limited to whitelisted domains. Enabling this setting allows users in your domain to receive Google Drive files sent from outside the domain (even from domains which are not whitelisted). Users will be able to view, edit, and collaborate on documents owned by outside parties, although they will still be limited to sharing documents to whitelisted domains only. Enabling this option is low-risk and is recommended due to the collaborative efficiencies gained.
ON – Files owned by users in yourdomain.com can be shared outside of yourdomain.com
This is the default setting for Google Apps, which allows Google Drive users to share files outside of their own domain. Although sharing outside the domain represents a data loss risk, the convenience of file sharing and real-time collaboration is one of the biggest value-adds of the Google for Work platform. Unless there is a compelling legal reason to constrain sharing outside of the organization, Google Drive admins would be remiss to not at least consider enabling external sharing. In addition to proper user education, there are additional admin controls (see below) which limit the likelihood of accidental data exposure.
For files owned by users in yourdomain.com warn when sharing outside of yourdomain.com
For data security purposes, it is highly recommended that this setting be enabled if external sharing is turned on. With this box checked, end users will receive the following pop-up prompt when attempting to share to an email address outside their own organization:
“You are sharing to (email address of external user) who is not in the Google Apps organization that this item belongs to.”
They are then required to explicitly click “yes” to proceed. At the expense of minor end user inconvenience, the threat of accidental external sharing is greatly reduced.
Allow users in yourdomain.com to send sharing invitations to people outside yourdomain.com who are not using a Google account
If this box is checked, end users can share files to non-Google Apps addresses. The recipient will then receive an email notifying them that a file has been shared with them and providing an access link. This represents a risk because while even external Google Apps users need to be authenticated in order to view a shared file, non-Google users have no way of proving their identity in the Google system. Administrators are therefore required to choose one of two options when enabling external sharing to non-Google accounts:
Require Google sign-in for external users to view file
Forces external users to create a free Google account in order to view or edit the shared document. This option is more secure because even though the external party will be using a consumer account, they are still required to sign in with a username and password.
Allow external users to preview file without Google sign-in
This option is less secure, but more convenient for the external user. Users without Google accounts will be able to preview the document, but not make edits. Non-Google users would also be able to forward the invite along, or download the file. Therefore, this setting represents a much higher risk of data exposure than requiring a Google sign-in. Before enabling this setting, you should weigh the convenience factor against the potential security risks.
Allow users in yourdomain.com to publish files on the web or make them visible to the world as public or unlisted files
Enabling this setting permits users to change the link sharing setting of a file to “anyone with the link” or “public on the web.” The former makes the file accessible to anyone who has the Google Drive file’s URL, whereas the latter not only makes the link accessible, but also publicly indexes the file, meaning it could show up in ordinary web search results. This setting is useful for users who want to make documents easy to access by embedding URLs on internal or external websites, or by attaching to emails (e.g. sales, marketing, etc.). However, this setting poses a security risk if a sensitive document is shared publicly. The recommendation, therefore, is to ensure users are properly trained to use Google Drive to prevent accidental exposure of data.
Link Sharing Defaults
These options allow an administrator to change the default behavior of newly created documents and files within Google Drive. It’s important to note that users may still override the default, but they will need to take that action on each document, file, or folder individually.
This is the default setting for Google Apps. With link sharing defaulted to “off,” a new file will remain private to the owner until the owner specifically chooses to the share the file, or moves the file into a shared Google Drive folder. This is the most secure setting, and is highly recommended for all but the most transparent organizations.
ON – Anyone at yourdomain.com with the link
If the default for link sharing is set as “on,” every new file or document created can be viewed by anyone in the organization, but only if they have the exact URL. Because Google Drive URLs are very complex, it’s unlikely that the document could be found, although this setting does create the risk of accidental internal data exposure and is generally not recommended.
ON – Anyone at yourdomain.com
If this setting is enabled, every new file or document created will be visible and searchable internally. This setting carries the highest risk of accidental internal data exposure because any user within the organization may find any other user’s documents by searching Google Drive. Therefore, this setting is generally not recommended.
There are four primary tactics for mitigating data loss due to improperly or maliciously shared files:
- restriction of sharing capabilities
- user education
- passive monitoring (audits)
active monitoring (policies)
Of these tactics, restriction of sharing and user education is possible for basic Google for Work subscribers, while a Google Apps Unlimited subscription allows admins to conduct basic audits. Advanced passive and active monitoring requires a third-party application, such as BetterCloud.
Restriction of Sharing Capabilities
Restriction of sharing capabilities is typically the instinctive reaction for admins concerned about security. However, this approach often discourages the use of Google Drive and has a counterproductive effect.
We strongly recommend comprehensive user training as an effective mitigation strategy for data loss due to policy violations. Training should describe in detail individual sharing permissions (e.g. viewer, editor, commenter) and link sharing options. The curriculum should also include a review of restrictions which can be enabled on the end user side, such as the ability to restrict editors from re-sharing a document, or the option to prevent viewers from being able to download certain file types. This ensures that users know exactly what happens when choosing sharing settings and can reduce the risk of accidental data exposure.