Top 10 Questions to Secure Your Google Workspace

Google Workspace is the go-to platform for companies of all sizes–and for a good reason. It's a suite of storage, collaboration, and productivity tools designed to make it easy to collaborate in real-time and access various Google applications from anywhere. However, with the evolving cyber threats, security has become a growing concern among organizations that use cloud platforms, including Google Workspace. 

We must acknowledge that Google invests millions in its cloud structure's security. But note that it also operates on a shared responsibility model. For your own part, there are a few security practices you can follow as the domain administrator and protect your data and users against growing attack surfaces. This article compiles 10 security questions you need to ask yourself to achieve that. 

Good to know: Google offers a passive security checklist and a simple Security Checkup to let you assess your Google Workspace security on an account level. 

1. Have you strengthened the user identity verification process?

Google helps organizations protect their users and data with its threat indicators as well as its BeyondCorp security model. On top of that, as an administrator, you can make use of Cloud Identity to monitor users, devices, and applications in your workspace from the Google Admin Console. Nonetheless, organizations should adopt a zero-trust approach to minimize intrusion. That being said, in order to fend off security threats focused on users, such as account breaches or password cracking, you can:

  • Enforce strong passwords: Send regular password change reminders to users and monitor password difficulties.
  • Ensure all users deploy two-factor authentication (2FA): In order to protect sensitive data or against credential theft, enforce two-step verification for user logins.
  • Set up multiple factor authentication (MFA) for users: For increased protection against phishing, MFA is one of the best security practices for Google Workspace.
Related query in Resmo
SELECT primaryEmail FROM gsuite_user WHERE isEnforcedIn2Sv = false

2. Have all users in your Google Workspace configured a recovery email and phone number?

Setting up a recovery email and phone number might be easy to overlook, but they play a critical role in regaining access to your Google accounts. If any of your workspace users lose access to their accounts and they have no recovery email or phone number configured, they might lose access to the account forever. 

In the realm of possibility, employees might unknowingly cause insider threats by simply skipping this step. Therefore, as the workspace administrator, you must take over responsibility for ensuring and monitoring proper recovery account configurations to avoid data breach incidents.

Related query in Resmo
SELECT primaryEmail FROM gsuite_user WHERE recoveryEmail IS NULL

3. Do the groups in your workspace have proper permissions?

Google Workspace allows organizations to form groups to streamline communication and collaboration across teams. Administrators can use groups to configure features, services, and permissions for different groups of users in a workspace. Practical as it may be, unmonitored and misconfigured groups might turn into a source of security vulnerabilities.

Not so long ago, in 2020, to be exact, Google announced a new beta feature that enables creating "security groups." That feature is now generally available. Security groups help you quickly monitor, audit, and regulate groups used for permission and access control reasons by adding a security label. Admins can assign and manage a security group. This will help ensure that external or non-security groups cannot have incorrect permissions.  

Whether or not you implement the security groups feature, make sure the following group permissions are set correctly in your Google Workspace:

  • Member moderation permissions
  • Content moderation permissions
  • Metadata moderation permissions

There are many permission control queries in Resmo; the examples used in this article are only a few of them.

Related query in Resmo
SELECT name, whoCanModerateMembers FROM gsuite_group_settings WHERE whoCanModerateMembers = 'ALL_MEMBERS' 

4. Are you aware of synced apps and devices in your Google Workspace?

Synced apps and devices in a Google Workspace may lead to unwanted security incidents. As the number of applications and devices increases, so does the attack surface expansion. Luckily, there are a lot of security measures you can take to secure your Google Workspace environment.

  • Review all apps and their permissions and enforce approval before adding third-party apps.
  • Block access to less secure apps in your domain.
  • Control access to Google core services such as Drive, Gmail, and Calendar.
  • Control app access to Google Workspace data.
  • Apply device restrictions in your workspace.
  • Regularly monitor synced devices and assess based on your company's device policy.
Related query in Resmo
SELECT deviceId, customerId, devicePasswordStatus, email, resourceId FROM gsuite_mobile_device WHERE '<email>' IN email

5. Have you improved users' email security?

Phishing emails, spoofing, or other threats that crawl into organizations' mailboxes form another cybersecurity attack surface that should be guarded well. A few best practices to strengthen your Google Workspace users' email security are listed below.

  • Use Email DLP: Gmail DLP allows you to leverage predefined content detectors to scan inbound or outbound emails and detect sensitive data.
  • Reconsider auto-forwarding: Auto-forwarding enabled in Gmail settings might cause security vulnerabilities.
  • Detect and delete malicious emails: Google lets you identify all users in your domain that have received a specific email or malicious emails and delete it with the Investigation Tool. (Premium feature for Enterprise Plus or Education Plus accounts)

Suggested reading: Top 10 Slack Security Tips

6. Do you manage users and assigned roles in Google Workspace?

Managing role-based access controls is a cornerstone of a secure Google Workspace. With incorrectly assigned roles, you might face security accidents or insider threats. To avoid risks, super admins can limit the number of admins in an organization, who have access to audit logs, the investigation tool, the security dashboard, and more. 

Additionally, you can add and remove specific admin privileges. Regularly, if not continuously, monitor user roles for security and privacy purposes. Administrators can view user roles and privileges in a workspace environment from the Admin Console. 

Related query in Resmo
SELECT, u.primaryEmail, r.roleName FROM gsuite_role_assignment a, gsuite_role r, gsuite_user u WHERE a.roleId = r.roleId AND = a.assignedTo

7. Are Chrome browsers securely used in your workspace?

As an administrator, there are a few Chrome security best practices you can implement in your Google Workspace environment to protect users. These include the following:

  • Enforce a relaunch on Chrome browser update for the latest security patches.
  • Set basic Chrome browser policies: Allow password manager and enable Safe Browsing.
  • Set up advanced browser policies to prevent unauthorized access, unsafe downloads, and data leaks. These policies are:
  • AllowedDomainsForApps: Allow access to your Google services and tools only to users from a domain you specify.
  • SitePerProcess: Enable each site to run in Chrome browsers as a separate process to prevent malicious sites from stealing data from another website.
  • DownloadRestrictions: Block dangerous downloads.

8. Have you ensured Google Drive security?

Google Drive is a widely used online storage and file sharing solution for many organizations, so it is necessary to manage Drive settings for data protection and security. Some of the best practices are:

  • Set up a default for link sharing based on your company's policies.
  • Automatically warn users when they try to share files outside your domain.
  • Disable offline access to files in order to prevent local storage.
  • Set up Drive DLP rules to protect sensitive data.

9. Are your Google Workspace domain names verified?

Domain verification helps you guarantee that no one outside your organization is using your domain for Google services without your knowledge. If not verified, bad actors may misuse your domain, edit, steal, delete, or spread sensitive information.

Related query in Resmo
SELECT domainName FROM gsuite_domain WHERE verified = true

10. Have you enabled advanced phishing and malware protection?

We have briefly mentioned some methods of ensuring Gmail security for your users in an earlier question, but Google's phishing and malware protection settings are worth mentioning separately. Using the advanced security settings, you can turn on:

  • Attachment protection
  • Suspicious email protection for IMAP users
  • Spoofing and authentication protection
  • External links and images protection

Are you performing regular security audits for your Google Workspace?

All these best practices for Google Workspace can take your security posture a few steps further, but security efforts only pay off when practiced continuously. Resmo was born out of that very need; the ability to harness the power of centralized visibility and continuous monitoring for security and compliance. It lets you see all your cloud and SaaS assets and configurations in one place, including Google Workspace.

Google Workspace security query on Resmo

You can:

  • Automatically audit your Google Workspace configurations and user permissions.
  • View all resources in one place without needing manual controls across siloed native or third-party solutions
  • Query your Google Workspace assets with SQL 
  • Set up notification rules to receive real-time alerts when someone in your organization configures settings against your rules. Find the actor, and close security gaps faster.

Continue Reading