power2Cloud, 15/05/23, 7 min

10 steps to improve security with a Google administrator account

Google Workspace is the office automation platform that enables organizations of all industries and sizes to work securely and improve productivity and collaboration even on the move, whether from a phone or a PC.

If you have access as a Google Console administrator, you can increase corporate privacy and security with some best practices which we have summarized below for you.

What is a Google administrator account and what does it allow you to manage?

If you work with Google Workspace you already know that there are two types of accounts, the user account and the administrator account.

The user account has an email address with the company domain and an account that allows it to access Google Workspace services. You can create accounts to use as mailing lists and assign alternate email addresses to users. 

If you have an administrator account (admin) you have access to an internal application called Google Console, with which you can perform advanced actions through the use of the interface.

You can manage users and devices, here are some examples:

    • customize Google Workspace accounts by adding the company logo, which will be visible within the pages of services such as Gmail, Calendar and Drive

    • enable Gmail offline from the Console for all users to work on email even without connection (each individual user later can enable the feature)

    • in the case of staff turnover, when deleting an account we recommend changing its credentials to prevent employees who are no longer active in the company from accessing data, and using the data backup service Google Takeout if you use the Google Workspace Starter and Standard versions. If you use advanced versions such as Google Workspace Plus and Enterprise, you must activate Google Vault. In both cases the administrator can use the deleted user's license to activate new accounts.

Let's turn instead to the 10 practices that you can implement to improve the security of your work environment by using all the features of the administrator account.

1. SSO access with Google

Single Sign-on (SSO) is a feature that allows you to authenticate using Google credentials to access multiple independent software systems.

This means that if you use multiple enterprise cloud applications, you will not have to re-enter your information each time you choose to log in. This feature is integrated with secure identity verifications such as multi-factor authentication. You can configure SSO on all Chrome devices and browsers.

2. Chrome browser

Chrome is the browser that allows you to safely and securely access your account, through integration with HTTPS, the leading encryption mode for Internet browsing.

With this browser, you can use Google Workspace products and view personalized search results by synchronizing favorites and settings across your devices, making browsing easier and more effective.

The Google Console administrator can block access to websites deemed dangerous in addition to managing Chrome for the company's organization by monitoring installed web extensions or browsing history.

The browser has integrated Chrome Web Store from which you can install applications to enhance web page navigation by integrating numerous features.

You can also configure automatic updates on Chrome to keep your browsing data protected at all times.

3. Drive Management

With Google Drive, the company's cloud storage space, the content you upload is always protected even when you share folders, documents and files with other users who can view, comment or edit them.

In addition, the administrator can block any sharing of content to the outside world or allow it to be processed only by certain stakeholders.

Data can be moved (if you use the Google Workspace Standard, Plus, Enterprise version) to different sections of the shared Drives (dedicated perhaps to different teams) or to users' personal ones with the administrator's ability to monitor access and be updated in a timely manner on any loss of content through notification rules set by Console. 

Company files and folders that have been deleted, whether deliberately or unintentionally, can be restored and archived by an administrator for up to 25 days depending on the Google Workspace license you have (with Google Vault in the Plus and Enterprise versions you can archive Drive content indefinitely).

4. Advanced MDM

Advanced MDM (Mobile Device Management) is a feature available from the Google Workspace Plus and Enterprise version.

If you have a lower version you still have access to its features, but with less detailed controls.

With MDM you can manage all Android, iOS, and Google Sync mobile devices and monitor account accesses made from computers as well.

As an administrator, you can force users to log in only from corporate devices registered to the Console via the hardware serial number and centrally install a variety of work applications for your users even from the Chrome browser.

Notifications about any suspicious access are reported to the administrator who can act promptly by denying or approving authorization even from other devices if deemed safe.

Modes of control vary depending on the type of device. 

If the device is corporate, that is, registered by the organization, the administrator will have full control of the data.
The administrator can apply more restrictions and enforced settings to these devices because they are directly monitored by the Console.

With advanced MDM, it is possible to manage corporate work profiles to divide work applications (installed directly by the administrator) from personal ones, so as to avoid contamination of information with external apps.

5. GDPR

With Google Workspace in Standard, Plus and Enterprise Standard versions you are always protected in compliance with GDPR regulations.

Google Workspace and Cloud Identity use the Cloud Data Processing Addendum or ATCD to meet all legal, security, and contractual requirements for the transfer and processing of data in accordance with the laws of the European Union, United Kingdom, and Switzerland.

6. Data storage based on geographical location  

In the Google Workspace Standard, Plus and Enterprise Standard versions, it is possible to store corporate data in two geographic locations or data centers present in Europe and the United States, allowing the administrator to choose according to his or her needs related to privacy and legal compliance of corporate data use. In particular, in the Enterprise Plus version you can manage the data region by organizational unit or by specific groups of users.

7. Ask administrators and primary users to provide further proof of their identity

To have no doubt about the identity of those accessing your business data, we recommend using two-step verification (V2P).

This procedure is especially important for administrators and users who work with sensitive data, such as financial records and employee information. 

If someone steals a password, two-step verification can prevent them from accessing your account.

With V2P, users must verify their identity through something they know, the password, and something in their possession, such as a physical key or a passcode received by text message or phone call on their cell phone.

Where possible, it would be best to verify access with a FIDO-compliant security token, i.e., a USB key containing a code specific to that user and required to access Google. 

The security token is a sensitive access mode authenticated solely by the hardware installed on the device.

8. Create an additional super administrator account

A business should have more than one super administrator account, each managed by a different person.

If one account is lost or hacked, Google Workspace gives the backup super administrator the ability to perform critical tasks while the other account is restored.

You can create another super administrator by assigning the role to another user directly from the Console.
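A way to check steps 7 and 8 against an exported user list, as an added example that is not part of the original article or Google's own tooling. It assumes records shaped like the Admin SDK Directory API user resource (fields isAdmin, isDelegatedAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended); the accounts, the function name audit_admins and the finding codes are constructed for illustration.

```python
import json

# Constructed sample (not real accounts), shaped like the "users" array
# returned by the Admin SDK Directory API users.list method.
SAMPLE_USERS = json.loads("""[
 {"primaryEmail": "alice@example.com", "isAdmin": true, "isDelegatedAdmin": false,
  "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true, "suspended": false},
 {"primaryEmail": "bob@example.com", "isAdmin": false, "isDelegatedAdmin": true,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "suspended": false},
 {"primaryEmail": "carol@example.com", "isAdmin": false, "isDelegatedAdmin": false,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "suspended": false},
 {"primaryEmail": "dave@example.com", "isAdmin": true, "isDelegatedAdmin": false,
  "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true, "suspended": true},
 {"primaryEmail": "erin@example.com", "isAdmin": false, "isDelegatedAdmin": true,
  "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false, "suspended": false}
]""")


def audit_admins(users, min_super_admins=2):
    """Return (code, detail) findings for steps 7 and 8 (hypothetical helper)."""
    active = [u for u in users if not u.get("suspended", False)]
    supers = [u for u in active if u.get("isAdmin")]
    delegated = [u for u in active if u.get("isDelegatedAdmin")]
    findings = []
    # Step 8: a suspended super admin cannot act as the backup account.
    if len(supers) < min_super_admins:
        findings.append(("TOO_FEW_SUPER_ADMINS",
                         f"{len(supers)} active, {min_super_admins} wanted"))
    # Step 7: every account holding an admin role should use 2-step verification.
    for u in supers + delegated:
        role = "super admin" if u.get("isAdmin") else "delegated admin"
        who = f"{u['primaryEmail']} ({role})"
        if not u.get("isEnrolledIn2Sv"):
            findings.append(("ADMIN_WITHOUT_2SV", who))
        elif not u.get("isEnforcedIn2Sv"):
            # Enrolled voluntarily: the user can still turn it off.
            findings.append(("2SV_NOT_ENFORCED", who))
    return findings


if __name__ == "__main__":
    for code, detail in audit_admins(SAMPLE_USERS):
        print(f"{code}: {detail}")
```

Regular users such as carol are left out of the report on purpose; widen the loop if accounts that handle sensitive data should be held to the same rule.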

9. Don't stay connected all the time

Google super administrators do not have to stay logged in to their account all the time. Logging in to perform specific tasks and then logging out is best in terms of security.

Remaining logged in to a super administrator account when not performing specific administrative tasks can increase exposure to malicious activities.

All those functions that require daily maintenance should be performed using an account with limited administrative roles.

You can set up work sessions with a preset time so that once this expires, the administrator will have to log in to the account again.

10. Use reports to monitor team activity

As an organization administrator, you can use the Reports and Audit Logs from the Console to examine abnormal behavior or to view an overview of administrative information useful for monitoring the activities of your users.

Audit reports provide a comprehensive view of your users' data such as checks on login IPs, last login, amount of space used, and emails sent and received in a given time period.

You can also monitor via reports the usage of the various Google Workspace applications, seeing how long it takes the user to work on an application, allowing you to receive feedback to improve company productivity.

You can also receive real-time notifications about hacker attacks and third-party attempts to tamper with your data, as well as updates and security-related alerts, from the Gmail app on mobile.
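The login-IP check described in this step, as an added example that is not part of the original article. It assumes login audit records shaped like Admin SDK Reports API "login" activities (id.time, actor.email, ipAddress, events[].name); the events, the watched-account list, the function name review_logins and the alert codes are constructed for illustration.

```python
from collections import defaultdict

def _ev(time, email, ip, name):
    # Build one constructed record in the assumed Reports API activity shape.
    return {"id": {"time": time}, "actor": {"email": email},
            "ipAddress": ip, "events": [{"name": name}]}

# Constructed sample, deliberately out of order (not real logs).
SAMPLE_EVENTS = [
    _ev("2023-05-12T02:13:00Z", "alice@example.com", "203.0.113.77", "login_success"),
    _ev("2023-05-10T08:01:00Z", "alice@example.com", "198.51.100.10", "login_success"),
    _ev("2023-05-11T09:00:00Z", "alice@example.com", "198.51.100.10", "login_success"),
    _ev("2023-05-12T02:10:00Z", "alice@example.com", "203.0.113.77", "login_failure"),
    _ev("2023-05-12T02:11:00Z", "alice@example.com", "203.0.113.77", "login_failure"),
    _ev("2023-05-12T02:12:00Z", "alice@example.com", "203.0.113.77", "login_failure"),
    _ev("2023-05-12T02:30:00Z", "carol@example.com", "192.0.2.9", "login_failure"),
    _ev("2023-05-12T03:00:00Z", "bob@example.com", "192.0.2.5", "suspicious_login"),
]


def review_logins(activities, watched, max_failures=3):
    """Return (account, code, ip) alerts for the watched admin accounts."""
    known_ips = defaultdict(set)   # IPs each account has logged in from so far
    failures = defaultdict(int)    # consecutive failures per account
    alerts = []
    # Same-format UTC timestamps sort correctly as strings.
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        who = act["actor"]["email"]
        if who not in watched:
            continue
        ip = act.get("ipAddress", "unknown")
        for ev in act["events"]:
            if ev["name"] == "login_failure":
                failures[who] += 1
                if failures[who] == max_failures:
                    alerts.append((who, "REPEATED_FAILURES", ip))
            elif ev["name"] == "login_success":
                # The first IP seen is the baseline; later new ones are flagged.
                if known_ips[who] and ip not in known_ips[who]:
                    alerts.append((who, "NEW_IP", ip))
                known_ips[who].add(ip)
                failures[who] = 0
            elif ev["name"] == "suspicious_login":
                alerts.append((who, "GOOGLE_FLAGGED", ip))
    return alerts
```

A run of failures followed by a success from an address the account has never used is the pattern worth escalating first, since it shows up as two alerts on the same IP.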

 

Do you use these best practices? 


power2Cloud as a Google Cloud partner provides consulting, training and support.

We help you set up all Google Console functions according to your needs.
