How Google Cloud can boost your company's security - power2Cloud

When it comes to data security there are two main pain points related

• to the use of office automation tools
• to the services you offer your clients.

Adoption of Google Cloud products and services can increase the protection of your data, optimize resources and thus the ROI, but it must be accompanied by a corporate culture and skillful digital transformation. 

In this article we have shared some thoughts and best practices, although it is only with a targeted advisory that you can analyze all the IT tools you use and highlight potential vulnerabilities.

Digital transformation before adoption of Google Cloud tools

Let's start with the tool we all use on a daily basis. Many people choose Google Workspace to move to a security-aware environment, but they only consider email services, so they end up not taking advantage of many features included in the suite. 

What is the risk? Exposing sensitive data. Let's see why: there are still many users who access Google Workspace, thus increasing protection against SPAM and phishing, but still store data locally on the computer, use an email client and not Google's web interface, have inadequate office automation tools, and a poorly updated operating system.

Even so, Google Cloud offers a secure work environment and enterprise tools, such as Documents, Worksheets, Presentations, and Photos, accessible from the browser, which armor customer and user data.

It goes without saying that digital transformation must precede the adoption of cloud tools to make all business processes efficient.

Google Workspace: choose the right version to boost security

If the adoption of new business tools is accompanied by a wise digital transformation, the next step is to extend security with an upgrade to the version of Google Workspace best suited to your needs. 

Monitoring and security tools are capillary with respect to users' data and activities and are directly proportional to the version of Google Workspace adopted.

Let's try to give a brief recap:

• Starter: email, data, and video conferencing are secure and protected, with implementations on password and access protection such as two-step verification and compliance policy monitoring.
• Business Standard in addition to the benefits of the previous version, you can share sensitive information and data with domains or organizations outside your own in a protected and secure manner, download reports and insights for the purpose of monitoring your data protection levels. You can also store data in a specific geographic location of your choice between Europe or the United States. 
• Business Plus to manage your company's mobile devices, data retrieval capabilities with Vault useful for storing, collecting and exporting your users' data. You can control your data on Vault and remove it when you no longer need it. With this version you will be able to manage your users' session duration times.
• Enterprise, the security approach is undoubtedly predominant over previous editions, and is suitable for larger organizations. In addition to the advanced security and compliance policies, you can manage additional policies to prevent your sensitive data (credit cards etc..), control user access based on their context and device, and download advanced reports on your organization's security.

If you are a small business, here's how to increase security

Protect your accounts

• uses unique passwords;
• enable two-factor access to verify user identity;
• add account recovery options;
• keep backup codes;
• create a super administrator account;
• add password recovery information for super administrators;
• super administrators should not remain logged into their own account;
• set automatic updating of applications and browsers.

If you use Gmail, Calendar, Drive, Documents

• enables advanced scanning of messages before delivery;
• use additional malicious file and link filtering features for Gmail;
• make sure recipients don't mark your emails as SPAM;
• limit Calendar sharing to outsiders;
• check users so they can view newly created files;
• warn when someone has shared a file with people outside your company;

If you're a large or medium-sized business, here's how to increase security

Account

Enable multi-factor authentication:

• Two-step verification;
• Security token at least for administrator and most important accounts.

Protect passwords:

• Avoid password reuse;
• Choose unique passwords.

Prevent and heal account compromise:

• enable reports and alerts on activities;
• configures email alerts for administrators;
• enables access verification for users;
• security checklists;
• disable Google data downloading when necessary;
• prevent unauthorized access when an employee leaves your company.

App  

• Restrict third-party app access to core services;
• block access to less secure apps;
• create a list of trusted apps;
• checks access to Google's core services;

Calendar 

• Limit external sharing of calendars;
• warns users when they invite external guests.

Google Chat

• Limits who can chat with external users;
• enables warning for users chatting outside the domain;
• sets rules for chat invitations.

Chrome Browser and Chrome OS Devices

• Upgrade Chrome and Chrome OS browsers;
• forces reboot to install updates;
• configure basic policies for Chrome OS devices and Chrome browser;
• sets advanced Chrome browser policies;
• sets a Windows desktop browser policy;

Drive

Limits sharing and collaboration outside the domain:

• Sharing options for your domain;
• check settings related to link sharing;
• warn users when they share a file outside the domain;
• allow file access only to recipients;
• prevent users from publishing to the Web;
• require external contributors to access Google;
• limit users who can move content from shared drives;
• exploit content sharing in new shared Drives;

Limit local copies of Drive data

• Disables access to offline documents;
• Disables access to Drive from desktop.

Checks third-party application access to data

•  Do not allow the use of add-ons within "Google Docs".

Protect sensitive data

• Block or display a warning about sharing files with sensitive data.

Gmail 

Configure authentication and infrastructure:

• Authenticate emails with SPF, DKIM and DMARC;
• configures inbound email gateways to be SPF compliant;
• forces partner domains to use the TLS protocol;
• require sender authentication for all approved senders;
• configure MX records for proper mail flow.

Protect users and organizations:

• Disable IMAP/POP access;
• disables automatic forwarding;
• enable full mail archiving;
• do not bypass spam filters for internal senders;
• add setting for spam headers to all default routing rules;
• enable advanced scanning of messages before delivery;
• enable delivery alerts to external recipients;
• enables additional protection for attachments, links, and external content;
• enables additional security measures against spoofing;

Security considerations for day-to-day Gmail activities:

• Beware when you choose to ignore spam filters;
• don't include domains in the list of approved senders;
• do not add IP addresses to the allowed list.

Protect sensitive data:

• Scans and blocks emails with sensitive data.

Google Groups

• Use groups designed for safety;
• add security conditions to administrative roles;
• set private access to groups;
• limit creation of groups to administrators;
• customizes access settings to groups;
• disables some access settings for internal groups;
• enables spam moderation for groups;

Google Cloud Platform: "lift and shift" migration or decomposition into microservices

We've talked about e-mail and the data that is carried with attachments, documents, presentations, and throughout the corporate archive, but also at risk is the performance of your services. 

If your eCommerce for example stops working due to unexpected user access (Black Friday, promotions...) the customer experience is compromised, users abandon the shop and look at your services with distrust. 

For poorly maintained services, there is a high probability that sensitive data will be overexposed and your company may lose revenue, both because of purchases that are not completed and because of the time your resources will have to devote to resolving these critical issues.

If your company exposes services on the Internet what you need to ask yourself is, can I run an efficient service or can I optimize it by breaking it down through Google Cloud features?

For those who want to migrate their services to Google Cloud Platform (GCP) there are two opportunities: 

• migration lift and shift 
• migration geared to offer the same service with tools managed directly by Google. 

This last opportunity has countless advantages in terms of security, resilience, and quality of service offered, so you can focus on the quality of what you offer and not on the burden of management.

If you dispense the eCommerce service an inexpensive provider and directly manage a virtual machine, you can migrate to Google Compute Engine; if you want to increase the level of security and want to offer your customers the same service using tools that Google directly provides you can use the database offered as Google's "platform service" ( Cloud SQL ) and perhaps make your application available on microservices (Docker) through Google Application Engine.

Through this second solution, the company doesn't have to worry about managing the virtual machine, but instead buys managed services directly from Google that allow it to not have the burden of managing the server and thus have, a higher level of security.

Why the cloud is more secure than on-premise: here are the trends

If you use an on-premise system, here are some issues you should not ignore that are driving the development of cloud security and will continue to do so for the foreseeable future.

• Economy of scale: decreases the marginal cost of security 

Public clouds are large enough to implement levels of security and resilience that few organizations have created before. Google operates a global network, builds systems, networks, storage, and software stacks, and has a default level of security that has never been seen before. Google prioritizes security, but prioritizing security becomes easier and cheaper because the marginal cost of security decreases per unit of deployment. 

Finally, where more cost is needed to support specific configurations, this has also decreased as a function of high demand and new tools available. 

• Shared responsibility model

The responsibility-sharing model that has underpinned cloud computing since its early days dictates that the cloud provider is responsible for protecting its products and services, while the customer is responsible for secure configuration, data protection, and access permissions.

• The cloud: benefits for the many from the needs of the few 

If companies are unable to apply security resources (realistically happens even in larger organizations), an optimal security strategy is to adopt every update provided by the cloud provider to protect networks, systems, and data. It is like tapping into a global digital immune system.

• Increased speed of implementation

Cloud providers use a software development model through continuous delivery/continuous integration. This is a necessity to enable innovation through frequent improvements and security updates, achieving reliability at scale. 

• Simplicity of use

A common concern related to moving to the cloud is that it is too complex. Certainly, starting from scratch and learning all the features offered by the cloud can be daunting. However, today's feature-rich cloud offerings are much simpler than previous on-premise environments, which are among other things much less reliable. 

• Sustainability

The cloud can more easily meet deployment needs close to the context in which one lives; workloads can be more easily deployed on more energy-efficient infrastructure. This, along with the inherent efficiency of the cloud due to better resource utilization, gives the cloud more sustainability.

For personalized advice and to increase security in your business book an appointment with one of our experts.