
Google Workspace Security Best Practices

Reco Security Experts
Updated November 21, 2024

Google Workspace Security Best Practices: Why the Security Baseline May Not Be Enough

When a company initially sets up Google Workspace (GW), it comes with default security configurations designed to balance usability and protection. These baseline settings are appropriate for general business needs but don't account for the unique security challenges some organizations face, especially in industries like finance, healthcare, or government. Default settings may leave businesses exposed to potential security risks, which is why you need to follow security best practices and adjust the configuration. Reasons the baseline configuration may not be enough include:

Regulatory and Compliance Requirements

Many industries are subject to stringent regulations such as GDPR, HIPAA, and CCPA, which require higher standards for data protection and privacy. The default security settings in Google Workspace may not meet these requirements, putting companies at risk of non-compliance and potential legal issues. Configuring custom security policies can help organizations comply with industry standards and avoid costly fines.

Insider Threats

Employees are often a weak link in any security chain, whether through unintentional errors or malicious actions. Google Workspace's baseline settings may not provide adequate controls to monitor and restrict access to sensitive information. By adjusting security settings, organizations can implement advanced tools that help monitor and control data access based on user behavior, reducing the risk of insider threats.

Insufficient Access Controls

The default access settings in GW are generally permissive to simplify collaboration, which can create security risks if not carefully managed. Adjusting access controls, like enforcing two-step verification (2SV), limiting sharing permissions, and regularly auditing access logs, adds layers of security, reducing the risk of unauthorized access to sensitive data.

Inadequate Mobile Device Management

As remote work becomes more prevalent, employees increasingly use personal devices to access corporate data in Google Workspace. While Workspace offers some mobile device management capabilities, the default settings may not be sufficient for companies with extensive remote workforces or sensitive data. Configuring advanced device security options allows organizations to enforce device encryption, restrict access from unauthorized devices, and remotely wipe devices if they’re lost or stolen.

Security Best Practices to Implement

Two-Step Verification

The first and most important step is to enable two-step verification. Passwords can be compromised through various means, such as phishing attacks or data breaches. 2SV mitigates this risk by requiring users to provide additional verification methods, such as a text message code, authentication app, or a security key. Google provides various options for implementing 2SV. To enable this feature, follow these steps:

1. Go to the Google Workspace admin panel at https://admin.google.com

2. On the left panel, navigate to Security > Authentication > 2-step verification.

Above is the screenshot of the Google Workspace Admin Console displaying the navigation path to configure 2-step verification settings under Security > Authentication.

3. The 2-Step Verification window opens. Select the scope for the change under Security Settings. The scope can be an organizational unit or a group. To enable 2SV at the organization level (the recommended option), select the root organizational unit.

The screenshot shows the two-step verification settings in the Google Admin Console for the Testdome unit, with options for setting up extra verification methods to improve account safety.

4. On the right side of the window, under the Enforcement section, select either On (to enforce 2SV immediately) or On from Date (to give some grace period for the users).

The screenshot shows the Enforcement section on the right side of the window in the Google Admin Console, with options to select ‘On’ to enforce two-step verification immediately or ‘On from Date’ to set a future start date.

5. Use the drop-down menu under the New user enrollment period to specify how much time new users have to configure 2SV for their accounts. None or 1 day are the most secure options.

This screenshot displays the Google Admin Console drop-down menu for setting a time frame within which new users must configure two-step verification.

6. Enabling the Allow user to trust the device feature lets users skip the repeated second verification step on their trusted devices.

The screenshot shows the "Allow user to trust the device" feature in Google Workspace Admin Console, which lets users skip two-step verification on trusted devices.

7. In the Methods section, choose which second-step methods users may use for their verification. Any is an acceptable option in most cases. Only security key is the most secure option, but it requires additional administrative effort and the provisioning of physical keys. This option is therefore used only in industries where this approach is required, or only for users who have access to highly restricted information.

This screenshot shows the Methods section in the Google Workspace Admin Console, where administrators can choose the second-step verification methods for users.

8. Selecting the Only security key option enables additional settings, such as the 2SV policy suspension period and the ability to use security codes (a backup option for one-time access when a key is unavailable).

It shows the settings that appear when the ‘Only security key’ option is selected in the Google Admin Console. It allows administrators to set a 2SV policy suspension period and enable backup security codes for one-time access in case the security key is unavailable.

9. Press Save to apply the changes.
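
To confirm that the enforcement scope and enrollment period configured above actually cover every account, the following added example (not part of the original article, and not Reco's or Google's code) audits user records shaped like an Admin SDK Directory API users.list response. The sample accounts, the audit_2sv function and its severity labels are constructed for illustration; the field names are those of the API's User resource.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Directory API users.list response.
# Field names follow the API's User resource; accounts and dates are made up.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
     "creationTime": "2023-02-01T09:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "creationTime": "2022-05-10T09:00:00.000Z"},
    {"primaryEmail": "adm-carol@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False,
     "creationTime": "2021-01-15T09:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "creationTime": "2024-11-20T08:30:00.000Z"},
    {"primaryEmail": "erin@example.com", "isAdmin": False, "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "creationTime": "2020-03-03T09:00:00.000Z"},
    {"primaryEmail": "adm-frank@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "creationTime": "2021-07-07T09:00:00.000Z"},
]

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}


def parse_time(value):
    """Parse the timestamp format used in the sample, e.g. 2024-11-20T08:30:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_2sv(users, now, enrollment_period_days=1):
    """Return (email, severity, reason) tuples for accounts that lack 2SV protection.

    enrollment_period_days mirrors the "New user enrollment period" setting:
    accounts younger than this are reported as INFO rather than HIGH.
    """
    findings = []
    for user in users:
        if user.get("suspended"):
            continue  # suspended accounts cannot sign in; handle them at offboarding
        email = user["primaryEmail"]
        privileged = user.get("isAdmin") or user.get("isDelegatedAdmin")
        age = now - parse_time(user["creationTime"])
        if not user.get("isEnrolledIn2Sv"):
            if privileged:
                findings.append((email, "CRITICAL", "admin account without 2SV"))
            elif age <= timedelta(days=enrollment_period_days):
                findings.append((email, "INFO", "new user inside enrollment period"))
            else:
                findings.append((email, "HIGH", "not enrolled in 2SV"))
        elif not user.get("isEnforcedIn2Sv"):
            # Enrolled voluntarily, but the user's OU or group is outside the enforced scope.
            findings.append((email, "MEDIUM", "enrolled but enforcement not applied"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))


if __name__ == "__main__":
    for finding in audit_2sv(SAMPLE_USERS, datetime(2024, 11, 21, tzinfo=timezone.utc)):
        print(*finding, sep="  ")
```

A MEDIUM finding usually means the account sits in an organizational unit or group that was left out of the scope selected in step 3.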

Privileged Account Management

Privileged accounts, such as those held by IT administrators, have elevated permissions that, if misused or compromised, could lead to serious breaches, data loss, or unauthorized changes to critical infrastructure. Proper privileged account management helps mitigate these risks by applying different security best practices, such as:

Use Account Separation Approach

For each IT administrator, two separate accounts should be created – one with privileged access to be used only for administrative tasks and one with regular permissions for daily activities such as the usage of Gmail, Google Drive, or Chat. By limiting privileged accounts to administrative tasks only, organizations reduce the risk of credential theft and unauthorized access to critical systems. This separation also allows for stricter security policies and more precise logging and monitoring, making it easier to detect unusual activity on privileged accounts.

Create a Break-Glass Account

A break-glass account is an emergency account with a Super Admin role that can be used as a last-resort access point to Google Workspace when standard administrative accounts become unavailable. Creating a break-glass account is critical to ensure continuity and access during unexpected lockouts (e.g., an IT admin loses the device used for two-step verification). Having this account enables quick recovery, minimizes downtime, and allows IT teams to address urgent security incidents or resolve access issues without delay.

Perform Regular Access Review

Over time, employees’ roles and responsibilities can change, leading to access privileges that may no longer be necessary or appropriate. By conducting regular reviews, organizations can identify and remove unnecessary privileges, thus minimizing the attack surface and enforcing the principle of least privilege described below.
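
The account separation, break-glass and access review practices above can be checked together. The following added example (not from the original article, and not Reco's or Google's code) reviews data shaped like the Admin SDK Directory API roles.list, roleAssignments.list and users.list responses. The "adm-" naming convention, the break-glass address, the 90-day staleness threshold and all sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

ADMIN_PREFIX = "adm-"                    # hypothetical naming convention for admin-only accounts
BREAK_GLASS = "breakglass@example.com"   # hypothetical emergency Super Admin account

# Constructed samples shaped like roles.list, roleAssignments.list and users.list
# responses of the Admin SDK Directory API. IDs, names and dates are made up.
ROLES = [
    {"roleId": "100", "roleName": "Super Admin", "isSuperAdminRole": True},
    {"roleId": "200", "roleName": "User Management", "isSuperAdminRole": False},
    {"roleId": "300", "roleName": "Accounts and OU operator", "isSuperAdminRole": False},
]
ASSIGNMENTS = [  # assignedTo holds a user ID here; group assignees are out of scope
    {"roleId": "100", "assignedTo": "u1"},
    {"roleId": "100", "assignedTo": "u2"},
    {"roleId": "200", "assignedTo": "u3"},
    {"roleId": "300", "assignedTo": "u4"},
    {"roleId": "100", "assignedTo": "u5"},
]
USERS = [
    {"id": "u1", "primaryEmail": "adm-carol@example.com", "suspended": False,
     "lastLoginTime": "2024-11-19T10:00:00.000Z"},
    {"id": "u2", "primaryEmail": "frank@example.com", "suspended": False,
     "lastLoginTime": "2024-11-20T10:00:00.000Z"},
    {"id": "u3", "primaryEmail": "adm-grace@example.com", "suspended": True,
     "lastLoginTime": "2024-09-01T10:00:00.000Z"},
    {"id": "u4", "primaryEmail": "adm-heidi@example.com", "suspended": False,
     "lastLoginTime": "2024-06-01T10:00:00.000Z"},
    {"id": "u5", "primaryEmail": BREAK_GLASS, "suspended": False,
     "lastLoginTime": "2024-01-10T10:00:00.000Z"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def review_access(roles, assignments, users, now, stale_days=90):
    """Return (email, role name, reason) for every assignment that needs a decision."""
    role_by_id = {r["roleId"]: r for r in roles}
    user_by_id = {u["id"]: u for u in users}
    findings, super_admins = [], set()
    for assignment in assignments:
        role = role_by_id[assignment["roleId"]]
        user = user_by_id[assignment["assignedTo"]]
        email, role_name = user["primaryEmail"], role["roleName"]
        if user["suspended"]:
            findings.append((email, role_name, "role still assigned to a suspended user"))
            continue
        if role["isSuperAdminRole"]:
            super_admins.add(email)
        if email == BREAK_GLASS:
            continue  # rarely used by design, so the staleness check does not apply
        if not email.startswith(ADMIN_PREFIX):
            findings.append((email, role_name, "privileged role on a daily-use account"))
        if now - parse_time(user["lastLoginTime"]) > timedelta(days=stale_days):
            findings.append((email, role_name, f"no sign-in for more than {stale_days} days"))
    if BREAK_GLASS not in super_admins:
        findings.append((BREAK_GLASS, "Super Admin", "no active break-glass Super Admin"))
    return findings


if __name__ == "__main__":
    for finding in review_access(ROLES, ASSIGNMENTS, USERS,
                                 datetime(2024, 11, 21, tzinfo=timezone.utc)):
        print(*finding, sep="  ")
```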

Implement the Principle of Least Privilege

This principle reduces the harm in the scenario of administrator account compromise by limiting each admin’s permissions to the minimum necessary to perform their specific tasks. Additionally, the Principle of Least Privilege helps to comply with regulatory standards, as many frameworks mandate strict access controls for sensitive data. In Google Workspace, you can restrict privileged access using built-in and custom administrative roles.

For example, suppose you have an IT engineer responsible for the administration of user accounts, groups, and organizational units. None of the built-in administrative roles fits this purpose: the User Management role doesn’t allow management of organizational units, and the Super Admin role provides excessive permissions. In this scenario, you should create a custom administrative role:

1. In the Google Workspace admin console, navigate to Account > Admin roles on the left pane.

The Account > Admin roles section in the Google Workspace Admin Console allows admins to create and manage custom roles, ensuring secure privileged account management.

2. In the Admin roles window, select Create a new role.

The ‘Create a new role’ button is highlighted in the Admin roles window. Administrators can use this option to define new roles for managing privileged accounts and user access.

3. In the Create role wizard, enter the name for the new role and press Continue.

The 'Create role' wizard in Google Workspace Admin Console allows you to enter a name for the new role. After entering the name, click ‘Continue’ to proceed to the next step in the role creation process.

4. On the Select Privileges page, select the permissions you want to provide to the role and press Continue.

Here, it shows the ‘Select Privileges’ page in the Google Workspace Admin Console, where you can assign specific permissions to the new role. After selecting the desired permissions, click ‘Continue’ to proceed with the role creation process.

5. On the last page, select Create Role.

In this screenshot, the final page in the Google Workspace Admin Console is shown, where clicking ‘Create Role’ completes the role creation process with the selected permissions.

6. Back in the admin console, select Assign members.

The image shows the ‘Assign members’ option in the Google Workspace Admin Console after creating a new role. This step allows you to assign users to the newly created role.

7. Specify the users you want to assign the created role to and press Assign Role.

This process involves selecting users to assign the newly created role in Google Workspace Admin Console. After selecting the users, click 'Assign Role' to apply the role to them.

Monitoring of Suspicious Activity

GW has the functionality to notify administrators about any abnormal activity (e.g. removal of user accounts, spam activity from an internal address, suspicious login, etc.). Some of the alerts are enabled by default, while others are disabled. To customize the notification rules, perform the following steps:

1. In the Google Workspace admin console, select Rules on the left pane.

The image displays the ‘Rules’ option selected in the left pane of the Google Workspace Admin Console. This is where you can configure the notification rules for monitoring suspicious activities.

2. On the Rules page, press Add a Filter.

The "Add a Filter" button is selected on the Rules page in the Google Workspace Admin Console. This step enables the creation of custom filters for monitoring suspicious activity.

3. From the drop-down menu, select Type.

Here, it shows the ‘Type’ option selected from the drop-down menu on the Rules page in the Google Workspace Admin Console. This step helps you choose the type of activity to filter for monitoring.

4. Enable the System Defined checkbox and press Apply. It will filter all the rules to show only system-defined ones.

This image shows the ‘System Defined’ checkbox enabled and the ‘Apply’ button selected in the Google Workspace Admin Console. This step filters the rules to display only the system-defined ones.

5. From the list, click on the inactive rule you want to activate.

This step shows the process of selecting an inactive rule from the list in the Google Workspace Admin Console. It is part of the procedure to activate the chosen rule for monitoring activity.

6. On the Rule Details page, press the Edit button in the Actions section.

Here, it shows the ‘Edit’ button selected in the Actions section on the Rule Details page in the Google Workspace Admin Console. This step allows you to modify the settings of the selected rule.

7. In the Edit rule wizard, enable both checkboxes and press Next: Review.

The image shows the Edit rule wizard with both checkboxes enabled. After selecting the checkboxes, you proceed by pressing ‘Next: Review’ to finalize the rule configuration.

8. On the last page, press Update Rule.

Here, the screenshot displays the last step in the Edit rule wizard, where the 'Update Rule' button is clicked. This confirms the changes and updates the rule settings in the Google Workspace Admin Console.

After that, notifications related to the selected rule will be sent to the administrators.

Restriction of Vulnerable Protocols

As announced by Google, support for legacy authentication protocols ends in January 2025, after which only modern authentication will be used to access Google Workspace services. This is a big step toward increasing the security of the product; however, some legacy protocols are still enabled by default. For example, the IMAP and POP protocols can still be used to access a Gmail mailbox. To turn off these outdated protocols, perform the following steps:

1. In the Google Workspace admin console, navigate to Apps > Google Workspace > Gmail on the left pane.

The image displays the Google Workspace Admin Console, highlighting the path to Gmail settings under Apps > Google Workspace > Gmail on the left-hand menu. This is the first step to managing email protocols in Google Workspace.

2. On the Gmail page, scroll down and select End User Access.

The ‘End User Access’ section is displayed in the Gmail settings of the Google Workspace Admin Console after scrolling down the page. It is the next step in managing user access settings for Gmail.

3. On the End User Access page, press the Edit button near the POP and IMAP access options.

Here, this screenshot shows the 'Edit' button near the POP and IMAP access options on the End User Access page in Google Workspace Admin Console, where administrators can make changes to these settings.

4. Clear both checkboxes and click Save to apply the changes.

The image demonstrates the final step in disabling POP and IMAP access by clearing the checkboxes and clicking ‘Save’ to apply the changes.

Implementation of Endpoint Management

Endpoint management in Google Workspace is important because it allows organizations to control, secure, and monitor devices that access their Google Workspace environment, helping protect sensitive data and maintain compliance with security policies. With endpoint management, administrators can enforce device policies, such as requiring screen locks, enabling device encryption, and enforcing password policies, which help prevent unauthorized access if a device is lost or stolen. The availability of features depends on the subscription you use (Enterprise-level subscriptions provide more advanced policies than Business-level subscriptions). Two examples of the implementation of useful device protection features are shown below.

One of the policies you should consider is enforcing passwords on managed devices. To apply it, perform the following steps:

1. In the Google Workspace admin console, navigate to Devices > Mobile & endpoints > Settings > Universal on the left pane.

Image of the Google Admin console highlighting the navigation path to Universal settings under Mobile & endpoints, used for managing device settings and access.

2. On the Universal settings page, click on Turn on device management and password controls.

The Google Admin console displays the Universal settings section with an option to enable device management and password controls for data access.


3. On the settings page, press the Edit button near the Mobile management option.

Here is the screenshot of the Google Workspace Admin console displaying Mobile management set to 'Custom' and Password requirements set to 'Basic' for users in the 'testdom' domain.

4. On the mobile management page, select the Custom option, and from the drop-down menu, select Advanced for the platform to which you want to enforce the policy. Then press Save to apply the change.

Mobile management settings screen offering options like Basic, Advanced, or Custom management by device type in Google Workspace Admin console. Apple Push Certificate setup is required for iOS.

5. Back on the settings page, press the Edit button near the Password Requirements option.

The mobile management settings page for 'testdom' offers options for Basic and Custom management, along with configuration settings for password requirements in Google Workspace Admin console.

6. In the Choose password strength section, select Standard or Strong. Specify the minimum number of characters to use for the device password, inactivity time for the screen to lock, and password lifespan.

Above is the image of the password strength settings: choose between Standard or Strong strength, and set the minimum password length, screen lock inactivity time, and password lifespan in the Google Workspace Admin console.

7. On the same page, scroll down and configure the Block expired passwords (a history of passwords that prevents reuse of passwords used before) and Wipe device after failed attempts (removes corporate data from the device after several failed attempts to unlock it) settings. Press Save to apply the changes.

Scroll down to configure settings to block expired passwords and wipe corporate data after multiple failed unlock attempts. Press Save to apply changes.

On the password requirements page, only the Minimum characters setting is mandatory; all others are optional. Be careful with the Wipe device after failed attempts option; the wipe action cannot be undone.

Another useful feature designed for device protection is to allow access to the GW services only from approved devices. If it is enabled, when a user tries to access their Google Drive or Gmail from a new device, the IT administrator receives the notification and should approve or reject the request. It helps prevent unauthorized access to the data in a scenario of user account compromise. To enable this feature, do the following:

1. In the Google Workspace admin console, navigate to Devices > Mobile & endpoints > Settings > Universal on the left pane.

In the Google Workspace admin console, the screenshot shows how to navigate to Devices, Mobile and Endpoints, Settings, and Universal in the left pane.

2. On the Universal settings page, scroll down to the Security section and click on it.

On the Universal settings page, the screenshot shows scrolling down to find and click on the Security section to access relevant security settings in Google Workspace.

3. On the Security page, click on the Edit button near the Device approvals option.

On the Security page, the screenshot shows clicking the Edit button next to the Device approvals option to modify device approval settings.

4. Enable the checkbox, specify the email address to which you want to receive the approval requests, and press Save.

Enable the checkbox, enter the email address for approval requests, and press Save to apply the changes for receiving device approval notifications in Google Workspace.

Discover Cybersecurity Vulnerabilities

Cybersecurity vulnerability scanning is a fundamental practice for any organization aiming to maintain a solid security posture and protect its data, systems, and networks. This proactive approach should include SaaS products, such as Google Workspace, to allow detection of security weaknesses and misconfigurations that could be exploited by cybercriminals. By identifying these vulnerabilities early, organizations can address potential threats before they result in a costly and damaging breach.

While Google Workspace has strong built-in security features, it may not cover all aspects of configuration management, compliance monitoring, and advanced threat detection; that’s why integration of a third-party SaaS Security Posture Management (SSPM) solution such as Reco is recommended.

Reco continuously monitors Google Workspace configurations, ensuring that security settings align with best practices and organizational policies. It can identify misconfigurations, such as overly permissive access controls or unprotected data-sharing settings, that increase the risk of unauthorized access or data leakage. It also helps to mitigate the identified threats by providing the necessary context and risk categorization. Reco also streamlines compliance reporting, which is particularly valuable for organizations bound by strict regulatory requirements like PCI-DSS, HIPAA, and GDPR. 

Another advantage of using SSPM is that it can offer centralized monitoring across multiple SaaS applications, allowing security teams to manage the security of all SaaS tools, including Google Workspace, from a single interface. This unified approach enhances operational efficiency and provides a comprehensive view of an organization’s security posture across all cloud-based tools. Overall, Reco provides a layer of proactive security, automating critical security tasks, maintaining compliance, and strengthening the security posture of Google Workspace in ways that built-in tools may not fully cover.

Other Best Practices to Implement

Google Workspace is a multifaceted product with enough security features to fill a whole book, so the topic cannot be fully covered in one article. Other practices worth looking into include:

  • End-user education. Create some educational material that describes the importance of proper password management, phishing email identification and other security-related topics. According to an international cybersecurity survey, user education reduces phishing susceptibility by 80%.
  • Streamlined user offboarding process. A streamlined user offboarding process is important because it ensures that access to Google Workspace and other corporate services is promptly and thoroughly revoked when an employee leaves the organization. This reduces the risk of “orphaned accounts” that may cause unauthorized access, data breaches, and potential misuse of corporate resources by former employees or hackers.
  • External Sharing restriction. When external sharing is unrestricted, it becomes challenging to track where data is shared or who has access, increasing the risk of sensitive information falling into the wrong hands. By implementing restrictions in Google Drive, organizations can better manage who can share documents externally and ensure that only trusted parties can access critical resources.
  • Data Loss Prevention implementation. If you still need to share files externally but want to control what is shared, you need to enable the Workspace DLP feature. DLP allows the creation of rules that control which data can be shared and which cannot. The rules can be used to scan the data for both well-known (social security numbers, credit card info, etc.) and custom patterns and apply the necessary action (block sharing, warn user, notify administrator).
  • Regular review of activity reports and alerts. The fact that usage is logged doesn’t mean that it is being reviewed, and an issue is sometimes noticed only when it is too late. Thus, one of the practices to adopt is to perform regular reviews of all the collected reports and alerts. GW provides many reports that contain information about user and administrator activities, potential risks, configuration issues, etc. Google stores the collected data for 6 months, and if your industry standards require longer retention, consider the usage of a third-party tool.
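
As a complement to the alert rules in the monitoring section and to the regular review of activity reports described in the last item above, the following added example (not from the original article, and not Reco's or Google's code) triages login audit records shaped like Admin SDK Reports API activities for the login application. The event names login_failure, login_success, 2sv_disable and suspicious_login are taken from that API's login audit events; the admin list, the threshold of 5 failures, the 10-minute window and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ADMINS = {"adm-carol@example.com"}  # assumption: privileged accounts known to the reviewer


def activity(time, email, ip, name):
    """Build one constructed record in the shape of a Reports API login activity."""
    return {"id": {"time": time, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip, "events": [{"name": name}]}


# Constructed sample; IP addresses come from documentation ranges.
SAMPLE = (
    [activity(f"2024-11-20T08:0{i}:00.000Z", "bob@example.com", "198.51.100.7", "login_failure")
     for i in range(5)]
    + [
        activity("2024-11-20T08:06:00.000Z", "bob@example.com", "198.51.100.7", "login_success"),
        activity("2024-11-20T09:00:00.000Z", "alice@example.com", "192.0.2.4", "login_failure"),
        activity("2024-11-20T09:01:00.000Z", "alice@example.com", "192.0.2.4", "login_success"),
        activity("2024-11-20T10:00:00.000Z", "adm-carol@example.com", "203.0.113.9", "2sv_disable"),
        activity("2024-11-20T11:00:00.000Z", "dave@example.com", "203.0.113.50", "suspicious_login"),
    ]
)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def triage(activities, threshold=5, window=timedelta(minutes=10)):
    """Return (severity, email, ip, reason) alerts in chronological order."""
    alerts, failures = [], defaultdict(list)
    for act in sorted(activities, key=lambda a: parse_time(a["id"]["time"])):
        when = parse_time(act["id"]["time"])
        email, ip = act["actor"]["email"], act.get("ipAddress", "unknown")
        for event in act["events"]:
            name = event["name"]
            if name == "login_failure":
                failures[email].append(when)
            elif name == "login_success":
                # A success right after a burst of failures suggests a guessed password.
                recent = [t for t in failures.pop(email, []) if when - t <= window]
                if len(recent) >= threshold:
                    alerts.append(("HIGH", email, ip,
                                   f"sign-in succeeded after {len(recent)} failures"))
            elif name == "2sv_disable":
                severity = "CRITICAL" if email in ADMINS else "MEDIUM"
                alerts.append((severity, email, ip, "2-step verification turned off"))
            elif name.startswith("suspicious_"):
                alerts.append(("HIGH", email, ip, f"Google flagged the sign-in: {name}"))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(*alert, sep="  ")
```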

Conclusion

Google Workspace provides a solid security foundation, but it's designed as a flexible, general-purpose platform. Many organizations require security configurations beyond the default baseline to mitigate unique risks and meet compliance requirements. Customizing security settings in Google Workspace and applying best practices can help companies better protect sensitive data, manage access, and meet regulatory standards, enhancing overall security and resilience against cyber threats. Adjusting these settings lets your organization use Google Workspace with the confidence that sensitive data is secured.
