Google Workspace is a flexible, cost-effective, and easy-to-use cloud productivity platform. Google Workspace provides a suite of productivity services that you can use to manage your business. This paper is targeted at customers’ internal security, risk and compliance teams and their external auditors who may have a need to assess the use of Google Workspace.
This paper provides a checklist to support assessments of Google Workspace based on the following domains:
- Google Workspace Super Admins - Admin accounts come with elevated privileges, they're valuable targets for hackers and cyber criminals. Every developer or user on your network with administrative privileges adds risk of account compromise.
- Google Workspace Identity Access Management - Identity management and access control is the discipline of managing access to enterprise resources to keep systems and data secure. As a key component of your security architecture, it can help verify your users' identities before granting them the right level of access to workplace systems and information.
- Google Workspace Resources - Customers are responsible for maintaining the security of anything they install / store on their internal storage or connect to their tenant. Secure management of your resources means knowing what resources your organization is using (asset inventory), securely configuring the guest OS and applications on your resources (secure configuration settings, patching, and anti-malware), and controlling changes to your resources (change management).
- Google Workspace Chat & Conferences - Make sure your users is not vulnerable to Meeting Bombing, Malicious Links In a Chat, and Stolen Meeting Links. Making sure your videoconferencing is set up securely can help prevent these attacks from being successful.
- Google Workspace Email Security - Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with email systems.
- Google Workspace Certificates - SSL, and its successor TLS, are industry standard protocols for encrypting network communications and establishing the identity of websites over the Internet. SSL/TLS provides encryption for sensitive data in transit and authentication using SSL/TLS certificates to establish the identity of your site and secure connections between browsers and applications and your site.
- Google Workspace Incident Response - Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
Automate your Google Workspace ISO / PCI compliance process and prevent misconfiguration.
1. Google Workspace Super Admins
Admin accounts come with elevated privileges, they're valuable targets for hackers and cyber criminals. Every developer or user on your network with administrative privileges adds risk of account compromise.
1.1. Admin Account Protection
Title | Action | Overview | Services |
|---|---|---|---|
| Enforce Admin MFA | Ensures 2-Step Verification for admin accounts is enforced | Because super admins control access to all business and employee data in the organization, it's especially important for their accounts to be protected by an additional authentication factor. | Google Workspace Admin |
| System Admins Collector | Collect all privileged users in the organization | Your employees are the most vulnerable part of your security program, and privileged users, those who have been granted significantly greater access and authority within a cloud applications, are especially vulnerable. | Google Workspace Admin |
1.2. Admin Recovery
Title | Action | Overview | Services |
|---|---|---|---|
| Multiple Super Admins | Detects if multiple super admin accounts is set | A business should have more than one super admin account, each managed by a separate person. If one account is lost or compromised, another super admin can perform critical tasks while the other account is recovered. | Google Workspace Admin |
| Admin Recovery Options | Detects if there are recovery options to admin accounts | Add a recovery phone number and email address to admin accounts so can send a new password via phone, text, or email. | Google Workspace Admin |
| Multi Security Key | Detects if a spare security key is enrolled | Admins should enroll more than one security key for their admin account and store it in a safe place. If their primary security key is lost or stolen, they can still sign in to their account. | Google Workspace Admin |
2. Google Workspace Identity Access Management
Identity management and access control is the discipline of managing access to enterprise resources to keep systems and data secure. As a key component of your security architecture, it can help verify your users' identities before granting them the right level of access to workplace systems and information.
2.1. Multi Factor Authentication
Title | Action | Overview | Services |
|---|---|---|---|
| MFA enforcement | Ensures MFA is enforced for all users | MFA helps protect a user account from unauthorized access should someone manage to obtain their password. | Google Workspace IAM |
| MFA disable detection | Detects Users without MFA enrolled | MFA helps protect a user account from unauthorized access should someone manage to obtain their password. | Google Workspace IAM |
2.2. Insider Threats
Title | Action | Overview | Services |
|---|---|---|---|
| Inactive users | Detect inactive users in your organization | Inactive profiles are user profiles that have not been used in the last 90 days or more. They create a security exposure because these accounts are not actively maintained by their users, which make them prime targets for hijacking. | Google Workspace IAM |
2.3. Secrets Protection
Title | Action | Overview | Services |
|---|---|---|---|
| Strong password policy | Enforce strong password policy | Passwords should have at least ten characters and include uppercase and lowercase letters, numbers, and symbols. | Google Workspace IAM |
| Password Expiration | Ensures password policy enforces a password expiration. | A strong password policy enforces minimum length, expirations, reuse, and symbol usage | Google Workspace IAM |
3. Google Workspace Resources
Customers are responsible for maintaining the security of anything they install / store on their internal storage or connect to their tenant. Secure management of your resources means knowing what resources your organization is using (asset inventory), securely configuring the guest OS and applications on your resources (secure configuration settings, patching, and anti-malware), and controlling changes to your resources (change management).
3.1. Secure Access of 3rd Party Applications
Title | Action | Overview | Services |
|---|---|---|---|
| Review third-party access to core services | Collect all third party applications and map their access rights | Know and approve which third-party apps can access your tenant. | Google Workspace Apps |
3.2. Limit calendar sharing
Title | Action | Overview | Services |
|---|---|---|---|
| Discover publicly accessible calendars | Detects if calendars are publicly accessible from the internet | Restrict external calendar sharing to free/busy information only. This reduces the risk of data leaks. | Google Workspace Calendar |
| Limit calendar sharing | Enforces calendars to restrict publicly accessible from the internet | Restrict external calendar sharing to free/busy information only. This reduces the risk of data leaks. | Google Workspace Calendar |
3.3. Limit file sharing
Title | Action | Overview | Services |
|---|---|---|---|
| Discover publicly accessible files | Ensures users can not share files with externals | Confine file sharing within the boundary of your domains by turning sharing options off. This reduces data leak and data exfiltration risks. If sharing is required outside of a domain because of business needs, you can define how sharing is done for organizational units, or you can designate domains on your allowlist. | Google Workspace Drive |
| Limit file sharing with externals | Ensures files can not be shared with users outside the organization | Confine file sharing within the boundary of your domains by turning sharing options off. This reduces data leak and data exfiltration risks. If sharing is required outside of a domain because of business needs, you can define how sharing is done for organizational units, or you can designate domains on your allowlist. | Google Workspace Drive |
| Limit file sharing publicly to everyone | Ensures files can not be shared with users outside the organization | Confine file sharing within the boundary of your domains by turning sharing options off. This reduces data leak and data exfiltration risks. If sharing is required outside of a domain because of business needs, you can define how sharing is done for organizational units, or you can designate domains on your allowlist. | Google Workspace Drive |
4. Google Workspace Chat & Conferences
Make sure your users is not vulnerable to Meeting Bombing, Malicious Links In a Chat, and Stolen Meeting Links. Making sure your videoconferencing is set up securely can help prevent these attacks from being successful.
4.1. Secure Conferences Calls
Title | Action | Overview | Services |
|---|---|---|---|
| Warn users when chatting outside their domain | Ensures users get warned when chatting outside their domain | Show users a warning when they chat with people outside their domain. When enabled, group chat conversations are split when the first person from outside the domain is added to the discussion. This prevents external users from seeing previous internal discussions and reduces the risk of data leaks. | Google Workspace Hangouts |
5. Google Workspace Email Security
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with email systems.
5.1. Authentication & Infrastructure
Title | Action | Overview | Services |
|---|---|---|---|
| Require mail to be transmitted via a secure connection | Ensures TLS with your SMTP partner domains is enforced | Require that mail be transmitted using TLS to ensure a secure connection. Configure the TLS setting to require a secure connection for email to (or from) partner domains. | Google Workspace Gmail |
5.2. Data Protection
Title | Action | Overview | Services |
|---|---|---|---|
| Disable automatic forwarding | Ensures automatic forwarding is disabled | Prevent users from automatically forwarding incoming mail to another address. This reduces the risk of data exfiltration through email forwarding, which is a common technique employed by attackers. | Google Workspace Gmail |
6. Google Workspace Certificates
SSL, and its successor TLS, are industry standard protocols for encrypting network communications and establishing the identity of websites over the Internet. SSL/TLS provides encryption for sensitive data in transit and authentication using SSL/TLS certificates to establish the identity of your site and secure connections between browsers and applications and your site.
7. Google Workspace Incident Response
Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
7.1. Security Notifications & Alerting
Title | Action | Overview | Services |
|---|---|---|---|
| Compliance Notification Mails | Ensures Email assigned to be notified on security event | Enabling security alerts to be sent to admins ensures that detected vulnerabilities and security issues are sent to the subscription admins for quick remediation. | Google Workspace Security |