Google Apps for Work Security Guidance: Administrator good practice
Published 2 November 2015
This document gives deployment security considerations when using the Google Admin Console (GAC) to configure the Google Apps for Work (GAFW) web service. The secure configuration of this cloud hosted service aligns with government’s guidance on implementing the Cloud Security Principles. Please send any feedback you may have to enquiries@cesg.gsi.gov.uk.
1. Google Admin Console
The GAC allows an administrator of Google Apps for Work to configure users’ settings and privileges, including restricting user access to Google Apps.
-
When GAFW is initially deployed, a number of Google Apps and services are available by default. CESG recommend that an administrator takes the time to familiarise themselves with the apps and services available by default to users and to consider their relevancy to the enterprise. There should also be continued careful observation of the services available to users as Google develops its product range. User access to an App or service can be configured under
Admin console | Apps
. -
New Apps and services can automatically be made available to users as they are released by Google. CESG do not recommend this setting as services may start being used before their suitability has been assessed. The manual addition of new services by an administrator from the dashboard can be set under
Admin console | Company profile | Profile | New products
.
The GAC provides security options that need to be addressed under Admin console | Security | Basic settings
-
Password length and complexity should meet existing guidance. Settings are found under
Password management
. -
The decision to enable two-step verification should be assessed as part of an enterprise’s authentication practice and as an option to enhance the security of user access. CESG strongly recommend its adoption for at least administrative users.
2. Organisational Units
Google Apps for Work uses Organisational Units (OUs) as user groups to control which Apps, services, features and settings are available to users. When initially deployed, GAFW defines a single OU and configured settings apply to all users and devices under it. To assign different settings to groups of users, follow Google’s documentation to create a new lower-level OU.
-
To assign settings for a single user or device, create an OU for the individual user or device.
-
A number of Apps (such as the Google Development Console) may only be needed by a few users. These users can be put into an appropriate OU and given access as a group.
-
Consult Google’s Organisational policies FAQ for further possibilities in building an enterprise’s GAFW OU structure.
The removal procedure of a user from GAFW should ensure that all information associated with the user and their account is securely handled, and that the removal of an account is a smooth administrative process. Both a user’s enterprise and GAFW cloud account will need attention.
3. Administrative controls
Users can be granted administrative privileges by assigning Admin Roles to them. These roles determine which dashboard controls an administrative user can see in their GAC, and therefore what information they can access and which management tasks they are allowed to perform. Google offer pre-built or custom roles:
-
Pre-built roles allow common business functions to be fulfilled, such as a Help Desk Admin
-
Custom roles allow a combination of privileges to be selected from those assigned to pre-built roles
The principle of least privilege should be adopted when:
-
assessing each user’s administration requirements; in the first instance and when suitable, a Google pre-built role can be used
-
fulfilling good practice for administrative users by assigning them separate, non-privileged accounts to be used when they carry out non-privileged work
-
allowing users to have multiple admin roles; creating multiple custom roles with fewer privileges is more secure than creating and assigning one role with many privileges (if a user handles a number of tasks, multiple granular roles can then be assigned to them)
The pre-built Super Admin role grants a user access to all features in the GAC. They can manage all aspects of the enterprise account and as an example can see all users’ calendar information. Ensure this role is only assigned to a small number of users; its elevated access permissions are not required for many administrative tasks. In addition, having too many Super Admin users in a Google Apps for Work deployment will affect recovery options when administrator passwords are forgotten.
4. Sharing controls
Google Apps for Work is a collaborative toolset and working environment; rather than using the traditional model of only sharing information through email, there are many ways in which enterprise information can be shared using GAFW. For example, it is easy to share documents with others using the GAFW Google Drive App. By default, when a document is created, it can only be read and edited by its author. When a document is saved into a shared folder, it will automatically inherit the access permissions of that folder, and can be stored locally or in the Google cloud.
Documents can be shared outside of an enterprise’s GAFW instance and can be accessible either to invited individuals or to anyone that has the document link. CESG recommend that where sharing is to extend outside of the enterprise, it is done using the invitation mechanism rather than by making the documents available to anyone.
If an enterprise is handling sensitive information, CESG recommend that as a minimum an administrator should implement the option to warn a user when they send a document created internally to a recipient outside of the GAFW instance. This option is available under Admin console | Apps | Google Apps | Settings for Drive | Sharing settings | Sharing options
. Also, there is a range of sharing configuration options available under Sharing options
, which an administrator of GAFW should carefully consider. Additionally they should review Google’s documentation on sharing permissions.
A further and significant sharing consideration is Google+ for Work, a social media service designed to operate across GAFW. The sharing implications of an enterprise using Google+ for Work needs careful deliberation before users are given access to the service. The security of the collaborative features of Google+ for Work should be assessed with some of these features outlined here:
-
Google+ for Work profiles contain a user’s full name in addition to any other information they choose to hold in their profile.
-
Control over the default sharing of Google+ for Work posts can be defined by an administrator, though users can override this for individual posts and for communities they create. This can allow users to publically publish information to the Internet with the identity of their enterprise.
-
It is possible to send emails from a Google+ profile using Gmail. Implementing email in Google+ for Work gives users the option to allow third-parties in their Google+ Circles to mail them, even if the user’s email address is unknown. An administrator can manage Google+ for Work profiles’ email settings under
Admin console | Apps | Google Apps | Settings for Gmail | Advanced settings | End User Settings | Emailing Profiles
. -
Google+ for Work is not a Google Apps core service and does not have the same level of Google+ Technical Support provided by Google compared to their core services.
5. Data privacy
Google Apps for Work allows additional controls (above the standard terms and conditions of Google) to be added that govern how and what Google are able to do with an enterprise’s data. The European Parliament has issued a directive (95/46/EC), which describes the protection of individuals with regard to the processing and free movement of personal data. From the GAC, this is presented as an amendments opt-in under Admin console | Company Profile | Profile | Security and Privacy Additional Terms
. CESG recommend that both terms of the option are reviewed and accepted:
If an enterprise purchased GAFW from an authorised reseller, it is then possible for the reseller to access the enterprise’s administrative controls via the GAC. The option to enable this can be found under Admin console | Company Profile | Profile | Reseller Access
. Google recommend enabling reseller access to improve troubleshooting issues when managing an instance of GAFW purchased through an authorised reseller. However, the reseller will need to be trusted since they will have access to enterprise data. The extent of a reseller’s access to an enterprise’s information via this setting has not been ascertained by CESG.