Hard on the Outside, Soft on the Inside: 10 Tips To Secure Google Workspace

Magellan Security
2 min read · Dec 30, 2022

Most startups rely on Google Workspace for critical business operations. Whether it's sending docs, creating emails, or leveraging Google Cloud Platform, Google Workspace is often seen as the first step in getting a company operational. Although Google offers many secure-by-default features, here are 10 things to consider when hardening your Google Workspace.

  1. Single Sign-On (SSO) is a great way to limit access to third-party applications (e.g. Zoom, AWS, Slack, etc.) and ensure that only users with a company email can access those applications. Google's SSO gives you the ability to permission groups and users, which follows industry best practices around Zero Trust.
  2. Creating a trusted list of approved applications reduces the chance of supply-chain attacks and data leakage. As supply-chain attacks become more common, access control is a critical part of reducing your attack surface.
  3. Enabling 2FA is the first step when considering any type of authentication, as this reduces 80% of attacks. For best practice, consider deploying hardware tokens (e.g. YubiKey) as the required step for MFA.
  4. Leveraging login challenges creates an opportunity to stop bad actors from authenticating to your Google Workspace. These login challenges look at various data points (user agent, IP, etc.) to determine whether a user's activity is anomalous.
  5. Pre-delivery message scanning allows Gmail to use its threat intelligence to look for malicious emails. This is a great way to reduce phishing attacks reaching your organization. Although it can be aggressive in its detection, enabling attachment protection can help quarantine malicious attachments.
  6. Turning on TLS is a great way to comply with most banking requirements and to ensure your email is encrypted in transit.
  7. Setting up SPF, DKIM and DMARC is a must for any company looking to reduce spoofing campaigns against their domain. These are standards that specify how email is sent, received, and verified.
  8. Blocking access to less secure apps prevents risky apps from accessing your Google Drive and other services.
  9. Limit the number of administrators by creating an admins group. This is a privilege that shouldn't be shared widely, but also shouldn't be limited to one user (a single point of failure is a large risk).
  10. Disable forwarding rules in Gmail to stop leaking sensitive information. Most attackers will create forwarding rules to snoop for sensitive information over a long period of time before using their permissions. Blocking forwarding rules is a great way to be proactive with security.
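Tip 7 says to set up SPF, DKIM and DMARC but not what a weak record looks like. The script below is an added example (not code from the original post or from Magellan Security) that parses the three record types using the tag syntax defined in RFC 7208, RFC 6376 and RFC 7489 and flags the usual mistakes: `+all` or a missing `all` in SPF, more than 10 DNS-lookup terms, a revoked (`p=`) or testing-mode (`t=y`) DKIM key, and a DMARC policy of `p=none`, a partial `pct=`, or no reporting address. The records in `SAMPLE_RECORDS` are constructed samples for a hypothetical domain; paste in the TXT records from your own domain (for example from `dig TXT example.com`) to evaluate them offline.

```python
"""Evaluate SPF, DKIM and DMARC TXT records for common weaknesses (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    record: str    # "SPF", "DKIM" or "DMARC"
    severity: str  # "high", "medium" or "info"
    message: str


# Terms that cost a DNS lookup under RFC 7208; more than 10 makes the record a permerror.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tag_value(record: str) -> dict:
    """Parse 'k=v; k2=v2' tag lists (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "no valid SPF record (missing v=spf1)")]
    findings = []
    # The 'all' mechanism catches every sender that matched nothing else; its
    # qualifier (+ - ~ ?) decides whether those senders are allowed to spoof you.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "medium", "no 'all' mechanism; unmatched senders are implicitly neutral"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("SPF", "high", "'+all' authorises any sender on the Internet to use this domain"))
        elif qualifier == "?":
            findings.append(Finding("SPF", "medium", "'?all' is neutral; receivers treat it like having no SPF"))
        elif qualifier == "~":
            findings.append(Finding("SPF", "info", "'~all' is softfail; move to '-all' once all senders are inventoried"))
    lookups = sum(
        1 for t in terms
        if t.lstrip("+-~?").lower().split(":")[0].split("=")[0] in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(Finding("SPF", "high", f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)"))
    return findings


def check_dkim(record: str) -> list:
    tags = parse_tag_value(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(Finding("DKIM", "high", "v= tag present but not DKIM1"))
    if not tags.get("p"):
        findings.append(Finding("DKIM", "high", "empty p= tag: the key is revoked, signatures will not verify"))
    if "y" in tags.get("t", "").split(":"):
        findings.append(Finding("DKIM", "medium", "t=y marks the selector as testing; receivers may ignore failures"))
    return findings


def check_dmarc(record: str) -> list:
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        return [Finding("DMARC", "high", "no valid DMARC record (missing v=DMARC1)")]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append(Finding("DMARC", "medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding("DMARC", "high", f"missing or unknown policy p={policy!r}"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    if tags.get("sp") == "none" and policy != "none":
        findings.append(Finding("DMARC", "medium", "sp=none leaves subdomains unprotected"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "info", "no rua= address: aggregate reports are not collected"))
    return findings


def evaluate(records: dict) -> list:
    """Run all three checks on a dict with 'spf', 'dkim' and 'dmarc' TXT strings."""
    return check_spf(records["spf"]) + check_dkim(records["dkim"]) + check_dmarc(records["dmarc"])


# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.google.com include:sendgrid.net +all",
        "dkim": "v=DKIM1; k=rsa; t=y; p=",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "hardened": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",  # placeholder, not a real key
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    },
}

if __name__ == "__main__":
    for name, records in SAMPLE_RECORDS.items():
        print(f"== {name} ==")
        for f in evaluate(records):
            print(f"  [{f.severity}] {f.record}: {f.message}")
```

The checks are deliberately syntactic: the script does not resolve `include:` targets or count lookups recursively, so a record that passes here can still exceed the 10-lookup limit through its includes. Use it as a first pass before a full DNS-resolving check.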
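Tip 10 turns forwarding off going forward, but rules an attacker already planted in a mailbox survive that change, so existing mailboxes still need auditing. The script below is an added example (not code from the original post or from Magellan Security) that takes the filter and forwarding-address objects in the shape returned by the Gmail API's `users.settings.filters.list` and `users.settings.forwardingAddresses.list` methods and reports every rule that sends mail outside the company's domains. `COMPANY_DOMAINS`, the user names and the sample rules are constructed values; in practice you would feed it the live API response for each user via a domain-wide delegated service account.

```python
"""Flag Gmail filters and forwarding addresses that send mail outside the company (added example)."""

# Assumption: the organisation's own domains; subdomains are treated as internal.
COMPANY_DOMAINS = {"example.com"}


def is_external(address: str) -> bool:
    """True when the address's domain is neither a company domain nor a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in COMPANY_DOMAINS)


def audit_mailbox(user: str, filters: list, forwarding_addresses: list) -> list:
    """Return one alert dict per external forwarding target found for this user."""
    alerts = []
    # Account-level forwarding addresses (Settings > Forwarding); the Gmail API
    # reports each one with 'forwardingEmail' and 'verificationStatus'.
    for fwd in forwarding_addresses:
        target = fwd.get("forwardingEmail", "")
        if target and is_external(target):
            alerts.append({
                "user": user,
                "kind": "forwarding_address",
                "target": target,
                "verified": fwd.get("verificationStatus"),
            })
    # Per-filter forwarding: a filter whose 'action' has a 'forward' address
    # copies every matching message out, often silently (INBOX label removed).
    for flt in filters:
        action = flt.get("action", {})
        target = action.get("forward")
        if target and is_external(target):
            alerts.append({
                "user": user,
                "kind": "filter_forward",
                "target": target,
                "filter_id": flt.get("id"),
                "criteria": flt.get("criteria", {}),
                "hidden": "INBOX" in action.get("removeLabelIds", []),
            })
    return alerts


# Constructed sample data for a hypothetical user; ids and addresses are not real.
SAMPLE_FILTERS = [
    {
        "id": "filter-1",
        "criteria": {"query": "invoice OR wire"},
        "action": {"forward": "collector@mail-drop.example.net", "removeLabelIds": ["INBOX"]},
    },
    {
        "id": "filter-2",
        "criteria": {"from": "alerts@example.com"},
        "action": {"addLabelIds": ["Label_7"]},
    },
    {
        "id": "filter-3",
        "criteria": {"to": "support@example.com"},
        "action": {"forward": "helpdesk@example.com"},
    },
]
SAMPLE_FORWARDING = [
    {"forwardingEmail": "me@personal-mail.example.org", "verificationStatus": "accepted"},
]

if __name__ == "__main__":
    for alert in audit_mailbox("alice@example.com", SAMPLE_FILTERS, SAMPLE_FORWARDING):
        print(alert)
```

The `hidden` flag is worth surfacing separately: a forwarding filter that also removes the `INBOX` label is the pattern the post describes, where the owner never sees the copied messages, so it deserves a higher priority than a visible forward to a personal address.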

Curious to learn more about how to protect your Google Workspace account? Need guidance for protecting your company? Visit our website at www.magellansec.com for more information.


Magellan Security

Security, reliability and cloud infrastructure advising for Web3 and SaaS startups.