Sysadmins, enable a safe file-sharing environment in Google Workspace
It all starts in the Admin Console. Don’t block external file sharing outright: we’ll guide you step by step to getting the best of both worlds, namely data security and external collaboration. The two most important security settings are found under Apps and Security. Sign in to admin.google.com with your credentials and you will be presented with the screen shown below. (Note: only people with the right permissions can access the Admin Console.)
We’ll start off with the Google Drive App, as it’s somewhat easier and faster to configure.
Apps > Google Workspace > Drive and Docs
From here you’ll be presented with the following screen; we’ll focus exclusively on the “Sharing settings” section. Use the checklist and the screenshots in the next section as guidance.
Checklist for “Sharing settings”
(Disclaimer: This checklist must be adjusted to each organisation and its industry. Use it as guidance, and feel free to contact us if help is needed.)
Extra security measures (Optional)
Although we won’t be covering these extra measures, they are worth mentioning. Feel free to contact us if help is needed.
Please note that these settings can be applied differently to individual OUs, groups or users. For the sake of simplicity, however, we’ll apply the following settings across the whole domain.
Shared drive creation
The Security Settings
Still afraid that your users will leak any customer files, HR reports, business plans or any other sensitive data?
Data Loss Prevention (DLP) is a solution that detects emails and documents containing sensitive data and prevents them from being leaked. In Google Workspace it’s called “Drive DLP” and is configured via the Admin Console.
Security > Data Protection
From here you’ll be presented with the following screen. Make sure “Data scanning and report” is turned on.
There are two key concepts you need to understand before getting started with Drive DLP, namely rules and detectors.
We have written a more detailed guide about DLP in Google Workspace, which you can download here. However, here’s a quick 101 on DLP.
How the DLP engine works
Whenever a user shares a file, it first passes through a “DLP engine” before it reaches the recipient. The DLP engine detects whether the file contains sensitive data and reacts according to rules created by the admin, e.g. blocking files with sensitive data from being shared.
This ultimately means that the DLP engine is only as effective as the detectors and rules it has been configured with.
Google provides 9 ready-to-use templates that take less than a minute to configure. From the Data Protection dashboard, click on:
Manage Rules > Add Rule > New rule from template
Try using the “Prevent financial information sharing” template to stop credit card numbers, bank account details and other financial data from being leaked to external parties.
While the templates are great, they might not always suit your needs. That’s when detectors come in.
Detectors tell the DLP engine that a document contains one or more sensitive keywords (e.g. confidential, restricted, internal use only, copyright). They can also be configured to detect more complex patterns via regular expressions (e.g. employee and customer ID numbers). From the Data Protection dashboard, click on:
Manage Detectors > Add Detectors
Once you have created your detectors, it’s time to enforce an action through DLP rules.
You can configure rules to:
Prevent shared files from being downloaded, printed or copied
Warn users on external sharing
Block external sharing of sensitive data
Alert admins about external file shares
From the data protection dashboard - click on:
Manage Rules > Add Rule > New Rule
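To make the detector-and-rule model concrete, here is an added Python example that is not part of the original guide and not Google’s Drive DLP code: it models the engine described above with a few keyword and regex detectors (including a Luhn check so that random digit runs are not mistaken for card numbers), maps them to BLOCK / WARN / AUDIT rules that fire only on external shares, and runs them over constructed sample documents. The document contents, the EMP-nnnnn employee ID format and the rule names are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample documents (hypothetical content, not real customer data).
SAMPLE_DOCS = {
    "q3-plan.txt": "CONFIDENTIAL - internal use only. Q3 hiring plan attached.",
    "expenses.csv": "card,amount\n4111 1111 1111 1111,120.00\n4111111111111112,15.00",
    "welcome.txt": "Welcome to the team! Your employee id is EMP-48213.",
    "notes.txt": "Lunch menu for Friday.",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Detector:
    """A regex-based detector; an optional validator rejects false positives."""
    name: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None

    def find(self, text: str) -> list:
        hits = [m.group(0) for m in self.pattern.finditer(text)]
        if self.validator is not None:
            hits = [h for h in hits if self.validator(h)]
        return hits


DETECTORS = [
    Detector("Classification keyword",
             re.compile(r"\b(confidential|restricted|internal use only)\b", re.I)),
    Detector("Employee ID", re.compile(r"\bEMP-\d{5}\b")),          # assumed ID format
    Detector("Payment card number",
             re.compile(r"\b(?:\d[ -]?){13,16}\b"),
             validator=lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
]


@dataclass
class Rule:
    """Maps one or more detectors to the action taken on an external share."""
    name: str
    detectors: frozenset
    action: str          # BLOCK, WARN or AUDIT (alert admins)


RULES = [
    Rule("Prevent financial information sharing", frozenset({"Payment card number"}), "BLOCK"),
    Rule("Warn on classified documents", frozenset({"Classification keyword"}), "WARN"),
    Rule("Alert admins about employee data", frozenset({"Employee ID"}), "AUDIT"),
]
SEVERITY = {"BLOCK": 3, "WARN": 2, "AUDIT": 1, "ALLOW": 0}


def scan(text: str) -> dict:
    """Run every detector; return {detector name: [matched strings]} for hits only."""
    findings = {}
    for det in DETECTORS:
        hits = det.find(text)
        if hits:
            findings[det.name] = hits
    return findings


def evaluate_share(text: str, external: bool) -> dict:
    """Decide what the engine does with a share request; rules fire on external shares only.
    The most severe action among the triggered rules wins."""
    findings = scan(text)
    action, triggered = "ALLOW", []
    if external:
        for rule in RULES:
            if rule.detectors & set(findings):
                triggered.append(rule.name)
                if SEVERITY[rule.action] > SEVERITY[action]:
                    action = rule.action
    return {"action": action, "rules": triggered, "findings": findings}


if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        result = evaluate_share(text, external=True)
        print(f"{name:14} external share -> {result['action']:5} {result['findings']}")
```

Note that the second card number in expenses.csv matches the regex but fails the Luhn check and is dropped; that is the kind of validation that keeps a DLP rule from blocking legitimate documents full of order or phone numbers.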
Checklist for DLP
We have written a more detailed guide about Drive DLP in Google Workspace. It covers everything related to configuring your DLP engine from scratch (with screenshots) and teaches you the basics of regular expressions. Download it here.
Extra Data Security Measures
Did you know that sysadmins can use GAM scripts or the Tricent Compliance Tool to remove the file permissions of external collaborators?
Both methods help organisations audit, protect and revoke any Drive file that has been shared externally. Keep in mind, though, that files which have left Drive, for example distributed as email attachments, public links or via a non-Google Drive environment, cannot be remediated this way in the case of a data leak.
Google Apps Manager (GAM) is a command-line tool that essentially carries out a series of operations in the Google Admin Console (see screenshot). It’s primarily used for automation and bulk operations, but it can also be used to audit your Google Workspace environment, for example to:
View how many Google Drive files your organisation has
Check how many of them are shared externally
Revoke some or all company files shared with 3rd-parties
… and much more
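The audit steps above come down to reading each file’s ACL and deciding which entries grant access outside the organisation. As an added illustration (not part of the original guide, and not GAM’s or Tricent’s code), the Python below runs that classification over constructed records shaped like Drive API v3 file resources with their permissions, counts the files shared externally, and prints the GAM one-liner that would remove each external entry. The domain, file ids, names and addresses are hypothetical; the `gam user <owner> delete drivefileacl <fileId> <permissionId>` syntax is assumed and should be checked against the GAM version you run.

```python
INTERNAL_DOMAIN = "example.com"   # hypothetical organisation domain

# Constructed records in the shape of Drive API v3 files with their permissions.
SAMPLE_FILES = [
    {"id": "f-001", "name": "Board deck.pptx", "owner": "cfo@example.com",
     "permissions": [
         {"id": "p-1", "type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
         {"id": "p-2", "type": "user", "role": "writer", "emailAddress": "agency@partner.io"},
     ]},
    {"id": "f-002", "name": "Price list.xlsx", "owner": "sales@example.com",
     "permissions": [
         {"id": "p-3", "type": "user", "role": "owner", "emailAddress": "sales@example.com"},
         {"id": "p-4", "type": "anyone", "role": "reader"},        # "anyone with the link"
     ]},
    {"id": "f-003", "name": "Team roster", "owner": "hr@example.com",
     "permissions": [
         {"id": "p-5", "type": "user", "role": "owner", "emailAddress": "hr@example.com"},
         {"id": "p-6", "type": "domain", "role": "reader", "domain": "example.com"},
         {"id": "p-7", "type": "group", "role": "reader", "emailAddress": "all-staff@example.com"},
     ]},
]


def is_external(permission: dict, internal_domain: str) -> bool:
    """True if this ACL entry grants access to anyone outside the organisation's domain."""
    ptype = permission.get("type")
    if ptype == "anyone":                         # link sharing: always external
        return True
    if ptype == "domain":                         # whole-domain share: external unless it is ours
        return permission.get("domain", "").lower() != internal_domain
    if ptype in ("user", "group"):
        email = permission.get("emailAddress", "").lower()
        # "@" prefix so that "x@notexample.com" is not treated as internal
        return not email.endswith("@" + internal_domain)
    return True                                   # unknown type: treat conservatively as external


def audit(files: list, internal_domain: str) -> list:
    """One finding per external ACL entry: (file id, name, owner, perm id, grantee, role)."""
    findings = []
    for f in files:
        for p in f["permissions"]:
            if is_external(p, internal_domain):
                grantee = p.get("emailAddress") or p.get("domain") or p["type"]
                findings.append((f["id"], f["name"], f["owner"], p["id"], grantee, p["role"]))
    return findings


def summary(files: list, internal_domain: str) -> dict:
    """How many files exist and how many of them carry at least one external entry."""
    external_ids = {fid for fid, *_ in audit(files, internal_domain)}
    return {"total_files": len(files), "externally_shared": len(external_ids)}


def revoke_commands(findings: list) -> list:
    """GAM command per finding. Assumed syntax:
    gam user <owner> delete drivefileacl <fileId> <permissionId>"""
    return [f"gam user {owner} delete drivefileacl {fid} {pid}"
            for fid, _name, owner, pid, _grantee, _role in findings]


if __name__ == "__main__":
    print(summary(SAMPLE_FILES, INTERNAL_DOMAIN))
    found = audit(SAMPLE_FILES, INTERNAL_DOMAIN)
    for fid, name, owner, pid, grantee, role in found:
        print(f"{fid} {name!r} owned by {owner}: {role} for {grantee} (permission {pid})")
    print("\n".join(revoke_commands(found)))
```

Review the generated commands before running any of them: a partner who genuinely needs access (the writer on the board deck here) should be handled by policy, not revoked blindly, whereas an “anyone with the link” entry on a price list is the kind of share that usually warrants removal.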
We have written a more detailed guide about GAM, which you can download here.
GAM gives the sysadmin the power to monitor and control all file-sharing activity taking place inside and outside the organisation. While GAM is great for the sysadmin, it doesn’t help non-technical people understand and protect their own file sharing.
The Tricent Compliance Tool is a web app that makes it simpler for everyone in the organisation to audit and clean up their shared files. It lets users collaborate externally, sysadmins control file-sharing activity, and organisations comply with data protection policies.