When enterprises move to cloud productivity suites like Google Apps, they must address the same three security considerations as with on-premise data:

While the infrastructure security of a cloud provider is out of your control, information security is both within your control and is your responsibility. The following guide presents practical steps organizations must follow to secure their data and accounts in Google Docs, Google Sites, and Google Drive.

Phase 1: Discovery

The first step in Google Drive security is discovering all  data in the domain, understanding who has access both internally and externally, and finding out which 3rd party apps have access to data and accounts in the domain.

1. Understand Who Has Access To Data In Google Drive – CloudLock Collaboration Security makes it easy to understand who has access to sensitive data, and what is accessible to whom, both inside and outside the domain.

2. Discover, Classify, and Decide Which 3rd Party Apps to Allow in Your Domain -CloudLock Apps Firewall lets organizations effectively discover 3rd party applications that have been granted access to their Google Apps domain, and shows:

• All applications with access to the domain
• All users that have granted access to a specific application
• All applications that a specific user has added

Phase 2: Classification

1.  Find and Protect Personally Identifiable Information (PII), PCI Data, and Toxic Data In Google Docs and Drive – CloudLock Compliance Scan is an industry-first pattern matching engine that identifies, classifies, and secures sensitive information including:

• Credit card numbers
• Personally Identifiable Information (PII) like Social Security numbers
• PCI data like Credit Card Numbers
• Toxic data

2. Classify 3rd party apps based on their risk profile – Allow or ban applications based on the access rights granted to each app. First, review the risk profile for each application:

• Check the scope of each application, the resources it has been granted access to, and the extent of the access rights granted to each application
• Understand what each application does
• Review the vendor profile for each application – Is it a trusted and known entity that has passed security and other audit certifications?
• See who has granted access to this application: how many users, whether the app has been added by domain administrators (privileged domain users) or regular domain users.

Then, classify each application based on the above review. Applications can be classified as:

• Banned – Apps that should not be added to the domain
• Allowed – Approved applications that are safe to use
• Not Trusted – The default app classification

Phase 3: Policy Creation and Employee Awareness

1. Create Content Aware Security Policies for Google Drive Data and Educate Employees:CloudLock’s Content and Context Aware Security Policy Engine provides organizations the framework necessary to define keyword-based policies and make sure that collaboration practices are monitored and remain compliant with company policies and procedures.

With CloudLock’s Security Policy Engine organizations can:

• Enforce Acceptable Use Policies – Define acceptable use policies to enforce internal governance and sharing
• Put Data Security on Autopilot – Providing ongoing monitoring and continuous scans to alert when policies have been violated
• Educate End-Users – Notify end-users when they violate corporate sharing policies in Google Drive

2. Establish Approved Application Policies for Google Apps - Despite the fact that end users can give third party web and mobile apps access to corporate data in Google Apps, the IT department is still charged with reviewing apps security and adding trusted apps to the corporate Approved Applications Policy (AAP). In order to create a flexible, yet secure approved application policy for a Google Apps domain, enterprises must ask:

• What level of access should applications be allowed to have?
• What types of applications should be allowed?
• How trustworthy is the vendor that created the app?

CloudLock Apps Firewall

• Maintains control of sensitive information and intellectual property without blocking user productivity
• Provides effective, ongoing monitoring and discovery of new apps added to the domain
• Drives user productivity by promoting safe, approved applications
• Protects the domain from unapproved application access
• Supports a distributed and mobile workforce, applying consistent security regardless of endpoint device

Phase 4: Enforcement and Remediation

1. Fix Data Exposure and Remove Excessive Rights In Google Drive – Once you’ve identified data exposures, use CloudLock Collaboration Security to set effective permissions on Google Docs, Sites, and data in Google Drive.

2. Remediate and Revoke 3rd Party Apps from Your Google Apps Domain – Notify the Users of Unapproved Application(s)
To notify a single user or all users that they have granted access to an unapproved application(s) using CloudLock Apps Firewall:

• Select the applications
• Choose <Notify Users> from the actions menu
• Customise your message to explain to why the selected application(s) should be removed from the domain

Revoke Access From The Application(s)- When applications pose a significant security threat to the organization and need to be removed from the domain immediately, CloudLock Apps Firewall lets domain administrators revoke unapproved applications domain wide for specified apps, or for a specified user.

Additional Resources

• CloudLock Collaboration Security - See how CloudLock Collaboration Security can help your organization manage sharing policies based on content patterns, keywords and metadata
• CloudLock Apps Firewall - See how CloudLock Apps Firewall can detect potential risk created when 3rd party apps are authorized by employees and apply mitigating controls
• Securing Data in Google Drive: The Enterprise Guide - In this whitepaper, we discuss what Google Drive is, what it means to businesses, and how to secure sensitive corporate data and intellectual property in Google Drive.