Last week, Google announced a new set of visualizations, reports, and changes to the administrative control panel for Google Apps users that will make it easier than ever to see “how many Hangouts, Docs, Sheets and Slides your organization created, who is close to reaching their Drive and Gmail storage quota and how many files have been shared outside the company”. We are tremendously excited by this announcement, as it validates something we have long believed: auditing, domain management, and administrative tools are essential parts of the Google Apps suite, and nobody is better aligned to provide functionality in these areas than Google themselves.
With this new functionality, Google is emphasizing the importance of visibility and security for its platform. This announcement comes as part of a broader industry discussion around the role of security in the cloud; there is growing consensus that risk in cloud platforms is not the same as risk in traditional on-premise IT systems. In legacy environments, password management, account login tracking, and basic security all required external tools. As Google demonstrates today, many of these essential controls should be (and now are) available from the cloud service provider directly. Significantly, cloud risk and strategies for responding to it must address end-user action and behavior, not just outsider threats.
We believe that the best response to these risk areas (a topic we recently discussed at length with John Pescatore from the SANS Institute) is to foster a culture of education and to implement risk-appropriate controls. We see many successful organizations build effective cloud security programs by implementing five things:
- Content- and context-aware policies that can automatically differentiate sensitive and non-sensitive data (e.g., files containing PCI, PII, or IP)
- Automated end-user alerts and educational emails that help data owners directly respond to and fix potential exposures
- Selective use of strong encryption to provide defense-in-depth and additional security over highly sensitive information
- Application whitelisting/blacklisting, allowing for domain control over third-party applications
- Comprehensive coverage of information exposure in all core Google channels (Drive, Sites, Google+, and via third-party apps)
A sophisticated cloud security program will, of course, be based on a common foundation of strong password management, domain visibility, and application awareness. With this week’s announcement, it is now possible for organizations that take cloud security seriously to gain that kind of visibility and control without needing to rely on external vendors, and to then augment their security programs with the types of best practices outlined above.
Ready for More?
In our eBook, you will learn strategy and tactics every organization can leverage to complement Google’s data protection capabilities, with a specific focus on behavioral security.
The eBook discusses data security and compliance within Drive, dives into the power of securely enabling collaboration, speaks to the value, risk, and potential controls around third-party SaaS apps, examines the benefits of file-level encryption, and finishes with actionable tips to make it all happen.