There are lots of great reasons for MSPs to offer Google G Suite as a managed service: it ensures that your clients can access their productivity applications from anywhere and at any time; it centralizes their documents and other data in the cloud; and it frees you from having to install and manage office applications on local PCs.
However, with the flexibility of G Suite come some additional challenges, not least in the realm of security. When you replace your clients’ local office applications with a cloud-based solution like G Suite, you face a whole new set of security requirements that you must address -- such as managing cloud-based accounts and file-sharing settings -- in order to offer G Suite securely as a managed service.
This article walks through the key security challenges of G Suite, along with tips on how MSPs can secure G Suite effectively.
Secure G Suite User Accounts
Google G Suite is only as secure as the accounts that your users rely on to access the platform. If their accounts are compromised, there is little you can do to prevent their sensitive documents from being stolen or deleted.
That’s why it’s critical to secure G Suite accounts by requiring multi-factor authentication for all users. You may also consider using security keys (which require users to have access to a physical key in order to log into their accounts), at least for high-value accounts.
Likewise, it’s a best practice to create password policies that enforce strong password requirements for user accounts. If your configuration allows it, you can also set up active password detection to add extra security to G Suite accounts.
You can also set up admin email alerts so that you receive notifications about potential breaches or suspicious activity involving a user account. And you should have a predefined response in place to handle breaches when they do occur. Typically, you’ll want to revoke access to the user account data and prevent further log-ins by that account until the situation is resolved.
Protect G Suite Admin Accounts
Admin accounts that you use to manage G Suite must be rigorously secured, too.
In addition to following the basic best practices of requiring multi-factor authentication, security keys, and strong passwords for admin accounts, you can enhance admin security further by creating multiple accounts for each user within your clients’ organizations who require admin access. That way, if one admin account is compromised, the other accounts will remain operable, preventing a situation where your clients can’t access the G Suite admin console. In addition, having multiple accounts makes auditing easier, because you can track the activity of individual users within the audit log, rather than only being able to track the activity for a single admin account that is shared by multiple individuals.
You should also avoid allowing your clients to use admin accounts for everyday G Suite activities. For those activities, they should use regular user accounts.
Of course, more admin accounts mean more overhead to manage. To help address this challenge, enable recovery options for admin accounts so that your clients can self-service if they need to recover a password. Enrolling spare security keys for the admin accounts can also reduce the risk of your clients becoming locked out because they lose their primary security key. Taking the time to set up backup codes, too, can help your clients regain access to their accounts quickly if they need
Secure Gmail
Although Gmail isn’t strictly required for companies that use G Suite, in most cases MSP clients who adopt G Suite will also use Gmail as their email solution. If they do, securing Gmail is another critical requirement toward achieving overall security for G Suite.
There are a variety of steps that MSPs should take to lock down Gmail services for their clients:
- Validate email by enabling Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
- Set up inbound email gateways to work with SPF.
- Enforce TLS with your partner domains.
- Require sender authentication for all approved senders.
- Configure MX records for correct mail flow.
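To check whether a client domain's published SPF and DMARC records actually enforce anything, the following added example (not part of the original article) audits TXT record strings for common weak settings. The domains and record values are constructed samples; in practice you would feed in the TXT records returned for the domain apex and for `_dmarc.<domain>`.

```python
# Audit SPF and DMARC TXT records for a domain that sends mail through Google.
# All domains and record strings here are constructed samples, not real DNS data.
GOOGLE_SPF_INCLUDE = "include:_spf.google.com"  # Google's published SPF include

def audit_spf(txt_records):
    """Return findings for the TXT records published at the domain apex."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records, receivers treat this as an error"]
    terms = spf[0].lower().split()
    findings = []
    if GOOGLE_SPF_INCLUDE not in terms:
        findings.append("Google senders not authorized")
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism, unlisted senders are not rejected")
    elif all_terms[-1][0] in "+a":  # "+all" and bare "all" both mean pass
        findings.append("'all' passes every sender")
    elif all_terms[-1].startswith("?"):
        findings.append("'?all' is neutral, no enforcement")
    return findings

def audit_dmarc(txt_records):
    """Return findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records
            if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record"]
    parts = (p.partition("=") for p in recs[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if v}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"policy p={policy or 'missing'} does not act on failures")
    if "rua" not in tags:
        findings.append("no rua address, aggregate reports are not collected")
    return findings

SAMPLES = {  # constructed: name -> (apex TXT records, _dmarc TXT records)
    "good.example": (["v=spf1 include:_spf.google.com ~all"],
                     ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"]),
    "weak.example": (["v=spf1 ip4:203.0.113.10 +all", "site-verification=constructed"],
                     ["v=DMARC1; p=none"]),
}

def audit_domain(name):
    apex, dmarc = SAMPLES[name]
    return audit_spf(apex) + audit_dmarc(dmarc)
```
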
Beyond these technical tweaks to the way Gmail works, you can take additional steps to mitigate Gmail security vulnerabilities:
- Disable IMAP/POP access.
- Disable automatic forwarding.
- Enable comprehensive mail storage.
- Don't bypass spam filters for internal senders.
- Add the spam headers setting to all default routing rules.
- Enable enhanced pre-delivery message scanning.
- Enable external recipient warnings.
- Enable additional attachment protection.
- Enable additional link and external content protection.
- Enable additional spoofing protection (using a third-party anti-spoofing service).
Secure Google Drive
As the backbone of file sharing within G Suite, Google Drive is another essential component that must be properly secured.
A basic best practice for securing Google Drive is to restrict the sharing of files outside of your clients’ domains. Configure the Drive sharing settings so that files are private by default, and disable automatic link sharing for new files. You can also enable warnings for users when they share files outside of their domain, and prevent users from outside your client’s organization from moving a file from the client’s shared drive to an external shared drive.
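Tightening the sharing settings does not change files that are already shared, so it helps to audit existing permissions. The sketch below is an added example, not part of the original article; it flags files exposed outside the client's domain. The records use the Drive API v3 permission fields (`type`, `role`, `emailAddress`, `domain`), while the file list and the `client.example` domain are constructed.

```python
# Flag Drive files whose permissions reach outside the client's own domain.
# Field names follow the Drive API v3 permission resource; the files,
# addresses and domain below are constructed sample data.
CLIENT_DOMAIN = "client.example"  # assumption: the client's primary domain

FILES = [
    {"name": "budget.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ann@client.example"},
        {"type": "anyone", "role": "reader"}]},
    {"name": "roadmap.doc", "permissions": [
        {"type": "user", "role": "writer", "emailAddress": "bob@partner.example"},
        {"type": "domain", "role": "reader", "domain": "client.example"}]},
    {"name": "notes.txt", "permissions": [
        {"type": "group", "role": "reader", "emailAddress": "staff@client.example"}]},
]

def external_exposure(perm, own_domain=CLIENT_DOMAIN):
    """Return a reason string if the permission reaches outside own_domain."""
    kind, role = perm["type"], perm["role"]
    if kind == "anyone":  # link sharing: no sign-in tied to the domain
        return f"anyone with the link ({role})"
    if kind == "domain":
        target = perm.get("domain", "").lower()
        return None if target == own_domain else f"external domain {target} ({role})"
    # "user" and "group" grants are identified by e-mail address
    addr = perm.get("emailAddress", "").lower()
    if addr.rpartition("@")[2] == own_domain:
        return None
    return f"external {kind} {addr} ({role})"

def audit_files(files, own_domain=CLIENT_DOMAIN):
    """Map each exposed file name to the list of reasons it is exposed."""
    report = {}
    for f in files:
        reasons = [external_exposure(p, own_domain) for p in f["permissions"]]
        reasons = [r for r in reasons if r]
        if reasons:
            report[f["name"]] = reasons
    return report

if __name__ == "__main__":
    for name, reasons in audit_files(FILES).items():
        print(name, "->", "; ".join(reasons))
```
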
Requiring external collaborators to sign in whenever they access a shared file will improve security, too (although not by a huge amount, given that it’s not hard to create a Google account).
Disabling desktop access to Drive and preventing offline access to documents stored in Drive will enhance security as well by reducing the chances that malware or unauthorized access on a local device will expose private data stored in Drive.
Finally, disabling add-ons for Drive (as well as for other G Suite components) will mitigate the risk of users installing malicious or insecure add-ons.
Secure Google Calendar
Google Calendar may not contain as much sensitive data as other parts of G Suite, but your clients still won’t want their employees’ calendars to be visible to unauthorized parties. To mitigate this risk, limit calendar sharing options in G Suite.
Secure the Chrome Browser
Although G Suite works with any browser, it integrates best with Chrome, Google’s own browser. In order to provide your clients with the best G Suite experience, then, consider setting a desktop policy that requires them to use Chrome, unless they need a different browser for a specific reason.
Be sure also to enable automatic updates for Chrome on your clients’ systems.
Back Up Your Client’s Google G Suite Data
No matter how secure your G Suite installation is, data loss is always a risk. You can never guarantee that malicious actors won’t destroy your data or hold it for ransom. And, of course, there are a variety of other ways in which data loss could occur, such as accidental data deletion by your clients.
This is why backing up G Suite data is a critical step in the overall G Suite security process.
MSP360 Managed Backup makes it easy to protect your G Suite data. The product offers full support for backing up Gmail, Google Calendar, Google Drive, and other critical data repositories within G Suite. You can also configure data retention policies to determine how long your backup data remains available. And because MSP360 automatically encrypts data at rest as well as in transit, you can be confident that your backups will always remain secure against unauthorized access.