The increase in remote work has triggered the use of cloud storage and collaboration applications to share documentation and files between teams within a company and with other external users. Sharing through local folders on file servers has given way to cloud storage in what is known as “Enterprise File Sync & Share (EFSS)”, applications, including Google Drive, One Drive or Box among others.
In this article we are going to focus on Google Drive, specifically Google Drive and Google Drive for Business security offered within the Google Workspace suite of applications.
- Extended use of Google Drive
- Protecting data at rest in Google Drive for Business
- Protecting data in transit in Google Drive for Business
- In use protection and digital rights control in Google Drive for Business
- Additional protection needs for a corporation and limitations
- How can we improve security in Google Drive?
- How SealPath improves security in Google Drive
Extended use of Google Drive
More than 2 billion users use Google Drive to store their data in the cloud and collaborate with others. In the field of workplace digitization, Google Workspace has been chosen by organizations of all sizes, from SMEs to large corporations, to manage their documentation.
Google Drive eliminates some of the problems associated with local data storage, such as the ability to access data from anywhere (accessibility), offers a simple and convenient way to store and collaborate with files (usability), enables automatic backup storage (backup), and offers additional security features to local document storage.
In relation to this last point, what level of security does Google Drive offer to companies?.
We are going to see it in depth by analyzing it from the point of view of data protection at rest, in transit and in use.
Protecting data at rest in Google Drive for Business
The information a user uploads to Google Drive is stored in Google’s data centers with encryption at rest. Google uses 128-bit or 256-bit AES keys depending on the type of Backup storage device.
When Google stores the data, the content is divided into smaller fragments, each of which is encrypted with its own security key, and at the same time, this security key is encrypted with another key. The latter key is protected and managed by Google’s key management service
(KMS-Key Administration Management), stored separately from the data and protected and also encrypted at rest.
It is important to note that, despite these security measures, , Google is in possession of both the content and the keys so it has the ability to decrypt and access the content. Although Google’s past security breaches have not been directly related to Google Drive, having the content and encryption keys at the same provider can make our data more susceptible to being accessed in a potential attack on the same provider.
According to Google and Google Drive’s privacy policies and terms of service, we retain ownership of our data. However, the service may scan your documents to obtain information to improve the targeting of its advertisements and reserves the right to turn over your information if required by law enforcement.
Protecting data in transit in Google Drive for Business
Google uses TLS (Transport Layer Security) to protect data in transit to and from Google Drive and prevent man-in-the-middle or data interception attacks. It should be noted that TLS secures the communication channel through the HTTPS protocol, but does not guarantee security once the content has been shared with a third party. The protection is not applied persistently to the file, so once it is accessed there is no way to control security.
The risks are even greater when public links are made on the files giving total control over them, since anyone, and not only the receiver of the link, can read the content, modify it, copy it, print it etc. In addition to the fact that these public links can potentially be accessed by anyone, there is nothing to prevent the recipient of a link from forwarding it or sharing it with third parties.
In use protection and digital rights control in Google Drive for Business
The most basic version of Google Drive included in Workspace does not include granular permissions control in order to meet the confidentiality and compliance requirements needed in organizations.
One way to avoid the problems of public links to Google Drive files is to allow sharing only with certain people. However, if we want to limit what the user can do with our data once they receive it, we need to be able to control the permissions on the content.
Additionally, and depending on the subscription level, Google Drive allows some basic control of digital rights associated with files and folders such as modify, comment, view only, download, etc.
In a company, the administrator can also restrict access to certain roles or departments by disabling sharing or printing. Google Drive allows working with Google Groups. It is possible to create a group and add people with whom we want to share a file or folder. Removing users from the group removes their access permissions to the files that have been shared with them.
These features allow us to meet various corporate security requirements, but do not provide effective in-use data protection in certain collaboration scenarios with third parties. Data protection does not travel with the documents so once the data leaves Google Drive the user and the company lose control over the shared data.
I can leave “view only” on a file shared with Google Drive or “edit” with the Google Docs web interface, however, if the user can download the content to be able to work with Microsoft Office locally, for example, Google Drive will have lost control over that documentation.
Additional protection needs for a corporation and limitations
In virtually every organization there is sensitive documentation that needs to be kept under control and should only be accessed by certain people. This includes management documentation, financial data, documents with personal data managed by the user department, legal documentation, sensitive business-related data that can have an impact if it gets into the hands of a competitor, etc.
When it comes to this type of documentation, sharing through links so that anyone who has the link can access the content is not an option. In addition, the fact that users can manage their own links increases the probability of oversights, leaving links open that should not be, etc.
Similarly, using more advanced subscriptions to control digital rights individually by users also increases the risk on this documentation since:
- Digital rights management is individual per file or folder and not based on policies or templates. As with links, the likelihood of oversights is increased.
- In the absence of policies, users must determine the rights for each type of content and for each user each time it is shared. This is impractical and causes users to avoid such controls for “agility”.
- Even if these permissions have been assigned, once the content has been shared and downloaded we will not be able to control it since the protection does not travel with the files.
While Google may cover regulatory compliance requirements such as GDPR, HIPAA, ITAR, etc., the ultimate responsibility for the data rests with the organization and how it manages its data to safeguard data security. If documents are accessible on public links, with downloadable content, the ultimate responsibility lies with the data controller, the organization.
How can we improve security in Google Drive?
There are basic controls that can prevent data from being accessed by third parties in a potential attack:
- One of them is to have a two-factor authentication to prevent anyone from getting our password and accessing the data.
- • As mentioned above, it is not a good practice that whoever has access to the content also has access to the encryption keys. Having end-to-end encryption where control of the keys does not rest with the owner of the storage platform undoubtedly increases the level of security.
There are multiple tools to encrypt documents or folders before being uploaded to Google Drive or that apply additional encryption on the data synchronized on the computer, however, it should be noted that these solutions only improve data protection at rest by including keys not controlled by Google, but nothing prevents that once the document is shared a third party can do with it whatever they want since, again, these tools only provide encryption at rest but not in use or control of digital rights.
- Protection that travels with the files: A substantial improvement in security is to allow that, even if the documents are downloaded by third parties, whether internal or external to the organization, we can still maintain control over the data: Who can open the document, with what permissions (view only, edit, print, etc.), etc. and to be able to revoke access to the files, even if they are already physically on other users’ computers.
- Additional controls over documentation: When the information is sensitive, having watermarks to prevent screenshots can mitigate the likelihood of a data leak. On the other hand, having the ability to control the IP or subnets from which sensitive information is opened can be critical in certain cases with highly confidential documents, where we are not interested in a user being able to access certain information from home and download it.
- Improve security over public links and external sharing: Public link management in Google Drive is widely used as it is convenient for users. They only need to pass the link for a third party to download it. Protecting the data accessible over that link, making security travel with it and remain under control wherever it goes, will ensure to minimize the risk of leakage. Access can be revoked even if the document has been downloaded.
- Improve monitoring and auditing controls over data: Google Drive can give an administrator information about downloads and file access while the documents are on the platform. However, when data is confidential or under regulatory control, it is critical to be able to know who accesses it, when, if someone tries to access it without permissions, etc. even if these documents have already been shared and downloaded by third parties.
Google has taken care to keep sharing simple for users and administrators and this is a feature that is highly valued by those who choose to use Google Drive. It is important that, if additional security measures are implemented, the simplicity of use is kept to a minimum, preventing the use of the solution from being compromised by the complexity of the security tools adopted.
How SealPath improves security in Google Drive
Within the types of technologies specialized in data protection at the corporate level and those that fall within the security scope of a “Zero-Trust” protection strategy, SealPath allows persistent protection to be applied to the files that travel with them, even if they have already been downloaded to other networks. Protection is at rest, in transit and in use.
- By encrypting the data with SealPath, we separate control of the storage (Google) from control of the encrypted data. Even if the Google platform were compromised, the attacker would not have access to the data.
- Permission control goes beyond the Google Drive environment. Even if the data has been downloaded, we can limit who can view, edit, copy and paste, print or have controlled access to the files.
- The revocation of access not only applies to data hosted on the platform, but even if they are on computers and networks external to our organization.
- Additional controls such as watermarking, IP control, etc. are added to the documentation to minimize the likelihood of data leakage.
- It offers powerful document auditing and traceability capabilities both within and outside the Google Drive platform, on files downloaded to any computer and device. Audit data can be integrated with any SIEM to manage access alerts to certain information.
- SealPath allows you to automate the protection of documentation stored in Google Drive, since the administrator can decide which folders in the organization should be automatically encrypted. The same applies to users, who can set automatic encryption rules on certain folders.
- SealPath has taken the utmost care with the user experience:
It allows working on the files directly in the browser and without agents through SealPath Secure Browser whose add-in can be activated at the individual user and domain level in the organization. The user does not need to download the protected documents to access them. SealPath Secure Browser also adds watermark and permission controls on the documentation accessed in the browser.
Allowing to work directly with Google Drive agents, either the Backup and Synchronization , agent or Google Drive File Stream. It is possible to automatically protect folders in both, including File Streams, so that when a user moves or copies files to them, they are automatically protected. Through Google File Stream, no local space is occupied, but only references to files stored in the Google Drive cloud are maintained.
Contact us and we will show you how SealPath works in an integrated way with Google Drive to increase and provide additional security to the data stored in this platform, thus minimizing the possibility of data leaks.