Protecting Data with Google Drive

• Introduction
• Security
  • Intrusion
  • Credential Misuse
  • Device Loss
• Privacy
  • Sharing
  • Auditing
• Continuity
• Advice

How to best protect and secure confidential data using Google Drive and Google Apps / G-Suite

Introduction

Perfect security doesn’t exist, but better security does. Better data protection means thinking pragmatically about the likely threats that you face, and then doing something to mitigate the chances of them happening.

This is a common sense guide to protecting data, with a particular focus on the challenges faced in education. It is structured around using Google Drive to protect your data, as part of the G-Suite for Business (Basic, Business or Enterprise), Non-Profit or Education plans.

While Google Drive is likely going to be the most secure option for most organisations, many of these principles will apply to other cloud storage systems too. Why is it so secure? Read on to find out …

• Google encrypts your data in when it is on the move (in transit) and when stored (at rest)
• Supports 2-Factor authentication, which is essential to help protect your accounts
• Wide device support and allows remote data/account removal on secure devices (e.g. tablets, phones, Chromebooks)
• Allows simple sharing rather than relying on emailing files as attachments
• Robust and straightforward auditing and logging, to see who has accessed data

Security

We are taking information security to mean how well protected your data is from unauthorised access and disclosure. Typically the potential risks are your information storage system (servers, laptops, databases etc.) being broken into or your credentials being impersonated/stolen to gain access to your systems.

Intrusion

Securing systems, which are repositories for information, has become a constant process of staying ahead of vulnerabilities. Any software and systems are designed and implemented by people and by that very nature, is potentially insecure and flawed. Mistakes are always made, whether they are spotted or not. When these mistakes come to light (as they inevitably do), there is a vulnerability in your system. This could be from design, coding or configuration, but it will often open the door to your information. It is vital to keep on top of these vulnerability disclosures and ensure your any system upon which you store data is well-configured and stays patched against potential problems.

For organisations of any size, and particularly schools, this is an onerous task and one that frequently is not done as diligently as we would like! A large number of security breaches and intrusions are caused by old system flaws that have not been patched. Hosting your data in the cloud isn’t a solution to this problem, but you have to be pragmatic about this; who has more resources to ensure systems are kept patched, well-configured and secure? Is it you? Or is it a multi-national cloud provider, such as Google.

Of course, these larger providers are a much more attractive target for people who want to break into information systems, but they also have much better defences and a lot more money and time to throw into the fight. You might think that your organisation is too small for someone to spend the time targetting it, and you are probably right. But most attacks now are automated and they are indiscriminate and destructive. They don’t assess the value of a target before trying to compromise it; they try to exploit known vulnerabilities. Organisations of all sizes are caught up in the collatoral damanage. Security through obscurity is really no security at all.

Putting your information into a well-respected cloud storage provider helps minimise the likelhood of your information being exposed through an intrusive attack. The scale of these systems means that security monitoring is much more pro-active than you could ever hope to achieve, and draws upon a high-level of expertise that does not exist in most organisations.

Credential Misuse

This is probably the most common cause of unauthorised information access for most organisations. Security through passwords is a fundamentally weak model, not because passwords are themselves a security risk, but how we manage them is. There is a shocking rate of password re-use amongst most users, and this creates a huge security problem. Google spends millions on ensuring their systems are secure, but that doesn’t matter at all if you have signed up to another weaker site or app using the same username/password that you use for your Google account. All it takes is one intrusion into a less secure system, and your username/password is going to be available for all to see and misuse.

If you are responsible for managing confidential or personal information (and almost everyone who works in education is), then you must ensure you have secured your accounts with 2-factor authentication. If you don’t, you are being negligent. Two-factor authentication, often abbreviated as 2FA, requires the use of two tokens when you log on. A password is something that you know; the second token is from something you have. Typically this takes the form of a numerical code generated by an authenticator app (on your phone or tablet), a code delivered by SMS to your phone or (even better) a USB security key. On the Google platform, this form of authentication is free to use and takes just a few seconds to setup. If you are not using, stop reading right now and go do it.

Using 2FA to secure your account helps to instantly minimise the chance that your credentials will be misused. By requiring another piece of information, generated from something that you have, an attacker cannot gain access to your account and data with just your username and password. By doing this, you massively increase the security of your information in a single act.

Device Loss

Lost USB keys, laptops left on trains, hard drives not wiped before computers are sold. These are all horror stories of data loss, and they are worryingly familiar. We all lose things, expensive electronics are always an attractive target for theft, so what can we do about this to improve our information security?

Like credential security, you can make significant improvements very simply:

1. Don’t use portable media devices, such as external hard-drives or USB keys for personal or confidential information.

   There is no need in the modern connected world to rely on these sort of tools. Stick your files on Google Drive, and access them on all your devices, wherever you are. Ensure you have a secure password/PIN on your phone and tablet, and a strong password on your computer.

   The convenience of this sort of access will help stop you copying essential files to insecure portable devices, and this will increase security. If you are not sure what type of educational information is personal or confidential, have a look at our handy guide.

2. Only use devices which natively encrypt your data.

   You cannot get away from the fact that even with the best cloud service, data is going to be stored and cached on your local device. Encryption at rest is essential. This means that if you lose physical control of your device, your data is still encrypted, generally with a key that is derived from your account credentials.

   Without this encryption, it is trivial to access any data on a device, including confidential information! If you use windows servers or laptops, you need to ensure they have been encrypted properly using a full-disk encryption system such as Bitlocker.

If you use Chromebooks to access your data offline then you will be benefiting from their native (and default) encryption, making them an extremely secure device to access your data from, without requiring any extra management or technical configuration time. Other tablet/phone devices, such as those running Android 7.0/IOS 4 (or later) also natively encrypt data - protecting them in case they are lost. Leaving confidential data in an unencrypted state is just inviting trouble.

Should you discover you have lost your mobile device, you can remove these devices from accessing your Google account from your recently used devices page. Then tell your organisations Google administrator (usually a senior official or IT Support team) that you have lost a device. They should be able to remotely clear any cached email or cloud files from the device too.

Privacy

Now you have dealt with the most critical security issues by uploading your data to a secure cloud provider, secured your accounts with 2FA, and ensured that any device you use to access or store data is encrypted. Then you can turn your attention to ensuring that only the correct people have access to your protected information.

One of the unique features of modern cloud storage platforms is that they allow users to take control of data sharing in ways they haven’t done in the past. This empowers them to work more collaboratively, but this power and responsibility means they may need time and guidance to become comfortable exercising it. It is essential that all your users know what information is personal or confidential, and with whom they can share it with. They must be confident in being able to check who has access to data, and how to restrict access if need be.

Sharing

An emailed file is a lost file. Once a file has been attached to an email and sent, you lose any control over it. Confidential, personal or even important data should never be sent as an email attachment. The recipient of the email can forward it to any third party, or they can start to make changes to the file that won’t be shared back with you. Granting others access to your file is a far better way to communicate information. Ideally, you should share with a named account (e.g. an email address), but you can also use link sharing if you need to you. Anything is better than attaching! Remember that if you make a mistake with sharing, and include someone who actually shouldn’t have access, you can always rescind a share but recalling an email with an attachment is almost always impossible.

Auditing

A traffic light system to classify information security is a useful tool to help guide users in making these decisions. You can even overlay these traffic-light tags onto your Google Docs, Sheets and Slides to help ensure everyone knows that sort of data they are dealing with. You can also audit sharing permissions or (as an administrator) view audit logs to check exactly who has access to your data, as well as who has opened and edited it.

Continuity

Ensuring access to valuable data is vital. If you are keeping your files on a single server, even with a reliable backup solution, then you are putting the continuity of access at risk. To recover those files you may need to purchase a new server, wait for it to be delivered, build it, configure it and then restore the backup. If your financial system or critical supplier information was on that server, then the job is even harder. All this takes time.

Well-designed cloud services will likely have significantly less downtime that this, even in the worst case scenario. On any secure client platform, you can cache files for offline access. This technique can be used to ensure you have access to critical information, such as essential medical, contact or technical data.

Advice

• Store your files in a secure and well-respected cloud service
• Enable 2-Factor Authentication on your Google Account (any every other account you can too!)
• Don’t use portable media devices to store files
• To access your files, use a Chromebook, modern Android tablet, iPad, iPhone or Windows device with BitLocker enabled
• Never email files as attachments
• Take the time to learn how to confidently share files, how to check who files are shared with and the best ways to audit sharing