A practical guide to securing Google Workspace for a startup

261 points by gepeto42 about 3 years ago

23 comments

blip54321 about 3 years ago
My advice is to never, ever, ever rely on Google Workspace for a startup. Office 365 is a little bit less usable, but Microsoft can work with businesses.

I used Google Workspace for a startup. Startup went idle for a while. Google sent a message to me warning the account would be terminated unless I logged in on some short timeline. Gmail filed its own email as spam. Boom. Everything from that startup was gone.

I used Google Workspace for my family domain. Google decided to discontinue GSuite/Free. Now, I'm SOL.

I've had similar experiences with YouTube. I built a major startup with Google as a partner. Videos were on YouTube. Google had 4 engineers assigned to us. YouTube has a bug which took us down. There was no way to resolve the bug, even with a team supporting us (in a different part of Google). We had to migrate off.

I've more recently been involved in businesses integrating with Workspace. On the API side, Google suddenly required a security audit for our business integrations to keep working. That's tens of thousands of dollars. Many small businesses went under when Google introduced this. (https://www.prescientsecurity.com/google-oauth-api-verification)

We also had an extension, which is in the process of breaking with Manifest V3 (https://www.eff.org/deeplinks/2021/12/chrome-users-beware-manifest-v3-deceitful-and-threatening). Again, many Google partners are going out of business over this.

Each time I've done business with Google, I've eventually been !@#$%.

These are all true stories, but they're not all the true stories I have. I have a much longer collection of stories of being !@#$% by Google. Some I can't talk about have to do with Workspace security issues. BOY was that a rabbit hole. If I could talk about it, you'd never do business with Google either. Google has excellent security for their data, but not for your data.

Google doesn't mind killing your livelihood with random changes like these. It happens over, and over, and over. Everyone thinks it won't happen to them, until it does.
codegeek about 3 years ago
Nice guide. I would also suggest checking your domain's MX records to ensure you have things configured correctly, including DKIM etc. Google has this tool that gives your domain a scan:

https://toolbox.googleapps.com/apps/checkmx/
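
Added example, not part of codegeek's comment or of the guide: an offline check of the records the comment mentions (MX, DKIM, plus SPF as part of the "etc.") for a Workspace domain. The `example.com` records are constructed; the `google` DKIM selector and the `_spf.google.com` include are the defaults Google documents, and a domain using a custom selector would pass it as `dkim_selector`.

```python
# Added example: offline audit of mail DNS records for a Google Workspace
# domain. Records are passed in as data; the example.com samples below are
# constructed, not real lookups.
GOOGLE_MX_SUFFIXES = (".google.com", ".googlemail.com")

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_mail_dns(domain, mx, txt, dkim_selector="google"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hosts = [host.rstrip(".").lower() for _prio, host in mx]
    if not hosts:
        findings.append("MX: no records")
    for host in hosts:
        if not host.endswith(GOOGLE_MX_SUFFIXES):
            findings.append(f"MX: {host} is not a Google mail host")
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # none means no SPF; more than one is a permerror
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()
        if "include:_spf.google.com" not in terms:
            findings.append("SPF: missing include:_spf.google.com")
        if terms[-1] not in ("-all", "~all"):
            findings.append(f"SPF: ends with {terms[-1]!r}, not -all or ~all")
    dkim_name = f"{dkim_selector}._domainkey.{domain}"
    keys = [t for t in map(parse_tags, txt.get(dkim_name, [])) if "p" in t]
    if not keys:
        findings.append(f"DKIM: no key published for selector {dkim_selector!r}")
    elif not keys[0]["p"]:  # an empty p= tag marks a revoked key
        findings.append("DKIM: key is empty (revoked)")
    return findings

# Constructed sample records (not real DNS answers).
GOOD_MX = [(1, "smtp.google.com.")]
GOOD_TXT = {"example.com": ["v=spf1 include:_spf.google.com ~all"],
            "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTED"]}
BAD_MX = [(10, "mail.example.net.")]
BAD_TXT = {"example.com": ["v=spf1 include:_spf.google.com +all"]}

if __name__ == "__main__":
    print(audit_mail_dns("example.com", BAD_MX, BAD_TXT))
```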
gepeto42 about 3 years ago
This is how we secure Workspace here at Fleet. We figured the guide could be useful to companies of a similar size. The next step would be to enable Endpoint Verification to control access to specific apps such as Drive so it could only be done from up-to-date, encrypted devices, but that requires the highest Google subscription.
staticassertion about 3 years ago
Another tip - enable Advanced Protection Program. You can't enforce this at the GSuite level but for a small company it's easy to just audit for it.

We have everyone do this as part of onboarding and we audit once a month.
rob-olmos about 3 years ago
FYI to set up an alert like "Out of domain email forwarding" -- you have to go to Reporting > Login. If you go to Rules and click "create rule" it'll take you to Reporting > Admin, which won't have the Login event types.
adev123 about 3 years ago
Thoughts on using Event Threat Detection / Chronicle or exporting logs to GCP and beyond for analysis?

https://cloud.google.com/security-command-center/docs/how-to-use-event-threat-detection

https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs
71a54xd about 3 years ago
Thanks for this! This kind of domain security is usually poorly articulated or just not out in the open. I still think the basis of most risk for small companies is their domains. Lose control of those and well.. you're fucked. Any recs for "high security" domain providers?
alphabrevity about 3 years ago
Love how everything is out in the open... big fan of transparency!
gumby about 3 years ago
I’m surprised you disable the google drive feature. We’re not that worried about local files leaking even if the laptop is stolen, given apple’s hardware encryption.

On the other hand, the workflow of “manually download file, modify file in app, manually upload file” is clumsy and error prone, often leaving files stranded on the laptop.

On the gripping hand, google drive (as it is called again) seems to crash every few days so perhaps your restriction isn’t much of a limitation :-(
jillesvangurp about 3 years ago
Thanks for writing this up; this is very helpful. One of my tasks is coming up with security policies for people in the startup I'm the CTO of. One of the less glamorous things I get to do in this job.
gxt about 3 years ago
It never made sense to me that large software suites like these don't offer a secure by default option on creation or as a progressive migration after creation. Why so many steps...
qwertox about 3 years ago
I wish it had a feature in the admin section where one could disable different 2FA methods. For example, in my family everyone has SMS as a 2FA, as well as hardware tokens and device prompts. SMS was there from the beginning, so everyone has it activated. Only one account is not using hardware tokens.

So what I'd like to do is to set SMS to off, and all the accounts which already have something like device prompts and/or at least one hardware token added, get SMS deactivated without user intervention.
tempnow987 about 3 years ago
Turning on trust devices makes users a TON happier.

You'll still get a password prompt if elevating security profile for something higher privilege in my experience.
mlrhazi about 3 years ago
Nothing about Addons/MarketApps? Should one disable all? Can we manage the access they have to the domain/user data?
JaggerFoo about 3 years ago
I wonder if using tailscale and yubikeys with Workspace is a configuration that would provide security, if possible.
TheSisko about 3 years ago
I went through a very similar process earlier this month. This is a solid guide.
p0larboy about 3 years ago
I was hoping that there would be something in the guide for session hijacking.

I've recently seen many YouTubers having their channel hijacked due to hackers taking over their Google account.
jscardella about 3 years ago
Written by a former colleague whom I trust and who knows the space! Very good explanations and easy to follow.
latchkey about 3 years ago
This article covers Macs as well.

I wonder about Windows.
julienfr112 about 3 years ago
Try to do the same for Azure AD + Intune + Office 365 + ... Hundreds of pages....
sinderznashes about 3 years ago
This is super helpful. Passing over to the orgs using Workspace in my world.
helloworld11 about 3 years ago
Given Google's capacity for freezing organizations and individuals (even those who are paying customers of its products) from Google services out of the blue and with little to no recourse, I'd most recommend that you secure your startup best by simply not even using Google for key parts of its operations if at all possible.
johndfsgdgdfg about 3 years ago
People shouldn't use Google Workspace after Google decided to make existing legacy users hostage for money. [1] Everyone should use Office 365 or other alternatives.

[1] https://thenextweb.com/news/google-gsuite-free-alternatives-analysis