Businesses today are moving at a faster technical pace these days than ever before. This is largely due to the fact that organizations have access to public cloud infrastructure that is built on top of the most powerful technology companies in the world, including Amazon, Microsoft, and Google. Google’s G Suite environment provides businesses today with very robust and powerful infrastructure and software as a service (SaaS) capabilities that would be very difficult if not impossible to build out on their own.
However, by utilizing Google’s powerful infrastructure and software stack, businesses today are able to quickly have access to the same powerful infrastructure running Google’s services, as well as plug into Google’s business services such as Gmail, Google Team Drives, Google Calendar, and many other Google services.
With the advantages and quick time to value that public cloud environments bring to organizations today, there are challenges for many businesses in quickly retooling and rethinking management of their infrastructure. Google G Suite is a behemoth suite of public cloud services that can be challenging for G Suite administrators who are only familiar with on-premise environments and have not had experience with public cloud administration.
However, it can also be a challenge for seasoned G Suite administrators to keep a handle on day-to-day administration. With that being said, what are the top G Suite admin tasks every Google Administrator should do? Let’s take a look at several important G Suite administration best practices that alert and conscientious G Suite administrators take note of. Additionally, we will see how utilizing Spinbackup to augment effective Google G Suite environment administration best practices makes this much easier.
Table of Contents
G Suite Admins Monitor G Suite Environments
An effective G Suite monitoring strategy provides visibility to key performance and security indicators within the G Suite environment. Basic monitoring of G Suite will include keeping an eye on the following KPI’s in the environment:
- Security configuration, including Cloud IAM
- Shared Resources (including sensitive data)
- Third-party Apps
- Cybersecurity events
Why is keeping an eye on the above aspects of the G Suite environment important? The above items, while not all-inclusive, represent some of the more major areas of day-to-day G Suite administration. This involves the daily activities of provisioning users and other resources, to keeping an eye on security configuration and security related events in the environment.
A good G Suite administrator keeps a check on the “pulse” of the G Suite environment. The overall health of the G Suite environment can be either bolstered or hindered by any one of the above listed areas of G Suite administration. Especially keeping an eye on G Suite security is important. Malicious attackers are focusing more of their efforts on cloud environments since more companies are now running business-critical applications and data there.
Spinbackup greatly enhances a G Suite administrator’s ability to keep a pulse on the G Suite environment. G Suite environments can be complex with hundreds or even thousands of users connecting from various devices all over the world. It is quite simply impossible for a human to filter through the mass of audit information to identify issues or possible security threats. Spinbackup provides powerful machine learning algorithms that work for the G Suite administrator 24 hours a day, 7 days a week to identify anomalies in the environment as well as other factors of interest.
G Suite Admin Leverages Cloud IAM and 2-step Authentication
Proving identity and applying permissions to that identity is one of the fundamental tasks of administering any digital resource, whether on premise or in the public cloud. Proving identity can be even more of a challenge with public cloud environments since users are accessing via a number of means and devices from a number of different network resources.
It is important for G Suite administrators to make use of Cloud Identity and Access Management or Cloud IAM in implementing the overall security strategy for their G Suite organizations. What is cloud IAM? This is the mechanism that allows organizations to manage access to resources by defining who has what access to which resource. There are many aspects of the cloud IAM that Google allows organizations to implement in the G Suite organization. However, below are a few of the benefits and features of G Suite public cloud IAM:
- Access control based on identity
- Permissions that are defined by roles
- Policies based on access requirements
- Single management interface to administer cloud IAM
- Auditing functionality
- APIs that allow automation
Cloud IAM helps organizations to effectively implement the idea of “least privilege” which means that a user has only those permissions that he or she absolutely requires to carry out their role.
Spinbackup bolsters the available cloud IAM mechanism available to G Suite administrators by allowing easy implementation of certificate-based single sign on functionality based on the blockchain. While certificate-based authentication is more secure than simple username/password authentication, it is generally complex and cumbersome to implement correctly. However, Spinbackup, with a few simple steps, allows organizations to quickly provision certificate based single sign on for access G Suite resources. The signature of the certificate is stored across the blockchain. Due to its decentralized nature, the signature of the certificate is virtually impossible to compromise by an attacker, which adds a new layer of protection for identity management.
G Suite administrators also want to implement 2-step authentication. With 2-step authentication, users must use a secondary device, in addition to a password, etc, to prove their identity. Generally, this is a smartphone or other electronic device that will allow completing the 2-step authentication process. The 2-step authentication process makes it exponentially more difficult for an attacker to compromise security credentials.
Looks for Abnormal Behavior and Insider Threats
Administrators of any system today must be vigilant with regards to threats to data security. Data must be protected at all costs as it is typically what drives and fuels most businesses today. Threats can come from any vector or weak point. G Suite administrators must keep an eye out for any abnormal behavior that may constitute a breach in security. This may even come from insider threats.
What would constitute abnormal behavior or threats to data security and potential data leakage? The following events would be events a vigilant G Suite administrator would keep an eye on.
- Abnormal logins (failed login attempts, or odd geolocation)
- Generally speaking, user activity stays within a certain baseline of activity. If a user account starts receiving a wide range of failed login attempts, or is being accessed outside of the expected geolocation, this can indicate an attacker is attempting to compromise the user credentials or potentially has already compromised user credentials.
- Abnormal data download or transfer of data
- Data leak is a serious danger to G Suite organization security
- Sensitive data detection and events
- Abnormal sharing of data
- Third-party access to sensitive data
Any of the above events, could likely signal abnormal behavior that G Suite administrators would want to give immediate attention to. However, parsing events and audit logs to gain insights to potential threats is very time consuming, and again, is really impossible for humans to do effectively.
Spinbackup API-based CASB provides G Suite administrators with the around the clock, machine learning enabled protection and insights to the events listed above and others. The Domain Audit functionality that Spinbackup provides is a powerful, “single pane of glass” view of these and other events of consequence in the G Suite environment. Additionally, Spinbackup provides real time alerting of G Suite administrators to data leak and other security events so that responses can be proactive and not reactive.
Controls Third-Party Apps
Third-party Apps that integrate into the Google G Suite environment provide tremendous value in extending the default functionality and features that are found in the G Suite environment. However, with the tremendous value they bring, third-party apps that are integrated within the G Suite environment can also pose a tremendous security risk to organizations housing data in a G Suite environment, potentially resulting in data loss or data leak of business-critical or sensitive data.
Controlling third-party apps that have access to this data is imperative. Third-party apps easily gain permissions to data, assuming the permissions of the user who is granting access. Most employees blindly allow permissions that are requested by an application (storage permissions, camera, contacts, etc). Malicious third-party apps may even mask the permission set they are requesting. How can organizations control data access to third-party applications when access to these applications may be coming from BYOD devices, or any number of devices and source networks?
Google natively provides basic whitelisting capabilities for third-party apps. You can allow installation of only white listed apps, etc. However, there is no intelligence baked into the native solution. What if a whitelisted third-party app starts exhibiting signs of risky behavior or data access not seen or noticed previously? If the app is whitelisted, it will have free reign over the data is has access to
Spinbackup provides an intelligent solution to third-party apps control and G Suite security best practices that incorporates machine learning algorithms into the mix to profile application behavior and detect any change or anomalies in the expected behavior of the third-party app. This is a much more powerful solution to intelligently monitor apps rather than a simple whitelisting mechanism. Spinbackup’s automated scan and apps control allows:
- Risk analysis
- Assessing the app and description of the app
- Permission levels that apply to the app
- Employees that are making use of the app
- List of connected devices that are utilizing the app
- Allows “blacklisting” apps
Additionally, the alerting mechanism that is contained within Spinbackup allows proactive alerting of G Suite administrators with notifications and the ability to automatically revoke access based on “abnormal behavior”. Certain third-party apps may attempt to transfer data between public clouds the employees have access to or attempt to download G Suite data.
Spinbackup’s powerful Incident Response Plan includes these automatic responses to threat vectors that malicious or “leaky” third-party apps might pose. This proactive stance allows Spinbackup’s third-party apps control to be a much more robust protection mechanism than the built in basic whitelisting that G Suite includes by default.
Implements Cybersecurity Protection in G Suite
Cybersecurity is a top concern among everyone today, including business leaders. It must be viewed as important! Cybersecurity is no longer simply an IT problem, but it is a real business problem. Businesses who fail to take it seriously won’t be in business long.
Many may mistakenly think that the cybersecurity risks such as ransomware that can easily affect on-premise environments cannot affect their public cloud environments or their public cloud data. However, this assumption could not be further from the truth!
Organizations today with apps that synchronize on-premise files such as Google Backup and Sync can easily sync ransomware from on-premise file systems up to the G Suite public cloud. Additionally, if malicious third-party apps are connected to the G Suite environment, they can also be a vector for malware entering the G Suite organization. The problem with ransomware is that it silently encrypts files until announcing itself after the damage is already one.
Spinbackup provides proactive G Suite ransomware protection that recognizes when files are being encrypted, blocks the offending process responsible for the encryption, and automatically restores the encrypted files that have been damaged from the latest backup! Effective cybersecurity also includes third-party apps control and insider threats protection as we have already mentioned.
Spinbackup provides proactive reporting on all cybersecurity related events that allow G Suite administrators to stay on top of any event that is noteworthy. Additionally, G Suite administrators can turn on aggregated reports or daily G Suite security reports which provide an aggregated digest of cybersecurity related events that help G Suite administrators have a pulse on the security of the environment.
Implements G Suite Security Best Practices for Data Loss Protection
Data loss protection (backups) are arguably the most important single mechanism that organizations can utilize to ensure that data is secure and protected. Public cloud environments such as Google G Suite are built on top of some of the most highly resilient infrastructure in existence today, being located in Google’s datacenters. However, all the resiliency provided in the G Suite environment does not protect organizations from data loss as the result of end users.
As examples, what if end users mistakenly delete business-critical documents from their Team Drive? What if an end user inadvertently syncs ransomware to the G Suite environment that encrypts G Suite files? What if an attacker gains access to data and is able to delete or otherwise corrupt files, emails, etc? All the resiliency in the world at an infrastructure level does not protect you against data loss at the hands of end users, ransomware, or a potential attacker.
G Suite administrators must implement G Suite best practices for data loss prevention in their environment. Failure to do so will at some point result in data loss. Google provides no easy built-in way for organizations to restore data in their G Suite environment. At best there is no assurance from Google that data can be restored. Your data is your responsibility and must be treated as such.
Spinbackup provides tremendous value to organizations and G Suite admins to be able to protect their data in the G Suite organization – something that Google does not include. The data protection afforded by Spinbackup allows customers to choose which resources they want to include in the backups (Gmail, Team Drives, Calendars, etc). The backups of G Suite captured by Spinbackup include the following functionality:
- Automated daily backups
- After first full backup, incremental backups are taken
- Data is encrypted in-flight and at rest
- Multiple versions of files are kept for a complete “versioning” system to restore the version of the file needed
- Data is stored in the Amazon public cloud so that reliance on the underlying Google infrastructure is not a requirement
In any organization, employees will come and go. Since public cloud billing is based on usage, efficient G Suite administration includes cleaning up user accounts that have left the company. However, what if the user account is tied to business-critical resources such as Google Analytics, Adwords, or other Google services? Simply getting rid of the user account may render services inoperable or unable to be managed or maintained.
Spinbackup provides an effective way to solve both issues by quickly and easily migrating G Suite user data from the former employee’s account over to another account. This ability is based on Spinbackup data protection that backs up G Suite user data. All emails, and other data can easily be assumed by the new user account by simply selecting the different account during a restore operation.
By migrating G Suite user data, the G Suite environment can be operated efficiently and in a lean manner without excess user accounts that are simply there for historical or service purposes.
Google G Suite is a powerful, agile, and robust platform for businesses today who are looking to scale into the cloud. G Suite administrators have a number of built-in tools that provide basic data leak and G Suite security functionality. There are a number of top G Suite administrative tasks that G Suite administrators will find themselves performing in day-to-day G Suite operations.
Among those are monitoring the G Suite environment, implementing and administering cloud IAM and 2-step authentication, looking for abnormal behavior and insider threats, controlling third-party apps, implementing cybersecurity protection, ensuring data loss protection, and migrating former employee G Suite user accounts and data. Spinbackup provides the powerful, machine learning enabled tooling that allows organizations to effectively carry out these extremely important tasks in the G Suite environment.
Explore our new G Suite Security Features!