When employees leave a company that uses G Suite, there are normally procedures and policies that the company institutes to take care of access to the business-critical resources those employees had. This includes file shares, email access, VPN access, company devices, and other items.
When employees leave a G Suite organization that maintains on-premise resources, the process to migrate user data over to another employee is fairly straightforward. However, with organizations today utilizing the public cloud, G Suite in particular, to house business-critical processes, services, and resources in general, the process to migrate user data of employees who have left can become a challenge.
Since public cloud resources are generally based on a per-user subscription model, there are many challenges when employees leave and public cloud resources are involved. Specifically, with Google G Suite environments, how can organizations handle employees who leave when Google G Suite resources are involved? What are some of the challenges in redirecting resources? How can organizations alleviate the G Suite complexities when employees leave?
Employees Leaving – G Suite Security Challenge for Organizations
Redirecting data access in the G Suite public cloud can be more challenging than with on-premise systems. Public cloud data such as exists in the Google G Suite environment cannot easily be migrated with native Google G Suite tools. Simply deleting the user account can yield disastrous consequences if the user held a more privileged account that is tied to several organization services. Google Analytics, Google Adwords, or potentially other services can often be tied to a specific user account. Deleting the user can effectively render the service inoperative or unmanageable from that point forward. Once a user is deleted, the integration with those services can be broken for the entire organization.
Keeping accounts for employees who have left is also not desirable from a cost standpoint. Since G Suite cost is based on the total number of user accounts, leaving old accounts around forever simply to avoid losing access to data is not a good option.
Google G Suite provides a data migration service for G Suite data migration scenarios. However, there are various challenges and concerns with the data migration tool, especially from a complexity and security standpoint. One security point to note: Google’s own documentation recommends enabling less secure apps as part of the process so that the data migration service works in various scenarios. There are also added steps involved in using the data migration service, including creating an app password for 2-Step Verification enabled accounts. Additionally, IMAP needs to be turned on for user
One of the first steps of this process states that “In your old G Suite account, ensure that access by a less secure app is permitted for all users. For instructions, see Enforcing access to less secure apps for all users. We recommend that you disable less secure apps once the migration is complete.”
It would seem counterintuitive for organizations to lessen overall organization security simply to move data from one account to another.
There is another Google utility called Google Takeout that allows exporting Google products data for archiving or when an account needs to be retired. Google Takeout creates archives that are available to be consumed at a later time via .zip archives. The Takeout archives can be used to import into a new Google account to perform data migration between accounts.
However, the archives created by a Google Takeout export present other challenges. Mail is exported in the .mbox format, and Google does not support a direct import of .mbox files. This presents a problem, as you are now left with an archive of mail in a format that is not natively supported for reimport into a new G Suite email account. This makes Google Takeout an impractical way to reimport mail messages into another Google G Suite account from a “backup” or export.
The time that it can take for Google Takeout to perform the export data operation can be extensive as well, depending on the amount of data that exists in the account. Google Takeout performs a full backup when run. When thinking about effective G Suite data migration, organizations would have to first wait for exporting data before reimporting data when using tools such as Takeout that utilize full backups of data. When thinking about data availability when migrating between accounts, having the quickest path to getting the data migrated is always the best path forward.
G Suite Best Practices When Employees Leave
When employees leave or are terminated, what are the important G Suite best practices to follow with G Suite public cloud data? There are a few items that need to be addressed when taking over access from an employee who has left the organization.
- Remove sign-in cookies and mobile device access and change passwords/disable password recovery
- Create a backup of the existing employee G Suite data (mail, drive, calendar, contacts, etc.)
- Transfer G Suite data to another G Suite account:
  - Transfer data to another G Suite account
  - Add an SMTP alias on the new account after account is deleted
- Delete the original G Suite account
Removing Sign-in Cookies and Mobile Device Access
Removing sign-in cookies immediately revokes access to active.
When thinking about G Suite best practices when removing access for a former employee, whether they leave on good terms or not, access must be revoked immediately. This follows with best practices from a cloud security and compliance standpoint. Resetting sign-in cookies for active sessions ensures that even if the former employee has devices with cached cookies that are allowing access, this access is revoked immediately.
Changing the password also ensures the previous password no longer works. Additionally, disabling password recovery prevents the former employee from using the password recovery mechanism to change the password to reestablish access.
Any mobile device access will also need to be removed. If this is a company owned and managed device, either the whole device can be wiped or only the account can be wiped from the device. This ensures that mobile devices are no longer able to access company data and email services.
Create a backup of the Existing Employee’s G Suite data
Creating a backup of the employee’s G Suite data is a best practice that provides a point-in-time copy of the existing/former employee’s data while it is still intact. This creates a means for archival if data needs to be retrieved and also creates a failsafe if data is changed or deleted. Using Google’s native tools such as Google Takeout, there are challenges and limitations to think about. We will look at a much superior solution to backing up data in existing G Suite user accounts that alleviates the challenges found in Google Takeout. However, backing up the G Suite account before migration is a good best practice on the checklist to follow when an employee leaves.
Transfer G Suite Data to Another G Suite account
After the former employee’s access has been revoked and backups have been made of the existing account, the actual data transfer operation can be performed. Google’s data migration service is a viable solution and can be utilized to accomplish this operation if need be. However, as mentioned above, the native data migration service presents technical challenges that add complexity to the process. Again, there is a much superior solution to get this work accomplished that is much more streamlined and efficient that organizations can utilize to transfer data.
Additional actions to be completed both during and after a migration are to forward email from the original account over to the new G Suite account. Also, after the data transfer has completed and the original account may be deleted, an SMTP alias can be created on the target account so mailflow to the original email address is still successful after the account is deleted.
Delete the Original G Suite account
The final step is to delete the G Suite account. Deleting the original account helps organizations to keep G Suite environments lean. Keeping G Suite accounts around simply to access data is extremely inefficient since organizations are still charged for using these accounts. Deleting the accounts allows organizations to reuse these funds for new employees instead of maintaining access to old employee dat
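The checklist above, expressed as an ordered request plan (an added example, not code from the original article, Google or Spinbackup). The paths are Admin SDK Directory API and Data Transfer API endpoints; the addresses, IDs and the application ID are constructed placeholders, and no request is sent.

```python
import secrets

DIRECTORY = "/admin/directory/v1"      # Admin SDK Directory API
TRANSFER = "/admin/datatransfer/v1"    # Admin SDK Data Transfer API

def offboarding_plan(leaver, successor, leaver_id, successor_id,
                     device_ids, app_id, backup_done):
    """Return the checklist as ordered (method, path, body) requests."""
    if not backup_done:
        raise ValueError("back up the account before transfer and deletion")
    user = f"{DIRECTORY}/users/{leaver}"
    plan = [
        # Revoke access first: end web sessions, then rotate the password.
        ("POST", f"{user}/signOut", None),
        # Assumption: empty strings clear the recovery fields.
        ("PUT", user, {"password": secrets.token_urlsafe(24),
                       "recoveryEmail": "", "recoveryPhone": ""}),
    ]
    for dev in device_ids:
        # Wipe only the work account from each managed mobile device.
        plan.append(("POST",
                     f"{DIRECTORY}/customer/my_customer/devices/mobile/{dev}/action",
                     {"action": "admin_account_wipe"}))
    # Transfer ownership; the API takes numeric user ids, not addresses.
    plan.append(("POST", f"{TRANSFER}/transfers",
                 {"oldOwnerUserId": leaver_id, "newOwnerUserId": successor_id,
                  "applicationDataTransfers": [{"applicationId": app_id}]}))
    # Delete only once the transfer has completed, then reuse the address
    # as an alias so mail to it still arrives.
    plan.append(("DELETE", user, None))
    plan.append(("POST", f"{DIRECTORY}/users/{successor}/aliases",
                 {"alias": leaver}))
    return plan

def order_ok(plan):
    """True when revoke < transfer < delete < alias."""
    def first(pred):
        return next(i for i, step in enumerate(plan) if pred(step))
    revoke = first(lambda s: s[1].endswith("/signOut"))
    transfer = first(lambda s: s[1].endswith("/transfers"))
    delete = first(lambda s: s[0] == "DELETE")
    alias = first(lambda s: s[1].endswith("/aliases"))
    return revoke < transfer < delete < alias

if __name__ == "__main__":
    for step in offboarding_plan("leaver@example.com", "manager@example.com",
                                 "1001", "1002", ["DEVICE_ID"], "APP_ID", True):
        print(step[0], step[1])  # bodies are not printed: one holds a password
```

The data transfer runs asynchronously, so the DELETE step should be gated on the transfer reporting completion rather than issued immediately after it.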
G Suite Data Migration Tool
As mentioned, there are challenges when using the native G Suite data migration service as well as using Google Takeout for backups, including:
Added complexity and security concerns with the data migration services
- Need to allow “less secure apps”
- Need to enable IMAP for users
- Have to create an app specific password for 2-step Verification enabled accounts
Google Takeout limitations
- Email exports utilize a nonstandard format – .mbox
- G Suite backups are made using full backups
- The only versions organizations have are the manual backups made with Google Takeout.
Spinbackup, an API-based CASB, provides a powerful alternative to the native Google data migration and backup tools that mitigates the complexities found in those native utilities. Spinbackup provides a robust all-in-one solution that contains backup functionality and migration functionality in a single pane of glass interface. While organizations that use native Google utilities have to traverse multiple interfaces and different utilities to perform the same functions, Spinbackup provides all the features and functionality that organizations need in the same easy-to-use interface for backing up and migrating G Suite user data. Let’s look at Spinbackup’s backup and migration functionality.
G Suite Data Backup
- Automated daily backups of G Suite data
- G Suite data backups are efficient, incremental backups
- Powerful G Suite data versioning system that allows keeping a myriad of restore points
- Lost and Found protection that covers files that have been deleted either intentionally or accidentally
- G Suite Backup and G Suite Data Restore functionality built into the Users dashboard
- No additional technical complexity is introduced with restore functionality. Once Spinbackup is integrated into the G Suite environment, the backup and restore functionality is seamless
- G Suite Security Policies
G Suite Restore and G Suite Data Migration
- Migration is as simple as changing the target of the restore operation
- No need to relax security to restore/migrate mail/files
- Allows restoring single files as well as all files to a different G Suite user
- There is no need to export all the data and then deal with the complexities of transforming files into a useable format to reimport
- Gmail, Calendar, Google Drive, Google Team drives, and other items are all restored from within the same interface
Additional Benefits for G Suite Organizations
Spinbackup is not only a powerful G Suite backup and migration utility. Spinbackup API CASB also allows organizations to have powerful Data Loss Protection and Data Leak Protection, enabling organizations to:
- Control High Risk Third-party applications
- Control leaking G Suite data
- Control sensitive data
- Enable powerful G Suite Ransomware Protection
- Detect Insider Threats
- Leverage Machine Learning to protect G Suite data
One of the many challenges that face organizations who look to manage data and user resources in the public cloud is dealing with and migrating data of employees who have left the company. Google’s G Suite provides native tools that allow organizations to have rudimentary control over employee data, both in terms of backups and migration capabilities.
However, the native functionality provided by Google for G Suite administrators has certain limitations and gotchas that create unnecessary complexities and make the process much less efficient and seamless. Spinbackup allows organizations to have a robust solution to manage employee G Suite data and avoid data leaks. It allows G Suite administrators to have access to automated daily backups and restore/migration capabilities, all within a single pane of glass interface. However, the capabilities of Spinbackup’s solution do not end there.
The Data Loss Prevention and G Suite Data Leak Protection abilities, and advanced G Suite security features of the solution round out the already robust offering to create a total solution to protect, migrate, secure, and monitor the G Suite environment from cloud threats and vulnerabilities, both outside and within.