G Suite Security Best Practices for Data Leak Prevention

As we discussed in the previous post, G Suite administrators have to take security concerns very seriously, especially when it comes to keeping their organizational data secure. This involves two aspects: Data Loss prevention and Data Leak prevention. As we discussed previously, data loss can be the result of accidental deletion, such as when an employee may inadvertently delete files. However, even more alarming is data loss as the result of intentional means, such as targeted ransomware attacks.

Data can be deleted through either of these ways, and G Suite administrators must be prepared with cloud-to-cloud backups and ransomware protection. We looked at how Spinbackup is able to deliver powerful cloud-to-cloud backups of G Suite organizational data, as well as how it can provide state of the art ransomware protection and remediation of corrupted files due to ransomware attacks. In this post, we will focus in on data leak protection including:

Let us discuss how each of the above  cloud security concerns are important for G Suite administrators, making sure that your G Suite data is secure and does not leave the organization unexpectedly. Let’s also look at how Spinbackup can help address the concerns of organizations in regards to data leak protection.

High Risk Third-party Apps Control within G Suite Domain

G Suite environments provide powerful integrations from third-party applications that allow extending the default cloud functionality and productivity of Google’s G Suite environment.  Along with the exciting features that can be integrated with G Suite environments from third-party applications, tremendous security concerns are also introduced.

What if a user integrates questionable third-party applications with potential malicious intent into the environment? What if a third-party application is accessing data that it shouldn’t access? What if a third-party application is pulling data from the G Suite organization and copying sensitive data outside? All of these potential scenarios are security concerns for G Suite administrators and must be addressed. Third-party applications can present security concerns in the following ways:

  • They have access to G Suite services
  • They can access data stored within G Suite
  • Once given access, they retain this level of authority until it is manually revoked.

A real-world scenario may present itself with end-users who utilize BYOD (bring your own device) policies, using their smartphones to access company data. End users might not be concerned when a newly installed application requests permissions to various resources, including Google Drive by means of their Google accounts. Once permissions are granted, this application is able to read or delete data from that person’s Google drive, or even copy sensitive data to another unapproved public cloud location.

One of the many security challenges that G Suite administrators have is keeping a handle on the third-party applications that are integrated within their G Suite environments, since the attack vector is quite large, including all connected mobile devices, etc. G Suite administrators need the ability to perform an automated risk analysis of integrated third-party applications to discern whether these applications present security risks to the G Suite organization.

Organizations must provide end user training to help them be more discerning when it comes to downloading and installing risky applications. Additionally, BYOD policies must be enacted so that there are guidelines in regards to using personal devices at work, the use of third-party applications, application permissions that may or may not be granted, and types of data that may be accessed or downloaded onto personal devices. Along with end user training and policies, technology solutions can help G Suite administrators enforce guidelines and G Suite security policies regarding third-party applications and acceptable use of corporate data.

Spinbackup allows organizations to gain the visibility into which applications are accessing organizational data, and thus which might be risky. The third-party applications audit cybersecurity functionality allows G Suite administrators the ability to scan and analyze third-party applications that have been integrated into the G Suite environment and are accessing organizational data on a daily basis.  This is done in an automated fashion, under the single pane of glass administration dashboard that Spinbackup affords G Suite administrators. Risky applications can easily be identified and quickly disabled.

Spinbackup provides detailed information regarding each application found during the third-party applications audit and color codes the resulting list so that dangerous third-party applications can be quickly identified. The detailed information contained in the third-party applications audit contains the following information:

      • Risk level of the app
        • detailed description of possible risks
      • Application type and description
      • The employees who have access to the particular third-party application
      • Permissions granted to the application in the G Suite environment

G Suite Security dashboardSpinbackup’s dashboard quickly displays applications that may pose a risk to your G Suite organization

Spinbackup provides the functionality to automatically blacklist an application against a known blacklist containing already discovered risky applications. This list is constantly updated to include the latest potential security risks coming from new third-party applications added to the G Suite marketplace. Spinbackup analyzes applications against powerful algorithms and analytics to quickly identify applications presenting risks to a G Suite environment.

G Suite administrators must give due attention to the huge G Suite security concerns that third-party applications bring to a G Suite environment. Risky applications can gain access, copy, or even delete data if granted the permissions to do so by an unsuspecting end user. By using a powerful security tool such as Spinbackup to analyze and have the ability to see permissions granted by all third-party applications gives G Suite administrators the visibility needed to protect organizational data. Being able to quickly or even automatically disable risky applications allows G Suite administrators to be proactive in taking care of security concerns with third-party applications.

Sensitive Data Control

Aside from the risks of potentially malicious or covert third-party applications and other risks related to data leak, one of the most crucial types of data that must be protected by G Suite administrators is sensitive data. Sensitive data is any type of data that falls under the “personally identifiable information,” or PII, which may include social security numbers (SSN) or credit card numbers (CCN). Organizations can also deem other types of information as sensitive. Organizations today must be concerned with protecting these and other types of PII data that could inadvertently or intentionally be leaked outside the G Suite boundary.

G Suite administrators will certainly want to take a look at Google DLP as part of the G Suite environment. What is Google DLP? Google DLP, or Data Loss Prevention, is an automated set of functions that monitor both Gmail and Google Drive items for certain triggering content that is specified by the G Suite admin, preventing those criteria from being leaked or lost. G Suite administrators can define:


          • The messages that are scanned – This can help G Suite administrators meet up with company policy and prevention levels as defined for messages received or sent both from the outside or within the defined scope.
          • The content that is detected – Content can be matched based on specific expressions, metadata attributes (source IP, size, TLS settings, etc), or a predefined content match, including many detector patterns such as CCN, passport numbers, SSN, IBAN, etc.
          • Actions for detected content – Messages can be modified, rejected, or quarantined.

Drive Data

          • Data that is outside the domain, that may be shared.
          • Specific expressions, or predefined content can be detected, as with Gmail.
          • Actions include notifications and blocking of files shared.

Spinbackup’s data leak protection augments and even greatly extends the default feature set that is included with Google DLP.  It allows greater visibility into G Suite organizational data and in particular, sensitive data.  The “single pane of glass” view of organizational data and threats that Spinbackup provides enables G Suite administrators to quickly see data shared outside the domain and by which users.  Other information includes:

        • The name of the file or folder shared
        • The owner of the data
        • The email addresses of the users the information is shared with
        • The data that was shared

          Information shared with third partiesSpinbackup easily displays Information shared with Third-Parties

          Credit card numbers found in Gmail can be detected by Spinbackup and administrators can be proactively notified in the event this type of PII is found within email messages.

          Spinbackup displays messages containing CCNs

Spinbackup displays messages containing CCNs

CCN detection is configured in Custom Policies

CCN detection is configured in Custom Policies. There is the default policy for CCNs

Spinbackup differentiates itself from Google DLP in several ways:

          • Google DLP only helps prevent data leakage, while Spinbackup provides powerful monitoring tools that enable G Suite administrators to protect your data as well.
          • It augments Google DLP by providing a single pane of glass for G Suite administrators to detect sensitive data or be notified when sensitive data is detected.
          • It is a separate G Suite security solution on top of the built-in security mechanisms that Google DLP provides.

Insider Threats

While many security threats are presented from outside the G Suite organization, G Suite administrators need to remain vigilant to threats that come from within.  In other words, what are the organization’s G Suite users doing?  What apps are they installing?  What data are they sharing with others, perhaps outside the organization?

Using Spinbackup Domain Audit for insider threat detection, these types of insider threats can be quickly discovered.  With the G Suite Domain Audit functionality, G Suite administrators can see user activity, the time of every activity, the activity risk level, the G Suite user, type of action, name of application, IP, country, and city where the activity took place.

Viewing Domain Audit information along with the risk level

Viewing Domain Audit information along with the risk level associated with the user activity

Additionally, with Spinbackup’s Domain audit, by clicking on the user, you can even view the real time activity of a user in question, including all connected third-party applications! Access can immediately be removed from this view using the Domain Audit dashboard.

real time view of user activities, granting G Suite administrators tremendous visibility

Spinbackup provides a real-time view of user activities, granting G Suite administrators tremendous visibility

Spinbackup provides tremendous power to G Suite administrators and their ability to monitor user activity, which translates into having much greater visibility into the internal security of the G Suite organization. As shown, it helps discover insider threats that may have otherwise remained undetected without the Spinbackup domain audit.


G Suite administrators must protect their organizations against data leak from third-party applications, sensitive data getting into the wrong hands, and insider threats. The G Suite marketplace includes many great third-party applications that help to extend the features and functionality provided by default with Google G Suite. However, third-party applications and integrations within Google G Suite must remain closely monitored as malicious applications can steal or copy data outside of the organization. Also, many applications may request permissions beyond what they actually need to integrate into with the G Suite environment. Data leak prevention includes protection against leaking sensitive information, including credit card numbers, social security numbers, and other personally identifiable information.  Detecting insider threats is also especially important to determine the risk level of G Suite users and the activity being performed within the environment. Utilizing Spinbackup for Data Leak Prevention provides tremendous power to G Suite administrators, granting them the ability to proactively monitor, manage, detect, alert, and remediate threats from high-risk applications, sensitive data leakage, and insider threats. G Suite administrators must remain alert to emerging security threats. By utilizing the GDPR compliant powerful tools that Spinbackup provides, G Suite administrators are able to meet best practices when it comes to securing the organization against data leak and potential disaster.

Explore Cloud Security Expertise that Spinbackup CASB Brings to the Table!

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy. We won't track your information when you visit our site. But in order to comply with your preferences, we'll have to use just one tiny cookie so that you're not asked to make this choice again.Learn more