Home»Google Workspace Security»Google Workspace Security Best Practices for Data Leak Prevention

Google Workspace Security Best Practices for Data Leak Prevention

As we discussed in the previous post, Google Workspace administrators have to take security concerns very seriously, especially when it comes to keeping their organizational data secure. This involves two aspects: Data Loss prevention and Data Leak prevention. As we discussed previously, data loss can be the result of accidental deletion, such as when an employee may inadvertently delete files. However, even more alarming is data loss as the result of intentional means, such as targeted ransomware attacks.

Data can be deleted through either of these ways, and Google Workspace administrators must be prepared with cloud-to-cloud backups and ransomware protection. We looked at how SpinOne is able to deliver powerful cloud-to-cloud backups of Google Workspace (G Suite) organizational data, as well as how it can provide state of the art ransomware protection and remediation of corrupted files due to ransomware attacks. In this post, we will focus in on data leak protection including:

Let us discuss how each of the above cloud security concerns are important for Google Workspace administrators, making sure that your Google Workspace data is secure and does not leave the organization unexpectedly. Let’s also look at how SpinOne can help address the concerns of organizations in regards to data leak protection.

High Risk Third-party Apps Control within Google Workspace (G Suite) Domain

Google Workspace environments provide powerful integrations from third-party applications that allow extending the default cloud functionality and productivity of Google’s Google Workspace environment. Along with the exciting features that can be integrated with Google Workspace environments from third-party applications, tremendous security concerns are also introduced.

What if a user integrates questionable third-party applications with potential malicious intent into the environment? What if a third-party application is accessing data that it shouldn’t access? What if a third-party application is pulling data from the Google Workspace organization and copying sensitive data outside? All of these potential scenarios are security concerns for Google Workspace administrators and must be addressed. Third-party applications can present security concerns in the following ways:

  • They have access to Google Workspace services
  • They can access data stored within Google Workspace
  • Once given access, they retain this level of authority until it is manually revoked.

A real-world scenario may present itself with end-users who utilize BYOD (bring your own device) policies, using their smartphones to access company data. End users might not be concerned when a newly installed application requests permissions to various resources, including Google Drive by means of their Google accounts. Once permissions are granted, this application is able to read or delete data from that person’s Google drive, or even copy sensitive data to another unapproved public cloud location.

One of the many security challenges that Google Workspace administrators have is keeping a handle on the third-party applications that are integrated within their Google Workspace environments, since the attack vector is quite large, including all connected mobile devices, etc. Google Workspace administrators need the ability to perform an automated risk analysis of integrated third-party applications to discern whether these applications present security risks to the Google Workspace organization.

Organizations must provide end user training to help them be more discerning when it comes to downloading and installing risky applications. Additionally, BYOD policies must be enacted so that there are guidelines in regards to using personal devices at work, the use of third-party applications, application permissions that may or may not be granted, and types of data that may be accessed or downloaded onto personal devices. Along with end user training and policies, technology solutions can help Google Workspace administrators enforce guidelines and Google Workspace security policies regarding third-party applications and acceptable use of corporate data.

SpinOne allows organizations to gain the visibility into which applications are accessing organizational data, and thus which might be risky. The third-party applications audit cybersecurity functionality allows Google Workspace administrators the ability to scan and analyze third-party applications that have been integrated into the Google Workspace environment and are accessing organizational data on a daily basis. This is done in an automated fashion, under the single pane of glass administration dashboard that SpinOne affords Google Workspace administrators. Risky applications can easily be identified and quickly disabled.

SpinOne provides detailed information regarding each application found during the third-party applications audit and color codes the resulting list so that dangerous third-party applications can be quickly identified. The detailed information contained in the third-party applications audit contains the following information:

      • Risk level of the app
        • detailed description of possible risks
      • Application type and description
      • The employees who have access to the particular third-party application
      • Permissions granted to the application in the Google Workspace environment

Google Workspace Security dashboardSpinOne’s dashboard quickly displays applications that may pose a risk to your Google Workspace organization

SpinOne provides the functionality to automatically blacklist an application against a known blacklist containing already discovered risky applications. This list is constantly updated to include the latest potential security risks coming from new third-party applications added to the Google Workspace marketplace. SpinOne analyzes applications against powerful algorithms and analytics to quickly identify applications presenting risks to a Google Workspace environment.

Google Workspace administrators must give due attention to the huge Google Workspace security concerns that third-party applications bring to a Google Workspace environment. Risky applications can gain access, copy, or even delete data if granted the permissions to do so by an unsuspecting end user. By using a powerful security tool such as SpinOne to analyze and have the ability to see permissions granted by all third-party applications gives Google Workspace administrators the visibility needed to protect organizational data. Being able to quickly or even automatically disable risky applications allows Google Workspace administrators to be proactive in taking care of security concerns with third-party applications.

Sensitive Data Control

Aside from the risks of potentially malicious or covert third-party applications and other risks related to data leak, one of the most crucial types of data that must be protected by Google Workspace administrators is sensitive data. Sensitive data is any type of data that falls under the “personally identifiable information,” or PII, which may include social security numbers (SSN) or credit card numbers (CCN). Organizations can also deem other types of information as sensitive. Organizations today must be concerned with protecting these and other types of PII data that could inadvertently or intentionally be leaked outside the Google Workspace boundary.

Google Workspace administrators will certainly want to take a look at Google DLP as part of the Google Workspace environment. What is Google DLP? Google DLP, or Data Loss Prevention, is an automated set of functions that monitor both Gmail and Google Drive items for certain triggering content that is specified by the Google Workspace admin, preventing those criteria from being leaked or lost. Google Workspace administrators can define:


          • The messages that are scanned – This can help Google Workspace administrators meet up with company policy and prevention levels as defined for messages received or sent both from the outside or within the defined scope.
          • The content that is detected – Content can be matched based on specific expressions, metadata attributes (source IP, size, TLS settings, etc), or a predefined content match, including many detector patterns such as CCN, passport numbers, SSN, IBAN, etc.
          • Actions for detected content – Messages can be modified, rejected, or quarantined.

Drive Data

          • Data that is outside the domain, that may be shared.
          • Specific expressions, or predefined content can be detected, as with Gmail.
          • Actions include notifications and blocking of files shared.

SpinOne’s data leak protection augments and even greatly extends the default feature set that is included with Google DLP. It allows greater visibility into Google Workspace organizational data and in particular, sensitive data. The “single pane of glass” view of organizational data and threats that SpinOne provides enables Google Workspace administrators to quickly see data shared outside the domain and by which users. Other information includes:

        • The name of the file or folder shared
        • The owner of the data
        • The email addresses of the users the information is shared with
        • The data that was shared

          Information shared with third partiesSpinOne easily displays Information shared with Third-Parties

          Credit card numbers found in Gmail can be detected by SpinOne and administrators can be proactively notified in the event this type of PII is found within email messages.

          SpinOne displays messages containing CCNs

SpinOne displays messages containing CCNs

CCN detection is configured in Custom Policies

CCN detection is configured in Custom Policies. There is the default policy for CCNs

SpinOne differentiates itself from Google DLP in several ways:

          • Google DLP only helps prevent data leakage, while SpinOne provides powerful monitoring tools that enable Google Workspace administrators to protect your data as well.
          • It augments Google DLP by providing a single pane of glass for Google Workspace administrators to detect sensitive data or be notified when sensitive data is detected.
          • It is a separate Google Workspace security solution on top of the built-in security mechanisms that Google DLP provides.

Insider Threats

While many security threats are presented from outside the Google Workspace organization, Google Workspace administrators need to remain vigilant to threats that come from within. In other words, what are the organization’s Google Workspace users doing? What apps are they installing? What data are they sharing with others, perhaps outside the organization?

Using SpinOne Domain Audit for insider threat detection, these types of insider threats can be quickly discovered. With the Google Workspace Domain Audit functionality, Google Workspace administrators can see user activity, the time of every activity, the activity risk level, the Google Workspace user, type of action, name of application, IP, country, and city where the activity took place.

Viewing Domain Audit information along with the risk level

Viewing Domain Audit information along with the risk level associated with the user activity

Additionally, with SpinOne’s Domain audit, by clicking on the user, you can even view the real time activity of a user in question, including all connected third-party applications! Access can immediately be removed from this view using the Domain Audit dashboard.

real time view of user activities, granting Google Workspace administrators tremendous visibility

SpinOne provides a real-time view of user activities, granting Google Workspace administrators tremendous visibility

SpinOne provides tremendous power to Google Workspace administrators and their ability to monitor user activity, which translates into having much greater visibility into the internal security of the Google Workspace organization. As shown, it helps discover insider threats that may have otherwise remained undetected without the SpinOne domain audit.


Google Workspace administrators must protect their organizations against data leak from third-party applications, sensitive data getting into the wrong hands, and insider threats. The Google Workspace marketplace includes many great third-party applications that help to extend the features and functionality provided by default with Google Workspace (G Suite). However, third-party applications and integrations within Google Workspace (G Suite) must remain closely monitored as malicious applications can steal or copy data outside of the organization. Also, many applications may request permissions beyond what they actually need to integrate into with the Google Workspace environment. Data leak prevention includes protection against leaking sensitive information, including credit card numbers, social security numbers, and other personally identifiable information. Detecting insider threats is also especially important to determine the risk level of Google Workspace users and the activity being performed within the environment. Utilizing SpinOne for Data Leak Prevention provides tremendous power to Google Workspace (G Suite) administrators, granting them the ability to proactively monitor, manage, detect, alert, and remediate threats from high-risk applications, sensitive data leakage, and insider threats. Google Workspace administrators must remain alert to emerging security threats. By utilizing the GDPR compliant powerful tools that SpinOne provides, Google Workspace administrators are able to meet best practices when it comes to securing the organization against data leak and potential disaster.

Explore Cloud Security Expertise that SpinOne CASB Brings to the Table!