This is the second article in a 2-part series on Google Drive security. View Part One here.
Google Drive has made powerful collaborative capabilities accessible to all businesses, of all sizes. Enterprises—and small businesses alike—using Drive must support that collaboration with controls that extend Google Drive’s native security. Adding enhanced control features that protect the data at the object level ensures that data remains private when stored in the cloud and secure when shared with external parties.
Google Drive Security At-A-Glance
Keeping documents secure while supporting internal and external sharing is a balancing act in Google Drive. Google Drive sharing settings and rights management controls support many corporate security requirements, but cross-platform sharing workflows may present challenges. Native Google Drive security within G Suite Business and G Suite Enterprise gives organizations basic data protection functionality. However, organizations in highly regulated industries often find that they must add enhanced security and control functionality, in addition to the native Google features listed below, to ensure private, compliant file sharing workflows in Google Drive.
In-Transit Encryption: TLS
Google Drive uses Transport Layer Security (TLS) to protect data in motion and prevent eavesdropping and tampering. TLS secures the communication pathway that allows you to create, edit, and share documents in Drive. While helpful as a baseline security measure, TLS doesn’t protect the data itself, only the communication channel, so you don’t get persistent protection and control over a Drive document throughout its full lifecycle. Files may become vulnerable once they are shared externally, and with each additional share, risks multiply.
Data leak risks are highest when users create publicly accessible links, which allow anyone on the internet to access the document. External collaborators may forward this link to unauthorized third parties, who can then forward the link to other unauthorized users, drastically increasing your risks for data loss. In this scenario, TLS encryption does nothing to prevent unauthorized access to your Drive files.
At-Rest Encryption
Google also encrypts data at rest. As users create data in Google Drive, that data is written to disk and broken downinto subfile chunks. Each chunk is protected with an encryption key, and that “chunk” key” is then encrypted with another encryption key, called the wrapping key. The wrapping keys are protected and managed by Google’s Key Management Service (KMS), stored separately from the data they protect and always encrypted at rest.
These native at-rest protections go a long way in securing data stored in Drive, but it’s important to mention that data at rest is only one click away from becoming data in motion due to Google Drive’s rapid collaboration workflows. So even with these state-of-the art encryption practices, you’re still vulnerable to data loss as documents are shared externally.
When to Add Layered Security for Defense-in-Depth
Google Drive has made powerful collaborative capabilities accessible to all businesses, of all sizes. But, Drive files often contain regulated personal information and corporate private data, so regulatory compliance and corporate privacy are chief concerns for organizations adopting G Suite. A defense-in-depth approach with layers of additional protection and control is necessary to support collaboration with controls that extend Google Drive’s native security.
Regulatory Compliance
G Suite can support the requirements of organizations subject to regulatory compliance such as HIPAA, GDPR, CCPA, CJIS, ITAR, and more.
For example, Google supports HIPAA compliance by signing a Business Associate Agreement (BAA) with the customer organization. However, the responsibility ultimately falls on the customer to organize their data and establish processes to properly safeguard protected health information (PHI). Many organizations ensure PHI stays protected by adding data-centric protection to reinforce Google Drive’s native controls.
Similarly, CJIS holds law enforcement and government agencies directly responsible for securing sensitive criminal justice data—everything from fingerprints to background checks. When criminal justice information is created, stored, or shared in the cloud, the information must be immediately protected via encryption, since it’s moving beyond the boundary of the agency’s physical data centers. Direct control of the encryption keys that protect these files is also mandatory; key management cannot be delegated to security or cloud providers. Organizations most commonly meet these requirements by implementing data-centric protection measures that encrypt the data end-to-end and offer customer-hosted encryption keys.
Corporate Privacy
Organizations of all sizes and across all sectors have private corporate data that should be protected from unauthorized access. When organizations embrace G Suite and employees begin creating, storing, and sharing data in Google Drive, security teams should be hyper-aware of privacy concerns around confidential data in their files.
When sensitive legal contracts are exposed, critical deals fall through, trust among partners and customers plummets, and damage to your company’s brand piles up. Leaked internal accounting information, M&A plans, sales projections, and other financial records can wreak havoc on your company’s operations if they’re breached. Meanwhile, Human Resources departments constantly collect and process sensitive data including social security numbers, tax records, and salary and benefit information, and when that data falls victim to unauthorized access, your employees are susceptible to identity theft.
Similarly, the value of intellectual property is difficult to quantify, but when your product specifications, code, proprietary research, sales and marketing plans, and other trade secrets falls into the wrong hands—such as your competitors or corporate spies—your organization can quickly lose its competitive advantage.
Key Features for Ultimate Security
Adding enhanced control features that protect the data at the object level ensures that data remains private when stored in the cloud and secure when shared with external parties. Organizations that require protection beyond native Google Drive security features should enact a defense in depth approach using the following functionality:
- End-to-end protection encrypts files before they ever reach Google’s servers to prevent access by Google and unauthorized third parties.
- Enhanced access controls strengthen Google’s native information rights management features, with the ability to watermark documents to prevent data exfiltration.
- Granular audit gives your organization visibility over who has accessed and reshared documents, wherever they travel, with the ability to integrate with any SIEM.
- Secure external sharing allows you to keep control over Drive documents—whether they’re shared with Microsoft users or anyone else—without forcing collaborators to create new Google accounts or creating open share links that increase data leak risks.
- Customer-hosted encryption keys give customers direct control of the keys protecting their Drive files, preventing government surveillance and shielding your most sensitive information from Google.
- Seamless user experience ensures adoption with security embedded directly in the native Drive interface, and without requiring local client software, separate applications and passwords, or new workflows.
Virtru provides these capabilities with our Google Drive Encryption solution, providing organizations with the enhanced protection and control necessary to keep Drive files private and secure.
Virtru for Google Drive Encryption
As a leading Google encryption partner, Virtru adds a critical layer of advanced security that unlocks Drive’s potential for private, compliant, and controlled file collaboration.
Virtru gives organizations persistent protection and control for any Drive file, everywhere it’s shared. Enterprises can create, store, and share files in Google Drive, while preventing Google and other third parties from accessing confidential and sensitive data and complying with the most stringent regulations.
Virtru’s seamless user experience is embedded directly into Google Drive, never requiring local client software, separate applications, or new workflows. End users protect files on-demand with the click of a button for ease of use that minimizes support costs. Authorized external collaborators don’t even need to set up a Google account. Enhanced access controls like document watermarking secures external sharing workflows even further.
Virtru Drive Encryption also comes with flexible key management options that give customers direct control of the encryption keys that secure Drive documents, preventing unauthorized access and government surveillance. Customers can choose between hosting in a hybrid cloud or on-premise, with hardware security module (HSM) integrations that support your existing cryptographic operations. Virtru also provides granular audit capabilities that enterprises need for complex compliance reporting workflows, with fine-grained visibility into who has accessed and shared content (with details on when and where) and SIEM integrations.
Get in touch with us to learn more about how Virtru can encrypt Google Drive files to give your organization the protection and control necessary to keep files private and secure.
