MAINTAIN GOOGLE WORKSPACE USER PASSWORD SECURITY (AND ENSURE LOGIN EASE)
Ever thought about how many passwords your users enter every day?
From that first password they use in the morning, to recurrent ones they enter multiple times a day.
Now think about how you (and your users) protect these passwords.
Do you have a bullet-proof process to secure Google Workspace users’ logins?
According to Google, 75% of Americans feel frustrated trying to maintain and keep track of their passwords. Meanwhile, stolen passwords are one of the simplest and most common causes of data breaches.
As an admin, you need to strike the right ‘secure-login-ease’ balance to ensure a smooth process for your users.
In this post we’ll show you how to achieve that while protecting your users (and domain) against unauthorized Google Workspace access:
THE 8 GOOGLE WORKSPACE USER PASSWORD SECURITY PRACTICES FOR ADMINS
1. ENABLE TWO-STEP VERIFICATION (2FA)
Two-step verification adds another login protection layer, even if a password becomes known or is brute forced.
Therefore, you need to push out 2FA to your users, especially admin accounts and users who deal with more sensitive information or are more likely to get attacked.
According to Google, “A hacker could steal or guess a password, but they can’t reproduce something only you have”.
TWO-STEP VERIFICATION BEST PRACTICES
- Audit which users have 2FA on. Get alerted on disabled 2FA for your users to make sure they’re always protected.
- Combine 2FA with a managed company phone for additional protection.
2. SECURE IDENTITY VERIFICATION WITH CONSTANT ZERO TRUST MFA
Want ultimate Google Workspace user password security?
Constant user identity verification using Zero-trust MFA is your answer then.
Zero trust verification extends user login protection from being a ‘once at login’ act, to an ongoing user identity verification process.
The best thing about this approach is that it doesn’t complicate things for your users as it typically relies on biometric authentication (like a user’s unique typing style).
It automatically works in the background, constantly verifying as the user is logged in, without them having to go through any additional steps.
Remember: Zero Trust = Never Trust, Always Verify!
3. SEND OUT USER PASSWORD SECURITY REMINDERS
FACT: 90% of data breaches are caused by human error or negligence!
For example, 53% of users use the same passwords for multiple accounts. That’s the perfect recipe for credential stuffing.
Simple human errors can often be avoided with constant reminders that stick in, and ultimately raise employees’ security awareness.
That’s why it’s important to send out regular password security reminders to refocus your users’ attention.
BONUS: Share our 10 Dos and Don’ts of Google Workspace Password Security with your users to get the ball rolling.
4. AUDIT USER PASSWORD SECURITY ACTIVITY
Review suspicious user login activity across your domain regularly. This will help you catch any login-related threats on time.
Here’s what you want to check:
- User accounts audit log: Review events such as password changes and recovery email changes, including details like the IP address associated with each action.
- User login attempts report: Audit failed login events regularly to spot account compromise attempts on time.
- Failed device password attempts report: Monitor the number of failed login attempts on your company devices during a specified time range.
- Logins from unexpected areas: This is another area you want to audit, especially when you have users working remotely from different places around the world.
You can use GAT+ to set up location-based alerts for logins from outside whitelisted areas.
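As an added example (not part of the original post or of GAT+), here is a small Python check that runs the three login audits above over a few constructed login events: a burst of failed logins for one user, a successful login right after such a burst, and a successful login from outside the whitelisted countries. The event shape, the allowed-country list and the thresholds are assumptions made for this example; the "country" field is assumed to come from a GeoIP lookup on the logged IP address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, modelled loosely on Google Workspace login audit
# entries (time, actor, source IP, event name). The "country" field is assumed
# to have been added by a GeoIP lookup on the IP; it is not part of the raw log.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T08:00:05Z", "actor": "ana@example.com", "ip": "203.0.113.5", "country": "IE", "event": "login_success"},
    {"time": "2024-03-04T08:10:00Z", "actor": "bob@example.com", "ip": "198.51.100.7", "country": "BR", "event": "login_failure"},
    {"time": "2024-03-04T08:10:20Z", "actor": "bob@example.com", "ip": "198.51.100.7", "country": "BR", "event": "login_failure"},
    {"time": "2024-03-04T08:10:40Z", "actor": "bob@example.com", "ip": "198.51.100.7", "country": "BR", "event": "login_failure"},
    {"time": "2024-03-04T08:11:00Z", "actor": "bob@example.com", "ip": "198.51.100.7", "country": "BR", "event": "login_failure"},
    {"time": "2024-03-04T08:11:30Z", "actor": "bob@example.com", "ip": "198.51.100.7", "country": "BR", "event": "login_success"},
    {"time": "2024-03-04T09:00:00Z", "actor": "cat@example.com", "ip": "192.0.2.9", "country": "IE", "event": "login_failure"},
    {"time": "2024-03-04T12:00:00Z", "actor": "cat@example.com", "ip": "192.0.2.9", "country": "IE", "event": "login_success"},
]

ALLOWED_COUNTRIES = {"IE", "GB"}   # the "whitelisted areas" from the text (assumed)
FAILURE_THRESHOLD = 4              # failures within WINDOW before we alert (assumed)
WINDOW = timedelta(minutes=10)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def audit_logins(events, allowed=ALLOWED_COUNTRIES, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return a list of (actor, finding) tuples in event-time order."""
    findings = []
    recent_failures = defaultdict(list)   # actor -> timestamps of failures inside the window
    for e in sorted(events, key=lambda x: x["time"]):
        actor, t = e["actor"], _ts(e["time"])
        if e["event"] == "login_failure":
            fails = [f for f in recent_failures[actor] if t - f <= window] + [t]
            recent_failures[actor] = fails
            if len(fails) == threshold:      # alert once, when the threshold is first reached
                findings.append((actor, f"{threshold} failed logins within {window.seconds // 60} min from {e['ip']}"))
        elif e["event"] == "login_success":
            fails = [f for f in recent_failures[actor] if t - f <= window]
            if len(fails) >= threshold:      # success right after a burst of failures
                findings.append((actor, "successful login right after a burst of failures (possible compromise)"))
            if e["country"] not in allowed:  # login from outside the whitelisted areas
                findings.append((actor, f"login from non-whitelisted country {e['country']} ({e['ip']})"))
            recent_failures[actor] = []      # a success resets the failure streak

    return findings

if __name__ == "__main__":
    for actor, finding in audit_logins(SAMPLE_EVENTS):
        print(f"{actor}: {finding}")
```

On the sample data only bob@example.com is flagged: four failures within ten minutes, then a success from the same non-whitelisted IP; cat@example.com's single failure followed hours later by a normal login produces no alert.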
5. SET UP TIME AND AREA LOGIN CONTROL
Another way to get more granular on users’ login processes is by restricting login based on ‘Time and Area’ windows.
This means that users can only log in during certain hours you specify, and can only do so from particular locations.
This stricter type of login control can be particularly useful for protecting more ‘at-risk’ users who have fixed working hours and work from unchanged locations.
Note: You’ll need a 3rd party Google Workspace Security tool to set this up for your users.
6. SECURE THIRD-PARTY ACCESS
Too often users unknowingly give massive access permissions to apps (or extensions) that don’t really need that much access to their Google Workspace account.
This can result in unexpected security breaches.
While user security awareness plays a crucial role here, as an admin you need to:
- Use Google’s app access control to determine which apps can access sensitive domain data.
- Control access to less secure apps. You can allow users to turn access to less secure apps on or off, or disable their ability to allow less secure apps altogether.
- Allow or block apps and extensions in Google Chrome.
7. WISELY HANDLE COMPROMISED ACCOUNTS
‘Timely detection is one of the most important factors in minimizing the damage a compromised account can cause.’
See The 4 Tell-tale Signs of a Compromised Google Workspace Account.
After you’ve successfully identified a compromised account, how do you deal with it? Here’s our recommended drill:
- Deactivate the account right away.
- Review and remediate any damage or breaches caused.
- Reset the password and reactivate the account.
- Revoke old tokens and cookies.
- Reset App passwords for all devices used to access this account.
- Reassign the account to the user.
8. ENFORCE LEAST-PRIVILEGE ACCESS
The principle of least privilege (PoLP) is an InfoSec concept where a user is given the minimum levels of access, or permissions, needed to carry out their job functions.
For example, a user account created for payroll doesn’t need admin rights, while a programmer doesn’t need access to HR records.
This best practice helps you better audit and protect your Google Workspace domain, and facilitates damage control actions in the event of a breach.
Learn more about enforcing the least privilege with role recommendations in Google Cloud.
Closing thoughts
Locking down your domain’s Google Workspace password security and authentication processes is exactly like securing your company’s virtual gates: you need to make sure the system is impeccable.
This requires a combination of powerful Google Workspace security and auditing practices that work in line with users’ security awareness to always stay one step ahead.
Food for thought: A Passwordless future?
Now that we’ve talked about the importance of passwords, what do you think of a passwordless future? According to TechRepublic, that passwordless future is already here.
Let us know your thoughts on the subject at help@gatlabs.com 😉.