Let’s make Google Drive Management a whole lot simpler!
Google Drive Management is a wide umbrella that many sysadmins can occasionally feel lost under.
However, when you keep your eyes on the most important areas and develop best practices for them, you’re far from lost.
In this playbook we’ll cover the TOP 10 Google Drive management areas and provide Admins with best practices there — in line with the most recent Google Workspace updates for 2021 to date.
With these practices not only will you FULLY cover your organisation’s Google Drive management operations, you’ll also learn to do so with minimal effort.
Let’s get started then, shall we?!
Google Drive Storage: NEW Limits
Starting June 1, 2021, Google’s new storage policy for Drive will kick in. With that, any newly created Drive files from that date will count toward the storage limits for users in your domain.
So there’s no better time than the present for your organisation to adopt new storage-friendly practices — and that starts with clearing out Drive clutter or debris.
What users can do:
- Clear out ‘My Drive’ Clutter.
Share this blog post with your users to teach them how to clear out Drive clutter and keep ‘My Drive(s)’ organised by adopting a simple minimalist approach.
What Admins can do:
1. As an admin, you can view and monitor domain storage quota in the admin console here.
(Look for a graph called ‘Storage used by apps’ in reports, under accounts).
2. You can also view how much storage each user has used and which user(s) have used the most storage here.
(You’ll see a column that shows this information for Drive, Gmail and Photos).
3. Finally, make sure to identify and delete duplicate files. These alone can eat up a huge chunk of your Drive storage quota.
(Use GAT+ to dig beyond the Admin console for things like file types and more).
So what’s your organisation’s Shared Drive structure like?
This question is super important when most of your Google Drive management operations constantly prompt you to re-examine your Shared Drive structure for improvements.
It’s also integral to Drive Data Loss Prevention (DLP), since it largely determines who has access rights to what and when, and allows you to better customise your Drive DLP rules accordingly.
*To explore the 3 different Shared Drive structures most organisations deploy, check out this blog post.
Once you’ve got the best Drive structure in place, you can apply any needed tweaks and move files and folders to the right place more easily.
One final option to consider is restricting users from moving content outside your organization. That of course may not be feasible for every organisation, but it’s an option worth exploring.
File ownership permissions are another important part of your Google Drive Management operations. After all, file owners enjoy some of the most powerful Drive privileges of all.
File ownership is also core to security goals like Drive Data Loss Prevention (DLP) and information security. Therefore, how well you handle file ownership and sharing at your organization is ESSENTIAL.
* Check out our blog Manage Google Drive File Ownership like a Security PRO for best Drive file ownership practices.
File Sharing Exposure Audit
Yes, we highlighted this one in RED for a reason — it goes at the top of your priority list.
With many of us now working remotely, our file sharing activities have most likely multiplied. Over time, the number of shared files (internal and external) accumulates and becomes tricky to manage.
Also, sometimes sensitive data may be accidentally shared or added later on to folders already shared externally to unauthorised parties. Exposing data this way can have HUGE data security repercussions.
External File Sharing
So external file sharing is obviously a priority area for sysadmins and CIOs. Here’s how to manage it more easily:
- Review external file sharing using the Google Workspace File Sharing Exposure report available in the Business edition.
- You can also set different sharing permissions for different Organizational Units if you have the Business (or higher) edition.
These options, however, provide limited flexibility and require regular manual reviews of shared items and sharing permissions.
A better and easier way is to automate your file sharing exposure audit. This will save you plenty of time and effort.
How to Automate the Drive file sharing exposure audit task?
You can automate the file sharing exposure audit and correction task through GAT’s many toolsets, one of which is GAT+. For example, you can use it to:
- Assign granular sharing policies, monitor file sharing using pre-built aggregated reports, and configure file sharing exposure triggers in a fully automated way, saving plenty of time and effort.
- Create a DLP alert rule every time any given user, selected OU or group shares or downloads ‘x’ number of files with GAT+. You can also stop files that contain sensitive information from being shared out.
- Use GAT+ to create a policy for any given document to make sure that even if it’s shared out, external users will be automatically removed.
An example of GAT’s File Sharing Exposure Audit one-click report
Internal File Sharing
Let’s not forget about internal data threats. Here you need to consider a few questions:
- Is there any information that NOT all users should be sharing or have constant access to?
- What access rights do users have for sensitive files?
- What would you consider unusual internal sharing activities indicating potential malicious threat or compromised user account(s)?
One more thing to pay close attention to is sharing to personal accounts such as gmail.com, yahoo.com, hotmail.com, etc.
An example of GAT’s External domain report shares with gmail.com
Finally, remember, you can never be fully sure of who can view your most sensitive Drive files without conducting a comprehensive file sharing exposure audit.
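As a sketch of what such an exposure audit checks for each file, the added example below (not GAT+ or Google code) classifies permission entries as internal, external, personal or public. The field names follow the Drive API v3 permissions resource; the domain lists and sample files are assumptions made up for the illustration.

```python
# Added example: classify Drive sharing exposure from permission entries.
# Field names (type, role, emailAddress, domain) follow the Drive API v3
# permissions resource; the domain lists and sample files are constructed.
ORG_DOMAINS = {"example.com"}                      # assumption: your own domains
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
RANK = {"internal": 0, "external": 1, "personal": 2, "public": 3}

def classify_permission(perm):
    """Return the exposure level of a single permission entry."""
    if perm["type"] == "anyone":
        return "public"                            # link sharing or public on the web
    if perm["type"] == "domain":
        domain = perm.get("domain", "").lower()
    else:                                          # user or group grantee
        domain = perm.get("emailAddress", "").rpartition("@")[2].lower()
    if domain in ORG_DOMAINS:
        return "internal"
    if domain in PERSONAL_DOMAINS:
        return "personal"
    return "external"                              # unknown or missing domain: fail closed

def audit_files(files):
    """Map file name -> (worst exposure, [(grantee, role, level), ...])."""
    report = {}
    for f in files:
        findings = []
        for p in f["permissions"]:
            level = classify_permission(p)
            if level != "internal":
                grantee = p.get("emailAddress") or p.get("domain") or "anyone"
                findings.append((grantee, p["role"], level))
        worst = max((lvl for _, _, lvl in findings), key=RANK.get, default="internal")
        report[f["name"]] = (worst, findings)
    return report

SAMPLE_FILES = [  # constructed sample data
    {"name": "payroll.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "Jane.Doe@Gmail.com"}]},
    {"name": "roadmap.docx", "permissions": [
        {"type": "anyone", "role": "reader"},
        {"type": "user", "role": "reader", "emailAddress": "pm@partner.example"}]},
    {"name": "notes.txt", "permissions": [
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
]

if __name__ == "__main__":
    for name, (worst, findings) in audit_files(SAMPLE_FILES).items():
        print(f"{name}: {worst} {findings}")
```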
Drive Downloads and more
But Drive data doesn’t get leaked or transferred through ‘file sharing’ only. There’s also downloading, copying and printing of sensitive files — that’s DLP 101.
To manage those things you need to Audit Event Activity. That includes download, print and related events, and can be done using the Google Admin Console. Here’s how:
- Go to Reports > Audit > then Drive (Drive audit log).
- Use the Filters section on the side of the page to create a filter for the event, e.g. users downloading files. That’ll give you details including the user’s name, IP address, exact date, and more.
- You can also use GAT+ to view Event Activity on Files, Folders or Shared Drives Across Google Drive. Here’s how. (Disable downloading, printing, and copying of Drive files containing sensitive information that you don’t want to be shared broadly or leaked).
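The same filter can be applied to exported audit records to flag a user who downloads, prints or copies several files in a short time. The added example below is not code from Google or GAT; it assumes the records are Admin SDK Reports API activity items saved as JSON, and the threshold, window, users, IPs and document IDs are constructed.

```python
# Added example: burst detection over exported Drive audit log records.
# Record layout follows Reports API activity items; all sample values are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED = {"download", "print", "copy"}    # audit event names to count

def parse_activity(item):
    """Yield (time, user, ip, doc_id) for each watched event in one record."""
    when = datetime.fromisoformat(item["id"]["time"].replace("Z", "+00:00"))
    for ev in item.get("events", []):
        if ev["name"] in WATCHED:
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            yield when, item["actor"]["email"], item.get("ipAddress"), params.get("doc_id")

def find_bursts(items, threshold=3, window=timedelta(minutes=10)):
    """Alert when a user touches >= threshold distinct files inside the window."""
    rows = sorted((r for it in items for r in parse_activity(it)), key=lambda r: r[0])
    recent = defaultdict(deque)            # user -> deque of (time, doc_id)
    alerts, alerting = [], set()
    for when, user, ip, doc in rows:
        q = recent[user]
        q.append((when, doc))
        while when - q[0][0] > window:     # drop events older than the window
            q.popleft()
        files = len({d for _, d in q})
        if files < threshold:
            alerting.discard(user)         # burst is over, re-arm the alert
        elif user not in alerting:         # raise one alert per burst
            alerting.add(user)
            alerts.append({"user": user, "ip": ip, "at": when.isoformat(), "files": files})
    return alerts

def _rec(time, user, ip, name, doc):       # builds one constructed record
    return {"id": {"time": time}, "actor": {"email": user}, "ipAddress": ip,
            "events": [{"name": name, "parameters": [{"name": "doc_id", "value": doc}]}]}

SAMPLE = [  # constructed sample data
    _rec("2021-05-03T09:00:00.000Z", "alice@example.com", "203.0.113.7", "download", "d1"),
    _rec("2021-05-03T09:02:00.000Z", "alice@example.com", "203.0.113.7", "download", "d2"),
    _rec("2021-05-03T09:03:00.000Z", "bob@example.com", "198.51.100.4", "view", "d9"),
    _rec("2021-05-03T09:04:00.000Z", "alice@example.com", "203.0.113.7", "print", "d3"),
    _rec("2021-05-03T09:05:00.000Z", "alice@example.com", "203.0.113.7", "download", "d4"),
    _rec("2021-05-03T09:30:00.000Z", "bob@example.com", "198.51.100.4", "download", "d5"),
]

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

Counting distinct files rather than raw events keeps repeated downloads of one document from triggering the alert.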
Google Groups and Drive
Now let’s dig a little into Groups.
While Groups allow users to share content more efficiently and collaborate better, there are a few things you need to look after for better Google Drive management:
1. Identify External Members within Google Groups
Drive vulnerabilities can be introduced when a Group has one or more EXTERNAL members. Therefore, you need to audit such groups and investigate whether these members should still be present.
(You can easily do that using GAT+ by following these steps.)
2. Tweak Access rights
Say you want to share a file with a group without giving all group members the same access permission to shared files? — Break those permissions up by creating different groups with different permissions.
Example: Create a group of beta readers, a group of editors, and a group of proofreaders. Assign the beta readers ‘viewing-only’ rights, the editors ‘editing rights’, and the proofreaders ‘commenting’ rights.
That way you’ll have more control over who can do what with the collaboration file/folder.
Target audiences are another way to control users’ Drive file sharing within your organization – or sharing directly between users or within groups.
They can improve the security and privacy of your Drive data using admin-recommended audiences, while making it easier for users to share appropriately.
Target Audience VS Groups
You might be wondering, so what’s the difference between Groups and Target Audience then?
Unlike groups, target audiences can’t be used for any other purposes, such as mailing lists, forums, or configuring access to services.
Target audiences can only be used as sharing options in users’ sharing settings for a Google service (for example, link-sharing options for Drive).
You can’t use target audiences as members of other groups or target audiences. You also can’t specify owners and set group access options directly for target audiences.
HOWEVER, Target audiences have benefits over regular groups for sharing with broad audiences — Below are a few examples for Google Drive management:
- Limiting link-sharing to employees only.
- Deploying target audiences across multiple Google Workspace accounts.
- Recommending progressively broader link-sharing options.
- Deploying target audiences according to your organization’s hierarchy.
- Recommending how broadly to link-share across multiple secondary domains.
*Target audiences are currently available only for Google Drive and Docs.
Learn more about deploying Target Audience here.
You know the expression ‘saved by the bell’ — that’s exactly what DLP alerting does. So you want to make sure that your DLP alerts are configured correctly. That will save you a lot of time and stress.
Google’s data loss prevention (DLP) allows you to create and apply rules to control Drive content that users share outside your organization.
- What kind of Drive DLP rules should you set?
You want to set DLP rules for sensitive Drive information you don’t want shared outside your organization.
- Social Security numbers (SSNs) and Credit Card details.
- Sensitive data, such as internal project names, employee details, Employer Identification Number (EIN), etc.
- Other personally identifiable information (PII).
*As of March 2021, Google will start providing recommended data loss prevention (DLP) rules personalized for your organization. These can help up your DLP rules game by knowing where necessary adjustments or additional investigation is needed.
*Once you create rules for such information, DLP enforces those rules and violations trigger actions, such as alerts.
- Use Google Drive DLP to:
- Audit the usage of sensitive content in Drive.
- Warn end users not to share sensitive content outside your domain.
- Prevent sharing of sensitive data with external users.
- Alert admins or other users on policy violations or DLP incidents.
- Investigate an incident with information on the policy violation.
*Currently, DLP rules can be found in the Admin console under Security > Data protection.
- How to set Drive DLP rules?
- For Enterprise and Enterprise for Education editions, you can scan and protect Drive files using DLP rules, covering Google Sheets, Docs and Slides. Read more.
- You can also set up more granular Drive DLP alerts, including Regex Alert Rules, for files shared outside your organisation using GAT+.
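A regex alone produces many false positives for the data types listed above, so a content detector usually pairs the pattern with a validity check. The added example below is not Google's or GAT+'s detector; it shows the idea for SSNs and payment card numbers, using constructed sample text.

```python
# Added example: content detectors for SSNs and payment card numbers.
# Not Google's or GAT+'s detector; the sample text and numbers are constructed.
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs that look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"

def mask(value):
    """Hide all but the last four digits so alerts do not leak the data again."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]

def scan(text):
    """Return [(detector, masked_match), ...] for validated hits only."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("SSN", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("CARD", mask(digits)))
    return hits

SAMPLE = ("Employee SSN 123-45-6789, card 4111 1111 1111 1111, "
          "ref 4111 1111 1111 1112, old id 000-12-3456")  # constructed

if __name__ == "__main__":
    print(scan(SAMPLE))
```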
Google Drive Data Compliance
When speaking of Data Loss Prevention (DLP) our minds must always go to data compliance.
Ever since the introduction of GDPR and CCPA in 2018 the way we process and share data has never been the same, no matter what industry we work in. These regulations are also complex and impact every sector of the economy.
With Drive being your company’s main Data storage and collaboration space, you want to make sure these regulations are observed (and enforced) throughout your Drive operations.
The best way to do that is by getting granular and looking into CONTENT. That’s where creating predefined content detectors comes in.
A Comprehensive Drive Data Compliance approach requires:
- Proper workflows to ensure only approved access to sensitive and protected content.
- Real-time content monitoring of all sensitive information being typed, copied or pasted anywhere in your Google Workspace environment.
Check out GAT Lab’s Powerful GDPR Compliance Suite for Google Workspace
Onboarding and offboarding users (Drive)
That’s usually not a big Google Drive Management issue if you’ve got just one or two people leaving and joining your organisation per year.
But what if you get dozens of departing employees and new joiners across different departments? — How can you get to grips with such a large number? What are the documents involved? Which documents are important? How do you transfer file Ownership of suspended users?
Yup, there are many things to look after and it can get quite repetitive and time consuming as you observe the many ins and outs for every department or OU.
Offboarding users safely:
They say ‘Watch out for angry leavers’! — We say ‘Watch out for ALL leavers’, especially when it comes to Google Drive.
One of the most important Google Drive management practices you’ll want to adopt is deploying a bullet-proof offboarding process for leavers. Here’s why:
- Suspended accounts of leavers can result in the loss of important data. This is a common DLP scenario.
Also, wrongfully suspended accounts typically cause approximately 70% of data availability issues.
- You need to ensure that leavers can no longer access important corporate Drive resources once they leave.
This can bring in significant DLP hazards, especially if they choose to act on it in malicious ways.
Automating Users’ Onboarding and Offboarding:
As an admin you need a standard process for onboarding and offboarding users across different OUs.
Some admins carry this process out manually, which can be messy and time consuming. Other admins use scripts to automate the process (a few of them are available on GitHub).
However, DIY and manual approaches often result in data loss and business interruptions when the data archival and forwarding steps don’t happen on time — That’s where an onboarding/ offboarding tool can significantly help.
GAT Labs for Google Drive Management
As an admin, Google Drive management can be one of those nagging and painful tasks — there’s a lot of administrative effort needed there to feel fully in control of your Drive management game.
HOWEVER, putting proactive measures in place, like monitoring and automation, can relieve a bulk of that stress and offer you peace of mind when it comes to securing the areas that matter the most.
10 POWERFUL GAT Google Drive Management and SECURITY capabilities:
- Replace current sharing permissions on your Google Drive files.
- Remove ALL permissions on Google Drive shares with the exception of a single user.
- Find publicly shared Google files.
- Search for Specific File types in your Domain and change their ownership in Google Drive.
- Manage files owned by leaving users easily.
- Remove All permissions to all ‘Sensitive’ folders and their sub-folders.
- Understand Google Group activity email and file sharing.
- Remove external shares when files haven’t been accessed for a certain number of days.
- Find and Transfer Ownership of Mp3 Files.
- Detect a Sharing Policy Violation in Google Drive.