‘Bin’ or ‘Trash’ is just a folder. If a user moves a file, which was shared out, from ‘My Drive’ to ‘Trash’, the file is still shared out, still visible and still subject to changes. Files do not automatically leave trash. Users should know moving a file to ‘Trash’ is not a solution to a sharing violation.
Your audit tool must audit trash correctly. Shared trashed files must be deleted to remove the security risk. Deleted files must be kept in an audit log.
A file shared into your Domain with Edit rights is just as big a security risk as a file shared out with edit rights. Tracking files shared out of your domain only addresses part of the data leakage risk on Drive. You must be aware of the files shared in with ‘Edit’ rights. Policies must work for file shares in both directions and ideally for internal and external shares.
If you were using files in a shared folder and another user deletes the folder, the files become ‘orphaned’ on Google Drive. The files are there, but they are not in ‘My Drive’ or any other folder. Files that disappear are typically orphaned. GAT lets Admins and Users find orphaned files. Orphaned files may remain fully shared, even public. Out of site for your users does not mean out of sight for externally shared or public files.
Your audit tool should extend to the end-user. Admins are often not the right people to assess the risk or the provenance of a file. End users know their own files best. End users should be shown how to do audits and encouraged to do them frequently.
Passwords of any length and any change frequency are almost a waste of time as a security device. Most password attacks now are not dictionary driven, but keyboard scrapes. Google Apps are particularly vulnerable to password loss by this method because of the access from anywhere, anytime model. Home PCs are used to access corporate networks. Public spaces with cameras on users. Airport kiosks. All present an opportunity for a keyboard scrape. Enable 2FA and use either a code or a fob to provide additional security. If any part of your security model is solely based on passwords and frequent changes you are deluding yourself into a false sense of security. GAT reports 2FA status by user and you can schedule reports for non-2FA accounts.
Carriers often obfuscate the true location of the IP address used to make a Google Apps login, but they do not do so at random. Admins should familiarise themselves with the regular IP locations for all logins to their domain. Admins should investigate logins from unexpected locations. GAT tracks and maps IP address locations for connections to your domain. Suspicious or failed logins on Google mean very little to Admins on their own, they need to be seen in the context of where they are coming from. See this post on the subject.
With GAT, you can set an alert type based on IP address or IP subnet.
A change in user behavior is often a sign that should alert a security-conscious Admin. Changes in behavior include increased or excessive file shares or emails. It is important to know the regular volumes for your domain. GAT can alarm when it detects thresholds set by you are exceed for files shared in or out, or emails sent or received.
Marketplace Apps can be installed at Admin console level, by end-users as a document, spreadsheet or browser extensions and as browser-based apps. These are all different. Marketplace Apps reported by Google only represent a small portion of the app’s users install.
Blocking Third-Party Drive Apps does not necessarily cover Chrome extensions. If you are not restricting both these types you need an audit tool that can audit, risk assess and alarm and enforce policy on new instances of both Drive Apps and Chrome extensions. GAT can cover all these areas. It can apply a policy by a user, group or OU.
Accounts that have been idle for a long time that suddenly become active should attract the attention of an Admin, likewise accounts that have suddenly gone quiet. Is HR keeping IT up to date on personnel changes? Are departed employees coming back into their accounts? GAT can alarm you when it detects thresholds for idle account times have been breached.
Devices that have been inactive for a long period and suddenly become active may be a security risk. Likewise, a device that has gone quiet. Has the user reported it missing or stolen? Was it thrown in a drawer for a kid to use later? Is the new user suddenly reading the finance files? GAT can alarm when it detects thresholds for device syncs have been breached.