Never let a good incident go to waste.

Today, we’re using the OPM incident as an excuse to share with you our top recommendations for shoring up the security of your Google Apps for Work account.

More than 5 million companies rely on Google Apps to run their critical business functions, like email, document storage, calendaring, and chat. As a result, a huge amount of data pools inside Google Apps just waiting for an attacker to gain access to it. In any modern company, this is target #1.

This guide is for small businesses who want avoid the worst security problems while expending minimal effort. If you’re in a company with more than 500 employees, and have dedicated IT staff, this guide is not for you.

Risks

A lot that can go wrong with computers, even when you eliminate the complexity of client applications and move to a cloud-hosted platform like Google Apps. Many people tend to think too abstractly about security to reason about concrete steps to improve themselves. In this context, here are the attacks we’re concerned about:

• Password management. Users occasionally reuse passwords, surrender them to successful phishing, or lose all of them due to poor choice of password manager.
• Cross-Site Scripting (XSS). Google has an enormous number of web applications under active development. They routinely acquire and add new companies to their domain. Some new vulnerabilities might be tucked into this torrent of fresh code. Any one XSS can result in a lost cookie that logs an attacker into your Google account.
• Inadvertent Disclosure. Permissions management is hard. The user interface for Google Docs does not make it easier. Internal documents, calendars, and more can end up publicly available and indexed by search.
• Backdoored Accounts. In the event of a successful compromise of one user’s account, the attacker will seek to preserve access so they can come back later. Backdoored Google Apps accounts can continue to leak emails even after you format an infected computer.
• Exploits and Malware. Even with an all-Chromebook fleet (which we wholeheartedly recommend), there is a chance that computers will get infected and malware will ride on the back of legitimate sessions to gain access to your accounts.

Top 8 Google Apps Security Enhancements

If you make these few changes, you’ll be miles ahead of most other people and at considerably less risk to any of the above scenarios.

1. Create a secure Super Administrator account

In admin.google.com, create a new admin account for your domain. You’ll only use this account to administer your domain; no email, no chat. Stay logged out of it. Set the secondary, recovery email to a secure mail host (like your personal Gmail). Turn on 2FA or use a Security Key for both accounts.

2. Plug the leaks in your email policy

Gmail provides a wealth of options that allow users to forward, share, report, or disclose their emails to third parties. Any of these options could enable an inadvertent disclosure or provide a handy backdoor to an attacker who has lost their primary method of access. Disable read receipts, mail delegation, emailing profiles, automatic forwarding, and outbound gateways.

3. Enable 2-Step Verification (2SV) and review your enrollment reports

2SV (or, as it’s more commonly referred, 2-factor Authentication or 2FA) will save your ass. With 2FA switched on, stolen passwords won’t be enough to compromise accounts. Hundreds of services support it. You should encourage your users to turn it on everywhere. Heck, just buy a bunch of Security Keys and hand them out like health workers would condoms.

Note: The advanced settings expose an option to force 2FA on every user on your domain. To use this feature properly, you must create an exception group to allow new users to set up their accounts. tl;dr Ignore the enforcement feature and just go bop your users over the head when you see they haven’t turned 2FA on yet.

4. Delete or suspend unmaintained user accounts

Stale accounts have accumulated sensitive data yet have no one to watch over them. Over the lifetime of an account, it may have connected to dozens of apps, left its password saved in mobile and client apps, and shared public documents now left forgotten and unmaintained. Reduce the risk of these accounts by deleting or suspending them.

5. Reduce your data’s exposure to third parties

The default settings for Mail, Drive, Talk, and Sites can lead to over-sharing of data. Retain the flexibility for employees to choose the appropriate setting, but tighten the defaults to start with the data private and warn users when it is not. Currently, there is no universal control; you have to make changes to each Google app individually.

6. Prevent email forgery using your domain name

Left unprotected, it is easy for an attacker to spoof an email that looks like it came from your CEO and send it to your staff, partners, or clients. Ensure this does not happen. Turn on SPF and DKIM to authenticate email for your domain. Both require modifications to TXT records in your DNS settings.

7. Disable services from Google that you don’t need

Cross-site Scripting (XSS) and other client-side web application flaws are an underappreciated method for performing targeted hacks. DOM XSS can be used as a method of persistence. Labelling a bug as “post-authentication” means little when you stay logged into your Google account all day. Disable access to Google services you don’t use. That will help limit the amount of code your cookies are exposed to.

8. Set booby traps for the hacker that makes it in anyway

Your defenses will give way at some point. When this happens, you’ll want to know it, fast. Enable predefined alerts to receive an email when major changes are made to your Google Apps. Turn on alerts for suspicious login activity, admin privileges added or revoked, users added or deleted, and any settings changes. Send the alerts to a normal user, since you wouldn’t be logged into the Super Administrator regularly.

Security Wishlist for Google Apps

Google Apps offers one of the most secure platforms for running outsourced IT services for your company. However, even the configuration above leaves some blind spots.

Better support for inbound attachment filtering

Attackers will email your users malicious attachments or links. This problem is largely one for the endpoint (and Google offers Chromebooks as one solution), but an email provider can do more to mitigate this tactic.

The Google Apps settings for Gmail offers an “attachment compliance” feature that, while not specifically made for security, could be enhanced to protect users from malicious attachments. Gmail could prepend a message to the email subject that includes a warning about certain attachments, quarantining attachments with certain features (e.g. macros), sending attachments to a third-party service for analysis via an ICAP-like protocol, or converting attachments (say, doc to docx).

If we took this idea even further, Gmail could strip the attachments entirely and place them in Google Drive. This would make it easier to remove access to the attachment in the event it was identified as malicious and it would make it easier to perform repeated analyses of past attachments to discover previously unknown malicious content.

Better management of 2FA enforcement

Google was the first major service provider to roll out 2FA to all their users. Their support for this technology has been nothing short of tremendous. But it’s still too hard to enforce across your domain in Google Apps.

Turning on organization-wide enforcement requires setting up an exception group and performing extra work each time you add a new user to your domain. Could Google require 2FA on first sign-in, or give new users a configurable X-day grace period during which they could use just a password? How about bulk discounts on Security Keys?

Built-in management and reporting for DMARC

Domain Message Authentication Reporting and Conformance (DMARC), like SPF and DKIM, was designed to enhance the security and deliverability of the email you send. DMARC can help you discover how and when other people may be sending email in your name. If you want to turn on DMARC for your Google Apps, you’re pretty much on your own.

Google should make it easier to turn on DMARC and provide the tools to help manage it. This is a no-brainer, and it should be, considering email is their flagship feature.

End-to-end crypto on all their services

If the data for your organization were stored encrypted on Google servers, you wouldn’t have to worry as much about password disclosures, snooping Google employees, or security incidents at Google. Anyone who gained access to your data, but lacked the proper key, would be unable to read it.

Google’s End-to-End project will help users deploy email crypto. If you want this feature today, the S/MIME standard is supported out-of-the-box on Mail.app, iOS, Outlook, Thunderbird, and more. Amazon WorkMail, a competitor to Google Apps, allows client-managed keys. By encrypting 100% of your internal email, their contents are unreadable to third parties that happen to gain access to your accounts.

However, this still leaves sensitive data that lives unprotected on other services, like Hangouts and Drive. Yes, there are alternatives, but none are ideal in this scenario. You could deploy your own, in-house secure videoconferencing or consider adopting tarsnap but the inconvenience is still too great. This problem is still waiting for a solution in Google Apps.

If You Have a Problem

By now, your Google Apps domain should be less vulnerable. So, what happens if you discover one of your users has been hacked? Google has you covered here. Review the “Administrator security checklist” if you think you have a problem. Their step-by-step guide is nearly everything you need to get started responding to a security incident.

Feedback

I hope that you have found this guide useful. What do you use to help secure your Google Apps? Are there features on your wishlist for Google Apps that I missed? Did I miss something?

UPDATE 1:

GCHQ released a guide for securing Google Apps in November, 2015.