In their 2023 Google Scanner Report, Metomic discovered that out of 6.5 million scanned files on Google Drive, a staggering 40.2% contained sensitive information that could potentially lead to a data breach or cyber attack for organizations. This is particularly concerning as hackers frequently target Google Drive due to the accidental or careless sharing of confidential documents such as financial records, customer data, and personally identifiable information (PII). 

One major issue with Google Drive's security is the risk of data breaches due to incorrect sharing settings. Users may unknowingly make their files public or give access to unintended recipients, putting sensitive information at risk. This problem is made worse by the platform's easy-to-use interface, which, although meant to make sharing easier, can sometimes lead to misuse. These breaches expose personal and professional data and present serious dangers to organizational security and adherence to regulations.

Understanding and correctly configuring sharing permissions is essential to mitigate these risks and enhance data security on Google Drive. The following sections will provide detailed guidance on how to set up Google Drive sharing settings effectively to secure sensitive information and strengthen the overall data governance framework.

Understanding Google Drive Permissions and Sharing Settings

Google Drive's permissions and sharing settings are designed to ensure data security and streamline operations. Users can specify the level of access for each individual file, including viewing, editing, and commenting permissions, thereby maintaining strict control over who can access sensitive information within the drive.

Key terms:

1. Permissions: These dictate the actions that individual users or groups are allowed to perform on your files or directories, including viewing, editing, or commenting.
2. Sharing settings: Sharing settings refer to the various options for controlling how files are shared with others, both within and outside an organization. These settings can be customized to determine the level of access granted to different users.
3. Access levels:some text
   • Viewer: Users with this access level can view, download, and share the file with others. However, they are restricted from altering the document itself.
   • Commenter: Commenters have all the permissions of a viewer, plus the ability to add comments and suggestions to the document.
   • Editor: Editors have all the functionalities of viewers and commenters, in addition to being able to edit the file's content by adding, modifying, or deleting information.

Organizational Access Settings

Google Drive also provides options for managing access at an organizational level, which include:

1. Restricted: This setting only restricts access to the file or folder to individuals explicitly granted permission. It is the most secure setting and is suitable for protecting sensitive information.
2. Within the group: Files shared with this setting are accessible to anyone within your organization or a specified group. This setting is useful for documents that need to be accessed by multiple users within the same company or department.
3. Public: This setting allows anyone with the link, or in some cases, anyone on the internet, to view the file. No sign-in is required, making it the least secure but most accessible option.

Best Practices for Secure Google Drive Sharing 

1. Principle of Least Privilege (PoLP) 

The Principle of Least Privilege (PoLP) is a security principle that limits user access to the minimum necessary to perform their tasks. This helps reduce the potential damage and exposure if a user's account is compromised or misused. For instance, a user with read-only permissions should not be able to edit or delete sensitive documents. Implementing PoLP reduces the risk of unintentional or malicious changes to data to protect sensitive information.

Google Drive's default settings may go against the Principle of Least Privilege, as they often give users more access than needed. For example, when a file is shared, Google Drive might automatically grant editing rights instead of just viewing rights, resulting in unnecessary exposure to sensitive data. Users can easily share files with others by default, increasing access unintentionally.

Implementing PoLP within Google Drive

• Granting minimal access based on user roles and responsibilities

When determining the appropriate level of access for users, evaluate their roles and responsibilities within the team. For those who only need to view information, it is best to grant them "Viewer" or "Commenter" access instead of allowing them to make changes as an "Editor." Comment-only access is suitable for users who need to provide feedback without altering the content. Edit access should be reserved for individuals actively creating and modifying documents.

Google Drive can restrict editors from changing sharing settings and adding new users, preventing accidental sharing or unauthorized access. It also has options to disable downloading, printing and copying sensitive documents to minimize the risk of data leakage. To prevent unwanted changes to your shared document, click on the "Advanced" settings link and uncheck the options allowing editors to add collaborators or modify permissions.

• Setting up alerts and audit logs

Google Workspace offers powerful tools for admins to monitor and control sharing activities, such as setting up alerts for unusual patterns and periodically auditing shared files and folders. Additionally, features like link expiration, access level controls, and Information Rights Management (IRM) can ensure secure and temporary sharing while having added control over sensitive documents. Admins should regularly review access permissions to revoke unnecessary privileges and maintain appropriate access levels.

• User training

Employees should be aware of the risks of improper file sharing and your organizational security policies. As part of their training, they should also be educated on the importance of the Principle of Least Privilege (PoLP) and its role in maintaining data security. Emphasize the need for thoughtful file sharing, taking into account appropriate access levels and the sensitivity of information. They should be aware that excessive access can lead to accidental data loss and unauthorized exposure.

2. Controlling Sharing Settings in Google Drive: Internal vs. External

Google Drive offers granular control over sharing settings, allowing you to manage access within and outside your organization. Let's explore the options and their implications:

• Restricted access

Restricted access is a security measure that limits access to files or folders to only approved users. This aligns with the Principle of Least Privilege and ensures that sensitive information remains confidential. Editors can add specific users by their email addresses, granting them permission to view, comment, or edit the files. 

Use case: This is ideal for situations where sensitive information needs to be shared or collaborated on within a select group rather than company-wide or beyond.

• "Within the Group" Access

The term "within the group" access describes settings that limit access to certain users within an organization, such as a particular department or a designated group in Google Workspace. This would include anyone in the organization's designated team within Google Workspace.

Use case: This type of access is beneficial for projects or documents that require collaboration from all members within a specific department rather than the entire organization.

Sharing with external users

• "Anyone with the link"

The "Anyone with the link" access feature enables anyone with the link to view, comment, or edit the document, depending on the permissions granted. However, this setting risks overexposure to sensitive data if links are shared without discretion. This means that anyone who obtains the link, intentionally or accidentally, can access the file and potentially compromise its security.

Use case: Ideal for storing less sensitive information that needs to be shared with collaborators outside of our organization, such as clients or partners. However, caution should be taken when using it.

• Hidden search setting

Google Drive has a hidden search setting that affects how files are discovered. By default, all files and folders can be searched and accessed by users within the organization. However, administrators can change the settings to prevent certain files or folders from appearing in search results. This can increase privacy and reduce accidental access to sensitive information. While hiding a file from the search may prevent unintentional discovery, it may also make it harder for authorized users to find it when needed. 

Use Case: This is beneficial for sensitive projects or information that should not be easily discoverable even within the organization unless specifically shared.

Best practices for secure sharing:

• Understand access levels: When managing access levels for your team, it's important to choose the appropriate level based on each user's role and needs. For added security, restrict access to files and folders to signed-in users only who have been explicitly granted permission.
• Limit external sharing: Limit external sharing of files only when necessary and consider using password-protecting links or setting expiration dates.
• Review sharing settings regularly: Regularly review sharing settings to ensure appropriate access and revoke unnecessary permissions.
• Educate users: Educate users on secure sharing practices and potential risks of oversharing.
• Disabling download/copy/print: To prevent data leakage, consider disabling download, print, or copy options for files shared with external viewers or commenters. This will also help prevent easy distribution of content by external users.

3. Advanced Control of Sharing Settings

Organizations that handle sensitive healthcare and financial data should configure proper sharing settings to prevent unauthorized access and ensure compliance with regulations such as HIPAA, the Sarbanes-Oxley Act, or GDPR. Failure to have proper internal controls in place can result in serious consequences, such as data breaches and non-compliance with industry regulations. External breaches can have even more severe repercussions, including significant financial penalties, loss of patient or customer trust, and legal consequences.

Internal sharing controls

Effective internal sharing controls are essential for regulating data flow within an organization. This is especially important when it comes to confidential information, as access should be strictly limited to authorized personnel based on their specific roles. For instance, patient records should only be accessible to certain medical team members, and sensitive financial documents should only be seen by designated employees in the accounting department.

Best practices:

• To ensure healthcare data security, restricted access is used as the primary method. This means only authorized individuals with specific roles will have access, reducing the chance of unintentional exposure.
• If group access is necessary, it should be used carefully only when all members require access and are authorized to handle sensitive data. It is advisable to create separate groups for different access levels, such as doctors, nurses, and administrative staff.

Implementation: Google Drive offers custom access levels and audit logs to help you manage who has access to your data. You can restrict most users to 'View' or 'Comment' permissions, reserving the ability to 'Edit' for those who truly need it. This allows for better control over your files and protects sensitive information.

External sharing controls: External controls must be in place to manage data sharing outside our organization. Due to the sensitive nature of this data, external sharing should be extremely limited and only allowed in specific situations, always with strict security protocols in place.

Best practices:

• Avoid Anyone with the Link" Sharing: Avoid sharing sensitive data publicly through link sharing, as this can lead to privacy concerns and potential violations of HIPAA regulations.
• To enhance security, consider using one of these options for external sharing:some text
  • Directly share with specific individuals by providing their email addresses and granting them limited access levels (e.g., viewer or commenter).
  • Protect shared links with a password to restrict unauthorized access.
  • Set expiration dates for shared links to automatically revoke access after a certain period.
  • Look into Information Rights Management (IRM) solutions that offer advanced controls like preventing downloads, printing, or copying of sensitive content.

Implementation: Administratively disable the ability to share files and folders externally unless special approval is obtained. Use Google Workspace's security settings to create exceptions for external sharing, which should then be closely monitored and logged.

Best practices for managing sharing permissions effectively

• Policy and procedures: Establish clear policies for data sharing and define who is allowed to do so, under what circumstances, and with what authorization
• Training and awareness: Regularly train our staff on the importance of data protection, as well as the specific controls for external sharing and the potential legal consequences of mishandling data.
• Implement approval workflows: Implement an approval process for all external sharing requests to ensure proper authorization before any information is shared externally.
• Implement Data Loss Prevention (DLP): DLP tools can help identify and prevent accidental sharing of sensitive data outside the organization.
• Technological measures: Use Google Drive's advanced settings to enforce restrictions, including enabling Information Rights Management (IRM) to limit document downloading, copying, or printing and setting expiration dates for shared files.

4. Monitoring and auditing access

Track who accesses what data and when to ensure compliance and security. This can be achieved through a record-keeping system that utilizes the Admin console reports to monitor user activity, such as file access, sharing, and modifications. Regular access reviews should also be conducted to verify that only authorized users have access to sensitive data in environments where roles and responsibilities may change frequently. Additionally, maintain comprehensive audit trails of all access and sharing activities for valuable insights during security audits or investigations.

5. Understanding file and folder behavior

Google Drive's shared drives have permissions and sharing settings that control who can access and modify files and folders. These settings are important for maintaining data security and integrity in collaborative environments as they determine who can view, edit, or share content.

Inherited Permissions

Inherited Permissions is a system where subfolders and documents within a folder automatically inherit the access settings of their parent folder. This feature can make permission management easier, but caution is required to prevent accidental exposure of sensitive data. Any changes to permissions at the parent level will affect all items unless specific exceptions are set. While this can help make widespread access updates, it can also be risky if confidential information is accidentally shared with unauthorized users.

To effectively manage inherited permissions and reduce risks, follow these guidelines:

• Set explicit permissions for sensitive folders at the subfolder or document level to override inherited settings. This will prevent any broader access changes from affecting critical data.
• Conduct regular audits of folder structures and permissions. This will help ensure appropriate access levels as projects evolve and team compositions change.

The September 30, 2020, Google Drive update brought about a significant change in the way items are organized. Now, files can only exist in a single location rather than being duplicated across multiple folders. This simplifies the file hierarchy and reduces confusion and potential errors that may arise from having multiple instances of the same file. However, this also has implications for sharing as it now requires more deliberate actions, such as using shortcuts or shared links instead of folder-based duplication.

While it may seem simpler, there are compelling reasons to maintain manual control over subfolder permissions. This level of control allows organizations to manage access carefully and securely, particularly when dealing with confidential or sensitive information.

Establishing proper ownership of files and folders

In Google Drive, ownership refers to someone who has ultimate control over a file or folder. This includes managing its sharing settings and the ability to delete or restore it. Ownership is crucial for maintaining data security and ensuring that sensitive information is only accessible to authorized individuals. It also helps prevent data loss and maintain access control when users leave the organization or change roles.

Best Practices for Ownership Transitions

• Clear ownership policies: Establish clear ownership policies to ensure smooth operation and control over critical data and documents. This includes defining ownership responsibilities and implementing procedures for transferring ownership when an employee leaves the company or changes departments. This will help ensure continuous access and control over important information.
• Audit and review: Regularly audit file and folder ownership within Google Drive to make sure that all data is properly managed and accessible by current team members
• Communicate ownership changes: communicate any ownership changes to team members to avoid confusion and ensure everyone understands their access rights. This will help maintain organization and efficiency within the team's workflow.

Other best practices to set up Google Drive sharing permissions to prevent data loss:

• Use strong, unique passwords: Ensure all users within your organization use strong, unique passwords and enable two-factor authentication (2FA) to add an extra layer of security.
• Regularly monitor activity: Use Google's built-in audit and reporting tools to monitor user activity and identify potential data breaches or suspicious behavior.
• Train employees: Educate your employees on data security best practices, including identifying phishing emails, avoiding suspicious downloads, and safeguarding sensitive information.
• Regularly backup data: Regularly backup your Google Drive data to protect against data loss due to accidental deletion or ransomware attacks.
• Configure security settings: Review and configure security settings within your Google Workspace account to ensure maximum protection, such as enabling security alerts, managing API access, and implementing OAuth app whitelisting.
• Use third-party DLP solutions like Strac Google Drive DLP to add an extra layer of protection.

Introducing Strac DLP for Google Drive

Strac DLP is a powerful data loss prevention software with no-code integrations for secure communication across multiple channels. It supports popular platforms like Google Drive, Gmail, Slack, Zendesk, Intercom, and Office 365. With the Strac Google Drive DLP application, businesses can easily configure specific sensitive data to be masked or redacted for added security.

The list below shows a list of sensitive data that can be redacted using the Strac Google Drive DLP application:

• Identity: Drivers License, Passport, SSN (Social Security Number), National Identification Number, etc.
• PII: Name, Address, Email, Phone, DoB, Age, Gender, Ethnicity, etc.
• PHI: PII data, Medical Record Number (MRN), Insurance ID, Health Plan Beneficiary Number, Biometric, Medical Notes, etc.
• Payments: Bank Account, Routing Numbers, Credit Card, Debit Card, IBAN, etc.
• Secrets: API Keys, Passwords, Passphrases, etc.
• Vehicle: License Plate, Vehicle Identification Number (VIN), etc.
• Physical Network: IP Addresses, MAC address, etc.
• Crypto Secrets: Seed Phrase, Bitcoin, Ethereum, Litecoin Addresses, etc.
• Profanity: Curse words, abuse words, etc.
• Custom: Create your own rules or use regex

The following steps show how the Strac Google Drive DLP application protects your team's Google Drive workspace and saves your organization from data loss or leakage.

1. Strac Google Drive DLP application detects or discovers sensitive files. When integrated and turned on, the Strac Google Drive DLP application detects sensitive files shared.
2. Strac prevents file sharing. Teams can build workflows around file sharing. For example, a file can be sent only if an owner approves it. If the owner rejects it, the file will not be sent to an external party.
3. Strac masks or redacts sensitive files or files containing sensitive data while giving authorized users access to those redacted contents in the Strac UI vault.
4. Strac will send sensitive data (PII) alerts to configured users, security teams, or SIEM integration.
5. Businesses can configure a list of sensitive data elements (SSN, DoB, DL, Passport, CC#, Debit Card, API Keys, etc.). 
6. Compliance, Risk, and Security officers will get audit reports of who accessed what messages.

Ready to see Strac in action? Book a demo and secure your Google Drive with Strac!