Google Suite Security Guidelines

Here at OmniCyber Security, we are frequently getting asked about security guidelines, and what steps can be taken to make cloud services more secure. We have based the below on the Google Suite of tools, however, many aspects apply across many cloud service providers.

Strong Password

As with all online accounts, an account's initial security is provided by its username and password. A strong password should therefore be set on every account as the foundation for any further security measures.

A strong password has the following properties:

1. At least 10 characters long

2. Contains characters from at least 3 of the following groups:

a. Lower case letters (a-z)

b. Upper case letters (A-Z)

c. Numbers (0-9)

d. Special characters or punctuation (!"£$%^&*()-=_+[]{};'#:@~,./<>?)

3. Is changed on a regular basis (every 6 months), but not so often that users fall into bad habits

There are many schools of thought on creating strong passwords, but it is widely agreed that a password safe (e.g. LastPass, Dashlane or 1Password) is the best way to store passwords for multiple services.

Two Factor Authentication

To further protect your accounts, two-factor authentication can be enabled to provide another layer of security. Two-factor authentication requires 'something you know', for example a passphrase or password, and 'something you have', such as a token or smartcard. In most cases an algorithm known as TOTP (Time-based One-Time Password) is used, where a one-time code is derived from a pre-shared secret for each 30-second time step. The login procedure then requires the username, the password and the code generated on the phone to complete the login.

This functionality can be set up for all users by following the steps listed here.

This forces every user on the domain to set up two-factor authentication. It also lets administrators set a lead time before enforcement begins and exempt specific users from the enforcement.

Application Passwords

Application passwords let users generate a separate password for each application, which limits what an attacker gains by compromising any one of them. Each application is granted limited access to the account through its own password, which can be revoked if that application is compromised without having to change passwords anywhere else.

Further information can be found here.

This functionality must be set up by each user individually, rather than being enforced by the domain administrators.

Password Alerts

If, for example, the Google Chrome browser is used and App Engine is enabled on the G Suite account, a password alert server can be set up to reduce the damage of a successful phishing campaign. The password alert server is configured to detect when a user's password is entered on a site not hosted by Google. Further information can be found here.

If you have any questions or would like any further information on cloud security, you can contact us.