If you use Google’s infrastructure to run your company’s email infrastructure, you should be aware of some additional security options.
The interface for adding a new user looks a little different.
Click the "Users" button in the admin interface.
Click the "Add new user" button.
It is imperative to secure the administration user of your Google account.
It is a good idea to have a separate user from the one you use day-to-day.
This admin user should have a secure passphrase, two-factor authentication enabled, and should likely be enrolled in the Advanced Protection Program.
IMPORTANT: Secure your Admin Account. It is essential to secure your administrator account properly.
One setting that you can change on your super admin account is to prevent that account from recovering its own password.
This means you need to have multiple super admin accounts (preferably owned/managed by separate people), so that one super admin can unlock another.
You can also restrict regular users from recovering their accounts, so that an admin is needed to unlock the account and reset the password.
To further secure your organization’s account, you can enable specific security settings.
You can enable and disable features of the Google platform per user, per group, or per organizational unit.
Calendar
Drive
Offline Docs
Publish on the web
Sharing settings
Approved domain senders
Automatic email forwarding
Attachment safety
These are just a few of the possible options you can enable or disable in your account.
Password and login policies are a typical setting you can also find in your Google account.
You can force strong passwords, disable password re-use, and cause password resets on a regular schedule.
You can force a session to expire after a set amount of time.
You can enforce that accounts have two-factor auth enabled.
You can disable access from "Less Secure Apps," such as third-party clients that don’t meet Google’s security standards.
You can enable "Login challenges", which will do extended verification (such as employee ID) if the login seems suspicious.
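The account advice above (more than one super admin, two-factor authentication on the admin account and enforced for everyone) can be checked from a user export. This is an added example, not code from the original page: it assumes records shaped like the Admin SDK Directory API `users.list` output (`isAdmin`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `suspended`), and the accounts in `SAMPLE_USERS` are constructed.

```python
import json

# Constructed sample shaped like Admin SDK Directory API users.list output
# (field names are the API's; the accounts themselves are made up).
SAMPLE_USERS = json.loads("""
[
 {"primaryEmail": "admin-alice@example.com", "isAdmin": true,  "isEnrolledIn2Sv": true,  "isEnforcedIn2Sv": true,  "suspended": false},
 {"primaryEmail": "bob@example.com",         "isAdmin": true,  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "suspended": false},
 {"primaryEmail": "carol@example.com",       "isAdmin": false, "isEnrolledIn2Sv": true,  "isEnforcedIn2Sv": false, "suspended": false},
 {"primaryEmail": "dave@example.com",        "isAdmin": false, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "suspended": true}
]
""")

MIN_SUPER_ADMINS = 2  # another super admin must be able to unlock a locked one


def audit_users(users):
    """Return a sorted list of (account, finding) tuples for active accounts."""
    findings = []
    # Suspended accounts cannot log in, so they are neither audited nor
    # counted as a usable super admin.
    active = [u for u in users if not u.get("suspended", False)]
    admins = [u for u in active if u.get("isAdmin", False)]

    # Disabling self-recovery for super admins only works with a second admin.
    if len(admins) < MIN_SUPER_ADMINS:
        findings.append(("<domain>", f"only {len(admins)} active super admin(s)"))

    for u in active:
        email = u["primaryEmail"]
        enrolled = u.get("isEnrolledIn2Sv", False)
        enforced = u.get("isEnforcedIn2Sv", False)
        if u.get("isAdmin", False) and not enrolled:
            findings.append((email, "super admin without 2-step verification"))
        elif not enrolled:
            findings.append((email, "2-step verification not enrolled"))
        elif not enforced:
            findings.append((email, "2-step verification enrolled but not enforced"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_users(SAMPLE_USERS):
        print(f"{account}: {finding}")
```
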
Advanced context-aware access rules are also an option.
You can set up rules that, when matched, require additional security.
First, you set access levels, which are tied to accounts, OUs, or groups.
Then an access level is configured with one or more rules.
For example, you might want to create an access level which limits logins to IP addresses from the US only.
If the above settings don’t cover your needs, you can also define more advanced specific rules.
This page is where you can also tie in audit events to warn about security issues.
Google will monitor the data in your account and generate a report on what types of data are there, and how much of each type has been shared.
There is also a monitoring dashboard with some important metrics.