A practical guide to securing Google Workspace for a startup (fleetdm.com)
261 points by gepeto42 on Feb 25, 2022 | hide | past | favorite | 62 comments



My advice is to never, ever, ever rely on Google Workspace for a startup. Office 365 is a little bit less usable, but Microsoft can work with businesses.

I used Google Workspace for a startup. Startup went idle for a while. Google sent a message to me warning the account would be terminated unless I logged in on some short timeline. GMail filed its own email as spam. Boom. Everything from that startup was gone.

I used Google Workspace for my family domain. Google decided to discontinue GSuite/Free. Now, I'm SOL.

I've had similar experiences with Youtube. I built a major startup with Google as a partner. Videos were on Youtube. Google had 4 engineers assigned to us. Youtube has a bug which took us down. There was no way to resolve the bug, even with a team supporting us (in a different part of Google). We had to migrate off.

I've more recently been involved in businesses integrating with Workspace. On the API side, Google suddenly required a security audit for our business integrations to keep working. That's tens of thousands of dollars. Many small businesses went under when Google introduced this. (https://www.prescientsecurity.com/google-oauth-api-verificat...)

We also had an extension, which is in the process of breaking with Manifest V3 (https://www.eff.org/deeplinks/2021/12/chrome-users-beware-ma...). Again, many Google partners are going out-of-business over this.

Each time I've done business with Google, I've eventually been !@#$%.

These are all true stories, but they're not all the true stories I have. I have a much longer collection of stories of being !@#$% by Google. Some I can't talk about have to do with Workspace security issues. BOY was that a rabbit hole. If I could talk about it, you'd never do business with Google either. Google has excellent security for their data, but not for your data.

Google doesn't mind killing your livelihood with random changes like these. It happens over, and over, and over. Everyone thinks it won't happen to them, until it does.


As a Gsuite customer, I do mostly agree. I'll say I'm very pleased with GSuite, but I also think that Google is about as bad as it gets with regards to customer service, and I would never put customer data into Google Cloud since I would never risk losing that data due to their idiotic, inane systems deciding to ban me, and no support channel for getting it back.


Yep. You can't count on Google to be anything other than an advertising company and even then it's a pretty bad one at that e.g. https://talktotheduck.dev/production-horrors-handling-disast...

Even search which used to be its crowning achievement isn't great for most terms. SEO dominates google completely.


If your business relies on it, whatever "it" is, then you probably need to pay for it, so that if it has some serious problem, you can call up a human and either beg or yell at them to fix it, depending on the situation.

I've always thought it madness to even rely on gmail for a business, who can cancel you whenever.


The problem is if you pay Google for "it," you're still treated as a statistic, same as the non-paying customers. It's deep in the corporate DNA. Google Workspace isn't free, and neither is the rest of GCP.

I've had multi-million dollar engagements with Google, and you're just as vulnerable to this stuff as the free ones. I've had things escalated through one of Eric Schmidt's direct reports, and I was still vulnerable.

And as a footnote, I do subscribe to Google One on my soon-to-be-terminated Workspace account. I'm not sure why Google is terminating a service I paid for.

If you pay Google, you can talk to human beings, perhaps, but they're no more empowered to solve your problem than their web pages.

Microsoft and Amazon have always provided real support. Things get escalated to engineers who fix things if need be. Things also don't get whack-a-moled for no reason; they're aware that bankrupting my business isn't good for their business, even if the short-term ROI on sustaining a legacy API or something is negative.


Oh right. I suppose "paying for it" is necessary, not sufficient. I wouldn't know; I've paid a much smaller company for all my services and such, though they're not super office-y; but website and email related things.


Nice guide. I would also suggest checking your domain's MX records to ensure you have things configured correctly including DKIM etc. Google has this tool that gives your domain a scan:

https://toolbox.googleapps.com/apps/checkmx/


We did mention DMARC DKIM etc but I did not put a link to this very useful tool. Feel free to submit a PR and we'll merge it - https://github.com/fleetdm/fleet/edit/main/handbook/security... - or if you don't mind I can also add it on my side next time I make an edit.


Yes, of course, go ahead and add it :)


Just wanted you to know that this made a huge difference on my most important domain, today. I appreciate your pointing it out because I assumed Gmail would automagically handle everything


Glad to be of help. I also found this the hard way. Google Workspace doesn't do this by default


Neat but inadequate. My domain passes all the checks, yet I already know that I have SPF and DMARC set, but so that spoofs get through. A proper tool should have flagged that.

I rather like easydmarc.com. They charge for analytic services but you can use their checker for free. They also have very easily digested guides and recommendations for setting up the various records.
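As an added example (not part of the thread or of Fleet's guide), a small Python checker that parses SPF and DMARC TXT records and flags the permissive settings the comment above is talking about: records that exist and "pass" a presence check but still let spoofed mail through. The records are constructed samples, and the `_spf.google.com` include is Google Workspace's published SPF target.

```python
# Constructed sample records (not from any real domain): a setup that passes a
# basic "record exists" check but still lets spoofs through, and a strict one.
WEAK_SPF = "v=spf1 include:_spf.google.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_SPF = "v=spf1 include:_spf.google.com -all"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# What each permissive terminal SPF qualifier means for a spoofed sender.
SPF_ALL = {
    "+all": "SPF ends with +all: any sender passes",
    "?all": "SPF ends with ?all (neutral): spoofs are not rejected",
    "~all": "SPF ends with ~all (softfail): relies on DMARC to act",
}

def spf_findings(txt):
    """List weaknesses in an SPF TXT record; an empty list means none found."""
    parts = txt.lower().split()
    if not parts or parts[0] != "v=spf1":
        return ["no SPF record"]
    mechs = parts[1:]
    terminal = mechs[-1] if mechs else ""
    if terminal in SPF_ALL:
        return [SPF_ALL[terminal]]
    if terminal != "-all" and not any(m.startswith("redirect=") for m in mechs):
        return ["SPF has no terminal all mechanism (implicit neutral)"]
    return []

def dmarc_findings(txt):
    """List weaknesses in a DMARC TXT record; an empty list means none found."""
    tags = {}
    for item in txt.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofs are only reported, never blocked")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC p tag missing or invalid")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC sp=none: subdomains can be spoofed freely")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua tag: no aggregate reports to spot abuse")
    return findings

def assess(spf_txt, dmarc_txt):
    """A domain is spoofable unless both lists come back empty."""
    return {"spf": spf_findings(spf_txt), "dmarc": dmarc_findings(dmarc_txt)}
```

Feed it the TXT records for the domain and `_dmarc.<domain>`; the weak sample above returns a softfail and a `p=none` finding even though both records are present.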


This is how we secure Workspace here at Fleet. We figured the guide could be useful to companies of a similar size. The next step would be to enable Endpoint Verification to control access to specific apps such as Drive so it could only be done from up to date, encrypted devices, but that requires the highest Google subscription.


We've been meaning to write about this. You can actually do it with just Google Business, but you have to then also buy their Identity service, which I forget the name of. It's packaged into Enterprise edition but also sold separately.

We also reached out to sales and got a deal, explaining we didn't want to pay prices designed for companies with 1000s of employees.


Super cool, thanks so much for publishing. I'll even use this for my family's Google business personal emails - I have found the Google apps admin to be a bit intimidating and I was nervous to adjust defaults, but the quarantine options seem very approachable and valuable.

It’s also been a while since I’ve seen a nice quick Mac OS security settings list to go ahead and toggle.

My only request would be additional guide for iOS security. The iVerify app suggests some good defaults


I'm excited to see how Guillaume is sharing our security journey as Fleet grows!


Another tip - enable Advanced Protection Program. You can't enforce this at the GSuite level, but for a small company it's easy to just audit for it.

We have everyone do this as part of onboarding and we audit once a month.


Yes! With advanced protection you get enforced security keys, recovery only through admins, enforced safe browsing in Chrome. It's a nice way to get a bunch of improved controls in one shot.

Would be nice if Google allowed enforcing it with a grace period for new accounts though!


Agreed - there's basically nothing in GSuite about it, except the indicator on a user's page. It's enough for manual auditing at least. But since we handle it during our onboarding and we're small enough for a manual audit it works out alright.


One hundred percent agreed. Not sure why Google doesn't allow enforcement of this for Workspace accounts.

This is a great guide, I just wish Google made it easier to be "secure by default". It's very difficult to know all the various toggles you need to have switched on to be secure.


I enjoy the enhanced security that advanced protection program offers, but miss being able to use gmail in exchange mode, specifically because it allows receiving push notifications for new emails without having to trust gmail's iOS app, which always spooks me as being an extra tracking app on my phone.


FYI to setup an alert like "Out of domain email forwarding" -- you have to go to Reporting > Login. If you go to Rules and click "create rule" it'll take you to Reporting > Admin, which won't have the Login event types.


Great advice. This is such a classic attack.


Thoughts on using Event Threat Detection / Chronicle or exporting logs to GCP and beyond for analysis?

https://cloud.google.com/security-command-center/docs/how-to...

https://cloud.google.com/logging/docs/audit/configure-gsuite...


I would be interested in hearing about experiences with these threat detection systems in general. They're typically quite expensive, and I always wonder whether they actually produce reliable alerts. I'm conditioned by noisy virus scanners and firewalls, and wonder whether these corporate threat detection systems have a similar signal:noise ratio when it comes to alerts.


I concur, interesting but has always been expensive.

And looking this up:

> If your total annual Google Cloud spend or commit is less than $15 million, the annual cost of Security Command Center Premium is 5% of the larger of the following:

> Your committed annual Google Cloud spend (for deals up to the term of your commit), or Your actual annual current annualized Google Cloud spend (for deals up to one year) There is a minimum annual cost of $25,000.

Yeah I need to be a few orders of magnitude bigger before this is anything close to sane.


Thanks for this! This kind of domain security is usually poorly articulated or just not out in the open. I still think the basis of most risk for small companies is their domains. Lose control of those and well.. you're fucked. Any recs for "high security" domain providers?


You are 100% right that the domain is the keys to the kingdom.

Definitely only use registrars and DNS providers that have 2FA. Google has a registrar now, as well as DNS in GCP https://cloud.google.com/domains/docs/register-domain and https://cloud.google.com/dns. By using those you can leverage your Google account's security (use separate accounts for admin level access on GCP and enforce hardware 2FA), and control who gets access using IAM. AWS has similar options.


This ties into an issue I preach everywhere I can: At least three different companies I've been associated with, including one F500, lost control of their domain due to the following process:

Someone in marketing got an email from some contracted SEO consultant, which said "I need your domain transfer codes". Marketing goes to a VP and overrides everyone in ops, everyone in security, and basically everyone who would say "no" because tech people just get in the way.

So suddenly, the domain is transferred to Bluehost using their DNS, the MX records that served 8000 mailboxes are pointed at some "cPanel with five free POP3 accounts" service, and the subdomain that ran your SaaS no longer resolves. But your landing page has better SEO.


Cloudflare also offers a registrar and 2FA if you don't want all your eggs in one basket (and I would recommend not putting every egg in one basket, since Google occasionally does shut down accounts and you'd even lose future emails if you are locked out of their registrar).


Love how everything is out in the open... big fan of transparency!


Thanks. There is no need to keep most security controls for common tools secret, and the more organisations discussing how they do it the better.

For example, a small org with no security people or a non-profit could be made much more secure by following this, so why not publish it?


I’m surprised you disable the google drive feature. We’re not that worried about local files leaking even if the laptop is stolen, given apple’s hardware encryption.

On the other hand, the workflow of “manually download file, modify file in app, manually upload file” is clumsy and error prone, often leaving files stranded on the laptop.

On the gripping hand, google drive (as it is called again) seems to crash every few days so perhaps your restriction isn’t much of a limitation :-(


I would only enable Google Drive local sync on laptops that we know are company owned. The guide didn't cover "Context-aware access". Depending on how you work, it is surprising to see that most people don't even mind that they can't sync files locally, where in other companies it would be completely impossible. I guess it comes down to how much of your work is Google Docs/Sheets vs other file types.


Thanks for writing this up; this is very helpful. One of my tasks is coming up with security policies for people in the startup I'm the CTO of. One of the less glamorous things I get to do in this job.


That is exactly what it is for! We will be adding more about how we secure Fleet to our handbook, check it again in a few weeks and it should have even more stuff that a startup CTO can use!


It never made sense to me that large software suites like these don't offer a secure by default option on creation or as a progressive migration after creation. Why so many steps...


Secure is very subjective. One of the tasks in the article is enabling email quarantine for encrypted attachments. What if an org receives a lot of encrypted attachments as part of their business, that option would slow them down. Or what if an organization is in a country that can’t easily receive yubikeys, why would they want to enforce those?


I wish it had a feature in the admin section where one could disable different 2FA methods. For example, in my family everyone has SMS as a 2FA, as well as hardware tokens and device prompts. SMS was there from the beginning, so everyone has it activated. Only one account is not using hardware tokens.

So what I'd like to do is to set SMS to off, and all the accounts which already have something like device prompts and/or at least one hardware token added, get SMS deactivated without user intervention.


There is, though it is not ultra granular. They introduced it last year and we mention it in the guide.

https://workspaceupdates.googleblog.com/2019/03/more-control...

Essentially you can enforce 2FA or not, then, you can allow ANY method, any method BUT telephony based (calls and SMS), or hardware security key only.

The middle option for most people is a great one as it allows Google Prompt (push notifications) as well as Google Authenticator style OTPs, plus security keys.


Awesome - did not realize they had rolled this out either!


Good to know, thanks! It's exactly what I need.


Turning on trust devices makes users a TON happier.

You'll still get a password prompt if elevating security profile for something higher privilege in my experience.


That is true especially if your sessions are made very short, which requires the more expensive Google Workspace edition. But if sessions are long, the risk is users lose access to their 2FA and don't notice until it becomes a bigger problem...


Nothing about Addons/MarketApps? Should one disable all? Can we manage the access they have to the domain/user data?


The API Access section covers OAuth apps. Essentially you:

1. Mark Google services you consider critical as "restricted" (ex: Drive, Gmail)

2. On Gmail and Drive, you can then allow apps that use lower levels of permissions, but not those that need "dangerous access"

3. Then on a per-app basis you can mark apps as "trusted", which lets them access "restricted" Google services.

It is not super granular in the sense that you can't easily say - Calendar2000 can be used by my sales team, and should have access only to the invites date and time but not attendees, body or attachment, but it is better than nothing!


I wonder if using tailscale and yubikeys with Workspace is a configuration that would provide security, if possible.


I went through a very similar process earlier this month. This is a solid guide.


I was hoping that there will be something in the guide for session hijacking.

I have recently seen many youtubers having their channel hijacked due to hackers taking over their Google account.


That requires their endpoint to be compromised, doesn't it?


Written by a former colleague whom I trust and who knows the space! Very good explanations and easy to follow.


This article covers Macs as well.

I wonder about Windows.


Hi! We will eventually cover other OSes. In the meantime, for Windows, Microsoft has good guides, though they are usually very lengthy - https://techcommunity.microsoft.com/t5/microsoft-security-ba...


May I ask what you are using for endpoint management? Are you using JAMF, Intune, something else? Are you using an always on VPN to all users? All cloud based or on-prem infra? DNS security? Endpoint protection?

Thanks for posting the guide!


We use Jamf and DataJar for patch management, and we have been happy with both. DataJar's customer service/sales is lousy, but they are the only game in town.


Try to do the same for Azure Ad + intune + office 365 + ... Hundreds of pages....


Haha.. I tried a bit and failed to get it to hang together with some poking.

One user request was to STOP the "windows hello" PIN requirement, and just have a password (+ MFA) for login. Does anyone know how to do this with either standard Office 365 subscriptions, or office 365 + Intune or similar? Would love not to have to do Azure AD outside of the office subscriptions. Microsoft has a fair number of SKUs these days that kind of overlap (and get renamed).


Can do!

From the Endpoint Manager (endpoint.microsoft.com) hit "Devices" and then "Windows Enrollment". Click "Windows Hello for Business", and click "Disabled".


This is super helpful. Passing over to the orgs using Workspace in my world.


Given Google's capacity for freezing organizations and individuals (even those who are paying customers of its products) from Google services out of the blue and with little to no recourse, I'd most recommend that you secure your startup best by simply not even using google for key parts of its operations if at all possible.


And all the downvotes! From the same site in which so many other people complain about so many ways in which Google hurt them or their business in some way. Absurd.


People shouldn't use Google Workspace after Google decided to make existing legacy users hostage for money. [1] Everyone should use Office 365 or other alternatives.

[1] https://thenextweb.com/news/google-gsuite-free-alternatives-...



