File Encryption in Google Drive: An Administrator’s Guide
| File Encryption in Google Drive: An Administrator’s Guide 1
virtru.com
The Advantages of Cloud Storage and Collaboration
According to the RightScale 2015 State of the Cloud Survey, 93% of enterprise businesses
are already using cloud services. Even if your business hasn’t adopted cloud apps as
part of its technology policy, chances are good your employees are still using services like
Dropbox and Google Drive to store and share company files.
While it may seem obvious that employees storing and sending files via cloud services
without oversight is a security hazard, it’s important to understand why, and to recognize
that this may already be happening in your organization. Beyond the risk of weak
passwords and account takeover of your employees’ individual cloud accounts, every
person an employee shares a file with becomes another point of exposure: a copy of the
file now lives in an account you do not control. And remember that webmail services like
Gmail double as file storage and sharing channels, so attachments sent there sit outside
whatever controls you apply to Drive.
Granted, this doesn’t mean you shouldn’t move your business to the cloud. Cloud
storage and apps — Google Drive in particular — offer unprecedented scalability,
convenience and opportunities for collaboration, all of which are requirements for
the modern enterprise. And with the right privacy and security measures, you can enjoy
the benefits of Google Drive with no added risk to your organization.
The Importance of Data Security for Cloud Storage and Collaboration
When you move to the cloud, you’re delegating your data security to your cloud
provider. While most offer a variety of protections, the data security and privacy threats
to your enterprise are invisible to your security team — that is, until you get attacked.
What’s the true price of data theft? Between loss of intellectual property, regulatory
non-compliance fines and a potential loss of customers and clients, the damage can pile
up quickly. According to IBM’s 2015 Cost of Data Breach Study, the average data breach
costs 3.79 million dollars when you add up lost property, fines and other damages, and
that figure has been rising year over year.
Regulation and Compliance
If your business uses a cloud storage solution, it’s crucial that you’re aware of any
compliance protocols your company must adhere to, as well as their cloud security and
privacy requirements. Let’s take a look at five common compliance protocols and why
cloud encryption is important for each:
• HIPAA (The Health Insurance Portability and Accountability Act)
Doctors, nurses, hospital administrators and insurance professionals must all
consider HIPAA compliance on a daily basis. However, any organization that deals
with protected health information (PHI), from HR departments to universities to
government agencies, must take special care to protect health data.
The key to maintaining HIPAA compliance, and avoiding costly penalties for slip-ups, is
keeping PHI secure and private. Under the HIPAA Security Rule, encryption of stored PHI is
an "addressable" specification rather than a flat requirement, but under the breach
notification rule PHI that was encrypted according to HHS guidance is not "unsecured PHI",
so its loss or exposure is not a reportable breach. In practice that means any patient data
stored in the cloud, whether it’s a brief overview of a recent appointment or a patient’s
most recent lab reports, should be stored encrypted, with the keys held outside the storage
provider.
• CJIS (Criminal Justice Information Services)
Law enforcement and government agencies on the federal, state and local levels
are responsible for maintaining CJIS compliance to access federal databases of
deeply sensitive criminal justice data. This data, which includes everything from
fingerprints to background checks, can often make or break a case. Agencies who
lose compliance are stymied in their ability to enforce laws and protect the public,
and face substantial fines and penalties.
CJIS compliance requires not only data protection (including encryption), but also
access control and an auditable chain of custody for all criminal justice information.
That means all data needs to be locked down with client-side encryption and
centrally managed.
• PCI (Payment Card Industry)
Any business that deals with credit card data, including most online merchants,
needs to meet the requirements set out by the PCI Security Standards Council. One
of the most important aspects of PCI compliance is protecting cardholder data. That
means avoiding storing a customer’s credit card data anywhere on your servers if
possible — but if you must store this data, it needs to be encrypted.
• ITAR (International Traffic in Arms Regulations)
ITAR requires that manufacturers, exporters, and brokers of defense products and
services take extra national security precautions when doing business. Companies
that fail to secure defense data can find themselves on the hook for millions of
dollars in fines, and might be allowing dangerous information to fall into the hands
of our country’s enemies. Cloud encryption, firewalls and other data security best
practices need to be used to protect ITAR data.
• FERPA (The Family Educational Rights and Privacy Act)
FERPA gives students and their parents the right to review, challenge, and consent to
any disclosure of educational records, provided they go to an educational institution
that receives federal funding. As students and teachers make increasing use of cloud
storage and email to communicate and turn in work, and as teachers email parents
to check in on students, the vulnerability of unencrypted cloud storage becomes a
threat to FERPA compliance.
Your Data Is Your Business. Keep It Protected.
According to the NetIQ 2015 Cyberthreat Defense Report, over 70% of organizations
surveyed reported being successfully compromised by a cyberattack in 2014. What are all
these cybercriminals going after? As it turns out, your servers contain plenty of data that
hackers (and even unwitting users) can expose to unintended eyes:
• Legal Data. There’s a reason why the American Bar Association has an entire page
on its website dedicated to encryption. A breach of sensitive legal data, whether
a simple case of user error or a malicious attack, can rack up costly fines and fees, as
well as damage your company’s reputation and your clients’ sense of trust.
• Financial Data. This can include your own internal accounting information, customer
credit card data, company credit cards and other sensitive financial documents. If you
process credit card transactions for customers, those credit card numbers can be batch
sold on the black market. Hackers know that banks are proactive about detecting fishy
transactions, so they need massive quantities of card numbers to make the effort worth
their time.
• Human Resources (HR) Data. Any business that houses sensitive personal data, like
social security numbers, is a major draw to criminals seeking to steal someone’s identity.
All those tax documents your new hires have to fill out? Those are potential cash grabs
for someone with bad intentions and some hacking know-how.
• Intellectual Property. Though harder to put a number on than physical goods, your
IP is one of your business’s most valuable assets, and one that your competitors might
love to get their hands on. Your patents, your published documents and your trade
secrets make your business tick. Don’t let them fall into the hands of corporate spies.
Integrated Email and File Sharing
One of the biggest draws of Google Apps is the way it seamlessly combines file sharing
and collaboration functionality with scalable, cost-effective cloud storage. A single
document can be shared easily while leaving a clear audit trail of who accessed it.
With that many people handling data, and with data moving from app to app (from
Google Docs to Drive to Gmail, where it may be sent to another team or client), an
enterprise-ready cloud security solution has plenty of contingencies to cover, especially
once your employees become attached to the convenience of integrated email and file
sharing.
Requirements for the Cloud Era
Data encryption is particularly important in the cloud era, now that organizations don’t
have as much ownership of, or visibility into, the infrastructure and applications that
make their businesses tick. Any viable encryption solution for cloud-hosted files and email
requires three basic things: key management and control, ease of use, and persistent,
data-centric protection.
1. Key Management and Control
The main benefit of encryption, beyond protecting against data theft and leaks,
is to control access to your data. Many encryption solutions put the decryption
keys necessary for unlocking your data in the hands of the company providing
the solution, which means that company, anyone who compromises it, and anyone who
can legally compel it can read your content. Only a true client-side encryption solution,
where data is encrypted before it leaves your devices and the keys stay under your
control, gives you complete, granular control over who can unlock and access your content.
2. Ease of Use
For enterprise cloud encryption to be a viable solution, it doesn’t just require the best
in security and control — it also requires convenience. Any security solution is only
effective if it’s being used consistently. Organizations moving to Google Drive expect
ease of use and simplicity, and legacy approaches to client-side encryption just don’t
meet this need.
3. Persistent, Data-Centric Protection
Truly secure enterprise cloud encryption solutions must include data-centric protection.
Your business can’t afford a major loss of data because your encryption solution isn’t
compatible with one of your cloud applications, or because a file was compromised on the
recipient end. For truly enterprise-ready security and privacy, data needs to be
individually wrapped, not service-dependent. That means that when your important
document moves from Google Drive to Dropbox to your recipient’s desktop, its protection
is never compromised.
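The two requirements above that are concrete enough to show in code, keys held by the data owner (item 1) and protection wrapped around the file itself rather than supplied by the storage service (item 3), can be illustrated with client-side envelope encryption. The Go program below is an added example written for this guide; it is not Virtru’s or Google’s code, and the blob layout, the Wrap/Unwrap function names and the sample file name and contents are all assumptions made for the illustration. It uses AES-256-GCM from Go’s standard library: each file gets a fresh data-encryption key (DEK) that is wrapped under an organization-held key-encryption key (KEK), and the file name plus an expiry timestamp are bound into the authentication tag, so the resulting blob can sit in Drive, Dropbox or a recipient’s desktop without the provider being able to read it or silently alter its metadata.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"time"
)

// Blob layout (an assumption made for this example, not any vendor's format):
//   [8] expiry, unix seconds, big-endian: authenticated as AAD, not encrypted
//   [12] KEK nonce, [48] DEK wrapped under the KEK (AES-256-GCM: 32-byte key + 16-byte tag)
//   [12] file nonce, [..] file body under the DEK (AES-256-GCM) followed by its 16-byte tag
const (
	expiryLen  = 8
	nonceLen   = 12
	keyLen     = 32
	tagLen     = 16
	wrappedLen = keyLen + tagLen
	headerLen  = expiryLen + nonceLen + wrappedLen + nonceLen
)

var ErrExpired = errors.New("file has passed its expiry")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds the expiry and the file name into the GCM tag, so whoever stores
// the blob cannot change either without decryption failing.
func aad(expiryBytes []byte, name string) []byte {
	return append(append([]byte{}, expiryBytes...), name...)
}

// Wrap encrypts plaintext on the client under a fresh per-file DEK, wraps that
// DEK under the organization-held KEK, and returns one self-contained blob that
// can be handed to any storage service or recipient.
func Wrap(kek []byte, name string, plaintext []byte, expiry time.Time) ([]byte, error) {
	random := make([]byte, keyLen+2*nonceLen) // fresh DEK plus both nonces
	if _, err := io.ReadFull(rand.Reader, random); err != nil {
		return nil, err
	}
	dek, kekNonce, fileNonce := random[:keyLen], random[keyLen:keyLen+nonceLen], random[keyLen+nonceLen:]
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dekAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	blob := make([]byte, expiryLen, headerLen+len(plaintext)+tagLen)
	binary.BigEndian.PutUint64(blob, uint64(expiry.Unix()))
	blob = append(blob, kekNonce...)
	blob = kekAEAD.Seal(blob, kekNonce, dek, nil) // appends the 48-byte wrapped DEK
	blob = append(blob, fileNonce...)
	return dekAEAD.Seal(blob, fileNonce, plaintext, aad(blob[:expiryLen], name)), nil
}

// Unwrap reverses Wrap. Only a KEK holder can recover the DEK, and the expiry is
// acted on only after the tag has proven it was not altered in storage.
func Unwrap(kek []byte, name string, blob []byte, now time.Time) ([]byte, error) {
	if len(blob) < headerLen+tagLen {
		return nil, errors.New("blob too short to be a wrapped file")
	}
	expiryBytes := blob[:expiryLen]
	kekNonce := blob[expiryLen : expiryLen+nonceLen]
	wrapped := blob[expiryLen+nonceLen : headerLen-nonceLen]
	fileNonce := blob[headerLen-nonceLen : headerLen]
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekAEAD.Open(nil, kekNonce, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	dekAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	plaintext, err := dekAEAD.Open(nil, fileNonce, blob[headerLen:], aad(expiryBytes, name))
	if err != nil {
		return nil, fmt.Errorf("decrypt body: %w", err)
	}
	if now.After(time.Unix(int64(binary.BigEndian.Uint64(expiryBytes)), 0)) {
		return nil, ErrExpired
	}
	return plaintext, nil
}
```

To use it, call Wrap with the organization’s KEK, the file name and contents, and an expiry, upload the returned blob in place of the file, and have authorized recipients call Unwrap with the same name. The expiry is checked after the tag verifies, so a storage provider or recipient who edits the timestamp only causes decryption to fail rather than extending access; it is still enforced only by honest clients. Revoking a copy someone has already downloaded needs an online key service that refuses to release the DEK, which this offline example does not model.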
Built-In Security in Google Drive
If you use Google Drive, there are several measures you can take to lock down your
cloud storage and email, but knowing what each one covers is half the battle. While Google
has done a good job of providing a secure email and file-sharing platform for both
individual users and businesses, you have to look under the hood, and in some cases outside
of Google, to keep your data safe.
What’s Included in Google Drive?
One of the biggest advantages Google offers is its size and resources. Hosting your files
on Google’s servers means your data is protected by 24/7 surveillance, redundancy
in case of an outage and compliance with a number of important security regimes,
including ISO 27001 certification, SOC 2 and SOC 3 Type II audits. That takes the burden
of powering, securing and supporting a datacenter off of your enterprise’s shoulders,
so you can focus on business at hand.
Beyond its huge scale and resources, Google offers a number of important security
features, including multi-factor authentication, single sign-on (SSO) and even native
encryption in transit via SSL/TLS. However, that encryption is not client-side: Google
holds the keys, so Google itself can read the content, and once a file or email leaves
Google for another application or email service it carries no protection of its own and
can still be compromised.
Google’s Recommended Security Best Practices
Google has recommended a number of security best practices for those using Google
Apps for Work. These include setting up two-step verification (providing an extra layer
of protection to your account during authentication), monitoring user behavior reports
from the Google Admin Console and using Google’s four built-in defenses against email
spoofing. While following these best practices will certainly help bolster your enterprise’s
security posture, additional protections like data-centric encryption may be beneficial or
required.
When to Add Additional Security to Google Drive
Out of the box, Google Apps offers excellent security features and functionality, but
depending on your business’ privacy needs, you may need to take a layered approach to
your security. Some examples include:
• HIPAA Compliance. If your business is subject to HIPAA compliance, you’ll want to sign
a Business Associate Agreement (BAA) with Google and also add client-side encryption
if you ever share PHI with third parties who are not using Google. More detail on Google
Apps and HIPAA compliance can be found here.
• CJIS or ITAR Compliance. For these compliance regimes and other regulations that
require client-side encryption, standard Google Drive won’t meet the need.
• Requirement or Desire to Manage Encryption Keys. If your business needs to
protect sensitive information and ensure that no third party, including Google, can
access your content, you’ll want to add a client-side encryption solution that lets you
manage the encryption keys. This means that you, and only you, can authorize who has
access to which content and for how long.
Introducing Virtru
Virtru makes it easy to provide data-centric protection for the files you store in Google
Drive. By combining military grade encryption, cloud-based access and controls and
seamless integration with applications like Google Apps for Work, Virtru makes your
cloud solution more secure without getting in the way.
Central to Virtru’s encryption philosophy is the idea that data needs to be locked down
independent of where it is. From an Excel spreadsheet stored in Google Drive to a PDF
email attachment, your files should be accessible only to the recipients you allow and
protected on every server or device they end up on. Only you should own the keys to
that data. By locking down your files at the source, you can enjoy added peace of mind
knowing that data-centric encryption is keeping your most sensitive data safe wherever
it goes.
Whether for regulatory compliance, security or corporate privacy, Virtru is the easiest
way to protect sensitive information. Try Virtru for Google Apps here.
Checklist for Cloud Security
The following checklist will help you evaluate your organization’s need for cloud file and
email encryption and determine appropriate solutions to meet your requirements.
For each requirement, record: Needed in My Organization (Y/N) | Google Apps Alone | Vendor A | Vendor B | Vendor C
Privacy Requirements
• Do you need to protect HR information?
• Do you need to protect legal information?
• Do you need to protect financial information?
• Do you need to protect intellectual property information?
Regulatory Requirements
• Do you store personal health information (PHI)?
• Do you share personal health information (PHI) with third parties outside your organization?
• Is your organization subject to CJIS regulation for criminal justice information?
• Is your organization subject to FERPA regulation for student information?
• Is your organization subject to ITAR regulation for defense information?
• Does your organization have data residency requirements?
Functional Requirements
• Does your organization require client-side encryption?
• Do you need to manage your own encryption keys?
• Does your organization need to be able to revoke or expire files stored in the cloud?
About Virtru
By combining military grade encryption, cloud-based access and controls and seamless
integration with applications like Google Apps for Work and Microsoft Exchange,
Virtru enables security without getting in your way. Whether for regulatory compliance
like CJIS, data security, or corporate privacy, Virtru is the easiest way to protect sensitive
information.
www.virtru.com