How many files do you share every day? And if you’re honest, do you always remember to unshare them when the project’s done? We’ve all been there, juggling multiple tasks, and sometimes we forget to tidy up access to those files we’re not using anymore.
Table of Contents
The role of automated security policies in compliance and data protection
-
Security by design
Data protection regulations like GDPR emphasize the concept of "privacy by design" and "security by design." Implementing automated data protection policies from the outset ensures that data security and privacy are built into processes and systems, promoting compliance with these design principles. -
Data minimization
Many data protection regulations emphasize the principle of data minimization, which means collecting and retaining only the data necessary for a specific purpose. Automated unsharing ensures that data is shared only for the duration it's required, automatically revoking access when it's no longer needed. For example, an HR services firm may share job applicants’ information with companies looking to hire, but once the recruitment process concludes, this data should no longer be accessible. -
Documentation and auditing
Compliance often requires organizations to keep records of data processing activities. Automated data protection policies provide an audit trail, documenting when and how data was shared and when access was revoked. This documentation can be essential for compliance reporting and demonstrating accountability. -
Least privilege
The principle of least privilege is a fundamental concept in data security. In essence, it means that individuals should only have access to the data and resources essential for their specific roles and responsibilities. Automated security policies ensure that data remains accessible only to those who genuinely require it, while eliminating the risks associated with excessive access privileges.
Risks of lingering shared files in Google Drive
-
Data breaches
In the initial stages of a project, we may grant broad access, because it is convenient for collaboration. However, as the project evolves, it often becomes evident that not everyone requires continuous access to these files. If excessive access is not revoked, this can lead to an unnecessary exposure of sensitive information and increase the chances of breaches. -
Unauthorized data alterations
When access is not promptly revoked, there's the possibility of files being edited without the knowledge of the owners. This can lead to misinformation and errors. For instance, in sensitive financial documents, uncontrolled access could result in financial inaccuracies or fraud. Imagine if profit figures were tampered with in a financial report at a later time without being detected. In the context of legal contracts, unnoticed changes may lead to contract disputes or legal liabilities. -
Data misuse
When access permissions are not promptly revoked, individuals who have left the organization can potentially exploit their continued access. This could include taking confidential data with them to a new job, for example. -
Legacy data exposure
Legacy data exposure can be a ticking time bomb for businesses with a long history. Over the years, these companies have accumulated millions of files, many of which were not properly unshared and still remain accessible. This includes files shared with external parties, a common example being files left over from past collaborations. The danger lies not only in the sheer volume of data but also in the lack of knowledge about the content and sensitivity of these files. To address this challenge, implementing a policy that would automatically remove access from files if they have not been opened for a specified period of time can be a game-changer. Such a policy would not only instantly identify and revoke access to all stale files, but also prevent their accumulation in the future. -
Fines for noncompliance
Many data protection laws nandate strict data access controls, including timely removal of access when it’s no longer necessary. Companies that do not promptly revoke access to files may find themselves facing not only financial penalties but also damage to their reputation and loss of trust among customers and clients. Picture a scenario where a healthcare or health insurance provider needs to share a patient’s health records with an external specialist for a consultation. To ensure patient confidentiality, these records need to be unshared as soon as they are no longer required.
Automated security policies for access removal
-
Set expiration dates for access permissions
One way to control file sharing in your organization could be to set up expiration dates for access permissions for all files in your domain, or only files in a specific Shared Drive or folder. That way, all sharing permissions would expire after a specified time period and all access would be automatically removed from the file, unless the file owner, project lead, or Shared Drive manager decides to extend access for an additional period of time. -
Set expiration date for sharing with a domain, user or group
If you are collaborating with a third-party vendor, freelancer or contractor for a limited time, it could be especially helpful to set up a security policy to automatically remove all their access to files on a specified date. That way, you don’t need to remember to do this yourself. Not only that, automation saves you time and ensures that all files are secured without delay. -
Automated data protection policies based on Drive labels
Drive labels offer an efficient way to categorize your data, and categorized data facilitates creation of granular data protection policies. For example, files labeled as “GDPR” can be automatically subjected to strict data protection policies, ensuring compliance with data protection regulations. - Click to learn more about using Drive labels for data security and compliance.
-
Automated policies for inactive files
Consider creating an automated security policy to remove all access from files that have remained unopened or unmodified for a specific period of time. The data in the inactive file is no longer actively needed, but it may contain sensitive information or information that may become sensitive over time. Allowing the file to remain accessible creates an unnecessary security vulnerability.
This automated security policy could also be implemented on an individual level, unsharing the file only with individuals who have not opened the file in a specified period of time. This ensures that data remains accessible only to those who actively need it, aligning with the principle of least privilege.
Automated security policies for access management
Removing all access to files is not always immediately necessary. Sometimes, it’s about adjusting who can do what before complete access removal.
-
Change access permissions
During a collaborative project, granting editor access to everyone makes sense. But once the project wraps up, changing all editors to commenters or viewers can be a way to prevent any further unauthorized alterations in the files. Creating an automated security policy to modify access permissions for everyone, or for specific users, groups, or domains based on certain criteria (e.g. Drive label changed from “In progress” to “Completed”) will save you time and guarantee data security. -
Change link settings
Sharing files with “Anyone with the link” is very convenient for collaboration, but it’s not always the most secure option. But with a proactive approach and the help of automated policies to save you time and effort, you can make it a secure choice.
For instance, you could create a security policy that automatically revokes access with the link from anyone, or only from specific domains. Another option is to set up a policy that automatically adjusts link settings from 'Anyone with the link can edit' to 'Anyone with the link can comment' or 'Anyone with the link can view'.
You could choose to apply this security policy to all files or only files that meet certain criteria, such as files located in a particular Shared Drive or folder, files with a certain label, or files of a specific type. -
Change sharing settings
There are times when you need an extra level of protection for your files. Google Drive gives you the options to change sharing settings per file. For instance, you can prevent editors from changing permissions and sharing, or restrict viewers and commenters from having access to options like download, print, and copy. These options are essential because they ensure that your files exist in only one controlled version and prevent unauthorized exposure. You could create a security policy to apply these settings automatically to files that meet certain criteria, to further enhance the security of your shared data in Google Drive.
Automated security policies for data classification
Automated policies to apply Drive labels to files that meet certain criteria empowers you to efficiently organize and categorize files, as well as apply data protection policies.
-
Automated data classification based on criteria
For instance, you could create a security policy that automatically assigns the label “Sensitive” to all files located in the Shared Drive “Legal Documentation” containing keywords like “confidential”, “classified”, “contract” or “private” in the file title. Subsequently, you could create a data protection policy that automatically revokes all external access to files labeled as “Sensitive”.
How to create automated security policies in Google Drive
-
Google's native DLP
Some editions of Google Workspace include basic time-based file unsharing policies with limited settings. In the Admin Console, go to Security > Access and data control > Data protection > Manage rules > Add rule.
Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials Plus. -
Utilizing third party tools like Florbs
If you require more granular controls and additional features beyond what Google's native DLP tool provides, you can opt for third-party solutions like Florbs. These tools often offer more advanced options for creating automated data protection policies.
Conclusion
In today’s digital era, data sharing and collaboration are common, but often, we forget to unshare files that are no longer needed. This oversight can result in security risks, including data breaches, misuse of data, and potential fines for noncompliance with data protection regulations.
Automated data protection policies in Google Drive offer a practical solution to these challenges. By implementing policies that automatically revoke access, manage access permissions, adjust link settings, and apply Drive labels, organizations can enhance data security, organization and compliance. Automated policies ensure that data is accessible only when necessary and eliminate the risk of human errors.
Google’s native DLP (data loss prevention) rules offer some basic functionality, that is worth exploring if your Google Workspace edition supports DLP features. If you’re looking for more advanced and granular controls, such as those discussed in this article, you may want to consider a third-party tool like Florbs Security & Auditing solution. Florbs offers a comprehensive set of tools for data security in Google Workspace that you can use to tailor security measures to meet specific requirements of your organization.
About the author
Niek Waarbroek
Niek is a certified Google Developer Expert with over 12 years of experience in Google Workspace. Witnessing numerous businesses struggle with similar challenges in Google Workspace, he took it upon himself to develop Florbs to help businesses protect their data in Google Drive.
