Advanced Guide to Google Apps Security: Beyond the Basics
By Katie Thornton

Today’s post is the first in our four-part blog series on the advanced security settings and tools for Google Apps administrators. The complete guide to enhancing the security of your data can be downloaded here.
We create, store and share data bits every day. Email? Bits. Documents, spreadsheets, and slides? All bits. Social media posts? More bits. Google protects your Google Apps “bits” with secure data centers and encryption systems. But Google Apps security extends far beyond these basic settings and tools.
Google’s Approach to Security
As customers, we want Google to secure their applications and protect our data. To some extent, we rely on Google’s public statements.
Google articulates an overall corporate security philosophy on their website. The company publishes a detailed privacy policy and they offer a white paper that addresses “Google’s Approach to IT Security”. More specifically, Google addresses common concerns on their support pages: Who owns data stored in Google Apps? Who at Google can access my data? (The quick answers: you own your data, and only people at Google authorized by the privacy policy terms may access your data.)
External verification of security standards and procedures helps. As Google’s website asserts, “our data centers are… SSAE 16 / ISAE 3402 Type II SOC 2-audited and have achieved ISO 27001 certification.” The former means a third-party auditor has reviewed Google’s physical and logical security setup. The latter certification—by Ernst & Young CertifyPoint—indicates that Google has implemented ISO 27001 practices.
Google Apps and HIPAA compliance
If your organization handles Protected Health Information (PHI) in the United States, you’re likely required to protect that information under the Health Insurance Portability and Accountability Act (HIPAA).
The good news is Google will sign a Business Associate Agreement for Google Apps with your organization. (Actually, Google requires your organization to do so. As Google’s support page says: organizations “who are subject to HIPAA and wish to use Google Apps with PHI must sign a Business Associate Agreement (BAA) with Google.”)
However, the agreement covers just four Google Apps services: Gmail, Calendar, Drive, and Google’s add-on Vault service. (Google Vault provides archiving and discovery services for compliance purposes.)
Learn more from Google about HIPAA compliance and Google Apps here.
Google Apps: Security Settings
Calendar
As the Google Apps Administrator, you choose both the maximum level of calendar sharing with people outside the organization, and the default visibility of calendars internally. In all cases, Google Calendars are private by default, and only visible to others when shared.
External calendar sharing
Once shared, you may allow outsiders to see only free/busy information: all event details remain hidden. Or, you may permit outsiders to view all calendar information, then choose whether outsiders can—or cannot—change calendar items, or fully manage a calendar.
You may set the highest level of sharing allowed differently for primary and secondary calendars. Each person’s primary calendar is their default Google Apps calendar. Any additional calendar a person creates is a secondary calendar.
For example, you might restrict primary calendar sharing to free/busy information, but allow secondary calendar sharing to allow outsiders to change calendar items. This setting protects people’s primary calendar data, and permits calendar collaboration on secondary calendars.
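As an added illustration (not part of the original post), the check below audits calendar ACLs against the example policy just described: it flags any external grant that exceeds the maximum sharing level for primary or secondary calendars. It assumes the ACL entries are in the shape returned by the Calendar API’s acl.list (role names such as freeBusyReader, reader, writer, owner) and that the admin-console wording maps onto those roles as shown; the sample data is constructed.

```python
# Sharing levels from least to most permissive, using the Calendar API's ACL
# role names (assumption: the audit input is in the shape acl.list returns).
LEVELS = ["none", "freeBusyReader", "reader", "writer", "owner"]

# Admin-console wording used on this page mapped to those roles (assumption).
CONSOLE_TO_ROLE = {"no sharing": "none", "free/busy": "freeBusyReader",
                   "all information": "reader", "change events": "writer",
                   "manage": "owner"}

def is_external(scope, org_domain):
    """True if an ACL scope grants access outside org_domain.
    'default' scope means public; 'domain' scope is compared to ours;
    user/group scopes are checked by their address."""
    stype, value = scope.get("type"), scope.get("value", "").lower()
    if stype == "default":
        return True
    if stype == "domain":
        return value != org_domain.lower()
    return not value.endswith("@" + org_domain.lower())

def find_violations(calendars, policy):
    """Return (calendar_id, grantee, role) for every external ACL entry whose
    role exceeds the maximum allowed for that calendar type."""
    violations = []
    for cal in calendars:
        key = "primary_max" if cal["primary"] else "secondary_max"
        max_idx = LEVELS.index(CONSOLE_TO_ROLE[policy[key]])
        for entry in cal["acl"]:
            if not is_external(entry["scope"], policy["org_domain"]):
                continue
            if LEVELS.index(entry["role"]) > max_idx:
                grantee = entry["scope"].get("value", "public")
                violations.append((cal["id"], grantee, entry["role"]))
    return violations

# Constructed sample: the policy from the example above (primary calendars
# free/busy only, secondary calendars may let outsiders change events).
SAMPLE_POLICY = {"org_domain": "example.com",
                 "primary_max": "free/busy", "secondary_max": "change events"}
SAMPLE_CALENDARS = [
    {"id": "alice@example.com", "primary": True, "acl": [
        {"scope": {"type": "user", "value": "alice@example.com"}, "role": "owner"},
        {"scope": {"type": "user", "value": "vendor@partner.org"}, "role": "reader"},
        {"scope": {"type": "default"}, "role": "freeBusyReader"}]},
    {"id": "project-x@group.calendar.google.com", "primary": False, "acl": [
        {"scope": {"type": "user", "value": "vendor@partner.org"}, "role": "writer"},
        {"scope": {"type": "domain", "value": "partner.org"}, "role": "owner"}]},
]
```

Running find_violations(SAMPLE_CALENDARS, SAMPLE_POLICY) reports the primary calendar shared read-only with an outside user and the secondary calendar that grants an outside domain full management rights.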
Internal calendar visibility
You also choose the default amount of calendar information visible to people internally. You may choose a default setting of “no sharing”, “only free/busy information”, or “all information”. Each person can change the internal visibility of calendars.
Note that even if a calendar is visible to others, people may still mark a specific calendar event as private. Event details marked private are visible only to people who have the ability to make changes to events on that calendar.
Learn more from Google about primary, secondary and internal calendar sharing options here.
Help your colleagues learn how to change calendar sharing options here.
For the complete story on how to enhance the security of your Google Apps domain data, please download the complete guide to advanced security configuration and compliance below, and be on the lookout for additional eBooks in our Google Apps training guide series.