User Access and Authentication Controls in G Suite

Perhaps the biggest reason more IT managers don’t migrate their organizations to G Suite is a fear that they don’t have the tools at their disposal to make G Suite secure.

One of the key aspects of your G Suite domain’s security is user access and authentication controls. These controls dictate who can log into your domain and by what means. Let’s discuss some of the essentials to understand regarding these controls.

Set up domain administrator recovery options

No single security protocol is more important than your domain’s administrator recovery options. A G Suite domain administrator has the keys to the kingdom, in that they can alter any setting, delete any user, and purge any data residing in your domain. Thus, if a domain administrator’s G Suite account is compromised, there is no more important task than regaining control.

Google offers three methods of verifying an administrator’s true identity outside of G Suite, but using them requires that the administrator has a contact mobile phone number, non-domain email address, and administrative access to your domain’s URL DNS provider account on file with Google – before the admin account is lost. Failure to set up these recovery options and a hacked G Suite admin account could take down your entire domain, perhaps permanently.

Require SSL & TSL

You can require users employ a Secure Sockets Layer connection to access their G Suite accounts. While the Internet connection inside your offices may be sufficiently secure that an HTTPS connection isn’t necessary and, to be honest, SSL connections are slightly slower than unsecured HTTP connections – requiring SSL ensures it is used when your employees link to other networks.

Another option is Transport Layer Security (TLS) which encrypts mail for secure delivery. If this setting isn’t turned on, Gmail will send an email through both secure and nonsecure connections depending on what is available. However, an admin can require all mail be transmitted via a secure connection by turning on the TLS setting. Together, SSL and TLS enforcement is the ounce of prevention that is worth a pound of cure.

Configure Two-Factor Authentication

Two-factor authentication under G Suite requires users to pair a mobile phone or smartphone with their G Suite accounts and use that phone as part of their G Suite login process. When logging into a two-factor-protected G Suite account, Google requires the user provide both a password and a numeric code sent by SMS message or security app to their mobile phone.

With two-factor authentication enabled, even if a hacker steals a user’s password, that password alone can’t grant the attacker access to G Suite; the hacker would need the mobile phone, too. (Stealing the phone has the same drawback for attackers; they would need the user password, too.) More simply, two-step verification makes it all but impossible for a hacker to gain access to a G Suite account by a software-based attack; access to G Suite requires physical access to a particular mobile phone, and most hackers can’t or won’t go that far to access your domain.

Monitor the strength of user passwords

G Suite allows administrators to set minimum and maximum character lengths for user passwords. The longer the password, the harder it is to crack. You can regularly require users to change their passwords if you alter these minimums or maximums.

You can also preemptively evaluate the security of any given user’s password to determine whether a password change is warranted. Google uses an undisclosed criteria to determine whether a user’s password is weak or strong. This rating adapts over time as password-cracking schemes become more sophisticated, which is to say a password that was considered strong when the user chose it may now be considered weak, and auditing users passwords can alert you to passwords that need to change.

For more information on securing your G Suite domain, check out our eBook. It features tips on how to setup domain administrator recovery options, how to prevent unauthorized domain access, and basic methods for recovering lost or corrupted G Suite data .