Three things you really should know about Google Drive

By and large Google Drive is a great product, and it is compatible with good information security practice. However, there are a few Google behaviours, buried in "good UX", which are awful for your information security.

Photo of Greg Harvey
Tue, 2015-03-10 09:57By greg

So if you use Google Drive for your business, or even personally, here are a few things you really ought to know:

 

1. Google Mail integration

You know that thing where Google Mail's web UI pops up and says "This Drive file isn't shared with the recipient" and offers you a bunch of options? Pure evil! If you click the visually highlighted "Share & send" button, Google Drive simply makes your document public to anyone who knows the link. Security by obscurity, perhaps, but... Your. Document. Is. Public. At Code Enigma we teach users that button does not exist. I wish I could turn it off, but I can't.

ALWAYS use the "Send without sharing" link, discreetly tucked away to the right of the dialogue. It is the only safe option, aside from "Cancel".

Awful Google Mail UX.

 

2. Mobile access

If, like us, you store documents in Google Drive for which you have a certain legal duty of care, you probably want to be fairly sure it's hard for anyone not legimately part of your business to get to those documents. You probably want Two Factor Authentication (2FA) as an additional level of security. We certainly do. Happily, Google does allow you to enforce 2FA from central admin. Unhappily, it also allows users to disable 2FA on mobile devices for their convenience.

Do not want!

If users want to read their work email on their personal account, they can forward it. If they want to access their work calendar on their personal phone, they can share it with their personal account. I have no problem with any of this. But users must not activate their work account on their mobile device, because doing so immediately negates any 2FA we might have in place to protect documents in Google Drive. Which is really bad.

There's no way I can see to tell Google Apps to not permit this, similarly there seems to be no report available for mobile use either. It seems to be a totally user-driven decision over which administrators have no control, so it is our policy our users may not do this. Period.

 

3. Get shareable link in Drive

This is more evilness like the first one. If you have a document set to "Specific people can access" (which, by the way, is the only sane "private" option in Google Drive), you open the Share dialogue and you click the "Get shareable link" option in the top right, Google automatically shares the document company-wide to anyone with the link. Again, security by obscurity, but poor nontheless. If this were a sensitive document, you just shared it with the whole company and Drive didn't even warn you.

So don't do that. Click "Advanced" and copy the share link the old-fashioned way on the next screen.

Awful Google Drive UX.

 

So there you go, Drive, really nice system, good value for money, but some of the user-driven decisions are really horrible from an infosec point of view and I wish Google would introduce some options for Business account administrators so we can disable some of these horrid behaviours! At the moment all we can do is spread awareness.