One of the most amazing and transformative elements of Google for Education is the ease of collaboration the end users experience. Similarly, the scary part for IT Admins can be how easy it is to collaborate (read: overshare), particularly when it comes to sensitive data leaving your school’s domain. Whenever possible, mitigating data loss should be considered (and a high priority) when implementing Google for Education in your schools.
In this post, you will find a thorough explanation of basic Drive settings and best practice recommendations for those settings. Outlined are some key areas to re-examine in your Admin console to ensure the first line of defense for your domain’s Drive security. Additionally, there is information about how to obtain a free threat scan from our partner, Syscloud. SysCloud’s threat scan will check for inappropriate external sharing via Drive. Finally, as it’s relatively new for Google for Education, you’ll get a quick peek at how Google Workspace for Education Plus addresses Drive security and compliance.
Drive settings and best practices
Drive security settings are incredibly important as Drive is a core Google Workspace service that is used quite heavily in K-12 environments.
To start, are you allowing your faculty and/or students to share externally?
Keep in mind that you will need to apply the settings by the appropriate OU rather than the ROOT if you want students and staff to have different Drive permissions, which is common in school settings.
Amplified IT’s consultancy services recommend only allowing students to share internally, especially for younger students in grades K-8, which is commonly known as the “walled garden” approach.
According to Melissa Benson, one of our uber knowledgeable Google for Education Consultants, “we typically see schools putting elementary and middle school grades into a walled garden. However, it’s always best to defer to the curriculum department to make sure that decision is wanted/supported throughout your schools.” She also notes that “keeping consistency” with the “walled garden” approach within Drive, Hangouts, and Gmail is essential.
To access your Drive settings, go to admin.google.com>Apps>Google Workspace>Setting for Drive and Docs.
The recommended settings for the student OU is OFF and uncheck allow users to receive files from outside/external domains to obtain a “walled garden.” This must be unchecked in order to obtain a “walled garden.” If the setting remains checked, anyone outside of the domain is able to share with students. During the Audit process, Amplified IT’s consultants find that although the sharing options are OFF, the box is often left checked for students, leaving them vulnerable to files being shared with them from outside the domain. NOTE: it is important to have the box UNCHECKED to maintain a “walled garden,” as seen in the image below.
The Middle option for WHITELISTED DOMAINS is the same as having the setting turned OFF (below) but allowing exceptions with a whitelist. This option is beneficial when students need to share outside of the domain for academic programs/purposes. Again, you will want to make sure the box is unchecked for allowing students to receive files from outside of the domain.
When using the ON option, make sure to check the option to warn users when they share files with users outside of the domain. A gentle “heads up” to let teachers/students in your domain know they are sharing files externally requires them to pause and think whether it is an item that truly should be shared. Giving a warning to end users can save from inappropriate sharing and prevent overall data loss.
This particular setting is going to be more relevant to your staff. It’s a relatively new setting within the admin console, which allows recipients to view a preview of a file without having to have a Google account. For example, this can be helpful when working with outside vendors who may not even have Google accounts.
The access checker
Also within Drive and Docs settings, the Access Checker will notify the sender of an email if the recipient does NOT have access/share permissions to the Drive document linked in the email. For example, let’s say you write an email and link a Google Drive file within. Upon clicking send, Gmail checks if the recipients have access to the file. If not, the sender receives a pop up asking if they would like to share the doc. Helpful, right? It is helpful, but you want to make sure the default setting is changed to deter users from simply sharing with anyone. The default setting in the Admin console is Recipients Only, Your Domain, or Public (no Google account required) as seen in the image below. However, this can lead to a lot of needless oversharing by allowing end users to use one click to (over)share to recipients, your domain, along with the public.
In the K-12 setting, we recommend setting your Access Checker, to Recipients only (below image) as Google will check the sharing permissions, then explicitly add only the people in the email to the sharing permissions in comparison to allowing the user to choose the entire domain and/or publicly accessible).
Reminding your users when they share using the Access Checker is a step in the right direction but adding an extra layer of security by halting oversharing and alerting administrators of inappropriate sharing can save schools from FERPA violations and accidentally sharing of student/faculty Personal Identifiable Information (PII).
SysCloud’s free threat scan
Syscloud, a cloud app, that scans for sharing violations within Drive, Chat, Gmail, and Sites provides a free threat scan as a trial for two weeks. Amplified IT is the only partner to offer dedicated K12 support, onboarding, and implementation for the service so don’t be shy about contacting us for more details and get your trial set up correctly.
Google Workspace for Education Plus
Recently launched, Google Workspace for Education Plus, offers a security center that includes dashboards, actionable security insights, and proactive measures to protect your domain from data loss prevention.
Here is a video overview of the entire Google Workspace for Education Plus offering. Once again, Amplified IT is the only dedicated K12 partner who can offer training and we can get you started with a trial for 30 days for up to 10 of your users.
Contact us if you are interested in a trial or learning more about the enhanced security features available with Education Plus.
The Google Admin console changes quite frequently so it’s always a good idea to make sure that you revisit settings often. If you found this post useful, this is just a few of the settings in the Admin console to consider. We offer a full Audit of your Google for Education settings, which outlines best practices, each setting, what your domain settings are, and what the recommended setting is for a K-12 environment.
Having a hard time keeping up with every update to the admin console and want to be part of a Google for Education community of techs? Join our North American Google Technical Collaborative! Here is the link to learn more. Promise, you’ll never have to “go at it alone.”
Next time, we will dive into Google Workspace for Education Plus features and how it can further ensure domain safety and security. Wishing everyone a wonderful (and security safe) school year!
Find this article useful? Share it!
About the Author:
Catherine Weers joined the Amplified IT team in 2017 after 13 years working in Public Schools as an educator and Technology Coordinator. She has a rich history in Educational Technology. Today, she is the Partnership Manager where she is in charge of ensuring schools get the right tools to fit their individual needs in security, Chromebook management, web filtering, backup solutions and much more.