0 Replies Latest reply on Aug 28, 2016 9:29 PM by Anonymous

    What's the Best Practice for Google Apps Security? #1


      Hi Everyone,


      I am Yan from Professional Services, Google for Work. Professional Services is a newly established organization, and we aim to help both our customers and partners improve their work efficiency by providing best practices, solutions and services. Here I would like to kick off a series of articles on how Google's best practices apply to security. More security topics and discussions will come soon, so please stay tuned.


      Google's security baseline consists of 3 points:

      1. Keep up to date and adopt the latest security features and technology
      2. Train users to raise security awareness
      3. Be prepared with a response plan

      In this first post, I will give a brief introduction to adopting the latest security features and technology.


      Keep up to date and adopt the latest security features and technology

      In the cloud, customers don't have to innovate or build a new solution in order to adopt new technology: Google keeps its products updated with the latest technology. One of the most important tasks for an IT admin is to understand new technology and functionality and to educate users to apply it. The same applies to security. Below I explain, with examples, how the technology helps protect users from phishing and spoofing.



      According to Google's research, 45% of users are tricked by the most believable phishing pages, and 20% of phished accounts are accessed by the attacker within 30 minutes of being phished.

      Even trained users can be tricked by phishing, and once an account is phished it can be compromised right away. This is the risk our users face today.


      Here, we recommend 2-Step Verification.

      Before explaining the solution, ask yourself whether you have done any of the following recently:

      • Used the same password for both a private and a professional account
      • Downloaded a file from the internet
      • Clicked a link or attachment in an email when you were not sure who the sender was



      All of these activities can expose you to phishing and eventually threaten your company's security.
      The reason is that improvements in consumer technology make it easier for attackers to be equipped and organized to steal individual users' data. Because of password re-use, when a user's personal data is breached and sold on the black market, the enterprise's security is also at risk.

      2-Step Verification protects your company against phishing, and hence your data against compromise. Even if your password is stolen, the second factor still protects the account: either a code or prompt on your mobile phone, or a security key. Note that a code can still be phished by a page that asks for it and relays it to the real site in real time, so the protection is strongest with a security key. More and more people are starting to use security keys because they are easy to set up and use public-key cryptography: the key only signs for the site it was registered with, and the browser records the site's origin in the signed data, so a phishing page on another domain cannot reuse it. That makes a security key a non-phishable second factor. For detailed setup and explanation please refer here
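      To show why a security key resists the phishing relay that defeats a one-time code, here is an added example (not code from the original post or from Google) that models the FIDO U2F / WebAuthn flow in Python. It is a toy: the per-site key pair is replaced by a per-origin HMAC key derived from a master secret so that it runs with only the standard library, and the origins, user name and challenge flow are constructed for the example. The property it demonstrates is the real one: the browser, not the user, writes the origin it actually connected to into the signed client data, so an assertion obtained on a look-alike domain is rejected by the real site.

```python
"""Why a security key resists phishing while a relayed one-time code does not.

Added example, not code from the original post or from Google. Toy model of the
FIDO U2F / WebAuthn flow: the per-site key pair is replaced by a per-origin HMAC
key derived from a master secret so it runs with only the standard library.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.google.com"
PHISH_ORIGIN = "https://accounts-google.com.example"   # constructed look-alike origin


class ToySecurityKey:
    """Stand-in for a U2F/FIDO2 authenticator: one master secret, per-origin keys."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def _key_for(self, origin: str) -> bytes:
        # A real key derives or stores a separate key pair per relying party.
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Toy model: the site stores the shared key; a real site stores a public key.
        return self._key_for(origin)

    def sign(self, browser_origin: str, challenge: bytes) -> tuple[bytes, bytes]:
        # browser_origin is supplied by the browser, so a phishing page cannot lie about it.
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": browser_origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self._key_for(browser_origin), client_data, hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    """The real site: enrolls keys, issues challenges or codes, verifies them."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._keys: dict[str, bytes] = {}
        self._otps: dict[str, str] = {}

    def enroll_key(self, user: str, key: ToySecurityKey) -> None:
        self._keys[user] = key.register(self.origin)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify_assertion(self, user: str, challenge: bytes, client_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return False                      # signed for another site: phishing relay
        if data.get("challenge") != challenge.hex():
            return False                      # stale or foreign challenge
        expected = hmac.new(self._keys[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

    def send_otp(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # shape of an SMS/app code
        self._otps[user] = code
        return code

    def verify_otp(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self._otps.get(user, ""), code)


def otp_relay_succeeds() -> bool:
    """Real-time phishing of a code: the phishing page asks for it and relays it."""
    rp = RelyingParty(REAL_ORIGIN)
    code_shown_to_user = rp.send_otp("alice")
    code_typed_into_phish_page = code_shown_to_user       # the user is fooled
    return rp.verify_otp("alice", code_typed_into_phish_page)


def security_key_relay_succeeds() -> bool:
    """Same relay against a security key: the phisher forwards the real challenge."""
    rp = RelyingParty(REAL_ORIGIN)
    key = ToySecurityKey()
    rp.enroll_key("alice", key)
    challenge = rp.new_challenge()            # phisher starts a login with the real site
    # The victim's browser is at PHISH_ORIGIN, so that is what goes into the signed data.
    client_data, sig = key.sign(PHISH_ORIGIN, challenge)
    return rp.verify_assertion("alice", challenge, client_data, sig)


def security_key_legit_login_succeeds() -> bool:
    """Control case: the same key used at the real origin is accepted."""
    rp = RelyingParty(REAL_ORIGIN)
    key = ToySecurityKey()
    rp.enroll_key("alice", key)
    challenge = rp.new_challenge()
    client_data, sig = key.sign(REAL_ORIGIN, challenge)
    return rp.verify_assertion("alice", challenge, client_data, sig)


if __name__ == "__main__":
    print("relayed OTP accepted:", otp_relay_succeeds())                     # True
    print("relayed key assertion accepted:", security_key_relay_succeeds())  # False
    print("key at real origin accepted:", security_key_legit_login_succeeds())  # True
```

      The origin check in verify_assertion is the whole point: even if the phisher edited the "origin" field in the relayed client data, the signature was computed over the original bytes and would no longer verify. With a one-time code there is nothing tying the code to the site that asked for it.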


      Spoofing is another type of attack a company can face. Email spoofing means forging the email headers so that a message appears to come from someone else. Why is it harmful? From the recipient's perspective: "Oh, this is from someone I know or do business with, it could be important, let's see what's behind the link." One click later, the recipient's machine may be infected with malware or their credentials phished. The negative impact on the company receiving the spoofed mail is obvious. The company whose domain was forged as the sender may also lose the trust of its business partners, and that impact can be even bigger.


      To prevent spoofing of your domain, I would like to introduce the following setup to protect users and your company:

      1. Publish the IP addresses of your domain's sending servers in DNS, so that recipients can verify whether a message came from an authorized server (SPF)
      2. Add a digital signature to the headers of outgoing messages, so that recipients can verify that the email came from your domain and hasn't been altered in transit (DKIM)
      3. Publish a policy telling receivers what to do with messages that fail these checks and where to send reports for the IT admin's follow-up (DMARC)


       SPF stands for Sender Policy Framework. You publish the IP addresses of your authorized sending servers in a DNS TXT record for your domain; the recipient can then check whether a message claiming to be from your domain arrived from an authorized mail server. Note that SPF checks the envelope sender (the bounce address), not the From: header the user sees, which is why it is combined with DMARC below. For detailed setup please refer here


       DKIM stands for DomainKeys Identified Mail, a mail validation system designed to detect mail spoofing. The sending server adds a digital signature (a DKIM-Signature header) computed over selected headers and the body of each message sent from your domain. The public key is published in DNS under a selector; the recipient server retrieves it and verifies the signature, which proves the message came from your domain and wasn't changed along the way. For detailed setup please find here


        DMARC stands for Domain-based Message Authentication, Reporting and Conformance. Spammers can forge the "From" address on a message so that it appears to come from a user in your domain. Domain owners can publish a policy telling Gmail and other participating email providers how to handle unauthenticated messages claiming to be from their domain (none, quarantine or reject), and where to send aggregate reports. A message passes DMARC only if SPF or DKIM passes for a domain that aligns with the From: domain, so an attacker who passes SPF for his own bounce domain still fails. For example, starting with a "none" policy and a reporting address lets the IT admin see who is sending mail as the domain and prepare the next actions, before tightening the policy to quarantine or reject. Please find here for details.
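        The three steps above (SPF, DKIM, DMARC) come together on the receiving side. Here is an added example (not code from the original post or from Gmail) that evaluates an SPF record for the connecting IP and then applies the DMARC policy of the From: domain with relaxed alignment. The DNS records, IP addresses and domains are constructed for the example (the stand-in _spf.google.com record is not the real one), and DKIM signature verification itself is not implemented (it needs RSA), so the DKIM result and its d= domain are passed in as inputs. The SPF evaluator is simplified to the ip4/ip6/include/all mechanisms, which is enough for Google Apps-style records.

```python
"""SPF check and DMARC policy evaluation over constructed DNS records.

Added example, not code from the original post or from Google/Gmail. DKIM
verification is not implemented; its result and d= domain are inputs.
"""
from __future__ import annotations

import ipaddress

# Constructed DNS TXT table. The _spf.google.com entry is a stand-in, not the real record.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "attacker.example": "v=spf1 ip4:192.0.2.0/24 -all",          # attacker's own domain
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, sender_ip: str, dns: dict, depth: int = 0) -> str:
    """Simplified RFC 7208 evaluation: ip4/ip6/include/all (a, mx, exists, redirect need live DNS)."""
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # RFC 7208 limit on DNS-querying mechanisms
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIER[qualifier]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[qualifier]
        if mech == "include" and spf_check(arg, sender_ip, dns, depth + 1) == "pass":
            return QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and no 'all' term


def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=quarantine; ...' -> {'v': 'DMARC1', 'p': 'quarantine', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Simplified: real implementations consult the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if mode == "s":                     # strict alignment: exact match
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)   # relaxed (default)


def dmarc_evaluate(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str, dns: dict) -> tuple[str, str]:
    """Returns (dmarc_result, disposition); disposition is 'none', 'quarantine' or 'reject'."""
    record = dns.get("_dmarc." + from_domain)
    policy_tag = "p"
    if record is None:                  # subdomain without its own record: use the org domain's
        record = dns.get("_dmarc." + org_domain(from_domain))
        policy_tag = "sp"
    if record is None or not record.startswith("v=DMARC1"):
        return "none", "none"
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get(policy_tag, tags.get("p", "none"))


def receive(sender_ip: str, mail_from_domain: str, from_domain: str,
            dkim_result: str = "none", dkim_domain: str = "", dns: dict = DNS_TXT):
    """What a receiver does: SPF on the envelope sender, then DMARC on the header From."""
    spf = spf_check(mail_from_domain, sender_ip, dns)
    return spf, dmarc_evaluate(from_domain, spf, mail_from_domain, dkim_result, dkim_domain, dns)


if __name__ == "__main__":
    # 1. Legitimate mail via the stand-in Google range, DKIM-signed by example.com
    print(receive("198.51.100.10", "example.com", "example.com", "pass", "example.com"))
    # -> ('pass', ('pass', 'none'))
    # 2. Plain spoof from the attacker's IP, no DKIM: SPF fail, DMARC fail, quarantine
    print(receive("192.0.2.7", "example.com", "example.com"))
    # -> ('fail', ('fail', 'quarantine'))
    # 3. Attacker passes SPF for his own bounce domain but forges From: example.com
    print(receive("192.0.2.7", "attacker.example", "example.com"))
    # -> ('pass', ('fail', 'quarantine'))
```

        The third case is the one to remember: SPF alone passes, because the attacker controls the bounce domain, and only DMARC's alignment check between the authenticated domain and the From: domain catches it. The example uses a quarantine policy; a domain that has finished reviewing its reports would move to p=reject.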


      In conclusion, to protect your users and your company, it is essential to keep up to date and adopt the latest security features. 2-Step Verification and the SPF, DKIM and DMARC setup will help you protect your users. Apart from that, it is also essential for users to be security-aware and to protect both their professional and private data. I will focus on user training in the next post.