Ask Floh: How Secure is G Suite?: Peerio
November 8, 2018

In this episode of Ask Floh, we dive into the pros and cons of using G Suite, what to watch out for, and when you may need to use a more secure product.

5 key takeaways are:

  • Google has a world-class security team and handles a lot of different kinds of compliance.
  • Google has a huge ecosystem that wasn’t built for privacy. They let the developers of third-party extensions access your data, so there are lots of security holes and a lot of attack surface.
  • Google is essentially an advertising company that mines your data so they can show you ads.
  • Admins of G Suite accounts could have access to your private information.
  • If you have sensitive information, you may want to move it off Google and into an end-to-end encrypted product.

Transcript

Hello, welcome back to Ask Floh, your favourite show on cybersecurity and how to stay safe online. I’ve got a follow up this time. So this is from Stef from Quebec, who asks:

“Just wondering, after I saw your video on Slack and email, how secure is G Suite? We have moved away from a traditional client-server model to a cloud one based on Google G Suite. We like their collaboration tools like Team Drives; it makes our workforce very mobile and productive. But is our data safe? We deal with banks, government agencies, law firms, etc. I wonder if we would pass a security audit.”

Alright, we’ve got a lot of different things in here. And the answer is, in fact, quite similar to the answer that I gave about Slack, in the sense that, well, let’s backpedal a little bit. I want to say, before I dig into some of the reasons when maybe G Suite should worry you, that Google does have a world-class security team. Some of the smartest people in security work at Google. And they are constantly, you know, smacking down all kinds of attackers, finding all kinds of vulnerabilities both in their own products, as well as in other people’s products. So Google, they do care about security. They’re constantly trying to protect you from malware. They’re constantly making tons of security education and security-related materials available for free. So that’s just to be fair here.

But now, Google and G Suite are obviously a huge ecosystem. And that means that there’s a lot of what we call attack surface. There’s a lot of different things going on. There’s a lot of third parties that interface with Google. And of course, Google isn’t really a maker of tools that are designed for privacy. Google is, in essence, an advertising company. They love your data; they want as much of it as they can get. And that’s how they make their money, at least significantly. So given that their business is ads, and that they are sort of incentivized to give a lot of different people access to different stuff so that they can get more information and rake it all in, this means that there are a lot of holes, a lot of places where there can potentially be holes, better said.

So, for example, until recently, until last year, I believe Google was still mining your private emails for advertising information. They’ve since stopped.

However, they also allow a whole lot of different extensions into, for example, Gmail, not to mention a bunch of other apps in their ecosystem. And some of those let the developers of the third-party extensions access your private emails, and might also, depending on the terms of use, and privacy policy, and all this kind of stuff, share that data further to additional, you know, fourth, fifth parties, or whatever.

And so that’s the kind of thing that, if you’re an IT director or security director at a company that’s just using G Suite, that’s the kind of thing that should concern you. You know, what extensions are people using? What are you allowing? Where are all of the different places in the G Suite ecosystem where there could potentially be leaks?

Now, another thing if you’re maybe protecting some, you know, really niche stuff, some intellectual property, some legal documents, or whatever, one of the things that you need to know is that G Suite, much like Slack, is in the hands of an administrator. So whoever controls the G Suite account could be accessing your private information. And there’s a bunch of different ways that they could do that. And not all of them are super intuitive and easy to avoid.

So with that being said, if you are using G Suite, it’s great for lots of things. But there are a bunch of things you do have to worry about as well. And so if there are some things that you heard me talk about that worried you, this might be a good use case for end-to-end encryption. You might want to move some of the data that you have that’s particularly sensitive off of G Suite. Use an end-to-end encrypted product to protect that data and therefore not have all of these different points to worry about, such as, you know, third-party applications that interface with your data as well as administrators of team accounts.

Lastly, one thing that you mentioned was whether you would pass an audit, and then there I would say, it depends on the kind of audit. I mean, Google provides a lot of information about the kinds of compliance that they handle, and there’s a lot of it, so it might actually be just fine, depending on what jurisdiction you’re in and what sector you’re in. So do check that out, and maybe we can have another conversation about really specific compliance stuff later.

All right. I really hope that was helpful. Take care and do send me more questions. Bye.
