Google Drive Security

Best practices, tips and tricks

Introduction

Recently, the district has been in the news due to illicit and unethical access to some of our files stored in Google Drive. Specifically, a former district employee shared files with a personal account while still employed by the district. The sharing links were not identified until a later date, after official access had already been terminated. Upon identifying this unauthorized access, the information was relayed to law enforcement and allowed to go through the legal process.


Our staff take the protection of student, staff, and district data very seriously. Such situations have occurred in corporations, non-profits, and government agencies the world over due to the relatively new and complex nature of cloud data storage and the ability to share information dynamically with a single click. Our processes for handling such situations mirror industry standards, but are not absolutely perfect, and links can be missed.

As a result of these recent developments, it is important for all staff to reacquaint themselves with district data policies and procedures, as well as take a moment to conduct some self-audits.

Objectives

  • Provide background on data privacy and related policies.
  • Encourage all staff to review their use of Google Drive and the content of their files.
  • Offer suggestions and tools for reviewing file shares so that appropriate changes can be made, if necessary.

Policies

If you're curious about any policies that cover data privacy or proper use of technology, here are a few to check out:


515: Protection and Privacy of Student Records

524: Internet Acceptable Use and Safety

406: Public and Private Personnel Data

409: Employee Publications, Instructional Materials, Inventions and Creations

306: Administrator Code of Ethics

211: Criminal or Civil Action Against School District, School Board Member, Employee or Student


The policies provide a framework for practices and procedures that we follow within the district. Recent events have highlighted the need to review some of our procedures and take steps to ensure that all staff have the information they need to follow best practices with data storage and sharing.

Google Storage: My Drive and Team Drive

First of all, let's acknowledge the clear benefits of using Google for file storage:


  • Easy access
  • Option to share files
  • Ability to edit files concurrently



Of course, any tool can be abused. Someone with bad intent will inevitably find a way to do so. Our goal here is to avoid a scenario where we have to limit the functionality of Google Drive. Let's look at the two types of Google Drive available.


My Drive

This is the version that has been around since Google Drive came into existence, and what pretty much everyone is familiar with. For most people, the terms "Google Drive" and "My Drive" are synonymous. Key aspects of My Drive:


  • Individuals own and control files and access to them (and access can be lost if staff leave the district).
  • Files can be shared to users outside of the organization (shakopeeschools.org).




Team Drive

Introduced within the last year or so, Team Drives are a more secure option that more closely resembles network file shares. Some key aspects of Team Drive:


  • The organization owns the drive, so files are not affected when staff leave the district.
  • Files cannot be shared to users outside of the organization.
  • You have to be a member of a specific Team Drive to see files in that location.
  • Team Drives are only available for organization accounts (such as an Education account), not for individuals with a standard Gmail account.



As you can see, Team Drives represent a more secure option for storing data. There has been some discussion amongst various departments about moving data currently stored in My Drive locations to Team Drive, but progress on that has been slow simply because there is so much information floating around and it takes time to get it all organized. Also, each type of drive has advantages depending on what your objective is.

How do I see who has access to a file?

Here are Google's instructions on how to change the sharing settings on a file.


Link sharing options are also shown below. They are ordered from least restrictive to most restrictive. Which option you choose should be consistent with who actually needs access and the sensitivity of the data.

It would be nice if Google offered an easy way to check your file sharing settings without having to go to each individual file and look at the settings. They don't, but after doing some research we have found another option that will at least provide a comprehensive list of who has access to your files; instructions for that option are provided below.

Who has access to your files?

Here is a tool you can use to scan your Google Drive to see who has access to it.

https://www.whohasaccess.com/

After going to this link, scroll down a little and click the big blue button that reads “Scan My Google Drive Now”.

Next steps will take you through confirming which account to use and allowing permission to access and scan the drive.

It could take anywhere from 2-15 minutes to run depending on how many files you have in your drive or are connected to via sharing settings.

Once it is done, it will give you a report screen.

It may be easier to limit the view to files you own (last item in left column) and access external to our domain (last item in right column).
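
The same review (files you own, access from outside our domain) can be written as a short script. This is an added example, not part of the original newsletter or of the whohasaccess.com tool; it assumes file records shaped like Google Drive API v3 file listings (ownedByMe, and permissions with type, role, emailAddress, domain, allowFileDiscovery), and the sample records are constructed.

```python
DISTRICT_DOMAIN = "shakopeeschools.org"  # organization domain named in this newsletter

def external_reason(perm, domain=DISTRICT_DOMAIN):
    """Say why a Drive v3 permission reaches outside the domain, or return None."""
    kind = perm.get("type")
    if kind == "anyone":
        # allowFileDiscovery True = findable by search; False = anyone with the link
        return "public on the web" if perm.get("allowFileDiscovery") else "anyone with the link"
    if kind == "domain":
        other = perm.get("domain", "").lower()
        return None if other == domain else "whole outside domain " + (other or "(unknown)")
    # user or group: compare the part after "@". A missing address is flagged so
    # it gets a manual look; subdomains are also flagged (exact match only).
    email = perm.get("emailAddress", "").lower()
    if email.rsplit("@", 1)[-1] != domain:
        return "outside account " + (email or "(address hidden)")
    return None

def external_shares(files, domain=DISTRICT_DOMAIN):
    """Return (file name, role, reason) for files you own that are shared externally."""
    findings = []
    for f in files:
        if not f.get("ownedByMe"):
            continue  # same filter as "files you own" in the report
        for perm in f.get("permissions", []):
            reason = None if perm.get("role") == "owner" else external_reason(perm, domain)
            if reason:
                findings.append((f["name"], perm.get("role"), reason))
    return findings

# Constructed sample records (not real district data).
SAMPLE_FILES = [
    {"name": "Class roster", "ownedByMe": True, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "teacher@shakopeeschools.org"},
        {"type": "user", "role": "writer", "emailAddress": "colleague@shakopeeschools.org"},
        {"type": "user", "role": "reader", "emailAddress": "personal.account@example.com"}]},
    {"name": "Field trip form", "ownedByMe": True, "permissions": [
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "Staff handbook", "ownedByMe": True, "permissions": [
        {"type": "domain", "role": "reader", "domain": "shakopeeschools.org"}]},
    {"name": "Shared with me", "ownedByMe": False, "permissions": [
        {"type": "user", "role": "writer", "emailAddress": "someone@example.com"}]},
]

if __name__ == "__main__":
    for name, role, reason in external_shares(SAMPLE_FILES):
        print(f"{name}: {role} access for {reason}")
```

Each line of output is a share to review and, if it is no longer needed, revoke.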

Let's use a concrete example here. Immediately remove access to this account for any files (if it shows up in your results).
Choose Revoke access.

For this particular situation, I would select the last item (“Everything I can manage”) and click Revoke.

As you are going through your list you may want to review for other people who do not need access any longer; that’s your call. We trust that the staff here do have some discernment about what is appropriate. Where the technology department can and will do a better job is in making sure you are informed on how best to manage the tools available to you.

What else can we do?

We all need to be mindful of what data we have stored on Google Drive, how it is being used, and with whom it is shared. You can always refer to the policies listed at the start of this newsletter, but trust your gut as well.


Of course, we realize that we need to take steps to better manage files and sharing administratively as well. To that end, we are exploring some third party tools that we hope will allow us to do just that. Once we are able to evaluate our options, we will invest in such a tool.