Are all Google accounts under your organisation's IT management?
In our discussions with Nordic organisations, many say they believe that all their Google services are managed centrally. Unfortunately, some services and accounts often fall outside the scope of centralised IT management. If your organisation uses services such as Google Analytics or Google Ads, are you certain that your account management is secure?
Are Google services managed by your IT?
All too often, we have had conversations like this one:
"Does your organisation use Google Cloud Platform or other Google services?"
"We don’t use Google. We tend to use competing platforms."
This is a common situation in companies that have not deployed Google services systematically. It leads to a belief that the organisation does not use any Google services at all. However, the situation is often quite different: Google services are almost always being used outside the scope of centralised IT management.
Services such as Google Analytics, Google Ads, Google Maps API, and Google Data Studio are good examples. In these cases, the services are managed using Google accounts tied to an individual employee’s email address or even a personal @gmail.com account.
Information security and business risks
The situation described above gives rise to substantial information security and business risks:
- Accounts fall short of an adequate standard of information security and cannot be audited
- Accounts could be lost entirely if the employee leaves the company
- Services paid for by credit card could be unexpectedly suspended if the card expires or is lost
The growing shift to remote work poses distinct challenges for account security, as services are used in different locations and, potentially, on different devices. However, it is easy to take control of the security of Google accounts at a low cost.
How to manage Google services centrally?
- Centralise the management of Google Cloud Platform projects under the company’s domain.
- Implement centralised user account management, for example, using free-of-charge Google Cloud Identity accounts.
- Get the information security of accounts in order (e.g., by enforcing 2-Step Verification and more secure password policies).
- Migrate certain services to centralised admin accounts instead of user-specific accounts.
- Stop using credit cards for billing.
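As a starting point for the first two steps, the following added example (not part of the original article) lists the identities in a Google Cloud project's IAM policy that sit outside the company's managed domain. It assumes the policy was exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the sample policy is constructed and `example.com` is a placeholder for your own domain.

```python
import json

# Constructed sample in the shape of a Google Cloud IAM policy export.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner",
   "members": ["user:marketing.lead@gmail.com", "user:admin@example.com"]},
  {"role": "roles/viewer",
   "members": ["user:agency@partner.example", "group:analytics@example.com",
               "serviceAccount:etl@demo-project.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["user:Former.Employee@GMAIL.com"]}
]}
""")

# Consumer Google account domains (assumption: extend to suit your review).
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com"}


def classify(member, managed_domains):
    """Return 'managed', 'personal', 'external' or 'other' for one IAM member."""
    kind, _, ident = member.partition(":")
    if kind not in ("user", "group"):
        return "other"  # service accounts, domain: entries, allUsers, etc.
    domain = ident.rpartition("@")[2].lower()
    if domain in managed_domains:
        return "managed"
    if domain in CONSUMER_DOMAINS:
        return "personal"
    return "external"


def audit_policy(policy, managed_domains):
    """List (status, role, member) for human identities outside managed domains."""
    managed = {d.lower() for d in managed_domains}
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            status = classify(member, managed)
            if status in ("personal", "external"):
                findings.append((status, binding["role"], member))
    return sorted(findings)


if __name__ == "__main__":
    for status, role, member in audit_policy(SAMPLE_POLICY, {"example.com"}):
        print(f"{status:9} {role:14} {member}")
```

Each finding is an account to migrate to a managed identity or to justify as a documented exception; personal accounts holding owner or editor roles deserve attention first.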
Systematic development of information security
When the basics of Google accounts are under control, it is a good idea to systematically invest in the further development of security. If you use a lot of Google API services for developers, plan the management of user-managed keys in a secure way.
If necessary, user management can be integrated entirely into a different, centralised user management service (over LDAP and, if desired, with password synchronisation), and authentication could harness the company’s SAML single sign-on service (such as Azure AD or Okta). In addition, information security can be further developed using Google Cloud Identity Premium accounts.
We strongly urge you to transfer all Google accounts and services to centralised management before it is too late.