One of Google for Education's most transformative elements is the ease of collaboration in the end-user experience. Similarly, the scary part for IT Admins can be how easy it is to overshare, mainly when sensitive data leaves your school's domain. Mitigating data loss should be considered a high priority when implementing Google Workspace for Education in your schools.
In this article, you will find a thorough explanation of Drive Admin console Sharing settings and best practice recommendations for those settings. Outlined are some key areas to re-examine in your Admin console to ensure the first line of defense for your domain’s Drive security. Finally, you’ll see how Google Workspace for Education Plus addresses Drive security and compliance.
You can use these settings, or if you have Education Standard or Plus, you can use Trust Rules. Trust Rules provide more granular control over sharing but require additional setup; visit this article for more information.
Drive settings and best practices
Drive security settings are critical as Drive is a core Google Workspace service used heavily in K-12 environments.
Are you allowing your faculty and students to share externally?
It's crucial to remember that applying the settings by the appropriate OU, rather than the ROOT, is a necessity if you want students and staff to have different Drive permissions. This is a common practice in school settings.
CDW Amplified for Education recommends only allowing students to share internally, especially for younger students in grades K-8, commonly known as the walled garden approach.
According to Melissa Benson, one of our Google for Education Consultants, "we typically see schools putting elementary and middle school grades into a walled garden. However, it's always best to defer to the curriculum department to ensure that decision is wanted/supported throughout your schools." She also notes that consistency with the walled garden approach within Drive, Chat, and Gmail is essential.
Drive Settings
To access your Drive settings, go to:
admin.google.com > Apps > Google Workspace > Drive and Docs > Sharing settings
There are three options for sharing: Off, Allowlisted Domains, and On. Here is an explanation of each option.
Off
The recommended Sharing outside of [name] Domain for the student OU is:
- OFF
- AND uncheck Allow users in [OU name] to receive files from users outside of [name] domain
This checkbox must be unchecked to obtain a walled garden. If the Allow users checkbox remains checked, anyone outside of the domain can share with students. During the Audit process, CDW Amplified for Education’s consultants often find that although the sharing options are OFF, the Allow users in OU checkbox is still checked for students, leaving them vulnerable to receiving files from outside the domain.
Allowlisted Domains
The option for ALLOWLISTED DOMAINS is the same as having the setting turned OFF but allowing exceptions with an allowlist. This option is beneficial when students need to share outside of the domain for academic programs/purposes. Again, you will want to make sure the box is unchecked for allowing students to receive files from outside of the domain.
If using this setting, be sure to configure it this way:
- Allowlisted Domains selected
- AND uncheck Allow users in [Student OU] to receive files from users outside allowlisted domains
On
If using this setting, be sure to configure it this way:
- ON selected
- AND check For files owned by users in [OU] warn when sharing outside of [name] Domain
With this configuration, users see a warning when sharing files with users outside of the domain. This gentle heads-up lets teachers and students in your domain know they are sharing files externally and prompts them to pause and think about whether the item truly should be shared. Giving end users a warning can avert inappropriate sharing and prevent overall data loss.
The access checker
Also, within Drive and Docs settings, the Access Checker will notify the sender of an email if the recipient does NOT have access/share permissions to the Drive document linked in the email. For example, let’s say you write an email and link a Google Drive file within. Upon clicking send, Gmail checks if the recipients have access to the file. If not, the sender will receive a pop-up asking if they want to share the doc. Helpful, right? It is helpful, but you want to change the default setting to deter users from simply sharing with anyone. The default setting in the Admin console is Recipients Only, suggested target audience, or public (no Google account required). However, this can lead to a lot of needless oversharing by allowing end users to use one click to (over)share to recipients, your domain, and the public.
In the K-12 setting, we recommend setting your Access Checker to Recipients only. Google will check the sharing permissions, then explicitly add only the people in the email to the sharing permissions, as opposed to allowing the user to choose the entire domain or public access.
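The recommendations above can be checked per OU once inheritance is taken into account. The following is an added example, not CDW's or Google's code: it audits a constructed table of per-OU overrides, and every field name, value and OU path in it is hypothetical (it calls no Google API).

```python
# Added example: audit per-OU Drive sharing settings against the article's
# recommendations. Field names, values and OU paths are constructed.

# Only explicit overrides are stored per OU; everything else is inherited
# from the parent OU, which is how the Admin console applies settings.
SETTINGS = {
    "/": {"external_sharing": "ON", "receive_external": True,
          "warn_on_external": False, "access_checker": "ANY"},
    "/Staff": {"warn_on_external": True, "access_checker": "RECIPIENTS_ONLY"},
    "/Students": {"external_sharing": "OFF"},  # checkbox left inherited
    "/Students/HS": {"external_sharing": "ALLOWLISTED",
                     "receive_external": False,
                     "access_checker": "RECIPIENTS_ONLY"},
}

def effective(ou, settings=SETTINGS):
    """Resolve an OU's effective settings by applying overrides root-first."""
    merged = dict(settings["/"])
    path = ""
    for part in (p for p in ou.split("/") if p):
        path += "/" + part
        merged.update(settings.get(path, {}))
    return merged

def audit(ou, settings=SETTINGS):
    """Return the findings for one OU; an empty list means it matches."""
    s = effective(ou, settings)
    findings = []
    mode = s["external_sharing"]
    # OFF or allowlist with the receive box checked: outsiders can still share in.
    if mode in ("OFF", "ALLOWLISTED") and s["receive_external"]:
        findings.append("receive-from-outside is checked; walled garden is open inbound")
    # ON is only recommended together with the external-sharing warning.
    if mode == "ON" and not s["warn_on_external"]:
        findings.append("external sharing is ON without the warning")
    if s["access_checker"] != "RECIPIENTS_ONLY":
        findings.append("Access Checker is not Recipients only")
    return findings

def audit_all(settings=SETTINGS):
    return {ou: audit(ou, settings) for ou in sorted(settings)}

if __name__ == "__main__":
    for ou, findings in audit_all().items():
        print(ou, "OK" if not findings else findings)
```

In the sample data, /Students turns sharing OFF but inherits the checked receive box from the root, which reproduces the audit finding described in the Off section.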
Google Workspace for Education Standard and Plus
Google Workspace for Education Plus offers a security center with dashboards, actionable security insights, and proactive measures to help protect your domain from data loss.
Contact your GCS if you are interested in a trial or learning more about the enhanced security features available with Education Plus. If you don't have your GCS's direct email, contact cdwg@amplifiedit.com and your GCS will receive your message.
What’s next?
The Google Admin console changes quite frequently, so it’s always a good idea to make sure that you revisit settings often. We offer a full Audit of your Google for Education settings, which outlines best practices, each setting, what your domain settings are, and what the recommended setting is for a K-12 environment.
Also, if you need help keeping up with every update to the admin console, join our CDW Education Collaborative! Here is the link to learn more. In the Collaborative, you’ll never have to go at it alone.
Document Version | Date | Description of Change |
1.0 | 3/18/2024 | Updated link to Audit to CDW site |
1.1 | 5/28/2024 | Removed author block |
1.2 | 6/27/2024 | Rewrite with Donald, verified. |