Google recently announced some new features to help prevent G Suite account compromise and provide extra protection for sensitive accounts. These features are available via the Google Advanced Protection Program, or GAPP, which adds additional safeguards for high-risk users.
One could easily argue that the most important aspect of GAPP is the requirement to use physical security keys. This prevents the exploitation of credentials that have been harvested by phishing or other means. The Titan Security key can be used as well as other physical keys supporting FIDO2. The built-in security keys of Android 7+ phones are also supported.
Coming in as a close second to the physical security key requirement is the automatic blocking of access by most third-party apps to Google Drive and Gmail data. If an app is not explicitly trusted by the G Suite admin it will be blocked. Other features include:
- Extra steps for account recovery to prevent impersonation
- Deep scans of email for threats, including sandboxing
- Google Safe Browsing download protection from for certain file types when signed into Google Chrome with the same identity
Utilizing most of the G Suite Advanced Protection Program is simple, for the most part, but the most important piece – the physical security key – will cost you dollars and convenience. Limiting the scope of its use to only those accounts that represent the highest risk makes it more affordable, though.
The inconvenience is well worth it given the level of risk mitigation. It might be reasonable to even expect to see physical security keys added as a requirement for cyber insurance. It really comes down to a single question: can you afford not to?
Why You Need to Protect Power Users
Power users and employees with access to sensitive information are prime targets for cyber criminals and nation-state actors. These targets include executives, IT admins, human resources. If you’re in the healthcare, finance or government sector, you’re also a prime target.
An example of a highly advanced attack was seen in a 2019 phishing campaign that targeted the login credentials of multiple US and international government procurement services. This campaign effectively spoofed procurement sites and harvested credentials with phishing emails and sophisticated lure documents. Given the human element, fighting these types of advanced attacks is very difficult, but there are ways to effectively combat the threat.
Continuous monitoring by a security operations center (SOC) provides the quickest recognition and resolution of possible compromise. Delta Risk’s SOC-as-a-Service solution also has enhanced capabilities via our ActiveEye platform. ActiveEye detects and surfaces the compromise of sensitive accounts in several ways including alerts for:
- Logins from unusual locations or country whitelist violations (with MFA verification)
- Impossible logins regarding time and geography, and logins outside normal user behavior or patterns
- Accessing cloud APIs from a malicious IP
- User roles that are created and deleted in a short period of time
- Downloading of user lists from cloud infrastructure
- Granting super admin privileges for G Suite, Azure or AWS
Combining the G Suite Advanced Protection Program with ActiveEye SOC-as-a-service provides a hardened security posture that is continuously monitored. Users that pose the most risk, if compromised, have a very strong protection provided by the physical security key. Applying the Google Advanced Protection Program not only provides the actions of the policies but also an enhanced set of Indicators of Compromise (IOCs) to enable the identification of threats by the security team and the protection of your sensitive data.