Briefing
The 12-point Google Workspace security baseline.
Defaults are for getting started, not for running a business. This is the baseline I configure on every tenant.
In this guide— Identity & access— Data protection— Visibility & response— Where to start
Google Workspace is secure by design — but not by default. Out of the box it optimises for ease of adoption, which means several controls that a business needs are simply switched off. Here is the baseline I bring every tenant up to.
Identity & access
- Enforce 2-step verification for everyone, with security keys for admins
- Reduce super-admins to the minimum and use least-privilege roles
- Apply context-aware access so sensitive apps require trusted devices or locations
- Review third-party OAuth apps and block over-scoped access
Data protection
- Set external sharing guardrails per org unit — not one blanket rule
- Configure DLP to catch sensitive data leaving the org
- Define retention and use Vault for legal hold and recovery
- Structure shared drives so ownership survives people leaving
Visibility & response
- Turn on alerting for suspicious logins and admin changes
- Route security alerts somewhere a human actually reads
- Keep an auditable record of configuration and who changed what
- Have a tested recovery path for a compromised or departed account
Security isn’t a product you buy — it’s a set of decisions you make on purpose, and write down.
Where to start
If you only do three things this quarter: enforce 2SV, cut your admin count, and turn on external-sharing guardrails. Those alone close the majority of the real-world risk I see. From there, the rest of the baseline is a steady, documented rollout — not a fire drill.