Briefing

The 12-point Google Workspace security baseline.

Defaults are for getting started, not for running a business. This is the baseline I configure on every tenant.

Briefing · 6 min read · Security

In this guide— Identity & access— Data protection— Visibility & response— Where to start

Google Workspace is secure by design — but not by default. Out of the box it optimises for ease of adoption, which means several controls that a business needs are simply switched off. Here is the baseline I bring every tenant up to.

Identity & access

  • Enforce 2-step verification for everyone, with security keys for admins
  • Reduce super-admins to the minimum and use least-privilege roles
  • Apply context-aware access so sensitive apps require trusted devices or locations
  • Review third-party OAuth apps and block over-scoped access

Data protection

  • Set external sharing guardrails per org unit — not one blanket rule
  • Configure DLP to catch sensitive data leaving the org
  • Define retention and use Vault for legal hold and recovery
  • Structure shared drives so ownership survives people leaving

Visibility & response

  • Turn on alerting for suspicious logins and admin changes
  • Route security alerts somewhere a human actually reads
  • Keep an auditable record of configuration and who changed what
  • Have a tested recovery path for a compromised or departed account
Security isn’t a product you buy — it’s a set of decisions you make on purpose, and write down.

Where to start

If you only do three things this quarter: enforce 2SV, cut your admin count, and turn on external-sharing guardrails. Those alone close the majority of the real-world risk I see. From there, the rest of the baseline is a steady, documented rollout — not a fire drill.

Want a defensible baseline on your tenant? Let’s talk.

Request a quote