Security & Privacy Information for Google Apps
With UCSC’s increasing use of Google’s services, it is important to remember that sensitive information often requires special protection. It is also important to remember that although Google provides enhanced security features and UC’s contract with Google provides assurances regarding the security and privacy of customer information stored on Google’s systems, most security cautions that apply to UC systems apply to Google.
Following are several proactive steps you can take to help maximize security and privacy when using Google.
In this section:
- Share Safely Quick Reference Card (PDF)
- Enable two-step verification
- Protect your CruzID Blue password
- Keep restricted data out of Google, or encrypt it first
- Mobile Devices
- Limit sharing of Google Docs & Sites to only those who need access, including who can edit vs. view
- Review your sharing settings in Google calendar
- Report spam and phishing to Google
- Use Google’s “Account Activity” features to help make sure no one else is using your account
- Sign out of your Google account when you’re not using it
- Additional Google security tips
|ENABLE TWO-STEP VERIFICATION|
Google's two-step verification uses a code in addition to your username and password. Each time you log in, Google sends a new code via text or voice message that you will need to enter. This means that to access your account, a hacker would not only need your username and password, but also your phone in order to get in.
|PROTECT YOUR CRUZID BLUE PASSWORD
|KEEP RESTRICTED DATA OUT OF GOOGLE, OR ENCRYPT IT FIRST|
With UCSC using Google for email, calendar, docs and sites, among other things, it is increasingly likely that people will use non-UC devices, especially mobile devices, for work. All devices used for work must meet UC and UCSC security requirements. Tips for protecting mobile devices are available on ITS' "Mobile Devices and Wireless" page.
|LIMIT SHARING OF GOOGLE DOCS & SITES TO ONLY THOSE WHO NEED ACCESS|
It is important to know Google's default settings and sharing options in order to avoid accidents related to over- or under-sharing.
When creating a new document or collection in Google, it will either default to be private to you or inherit the permissions of the collection under which you created it. Click on the “Share” button to review who it is shared with.
A note about Google Sites:
|REVIEW YOUR SHARING SETTINGS IN GOOGLE CALENDAR|
Be sure you know who you are sharing your calendar and meeting information with. The default sharing setting at UCSC is that your Google Calendar and meetings on it are visible to everyone in the university.
To share your calendar with specific people:
|REPORT SPAM AND PHISHING TO GOOGLE|
Report email spam and phishing directly to Google. This helps put these emails on their radar. You must do this from your email on the web. If you don't normally access your email via the web, go to mail.google.com and log in with your full, @ucsc.edu email address and CruzID Blue password. When your mailbox loads, select the message you'd like to report.
Report Calendar spam to Google: If you receive an unsolicited calendar invitation that you believe to be spam, report it to Google by clicking "Report Spam" on the detail page for the event - click the event title to get to the event detail page. The "Report Spam" link is at the top of the screen to the right of the reply options ("Yes" "Maybe" or "No). Clicking the "Report Spam" link will remove the event, along with any other events on your calendar created by the same organizer.
|USE GOOGLE'S "ACCOUNT ACTIVITY" FEATURES TO HELP MAKE SURE NO ONE ELSE IS USING YOUR ACCOUNT|
Last Account Activity - gmail only
To see your recent email account activity, click on any of your gmail folders, or your inbox, then click the Details link next to the Last account activity line at the bottom of the page. Additional information
Your Recent Activity - entire Google account
If you notice anything suspicious, e.g. a sign-in from a browser you've never used, or a location you've never been to, you are prompted to change your password to secure your account. If you notice a recovery option change you did not make, be sure to update the recovery option in addition to changing your password.
Account Activity - entire Google account
|SIGN OUT OF YOUR GOOGLE ACCOUNT WHEN YOU'RE NOT USING IT|
Be sure to sign out of your Google account when you're finished, especially when using a public computer. Just click on your username/icon at the top right corner of the screen and select "Sign out." If you're using a public or shared computer, to be extra thorough you can also clear the browser's cache, cookies and history. Then, completely close the browser.
|ADDITIONAL GOOGLE SECURITY TIPS|
Google privacy and security tips: https://www.google.com/safetycenter/everyone/start/
Privacy settings for Google+: Like all other Google Consumer Apps, Google+ (G+) is not covered by UC's agreement with Google. The default G+ settings makes your G+ information public, so information you put into G+ is visible to others outside of UCSC. See Google's instructions on how to change your settings. See UCSC's main Google page for additional information about Google Consumer Apps.
UCSC's Google domain is configured use encrypted transmissions by default. This means that when you access your gmail or Google Apps via Google's web applications with your @ucsc.edu Google account, your email and docs are transmitted securely. This is true for the mobile email client, too. Google also requires encryption for third party email clients (e.g. Thunderbird, Apple Mail, etc.) to access your email data.
Even though Google encrypts your data during transmission, it will still be unencrypted at rest. Do not send or store restricted data in Google unless you have encrypted it first.
The University of California has a contract with Google that provides assurances regarding the security and privacy of customer information stored on Google’s systems. UC's contract with Google takes precedence if there is a conflict with Google's posted terms or policies. For more information about how to protect your own privacy using Google Apps., please visit: Privacy Tools
- What's in the UC Google Contract?
- Google Letter about Privacy - Jan. 2012 (PDF)
- Google Terms of Service
MYTH: My email is less secure with Google than with the old UCSC-managed email.
- While it is true that UCSC-run email lived on UCSC-managed servers, Google undergoes significant independent audits and certifications of their security practices
- Google has better spam and virus filtering than UCSC could provide
- Google is constantly developing new security-related features for its services
- Google gives you the ability to check for suspicious activity on your account, such as cities from which your account has been accessed
- Google supports optional two-factor authentication for added account security (recommended)
- Google's data is replicated in multiple data centers for redundancy and consistent availability
- UC’s contract with Google also provides assurances regarding the security and privacy of customer information stored on Google’s systems.
MYTH: Google accesses people’s email for marketing purposes.
FACT: Google Apps for Education is ad-free for students, faculty, and staff. This means that your email is not processed by Google's advertising systems.
MYTH: Everything I create in Google Docs is available online to the whole world.
FACT: Google Apps for Education’s default is to set everything you create in Google Docs to “private”. This means that unless you actively grant someone access to something you created in Google Docs with your UCSC Google account, only you can access it.
Google Sites, on the other hand, defaults to allowing access to everyone at UCSC.
See above for information on changing sharing settings in Google Docs and Sites.
MYTH: Anything I create or put up on Google Docs becomes the property of Google.
FACT: UC’s contract with Google ensures that UC (its students, faculty, and staff) are the sole owners of their data.
MYTH: If Google receives a subpoena or search warrant for my email or files, I will never know about it.
FACT: UC’s contract with Google includes a requirement that Google notify UC if it receives a court order for UC-owned data. The one exception is if the court order includes a “gag request” that prohibits them from notifying the University. Even in this case, Google has agreed to ask the agency issuing a gag order subpoena or warrant if they can notify UC.
- Google's Security and Privacy Main Page
- Google Apps for Education: Security & Privacy
- Stay Safe Online by Google - Tips and advice for staying more secure on the web.
- Reset cookie functionality on Google Apps
- Administrators can invalidate a user’s active connection to Google Apps services from the Google Apps control panel. More specifically, administrators can reset a user’s sign-in cookies to help prevent unauthorized access to their account. This will log out that user from all current web browser sessions and require new authentication the next time that user tries to access Google Apps. Combined with the existing ability for administrators to reset user passwords, this new feature to reset users’ sign-in cookies improves security in the cloud in case of device theft or loss.
- Security First: Google Apps and Google App Engine complete SSAE-16 audit
- “This year the SAS70 Type II audit has evolved into the SSAE 16 Type II attestation and its international counterpart, ISAE 3402 Type II. We’re happy to announce that Google is one of the first major cloud providers to be certified for compliance to these new audit standards....Together with the SAS 70 Type II (covering dates prior to June 15th, 2011), these third party audits provide additional assurance to customers that their data is well protected.”
- 2012 Security audit
- Google Apps for Education Security Whitepaper
Rev. Sept 2015