Google Drive Security
Best practices, tips and tricks
Introduction
Our staff take the protection of student, staff, and district data very seriously. Such situations have occurred in corporations, non-profit, government agencies the world over due to the relatively new and complex nature of cloud data storage and the ability to share information dynamically with a single click. Our processes for handling such situations mirror industry standards, but are not absolutely perfect, and links can be missed. As a result of these recent developments, it is important for all staff to reacquaint themselves with district data policies and procedures, as well as take a moment to conduct some self-audits.
Objectives
- Provide background on data privacy and related policies.
- Encourage all staff to review their use of Google Drive and the content of their files.
- Offer suggestions and tools for reviewing file shares so that appropriate changes can be made, if necessary.
Policies
515: Protection and Privacy of Student Records
524: Internet Acceptable Use and Safety
406: Public and Private Personnel Data
409: Employee Publications, Instructional Materials, Inventions and Creations
306: Administrator Code of Ethics
211: Criminal or Civil Action Against School District, School Board Member, Employee or Student
The policies provide a framework for practices and procedures that we follow within the district. Recent events have highlighted the need to review some of our procedures and take steps to ensure that all staff have the information they need to follow best practices with data storage and sharing.
Google Storage: My Drive and Team Drive
- Easy access
- Option to share files
- Ability to edit files concurrently
Of course, any tool can be abused. Someone with bad intent will inevitably find a way to do so. Our goal here is to avoid a scenario where we have to limit the functionality of Google Drive. Let's look at the two types of Google Drive available.
My Drive
This is the version that has been around since Google Drive came into existence, and what pretty much everyone is familiar with. For most people, the terms "Google Drive" and "My Drive" are synonymous. Key aspects of My Drive:
- Individuals own and control files and access to them (and access can be lost if staff leave the district).
- Files can be shared to users outside of the organization (shakopeeschools.org).
Team Drive
Introduced within the last year or so, Team Drives are a more secure option that more closely resemble network file shares. Some key aspects of Team Drive:
- The organization owns the drive, so files are not affected when staff leave the district.
- Files cannot be shared to users outside of the organization.
- You have to be a member of a specific Team Drive to see files in that location.
- Team Drives are only available for organization accounts (such as an Education account), not for individuals with a standard gmail account.
As you can see, Team Drives represent a more secure option for storing data. There has been some discussion amongst various departments about moving data currently stored in My Drive locations to Team Drive, but progress on that has been slow simply because there is so much information floating around and it takes time to get it all organized. Also, each type of drive has advantages depending on what your objective is.
How do I see who has access to a file?
Link sharing options are also shown below. They are ordered from least restrictive to most restrictive. Which option you choose should be consistent with who actually needs access and the sensitivity of the data.
Who has access to your files?
Here is a tool you can use to scan your Google drive to see who has access to it.
After going to this link, scroll down a little and click the big blue button that reads “Scan My Google Drive Now”
Next steps will take you through confirming which account to use and allowing permission to access and scan the drive.
It could take anywhere from 2-15 minutes to run depending on how many files you have in your drive or are connected to via sharing settings.
Once it is done, it will give you a report screen.
It may be easier to limit the view to files you own (last item in left column) and access external to our domain (last item in right column).
For this particular situation, I would select the last item (“Everything I can manage”) and click Revoke.
What else can we do?
Of course, we realize that we need to take steps to better manage files and sharing administratively as well. To that end, we are exploring some third party tools that we hope will allow us to do just that. Once we are able to evaluate our options, we will invest in such a tool.
Tech Department Contacts
Email: helpdesk@shakopee.k12.mn.us
Website: https://whd.shakopee.k12.mn.us/
Location: 1200 Shakopee Town Sq. Shakopee MN 55379
Phone: 5100
Facebook: https://www.facebook.com/groups/shakopeedlc/
Twitter: @ShakoTechDrozd