G Suite security review

Does the SaaS provider protect external data in transit using TLS?

Yes

According to Google’s encryption white paper G Suite uses TLS 1.2 with Perfect Forward Secrecy by default.

Does the SaaS provider protect external data in transit using correctly configured certificates?

Yes

G Suite meets the Recommended cryptographic profiles for TLS as published by the NCSC. In addition, the G Suite domain currently gets an ‘A’ rating from Qualys SSL Labs.  Note that this was performed on their top level domain, and not all subdomains that may be used for API calls.

Does the SaaS provider protect internal data in transit between services using encryption?

Yes

According to their security FAQ Google encrypts all traffic in transit within their network.

Does the SaaS provider protect internal data in transit between services using correctly configured certificates? 

Yes

Section 1 of Google’s published response to the NCSC’s Cloud Security Principles confirms that data is protected with TLS 1.2 with Perfect Forward Secrecy between internal services and APIs.

If APIs are available, does the SaaS provider protect both internal and external APIs through an authentication method?

Yes 

All API requests must be authorised by the user and use OAuth.

If there is a concept of privilege levels in the service, does the SaaS provider have the ability for low privilege users to be created?

Yes 

Users can have one of several roles with varying levels of permissions. Google provides a set of prebuilt admin roles, or you can create your own. This is described in the G Suite documentation. If there is a concept of privilege levels, does the SaaS provider provide 2FA/multi-factor authentication on at least the high privileged accounts?

Yes

G Suite currently provides multi-factor authentication via SMS or any app that supports TOTP (Such as Google Authenticator). This can be enforced by Administrators for users within their domain. G Suite also integrates with Single Sign On (SSO) options each of which may provide 2FA options. Google’s website describes how to enable their 2FA options.

Does the SaaS provider collect logs of events?

Types of log may include security logs and resource logs

Yes

Google stores a variety of logs – these are made available to a domain administrator. Google’s support pages provide an overview of the logging services. Does the provider make logs available to the client?

Yes

G Suite makes a variety of logs available to administrators, including areas such as login and administrator actions.

Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or libraries that the service makes use of?

The provider’s previous track record on this is a good metric to see how they’ll cope with a new issue occurring.

Yes

Google has a dedicated security research team (Project Zero) according to their white paper, who attempt to find vulnerabilities in their service. They also have a public bug bounty program. Google have also published their Application Security Policy which details how they handle vulnerability reporting and management. Does the SaaS provider give clear and transparent details on their product and the implemented security features (i.e. how easy has it been to answer the above questions) ? Yes Google publishes details of their security architecture in their white paper and within the FAQs on their site. Google’s SOC3 audit report provides details around the implemented security features in their products.

Source: NCSC