Guidance on use of Google Docs for Sharing Protected Information

Restricted Data:  PHI other than HIPAA, PII, IP

1. There are four conditions that must be assured when storing and sharing Restricted Data, also called P3 and P4 data under the new data classification scheme. https://security.ucop.edu/policies/institutional-information-and-it-reso...

  • Data Security - data must be encrypted during transport and at rest
  • Least Access - Authorization to access data must be granted to individuals and must be restricted to only the data for which the individual has a need
  • Access Logs - data access must be logged to allow identification of unauthorized access
  • Secure Infrastructure - Servers and storage must be set up and operated in accordance with best practices to protect information. This includes attention to personnel, physical security, and logical security.

2. Google Drive and Google Team Drive meet restricted data storage security requirements because all four conditions are met.

  • Google Drive data are encrypted at rest and in transit.
  • Google Drive permits the setup and maintenance of sharing that requires authentication and restricts access.
  • Google Drive maintains detailed log records accessible by Google Account Administrators that can be used for investigatory purposes.
  • Google is transparent about the operational controls of their environment and publishes both industry-recognized certifications and independent audit reports demonstrating the capacity of their infrastructure to protect data.

3. Considerations for enforcing Least Access

There are two different file sharing capabilities provided by Google: Team Drive and My Drive. They both permit restricted file sharing but differ in the controls they provide. My Drive permits the sharing of folders under a root folder. The root folder and all subordinate folders and files can have different sharing restrictions. Team Drive does not permit sharing restrictions on folders under the root. Until Google adds the functionality to Team Drive, My Drive is the preferred way to provide separation of duties for sharing. In order to provide continuity of the function, shared drives should be established under functional accounts. Here are guidelines for constructing sharing arrangements suitable for restricted data.

  • A Connect functional account should be created to manage the storage. Your department IT staff or Connect administrator can help with this.
  • At least two responsible administrators should have access to the functional account. Ideally, these administrators should not need routine access to the data in the account. Their role is administrative only. Multi-factor authentication backed by a physical token that can be safely stored but available to both administrators should be used.
  • The functional account creates the root folder that will hold only folders to be shared. The root folder must not be shared. Access must be restricted to the administrator account only.
  • The functional account creates subfolders that will be used for document sharing.
  • If the users of the storage structure will be restricted to access only specific subfolders, then the structure must use My Drive folders, since Team Drive does not permit sharing restrictions on folders under the root.
  • All users should enable Google multi-factor authentication via one of the supported mechanisms.
  • Sharing permissions may be set up for subfolders in support of business requirements. Google provides multiple privileges for shared folders.
    • Shared users can be allowed to “Organize, add, & edit” or “Can view only.” The latter setting is preferred unless the user needs to upload or edit data.
    • When users are added as editors to shared folders, the administrator must check the box that “Prevents editors from changing access or adding new people.” The security of this sharing scheme depends on this control being set.
  • The administrator(s) add authorized individuals to the storage structure to meet business requirements.
    • Authorized individuals must be told not to set up offline (synchronized) access so that Restricted data is not transparently copied to their computers. Failure to do this may expose data without proper controls.
  • The administrator(s) deprovision authorization to the storage structure when access is no longer required.
  • Business units must establish a process for notifying administrator(s) to add or remove users from shared folders.
  • Google groups may be used to facilitate sharing. Unit staff can add and remove people from the group without administrator involvement. This can facilitate the access change process.
  • Shared Google Drives must be removed and the functional account terminated once the business need for sharing Restricted data goes away.
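As an added example (not part of this guidance and not Google's own tooling), the checks below audit a folder structure against the rules above. The input is a constructed tree in the shape of Google Drive API v3 `files` resources (`id`, `name`, `mimeType`, `parents`, `writersCanShare`, `permissions`); the functional account address and folder names are placeholders, and nothing here calls the Drive API.

```python
# Added example (not from the guidance document): checks Drive folder metadata
# against the sharing rules above. Input is constructed in the shape of Drive
# API v3 `files` resources; nothing here calls the API.
FOLDER_MIME = "application/vnd.google-apps.folder"
ADMIN = "restricted-share@example.edu"  # hypothetical functional account

def audit_drive(files, root_id, admin_email=ADMIN):
    """Return (item name, problem) pairs for anything that breaks the scheme."""
    findings = []
    root = next(f for f in files if f["id"] == root_id)
    # Rule: the root folder is visible to the functional account only.
    if any(p.get("emailAddress") != admin_email for p in root["permissions"]):
        findings.append((root["name"], "root folder is shared"))
    for f in files:
        perms = f.get("permissions", [])
        # Rule: the root holds only the subfolders that will be shared.
        if root_id in f.get("parents", []) and f["mimeType"] != FOLDER_MIME:
            findings.append((f["name"], "file stored directly under root"))
        for p in perms:
            # Rule: sharing must require authentication, so no "anyone" links.
            if p["type"] == "anyone":
                findings.append((f["name"], "link sharing does not require authentication"))
            # Rule: ownership stays with the functional account for continuity.
            if p["role"] == "owner" and p.get("emailAddress") != admin_email:
                findings.append((f["name"], "owner is not the functional account"))
        # Rule: editors may not change access or add people. The Drive API exposes that
        # checkbox as writersCanShare (default True, so a missing field counts as unsafe).
        if any(p["role"] == "writer" for p in perms) and f.get("writersCanShare", True):
            findings.append((f["name"], "editors can change access or add people"))
    return findings

OWNER = {"type": "user", "role": "owner", "emailAddress": ADMIN}
def _item(fid, name, parent, perms, writers_can_share=False, mime=FOLDER_MIME):
    return {"id": fid, "name": name, "mimeType": mime, "parents": [parent] if parent else [],
            "writersCanShare": writers_can_share, "permissions": [OWNER] + perms}

SAMPLE_FILES = [  # constructed sample tree, not real Drive data
    _item("root", "Restricted Root", None, []),
    _item("a", "Grants", "root", [{"type": "user", "role": "writer", "emailAddress": "ana@example.edu"},
                                   {"type": "user", "role": "reader", "emailAddress": "bo@example.edu"}]),
    _item("b", "Payroll", "root", [{"type": "user", "role": "writer", "emailAddress": "cy@example.edu"}],
          writers_can_share=True),  # "Prevents editors from changing access" box not checked
    _item("c", "Survey", "root", [{"type": "anyone", "role": "reader"}]),
    _item("d", "notes", "root", [], mime="application/vnd.google-apps.document"),
]

if __name__ == "__main__":
    for name, problem in audit_drive(SAMPLE_FILES, "root"):
        print(f"{name}: {problem}")
```

Against a real account the same function can be fed the output of `files.list` requested with the fields named above.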