Google Workspace management: security, administration, and backup for IT teams

Google Workspace has become the primary productivity platform for a significant portion of SMBs, particularly in sectors that adopted it early and built their workflows around Gmail, Drive, Docs, and Meet. For IT teams and MSPs, managing it effectively means more than keeping licenses assigned. It means owning the security configuration, closing the gaps Google’s native tools leave open, and ensuring that client data is protected in ways the platform itself does not guarantee.

This guide covers the three areas where proper management makes the biggest difference: administration, security, and backup. Kaseya’s platform supports more than 50,000 MSPs and IT teams worldwide managing exactly these environments, and the patterns below reflect where things go wrong in practice.

Google Workspace administration: the basics and what defaults get wrong

Google Workspace administration runs through the Admin console, a web-based interface that covers user and group management, organizational unit structure, device management, security settings, and reporting. The model is cloud-native: changes take effect immediately and there is no on-premises server to maintain. That simplicity has a downside. Because there is no baseline configuration pushed to new tenants, the defaults are often less restrictive than a business environment requires.

The three areas where default settings create the most consistent problems are authentication, Drive sharing, and mobile device access.

Authentication. Two-step verification (2SV) is the most important security control in any Google Workspace environment. It is not enforced by default for standard users. An admin must go to Security > Authentication > 2-step verification and enforce it, either for the whole organization or by organizational unit. Google now enforces 2SV on administrator accounts as part of a rolling policy, but end-user enforcement remains a deliberate admin action. According to Kaseya’s 2025 SaaS Application Security Insights Report, MFA is disabled or inactive in more than 60% of end-user SaaS accounts. Leaving 2SV optional is not a neutral choice. It is accepting a known risk.

Drive sharing. The default sharing setting in many tenants allows “Anyone with the link” access to files. This means a user sharing a document can expose it to anyone on the internet with the URL, with no sign-in required. IT admins should set the organization-wide default to “Off (restricted)” and require explicit approval for external sharing. Finance departments, HR teams, and anyone handling customer data should be in organizational units with tighter sharing controls applied specifically.

Mobile device access. Google Workspace includes basic endpoint management for mobile devices, but it does not provide granular control over what data applications can access or how devices are handled when lost or offboarded. For organizations with BYOD policies or where mobile devices access sensitive data in Drive or Gmail, endpoint management through a dedicated MDM sits outside what Google natively provides.

User lifecycle management. Prompt deprovisioning when employees leave is both a security requirement and a licensing cost control. The right sequence is to suspend the account first, transfer ownership of any Drive files and Gmail data to a manager or service account, then delete the account after the standard hold period. Automated offboarding workflows that integrate with IT Glue documentation and Autotask ticketing eliminate the gaps that manual processes leave.

Security configuration: what to enforce from day one

Beyond 2SV and sharing defaults, several settings in the Admin console require deliberate configuration for a business-grade security baseline.

Less secure app access. Google deprecated support for basic authentication on consumer Gmail accounts in 2022, but some legacy applications and connectors still request it in Workspace tenants. The admin console exposes a setting to block less secure app access entirely. Any application that cannot authenticate via OAuth should be evaluated for replacement.

Admin activity monitoring. The Admin console’s Reports section captures login events, admin activity, Drive sharing changes, and security alerts. These logs should be reviewed regularly. Unusual admin activity, such as a new super admin being created or bulk user deletions, warrants immediate investigation. Setting up alerts for high-risk events, like super admin role assignments or login anomalies, takes minutes in the Admin console and provides significant detection coverage.

Password policy enforcement. Google Workspace’s “Enforce strong password” setting is off by default. Admins should enable it and set a minimum length of at least 12 characters. The policy can be applied at the organizational unit level, which allows stricter requirements for high-privilege accounts without disrupting lower-risk users with different workflows.

Third-party app access. Google’s API controls section lets admins review and restrict which third-party applications have been granted OAuth access to Workspace data. Unreviewed OAuth grants from shadow IT, such as productivity tools employees connect without IT review, can access Drive, Gmail, and Calendar data with no ongoing visibility. Quarterly reviews of the authorized app list are a practical baseline. Setting the policy to require admin approval for new third-party app connections prevents new grants from accumulating silently.

A practical test of your Google Workspace security posture: ask whether you could produce a list today of every third-party app with access to user data, every account without 2SV enforced, and every file shared publicly. If the answer to any of those is no, the admin console audit is the starting point.

The backup gap: why Google Vault is not enough

Google Vault is the feature most often confused with backup. It is not a backup solution. Vault provides data retention for eDiscovery and compliance purposes. It retains data within Google’s own infrastructure, which means a ransomware attack or account compromise that affects the primary Workspace environment can affect Vault-retained data simultaneously. It does not offer point-in-time recovery, and it does not protect against the most common causes of data loss in practice: accidental deletion, departing employee actions, and sync errors from third-party integrations.

Google’s shared responsibility model is explicit on this. Google is responsible for the availability and security of the platform infrastructure. Customers are responsible for their data. That responsibility does not transfer to Google because data lives in the cloud.

The practical risks are well-documented. A user permanently deletes files from Gmail or Drive, and after the 30-day trash window closes, the data is gone. A malicious file syncs to Drive and overwrites clean versions across shared folders. A departing employee deletes project files before their account is suspended. None of these scenarios triggers a Google-side recovery, because none of them involve a failure of Google’s infrastructure.

Spanning SaaS Backup, part of Kaseya 365 User, addresses this by providing automated daily backup of Gmail, Drive, Shared Drives, Calendar, and Contacts, with independent encrypted storage outside Google’s infrastructure and point-in-time recovery. For MSPs, the conversation with Google Workspace clients follows the same structure as the Microsoft 365 backup conversation: Google protects the platform. A third-party backup product protects the data.

Kaseya’s dark web monitoring feature adds a further layer, alerting administrators when employee email addresses and credentials associated with the domain appear in breach data. A credential from a client’s employee appearing in a credential dump may indicate reuse against their Workspace account before any login alert fires.

Email security: what Google’s filters miss

Gmail’s native spam and phishing filters are broadly effective against known threats and high-volume campaigns. They are significantly less effective against targeted attacks. Spear-phishing emails crafted specifically for a recipient, business email compromise (BEC) attempts that impersonate an executive or vendor, and zero-day phishing using newly registered domains often pass Google’s filters and land in the inbox.

This is not a failure of Google’s platform. It is an accurate description of the threat model. Targeted attacks are designed to evade volume-based detection. An MSP managing 50 Google Workspace clients cannot rely on Gmail’s built-in filters to catch the messages most likely to cause significant damage.

INKY, part of Kaseya 365 User, adds an AI-based layer to Google Workspace email security that operates above the native filters. It uses computer vision technology to identify brand forgeries and logo abuse in real time, catching phishing attempts that visually impersonate trusted senders. It deploys via API with no MX record changes required and adds color-coded warning banners to emails it identifies as suspicious, coaching users on the risk without removing the message from their control. INKY also provides data loss prevention (DLP), encryption, and DMARC enforcement, which extends protection beyond inbound phishing to outbound data handling and sender authentication.

For MSPs specifically, INKY reduces admin overhead significantly. An internal test across MSP deployments found admins cut time spent on email security management from around 40 hours to approximately 1 hour per month.

Cloud detection and response for Google Workspace

Google’s Admin console surfaces login events and admin activity, but it does not correlate behavioral signals across the Workspace environment in real time. An account logged in from an unusual location, downloading large volumes of Drive files, and creating OAuth connections to new third-party apps inside a 30-minute window is not automatically flagged as a compromise. Each event is visible in isolation. The correlation that identifies it as an incident is not.

SaaS Alerts, part of Kaseya 365 User, provides cloud detection and response for Google Workspace by monitoring user activity continuously and applying machine learning-based behavioral analysis to identify anomalies. When it detects a potential compromise, it can respond automatically: terminating active sessions, disabling the account, and routing an alert to the MSP or IT team without waiting for human intervention.

The Respond module for Google Workspace, launched in 2024, allows MSPs to configure rules built on if/then logic. A typical example: if a successful login comes from outside an approved geographic range, then Respond retires all active sessions and blocks new logins until the account holder is verified. These rules run continuously, including outside business hours, which matters because account compromises discovered on a Friday evening have the entire weekend to develop into larger incidents without automated response in place.

SaaS Alerts also monitors for OAuth grant abuse, one of the most common and least visible attack vectors in cloud environments. When a user connects a new SaaS application to their Workspace account via OAuth, SaaS Alerts logs the connection and can alert the admin or trigger a response rule. In 2024, SaaS Alerts analyzed more than 7.3 billion events across SaaS environments for its annual SaaS Application Security Insights Report. Of those events, over one billion were medium or critical severity, a number that makes continuous automated monitoring, not periodic manual review, the only realistic management model.

Managing Google Workspace at scale with Kaseya 365 User

An MSP managing 30 Google Workspace clients faces a compounding version of every problem described above. Security configurations drift between tenants. Backup coverage is inconsistent. Email security gaps in one client environment create exposure for others. Without a unified platform, keeping pace requires either significant manual review cycles or accepting inconsistent coverage.

Kaseya 365 User brings the three primary Google Workspace security and protection layers together under one subscription. INKY handles advanced email threat detection and user coaching. SaaS Alerts provides continuous behavioral monitoring and automated response across the Workspace environment. Spanning provides daily automated backup with independent storage and point-in-time recovery. All three connect to Google Workspace via API, with no agent installation and no infrastructure to manage.

The commercial case for MSPs is straightforward. Each of these layers addresses a risk that Google’s native tools do not fully cover. Clients running Google Workspace without SaaS backup are exposed to data loss their business continuity plans cannot address. Clients without cloud detection and response have no visibility into account compromise until the damage is done. Presenting these gaps clearly, with evidence from the shared responsibility model and from enforcement actions where relevant, is the conversation that moves Kaseya 365 User from an add-on discussion to a baseline expectation.

Explore Kaseya 365 User for Google Workspace protection.

For a deeper look at how SaaS application security fits into broader MSP cyber resilience strategy, see the Cyber Resilience Checklist for MSPs and the 2026 Kaseya State of the MSP Report.