G Suite is built with a security-first mindset. It's designed to meet the highest security standards and is subject to regular independent third-party audits by several national and international agencies and organizations.

One key difference between the free and business versions is the security features. Free accounts are not designed to be handled individually, so there is no easy way to monitor or enforce security.

Business accounts, on the other hand, allow administrators to enforce advanced security like two-step verification and login challenges to prevent attacks, even when some user credentials are compromised.

The Security center allows administrators to easily adjust all settings related to domain security and user account protection. The& Security center is divided into different sections, each showing its name and a short description....

The Basic settings section provides administrators with quick access to the Password Recovery flow, as well as links for setting up Two-step verification and user's access to Less secure apps.

Enabling the Two-step verification (2SV) login flow will require the user to provide a key coming from a registered device in addition to their username and password. Each generated key is only usable once, so without the device, the credentials are not enough to access the account.

You can choose any of the following options for two-step authentication:

• Security Keys that are provided by special devices, usually USB drives that one physically inserts in the machine, or sometimes it's a card that you tap to a Near Field Communication (NFC) or Bluetooth Low Energy (BLE) device. This is the safest option, but also more expensive to implement.
• A Google Prompt that...

Having a strong password is essential to keep an account safe; even the strongest encryption can't offer much protection if the key is easy to figure out.

As a G Suite administrator, you can enforce requirements for all passwords within the organization. This helps set a minimum security strength that's required for all accounts.

To set up password requirements, follow these steps:

1. Having a strong security protocol is not effective if the password strength is weak and therefore easy to guess. You can be sure all user's passwords are inline with current best practices by enabling the Enforce strong password checkbox:

2. By defining a Password length, you can be sure that user's passwords are not too short, but keep in mind that passwords below eight characters are not recommended:

3. To avoid existing users from keeping a low security password...

It's important to keep an eye on the safety of the passwords that are used by the members of the organization, but it has to be done without us seeing the passwords themselves.

In Password monitoring, you can quickly overlook the current strength and length of, all of your member's passwords as shown in the following screenshot:

If you believe that a user should set a new password, follow these steps:

1. Click on the user's name. This will take you to that user's account details, as shown here:

2. Select if you wish the system to automatically generate a temporary password. If you disable it, you need to provide one yourself:

3. Select if you wish the user to be required to change the password at their next sign in.
4. Click RESET to apply any changes.

In this section, you learned how to monitor a user's password characteristics, and...

G Suite can detect unusual login attempts to user accounts; you can enable additional Login challenges that the system will use on these cases to reduce the risk of unauthorized access using compromised login credentials. The Login challenges settings are as follows:

There are three types of login challenges in G Suite:

• Mobile device challenges: These use a physical mobile device that the user has registered as their own as a source of truth for confirming the login attempt. If the user has a registered device verification, it can be done in one of three possible ways:
  • A prompt that will show up on the mobile device for the user to confirm the login attempt. I find this to be the most practical option.
  • A text message with a verification code that the user must type as proof.
  • A phone call with a verification code on a voice message that the user must...

An organization can extend G Suite by enabling API access so that developers can create software that integrates with the services and optimize the way things work to best suit the organization's needs.

API access is required for external applications to integrate with G Suite. Keeping it disabled will prevent all users from installing third-party applications, so it's a good idea to turn it off unless it's necessary to keep things safer. You can use the Enable API access checkbox to enable or disable API access:

The administrator's console also has an API that allows developers to extend and customize it for the organization's needs so that it can facilitate the administrator's tasks.

The Admin SDK settings can also be found on the same page:

The Admin SDK allows organizations to build tools tailored to their very unique need...

Business grade sign-in flows are highly reliable, and in many cases, users will need to use other web applications. Managing several high security credentials at the same time can be too cumbersome for users.

With SSO, members of the organization can use their G Suite credentials to safely identify themselves on third-party applications.

To configure SSO, follow the appropriate steps, depending on whether you will be using Google identity provider or a third-party service:

• Setup SSO with Google identity provider. To use Google credentials for SSO, follow these steps:
  
  1. Copy the SSO URL or the Entity ID. This will be used by the applications to get the login information:

• 2. Click DOWNLOAD CERTIFICATE.
  3. Click DOWNLOAD IDP METADATA:

• 4. Register the information that was gathered in steps 1, 2, and 3 into the third-party service providers.
• To use...

At this point, you already know how to apply the different configurations that will allow users to safely log in to the platform. Users will only be active for a few hours, and then will not return until the next day.

Leaving a Google session active for too long without being used is an unnecessary risk, and to minimize this, G Suite allows administrators to define how long a session is considered valid. After this period, the user will be required to log in again.

To define the session length, click on the Session control drop-down menu and select the amount of hours it will last. It can be as short as one hour, or as long as 30 days. You can even make sessions never expire:

Ideally, a session should last an entire day. In most cases, 12 hours should be enough for a user to only be required to log in at the beginning a working day.

Being able...

As an administrator, you can whitelist the address of specific web applications that are authorized to access specific G Suite APIs for this domain. This way, you can make sure that only authorized applications can use APIs. To make things even safer, administrators can define the approved scope for each application.

To authorize an application to have API access, follow these steps in the Advanced settings section:

1. Click on Manage API client access and go to the authorized API clients list:

2. Type the URL of the application in the Client Name field.
3. Type the API scopes (separated by a comma) that this application is authorized to access in the One or More API Scopes field. To see a full list of all currently available APIs and scopes, go to https://developers.google.com/identity/protocols/googlescopes.
4. Click Authorize.

By defining the API client...

When external apps try to access your team's data, they must first have explicit authorization to access this information.

Each G Suite product and service has a separate API, and as an administrator, you can choose which APIs can be made accessible to external apps. The settings for each G Suite product look as follows:

At the bottom of the API lists, you can see the links to Installed Apps and the Trusted Apps reports. Continue to the next section to see what we can learn about the Installed Apps report.

The Installed Apps report shows you all the applications that are currently allowed and being used by members of the organization. You can also review which kind of information...

Congratulations on finishing this chapter! You have just learned how to set up the security settings for a G Suite domain to fit the particular needs of your organization.

In this chapter, you learned how to set up two-step authentication to protect user accounts with advanced login security. This was followed by password requirements across the entire organization, as well as how to monitor a user's password strength, which is key to bolstering organizational security.

You also learned how to enable the Admin SDK to allow third-party software to integrate with G Suite. Furthermore, we also covered how to set up SSO so that users can use the same user session across all their applications.

We closed this chapter by discussing how to set up API permissions to define which third-party applications can integrate with G Suite for this domain, as well as what information...

• Protect your business with 2-Step Verification (https://support.google.com/a/answer/175197?hl=en)
• Create a strong password & a more secure account (https://support.google.com/accounts/answer/32040)
• Verify a user’s identity with extra security (https://support.google.com/a/answer/6002699?hl=en)
• Set up single sign-on for managed Google Accounts using third-party Identity providers (https://support.google.com/a/answer/60224)
• If you have multiple G Suite subscriptions (https://support.google.com/a/answer/6274252?hl=en)
• Whitelist connected apps (https://support.google.com/a/answer/7281227)