Google and Online Security
It’s amazing to me, how many times we still get asked about how secure Google for Education is. The idea that your data is unsafe when stored anywhere on Google’s servers with a secure password is completely wrong. There have been lots of excellent blog posts written by some very talented people that explain in various ways that Google is a very secure platform - I have linked some of these at the bottom of this post, but I wanted to put my own spin on this topic and take a deeper look at what security online actually looks like and the various ways you can protect yourself and your data.
Google around the world
To begin with let’s put some perspective on how Google is used around the world. Over 70 million pupils and teachers around the world use Google to store their work and resources with Google for Education and more than 3 million companies trust Google G Suite to store their data (we’re one of them). When people ask questions like “Is Google Secure?” or “Are pupils safe using Google for Education?” let’s remember that one of the largest companies in the world with one of the most sophisticated cloud platforms available is providing storage and solutions for Governments, Companies and Schools all over the world. The Welsh Government have also brought Google in to their Hwb platform and later this year will be making Google services available to everyone. My hope is that this information along with the following exploration into online safety will help educate people on how data security works in an online space.
What’s the difference between Google for Business and Google for Education?
While nearly all of the tools available on both platforms are identical there are a few key privacy differences. Google does not use adverts in any of its core services like Drive, Docs or Classroom when you log in as a Google for Education user, and the contents of emails or cloud storage are not analysed in any way for adverts. Pupils' names and personal data are also not used in any way for tracking across Google’s platform. When you use Google as a personal user you do get adverts and these are targeted based on your interests but - again - this is not the case with Educational accounts.
As a side note all of the tools pupils are learning to use from a young age can serve them long into adulthood as the same tools are used by businesses and organizations around the world.
What makes a good password and how are they compromised?
This section is all about passwords. It’s the simplest area to understand on the surface but there’s a lot more that goes into password security than you might think.
So how safe is a password? A lot of this depends on how the password is going to get “hacked/cracked” or found out. There are essentially two ways that a password can be obtained by an unauthorised user.
1. The automated method or brute force method
This is when a computer tries every conceivable combination of numbers and letters to get the correct password. There are much more elegant and complex ways of doing this, but imagine you are trying to open a bike lock that’s been in your shed for 3 years and you’ve forgotten the combination. You have 4 dials with numbers 0-9 on them, so there are 10,000 combinations from 0000 to 9999 and one of them will be correct. This would take a while for human hands, but if a computer/robot could do it, it would probably be done in minutes.
Let’s look at a couple of examples. We took some sample passwords following the patterns below and used an online tool to estimate how long it would take for a computer to crack them. This is by no means a scientific test but it gives you a basic representation of password strength.
As you can see, longer passwords are stronger, and so are those that combine letters, numbers and symbols. Pick something that’s easy to remember like your favourite album for example (we chose Wonderwall by Oasis) and then just mix in some numbers and symbols.
It’s recommended that ALL passwords online be at least 8 characters, but most websites also suggest including symbols and capital letters as well for the reasons seen above. They should also all be different.
For those of you thinking “I could never have different passwords for every site I visit”, you possibly haven’t heard of password managers. These services are there to make sure your passwords are safe and secure while also remembering them for you. There are a lot of choices out there but the ones that we use as a company are LastPass and 1Password. These both have relatively low cost annual plans but could save you a lot of time and hassle. Have a look for yourself, links are at the bottom of the blog.
Be aware that there are also vast lists of known and commonly used passwords that hackers try first, before falling back to the brute force method above. If you want to check whether your password is on such a list or has been involved in a data breach, check out this website: https://haveibeenpwned.com/Passwords
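The bike-lock arithmetic above scales directly to passwords: the number of guesses an attacker must try is (size of the character set) to the power of (length), and a password on a common-password list is found long before any brute force starts. The following is an added example, not code from the original post or from any password-testing site it links to; it estimates the keyspace of a password, converts it to a time at an assumed guess rate, and checks it against a small constructed list of common passwords. The guess rate and the common-password list are assumptions chosen for illustration.

```python
import math
import string

# Constructed sample list standing in for the public "most common passwords"
# lists mentioned in the post; a real check would use a far larger list
# (or the Have I Been Pwned password API).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "wonderwall",
}

# Assumed guess rate for an offline attack against a fast hash.
# Online login forms are rate-limited and would be orders of magnitude slower.
GUESSES_PER_SECOND = 1e10

MIN_LENGTH = 8  # the "at least 8 characters" recommendation from the post


def charset_size(password: str) -> int:
    """Size of the smallest 'standard' alphabet the password is drawn from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(password: str) -> int:
    """Total number of candidates a brute-force attacker must try (bike-lock maths)."""
    return charset_size(password) ** len(password)


def seconds_to_human(seconds: float) -> str:
    """Rough human-readable duration for the report."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def assess(password: str) -> dict:
    """Combine the common-list check, the length policy and the keyspace estimate."""
    if password.lower() in COMMON_PASSWORDS:
        # On a list: found by a dictionary attempt, no brute force needed.
        return {"status": "common", "bits": 0.0, "seconds_to_crack": 0.0,
                "meets_policy": False}
    space = keyspace(password)
    seconds = space / GUESSES_PER_SECOND
    return {
        "status": "ok",
        "bits": math.log2(space) if space else 0.0,
        "seconds_to_crack": seconds,
        "meets_policy": len(password) >= MIN_LENGTH,
    }


if __name__ == "__main__":
    for pw in ["1234", "password1", "wonderwall", "Wonderwall95", "W0nderw@ll!95"]:
        r = assess(pw)
        print(f"{pw:16} {r['status']:6} {r['bits']:5.1f} bits  "
              f"{seconds_to_human(r['seconds_to_crack'])}")
```

The first row reproduces the bike lock (four digits, 10,000 combinations); the remaining rows show why mixing character classes and adding length matters more than any single substitution. The estimate is a worst case for the defender: it assumes the attacker has already obtained the password hashes, which is exactly why two-factor authentication is worth adding on top.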
2. The Social Engineering method
This is where it comes down to lax security on the user's side. If your password is ‘password1’ then someone can just guess the password by sitting on the login screen and giving some passwords a go. (You may be surprised by some of the lax passwords people use, and there is a link at the bottom of the blog to a list of the most common passwords.) Alternatively you may have a really secure password, but if your security question is along the lines of ‘What is your dog’s name?’ then that would be the weak link. With social media being so popular, people are constantly giving away information like their pets' names which, if used as security questions, leave you vulnerable. There is also the true ‘social engineering’ method where people contact you via phone or email etc. and convince you to give them the data they require. The most common of these are email phishing scams where people contact you claiming to be from your bank or a company like Apple or PayPal.
Finally, if you write your password down in a book or on a post-it note on your desk then you’re handing that data to anyone who can read, so please avoid doing this.
Two factor authentication
This is something you can use as a Teacher when logging in to Google for Education, and lots of websites also support two-factor logins. It works by asking you for your username and password as usual but adds a second layer that sends a one-time, six-digit code to your phone that you have to type in to verify your identity. This means that even if someone has your password they also need your phone to log in. The code also expires after you use it and a new one is sent each time. It seems like a time consuming and frustrating extra step at first, but if used properly it can make your account almost impenetrable and becomes second nature.
Whenever you access a service like Google Drive or Gmail the data is encrypted. This means that between it leaving Google’s data centre and being shown on your screen it’s scrambled and unreadable by anyone or anything else. Google uses 256 bit AES encryption which is the same standard used by Governments and corporations around the world.
While data is being stored in Google’s servers it is also encrypted, meaning it’s completely unreadable to anyone other than you. I’m not going to spend a lot of time explaining how encryption works, but just bear in mind that if the confidential information stored by world governments and massive corporations is safe behind 256 bit AES encryption, then your year 6 project on Welsh Castles is just as secure.
Data in transfer and data leaving the EU
As Google is a worldwide company the data that gets saved to its servers could reside in any of its Data Centres around the world. In 2015 the EU ruled that the Safe Harbour agreement that was in place to protect data as it left the EU and travelled on to other countries was not sufficient to protect it. The EU later announced the new EU-US Privacy Shield to replace Safe Harbour and provide more robust safety for data. Google complies with this, the EU Data Protection Directive as well as the 2018 GDPR through its Model Contract Clauses and Data Processing Amendment 2.0. More information on all of this can be found in the links at the bottom of the blog.
If you managed to read and understand everything in that previous paragraph then I commend you, if you didn’t, you can just take away the knowledge that Google complies with all the European Union’s directives to ensure data travelling outside of the EU is always secure.
I hope that this post has gone some way to explaining, in relatively broad and hopefully easy to understand ways, how we can keep our data safe online. Fort Knox is secure until someone leaves the key under the front door mat, so let’s do our best to keep our passwords safe and secure (remember at least 8 characters and a mix of character types) and empower pupils and staff to make use of these amazing tools in a responsible way. I also hope that this information has met my initial goal of explaining that the idea of your data being unsafe when stored anywhere on Google’s servers with a secure password is completely wrong.
Password testers and vulnerability checkers:
Google Compliance links:
Google User numbers:
Guto Aaron's Blog: