How secure is Google Drive?
Google Drive is without a doubt one of the best-known cloud services on the market. Although the cloud storage provider makes backups and storing data particularly easy, you may be asking yourself if Google Drive is secure enough to host your data.
- What is Google Drive?
- How is Google Drive encrypted?
- What access rights does Google Drive offer?
- How does the Cloud Act affect Google Drive?
- How secure is Google Drive against cyberattacks?
- Where are Google Drive servers located?
- What are the Google Drive’s data privacy standards?
- Is Google Drive secure for companies?
- Using Google Drive in a transparent way
- What are some alternatives to Google Drive?
Data you upload to Google Drive is secured by the AES 256-bit encryption standard during uploads, downloads and when stored on the server. Google also uses two-factor authentication, georedundant data centers, and perfect forward secrecy for secure SSL encryption. Despite all of these measures, Google is an American company and under the Cloud Act, they are obliged to send data to the U.S. government if required by a court order.
What is Google Drive?
Drive is Google’s cloud service and an integral part of every Google account. Google Drive offers 15 GB of free cloud storage and additional storage space can be upgraded to over 2 TB for an additional fee. In addition, users have access to multiple Google Workspace applications such as Docs, Meet, Sheets or Calendar. The business version of Google Drive as well as the Google One subscription offer even more practical teamwork extensions.
How is Google Drive encrypted?
Modern AES 256-bit encryption is used for data uploaded and downloaded to Google Drive and for storing data on Google’s servers. AES encryption (Advanced Encryption Standard) is one of the most common, secure and widely used encryption standards. The U.S. government also encrypts their files by using AES. The number 256 stands for the encryption length, which can generate up to 115 duodecillion different keys. For this reason, AES keys are extremely difficult to crack, even with brute force attacks.
Furthermore, Google Drive uses the reliable encryption standard SSL/TLS to protect communication between browsers and servers. This standard confirms the identities of the client and server, and makes sure that the connection between both parties is secure. By using this standard, Google ensures optimal Google Drive data privacy during data transfer.
What access rights does Google Drive offer?
The basic Google Drive rule is that only you can access your data. However, to enable collaboration with other people, Google Drive allows you to share files with other users by granting them access to selected documents and files.
You have a number of different sharing settings and options to choose from. For example, you can specify whether access should be confidential, meaning that a person can only access the files when logged into their Google account. Or, alternatively, you can grant access via a shareable link or choose to grant public access without restriction. Publicly accessible files can be used by up to 100 devices at the same time.
To share files, select a file and enter the email address of the person you want to share the file with via the Share and Invite people commands. In order to access the files, the person must have an account. A Google account can be created in a few steps.
As stated previously, Google Drive is an American company, which means the U.S. government technically also has access to data stored in Google Drive via the Cloud Act.
How does the Cloud Act affect Google Drive?
Enacted in 2018, the Cloud Act defines the access rights of U.S. authorities to stored data. The act requires all U.S. companies to grant U.S. authorities access to users’ data, even if it’s not stored in the United States. If ordered by a court, Google must allow the U.S. authorities to access the requested data. Under certain conditions, access is even possible without a court order.
It’s also important for companies doing business in the EU to note, that under the EU’s strict GDPR, or data security laws, data transferred from the EU to the U.S. is currently (as of January 2023) not seen as secure. The EU-U.S. Privacy Shield, which had previously been used to regulate the secure transfer of data from the EU to the U.S., was declared invalid by the European Court of Justice in 2020. The increased data surveillance measures by the U.S. government, namely the Cloud Act and the Foreign Intelligence Surveillance Act (FISA), were behind the reason for the EU’s decision.
How secure is Google Drive against cyberattacks?
Although Google Drive isn’t safe enough to be used for storing most business-critical data, it still offers its users solid cloud access security and protection against cyberattacks.
Below are the most notable data protection methods Google Drive offers:
- Password protection, in combination with a secure password
- Two-factor authentication
- AES 256-bit encryption
- TLS encryption
- Georedundancy for secure data centers
- Account recovery through a security question, email confirmation or via phone
- Warnings about suspicious logins
- Reliable spam filter
- Backup & sync to protect against data loss
- Automatic malware scans of emails and files
- Encryption of uploads and downloads
- Perfect forward secrecy to prevent subsequent decryption of data
If you have a paid subscription to Google Workspace, you can access even more security measures. These include a cloud-first and zero-trust approach, as well as special data protection measures for teams, such as defined security groups and administrator rights.
Where are Google Drive servers located?
Google’s servers are primarily located in the USA. However, the Cloud Act also applies to data stored on Google servers in other countries. The U.S. government has the right to request data located outside of the U.S. if granted by the court.
Prefer to host your data outside of the US? IONOS HiDrive cloud storage is a great option. Securely store your data on certified servers in a data center of your choice.
What are the Google Drive’s data privacy standards?
In addition to the aforementioned encryption standards, Google Drive has obtained data security certification ISA 27001 (SOC1, SOC2, SOC3) as well as certifications from the American Institute of Certified Public Accountants (AICPA). This means that Google’s servers are regularly audited by independent bodies. Access to data is also restricted to a select group of people that carry out data maintenance and security.
Is Google Drive secure for companies?
Google Drive offers fairly secure data protection methods and tools. However, since Google doesn’t offer zero-knowledge encryption, the company can access your data and give it to the U.S. government if they are obligated to. There are Google Drive alternatives on the market that encrypt stored data so that the service providers can’t access the data even if they are asked to. So, if that is what you are looking for, Google Drive is not a secure enough option.
However, it’s completely okay to use Google Drive for storing non-critical data. You just need to put adequate data security measures in place yourself and make sure your company adheres to them.
Creating secure passwords that are changed at regular intervals and setting up two-factor authentication are important practices with all cloud storage providers. These measures allow providers to double check who the data is shared with both inside and outside the company. This is even more important when using Google Drive, because the access rights system is not very granular. For example, it’s hard to structure data so that only certain departments or groups have access to certain files or folders. There is also a high risk of human error when typing email addresses to provide access to data. Additional precautions should also be taken when linking other applications to you Google Drive. It’s best not to give any other applications access to Google Drive as these can offer hackers more ways to access your Google Drive data.
Although it might be a tedious task, read carefully through Google’s data privacy and contractual clauses. This way you will be aware of document risks associated with data storage and transfer and will be prepared if something happens.
Using Google Drive in a transparent way
If your company is using Google Drive to store any customer data, you should communicate this to your customers in a transparent way. If your company is offering its services in the EU, they also need to be aware of the GDPR regulations, which have an impact on how your company should use Google Drive.
Below we’ve listed the most important points to follow when collecting or storing any data from EU citizens. However, in order to operate in a transparent manner, we recommend you follow them for your U.S. customers as well:
- Allow the user to opt in or refuse essential and non-essential cookies.
- Create an order processing contract with Google to clarify the following questions:
- What personal data is passed on to Google?
- Why is the data being passed on?
- How long will data be stored by Google?
- What rights and obligations are Google and the company subject to?
- Why is Google Drive used to store data?
- What is the legal basis for data storage and data sharing?
- How can users object to the collection and storage of data?
What are some alternatives to Google Drive?
If you still have doubts about how secure Google Drive is and are wondering which cloud is the most secure, you should conduct a cloud storage comparison to find the best provider. A comparison will give you the opportunity to evaluate different cloud service providers based on the range of services and security measures offered. If you are looking for a cloud service provider with a robust data protection policy, European cloud providers such as the Swiss pCloud or the German cloud provider IONOS, with its secure HiDrive cloud storage, are good options.