Google Workspace Control Walkthroughs

Step-by-step hardening guides for Google Workspace.

Progress is saved locally in your browser — no information is ever sent to our server.

compliance ↗

Tier 0 — do it today

Control Status Est. time
1 Enforce 2-Step Verification 30 min
2 Alert recipient hygiene + suspicious-login alerts 1 h
3 Government-backed attack alert routing 15 min
4 Email authentication (SPF/DKIM/DMARC) 1–2 h
5 Account inventory (incl. shared/service accounts) 1–2 h
6 Super-admin separation & minimal count 1 h

Tier 1 — the working baseline

Control Status Est. time
7 Phishing-resistant 2SV (FIDO2/passkeys only) 30 min
8 OAuth app access control / allowlisting 2–4 h
9 Marketplace install allowlist 1–2 h
10 Chrome managed-profile policy baseline 2–4 h
11 Legacy public-share inventory & cleanup 2–4 h
12 Web session-length control 15 min
13 Drive external-sharing restriction / trust rules 1–2 h
14 Basic Context-Aware Access (IP/geo) 2–4 h
15 SSO/SAML to hardened IdP 1–2 days
16 Calendar external-sharing lockdown 15 min
17 Google Chat external containment 15 min
18 Disable user auto-forwarding & mailbox delegation 30 min
19 Residual mail & service hygiene 1 h
20 Break-glass admin + offline backup codes draft 1 h

Tier 2 — hardening

Control Status Est. time
21 Advanced Protection Program (high-risk users) 1 h
22 Native multi-party approval 30 min
23 Gmail Security Sandbox + safety-toggle verification 30 min
24 Data regions (storage) 15 min
25 Handling untrusted files at rendering distance 4–8 h
26 DLP rules (Drive/Gmail/Chat) 1–2 days
27 Device-trust CAA via MDM 3+ days
28 MTA-STS + TLS reporting 1–2 h
29 Shared-drive architecture 4–8 h
30 Vault retention & legal hold 2–4 h
31 Audit-log export to SIEM/BigQuery 4–8 h
32 Groups for Business exposure lockdown 30 min
33 Disable POP/IMAP / app-specific passwords draft 30 min

Tier 3 — high-assurance

Everything in this tier is in draft status — shown only as a preliminary direction we're considering.

Control Status Est. time
34 Disable Google Takeout
35 Witnessed ceremonies + tamper-evident custody
36 Split-custody break-glass
37 Continuous OAuth re-authorization sweeps
38 Cloud session control + admin re-auth
39 Directory minimization for targeted staff
40 Scripted JIT admin elevation
41 Periodic access recertification
42 Color-coded data domains (labels + IRM)
43 Hardware-key break-glass super-admin
44 Vault-account custody of crown jewels
45 Mandatory-absence review
46 Reading-room enclave (SCIF port, incl. data-copy minimization)
47 Deny-by-default IP/geo gating
48 CSE self-hosted / HYOK KACLS
49 Email gateway interception
50 Offline & desktop-sync data minimization 2–4 h
51 Privileged Access Workstation for admins 1–2 days

Tier 4 — the deep end

Everything in this tier is in draft status — shown only as a preliminary direction we're considering.

Control Status Est. time
52 Alert-pipeline heartbeat
53 Honeytoken credential file
54 Cloud Identity Free decoy accounts
55 Air-gapped recovery identity
56 Self-hosted canary corpus
57 Canary tokens via commercial console
58 WORM off-tenant log archive
59 Config-drift & persistence sentinel (incl. mail-routing watch)
60 Zero-standing-access delivery pattern
61 Audit-the-auditors alerting
62 Config-as-code with reconciliation
63 Travel-mode accounts
64 AI-agent / prompt-injection canary
65 Apps Script / add-on / AI-agent governance
66 Detection engineering on exported logs
67 Purple-team / adversary emulation
68 Multi-tenant compartmentalization
69 CSE with Google-partner KACLS 3+ days