Link Sharing Security Update in Google Drive
July 1, 2021
As we all know, Google is committed to making our data as secure as possible. With this constant drive for security come ongoing updates to its Google Workspace products and features.
Recently, it was announced that there will be an upcoming link sharing security update for Google Drive. This will cause the URLs of some files and folders, which did not previously include a resource key, to change.
The update comes into effect on 23rd July 2021. In this blog, we will cover everything you need to know about it and how you can get ahead.
What to Expect From the Link Sharing Security Update
The new update to Google Drive link sharing will aim to make viewing and collaborating on files more secure. Usually, when you choose to share a link, you are presented with a range of permissions, including:
- ‘Restricted’, where only people added can open the file/folder with the link
- *Enter your organisation name*, where anyone in the group with the link can either view, comment or edit the file/folder
- ‘Anyone with the link’, where anyone on the Internet with the link can view the file/folder
When this update comes into effect, there will be an extra layer of security in the form of a resource key.
Some of the Drive files will be affected. As a result, users can expect new file access requests which they will have to either reject or accept. You may have already received a notification stating how many of your files are impacted by this change. If you are unsure - you can use the Alert Center for details about impacted users, folders, shared drives, and files in your organisation.
Please note, even if none of your files are currently affected, this might impact you in the future. Affected files can come to your organisation through shared drives or a change in file ownership.
Users who haven’t viewed a file before will be the main ones impacted by the update. How will it work? Once the update has been rolled out, users who haven't accessed a file before and wish to open it will have to use the new URL containing a resource key. Access to impacted files won’t change for people who have already viewed them or who have direct access.
However, while it is always recommended to apply updates - especially when it concerns security - Google is giving Admins the option to decide how this new update is applied in their organisations. This option is available for all users, excluding those within a Google Workspace for Education organisation, where the update will be automatically applied, with no option to exclude files from the update. Those that fall within the Google Workspace, G Suite Basic, Business and Personal groups have the option to remove the update from certain files they own or manage - or opt out completely - something that we will delve into now.
Getting Ready for the Update
This security update affects: Admins, end users, users with personal accounts and developers.
If you have Admin access, you can use the Alert Center to get a broader view of updates. You can do this from the Admin console homepage by going to ‘Menu’, ‘Security’, then ‘Alert center’.
The Alert Center includes a list of alerts applicable to your domain, as well as further details about each of these. Here, you will see how many shared drives, files, folders and users are affected in your organisation by the update. The alert will be highlighted as ‘Security update for Drive’.
If you access this before 23rd July, you can then choose how you want to apply the update to your organisation. If you apply the security update, impacted users will receive a notification of which items will be changed. While you can still opt to change your selection after this date, Drive will not inform users of the next changes you make.
How to Apply the Security Update
If you want to select your preferences for the new update, follow the below steps:
- Navigate from the Admin console homepage to ‘Apps’, then ‘Google Workspace’, then ‘Drive and Docs’
- Select ‘Sharing settings’ and then ‘Security update for links’
- From here, you can choose from the following options:
  - ‘Apply the security update with no option for users to remove it’ - this will be the default option for Education users, and triggers the update to apply to all impacted files within your organisation
  - ‘Apply the security update, but users can remove it for specific files’ - this option is for all organisations (except those within the Education plan) and applies the update to all impacted files in your organisation
  - ‘Remove security update’ - while this is not recommended, your file links will remain the same. However, it is compulsory for folders to receive the security update, meaning there is no option to remove it
Once you have outlined your preferences, you can ‘Save’ this and your impacted users will be notified. It is recommended to reach out to your end users, and set policies on which files you prefer them to allow the update for.
If you apply the security update, or do nothing, you will need to update the links to all the impacted files and folders that you use in internal sites or documentation to the new links that include resource keys.
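One way to find the links that need replacing, as an added example that is not part of the original post or Google's tooling: it scans page text for Drive links that point at impacted items but carry no `resourcekey` query parameter, the parameter the new links use. The set of impacted item IDs is assumed to have been collected from the Alert Center details; the IDs, key and page text below are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Link shapes handled: /file/d/<id>, /document/d/<id>, /drive/folders/<id>
# and the older open?id=<id> form.
URL_RE = re.compile(r"https://(?:drive|docs)\.google\.com/[^\s<>\"')\]]+")
PATH_ID_RE = re.compile(r"/(?:d|folders)/([A-Za-z0-9_-]+)")


def drive_item_id(url):
    """Return the item ID embedded in a Drive link, or None."""
    parsed = urlparse(url)
    match = PATH_ID_RE.search(parsed.path)
    if match:
        return match.group(1)
    ids = parse_qs(parsed.query).get("id")
    return ids[0] if ids else None


def stale_links(text, impacted_ids):
    """List (line_no, url, item_id) for links to impacted items lacking a key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;")  # drop sentence punctuation glued to the link
            item_id = drive_item_id(url)
            has_key = "resourcekey" in parse_qs(urlparse(url).query)
            if item_id in impacted_ids and not has_key:
                findings.append((line_no, url, item_id))
    return findings


# Constructed sample: an internal wiki page and a hypothetical impacted-ID list.
SAMPLE_PAGE = """\
Onboarding pack: https://drive.google.com/file/d/1AbcEXAMPLEfile01/view?usp=sharing
Policy folder: https://drive.google.com/drive/folders/0BxEXAMPLEfolder?resourcekey=0-EXAMPLEKEY
Old form: https://drive.google.com/open?id=0BxEXAMPLElegacy.
Not impacted: https://docs.google.com/document/d/1ZzEXAMPLEdoc/edit
"""
IMPACTED = {"1AbcEXAMPLEfile01", "0BxEXAMPLEfolder", "0BxEXAMPLElegacy"}

if __name__ == "__main__":
    for line_no, url, item_id in stale_links(SAMPLE_PAGE, IMPACTED):
        print(f"line {line_no}: {item_id} needs the new link ({url})")
```

Links that already include a resource key, and links to items outside the impacted list, are left out of the report.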
End Users and Personal Account Users
If you are an end user and your Admin opts in to the update, look out for an email notification from 26th July 2021.
This email will inform you which files you own or manage that will be impacted by the update. You will then have until 25th August to decide how to apply the update to these files, if your Admin has given you permission to do so. You can do this by going into your Drive to view files more closely and manage the security settings for these.
For personal account users, the experience will be similar to that of end users, except that users with personal accounts that are not linked to a Google Workspace domain will be able to choose freely whether to apply or remove the security update.
If you are a developer working with Google Workspace, items that have a Drive API permission with either of the below settings will be affected:
- withLink=true (Drive API v2)
- allowFileDiscovery=false (Drive API v3)
As well as the item ID, your application may also need a resource key to access items.
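The check described above, as an added example that is not from the original post or Google's client libraries: it applies the two permission criteria to item records an application has stored, builds the value of the `X-Goog-Drive-Resource-Keys` request header (the header Google's Drive API documentation defines for resource keys, not named on this page) and lists affected items for which no key has been saved. The record layout, IDs and keys are constructed; `plan_access` is a hypothetical helper name.

```python
def is_link_shared(permission):
    """True when a Drive API permission matches the criteria listed above."""
    if permission.get("type") not in ("anyone", "domain"):
        return False  # user/group permissions are direct access, not link sharing
    if "withLink" in permission:                          # Drive API v2 shape
        return permission["withLink"] is True
    return permission.get("allowFileDiscovery") is False  # Drive API v3 shape


def plan_access(items):
    """Return (header_value, ids_missing_key) for stored item records."""
    pairs, missing = [], []
    for item in items:
        if not any(is_link_shared(p) for p in item.get("permissions", [])):
            continue  # not link-shared per the criteria above
        if item.get("resourceKey"):
            # Header format: "fileId/resourceKey" pairs, comma-separated.
            pairs.append(f"{item['id']}/{item['resourceKey']}")
        else:
            missing.append(item["id"])  # affected, but the app saved only the ID
    return ",".join(pairs), missing


# Constructed sample records mixing v2-style and v3-style permissions.
ITEMS = [
    {"id": "1AbcEXAMPLEfile01", "resourceKey": "0-EXAMPLEKEY1",
     "permissions": [{"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "0BxEXAMPLElegacy", "resourceKey": "0-EXAMPLEKEY2",
     "permissions": [{"type": "anyone", "role": "reader", "withLink": True}]},
    {"id": "1ZzEXAMPLEdoc",
     "permissions": [{"type": "user", "role": "writer"}]},
    {"id": "1QqEXAMPLEnokey",
     "permissions": [{"type": "domain", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "1PpEXAMPLEpublic",
     "permissions": [{"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
]

if __name__ == "__main__":
    header, missing = plan_access(ITEMS)
    print("X-Goog-Drive-Resource-Keys:", header)
    print("Affected items with no stored resource key:", missing)
```

Items in the second list are the ones to re-read from the API so that the application stores the resource key alongside the item ID.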
Update Rollout Timeline
To recap, here’s a brief overview of the new security update’s rollout timeline:
- Prior to 23rd July 2021: Admins can decide how the update is applied
- From 26th July to 25th August 2021: impacted end users will be notified about affected files and what their options are, depending on chosen Admin settings
- Starting from 13th September 2021: the options selected by the Admin and users will be enforced on certain files if settings have not been stipulated in advance
Here at Damson Cloud, we believe that Google Drive’s new security update is a significant and positive step forward for data safety. While Google’s security is already of a high standard, this adds an extra layer that provides greater protection to our data, and is much less hassle than the likes of a security key.