How to back up Google Workspace?

Google Workspace, formerly G Suite, is an office productivity suite used by businesses worldwide to facilitate organization, collaboration and storage of company information. Google Workspace offers impactful tools to help businesses unify workflows, improve communication and increase productivity. However, the platform is susceptible to cyberattacks. In April 2023, the zero-day vulnerability dubbed GhostToken  allowed hackers to attack Google accounts and potentially target Google Workspace accounts.

Google’s data usage policies include a detailed Cloud Data Processing Addendum which outlines processes, security measures and handling of customer data. The addendum also frames ownership of responsibilities for protecting certain assets and implementing specific security measures. For most small and midsize businesses, the lengthy addendum provided by Google is a time-consuming, tedious and complex resource that’s difficult to use. To determine who is responsible for protecting individual assets, implementing particular security measures, and identifying the controller, and untangling stipulations according to regional data compliance, the addendum isn’t a feasible or effective way to ensure complete protection. Moreover, Google built-in backup does not protect all states of data. With cyberthreats looming, backing up Google Workspace for Business  has become increasingly important for gaining holistic control and visibility over your data and to protect your business from disaster.

This blog provides guidance to organizations concerned with protecting Google Workspace data, gaining a better understanding of backup options, and creating fundamental security measures to better protect valuable business information.

Google Workspace’s most popular features are designed to help businesses streamline office operations. From emails, spreadsheets, video calls, cloud storage and all of the above, Google Workspace provides innovative productivity capabilities to seamlessly manage business workflows. Although Google includes its own measures to secure cloud infrastructure and keep identities, apps and devices safe, these default measures alone are not enough to prevent and protect Google Workspace-housed data against modern cyberattacks — like malware.

Ransomware spiked 62% in March over monthly average in Q1 of 2023, according to the Acronis Mid-year Cyberthreats Report. With widespread infections growing, Google Cloud environments, like Google Workspace have become a high-stakes target for cyber intrusions. You need to consider implementing Google Workspace data backup to reduce your risk.

Here are a few important reasons to back up your Google Workspace data:

• Safeguard business continuity

• Recover lost data quickly

• Prevent data loss or corruption

• Mitigate reputational and financial damage in the face of an attack

• Avoid regulatory compliance fines

To understand what services and data are covered by Google’s data region policy, let’s quickly define the three main states of data

Data at rest:

Data that is not currently in use, being accessed or transferred in storage.

Data in motion:

Data that is being transferred or moved from one location to another, either between computer systems or within a computer.

Data in use:

Data that is being used, updated, processed, accessed or read.

According to Google’s data region policies, only primary Google Workspace data is backed up for disaster recoveries and business continuity. Only protecting the data at rest, Google Workspace primary data includes:

Primary Data

Data region policies cover the primary data at rest (including backups) for these Google Workspace core services:

This means your company is responsible for the backups of all other Google Workspace data in other states such as in motion and in use.

Google Workspace includes built-in redundancy and recovery features, but it does not provide comprehensive backup against today’s disasters. The out-of-box Google features are nowhere near a full-fledged backup solution and their primary function to only ensure service availability remains uninterrupted. The default protection is designed to only prevent Google customer data loss due to a Google infrastructure failure or similar issue.

Google’s native backup options, include Google Vault, Google Takeout and Google Workspace Migrate.

Let’s take a look at the built-in Google data protection features can do:

• Native recovery
• Google Vault for archiving eDiscovery

1. Google Vault Expained
2. eDiscovery
   
3. Legal Holds
   
4. Retention Policies
   
5. Audit Traits
   

Limitation data is archived solely from specific Google Workspace apps and other apps, like Microsoft teams and slack, will need additional tools to help safeguard and archive data

o   Limited data sources

o   Limited data retention

o   Can’t be modified and is not customizable

o   Limited search capabilities

o   No real-time monitoring

o   User management is limited and reporting

The data stored in Google Workspace provides moderate protection that’s primarily effective against hardware failures or system crashes, but not adept to protect against malicious activity, data loss caused by third-party apps or user error.

Today’s industry-leading backup solutions are designed to protect your critical assets across all three states of data and reduce the risk of ransomware, phishing, unauthorized access and malicious hackers. Third-party backup solutions, like Acronis Cyber Protect, fill the security gaps within Google Workspace environments and provide enhanced data protection and backup where Google’s built-in backup capabilities lack.

Well-rounded backup solutions give businesses the ability to customize, configure and adjust backup and restore policies to suit the needs of the business. During a cyber incident, it’s integral to prevent infected data from being restored and safeguard unaffected data. Backup solutions with a built-in malware scanner help find and remove lurking threats and malicious artifacts from your backups to ensure clean, full recovery. Other features to consider, include anti-ransomware technology, rapid restore capabilities and flexible reporting and monitoring of backups that proactively secure backed up data and customize alerts for security admins.

As your organization expands and grows, your teams start to accumulate, use and share high volumes of data in Google Workspaces. The management of data, gatekeeping who should have access to certain assets and safeguarding backups can be a tremendous challenge. Not only does your organization need to bolster data protection, but your business needs right solution that won’t disrupt your system’s performance. With so many backups, you’ll want to make sure your solution provides comprehensive protection and is capable of maintaining backups without sacrificing performance.

You want to avoid clunky, legacy backups that often aren’t equipped to handle the needs of modern-day businesses. These outdated solutions contribute to slow backup speeds, network inefficiencies and slow restoration — factors which disrupt your business’ operations and significantly increase downtime.

One of the greatest pitfalls of Google’s built-in backup tool is its inability to protect in-motion and in-use data. Finding a solution that protects all three states of data will help protect your business as your team’s data workflows will shift between these states. In particular, when data is transferred, altered and used throughout your organization internally and shared with external parties, a backup solution with proactive, active and reactive protection is the most reliable and secure way to safeguard valuable information in case of disaster.

Securing organizational data with encryption is one of the most common ways to protect at-rest, in-motion and in-use data. Companies can adopt automated protocols to keep track of and monitor data as it switches between states. When your business achieves greater visibility into data and backup environments, you will become more aware of the assets most susceptible to exploitation and the states at which critical data will be most vulnerable. Identifying the scope of high-value assets that shift between data states empowers your IT security professionals and leadership to gain a deeper understanding of the organization’s risk profile.

Google Workspace (G Suite) users have three primary ways to back up their emails - Google Takeout, Data Export, and third-party backup solutions.

1. Go to the "Google Takeout" page -> log in with your Google Workspace.
2. All Google services will be selected by default. Click "Deselect all" to clear the list -> scroll down the service list to locate "Mail" and check its corresponding box; click the "All Mail data included" link to configure or customize backup settings.
3. Set the delivery method - send the file to your mailbox or add it to Box, Dropbox, or OneDrive.
4. Choose the backup file type and size; larger backups may be divided into several parts.
5. Click the button labeled "Link accounts and create export" to initiate the backup service. After that, you can track the backup status on the progress bar. Once done, you can save the backup to your preferred location on your computer, mobile device, or external storage media.

• Exports are available to perform at most every 30 days.
• There isn't a "Restore" function, only offline export and backup.
• Exports must be performed manually by an admin or via a DIY script.
• You may encounter a "Google Takeout not working" error.

1. Sign in to your Google Workspace admin profile -> go to the "Admin Console" -> click the "<" button.
2. Select "Tools" -> "Data Export"
3. Click the "START EXPORT" button to start the Google Workspace backup process.
4. Google will take up to 9 days to process the request and provide you with a confirmation email. Once you open the email, click the "Access archive" button.
5. You can now download the Google Workspace backup file for all users individually.

• Once you've initiated the backup process, it can't be stopped.
• The process can take up to 9 days to make the data available to you.
• You can only use the feature once every 30 days.
• You can't specify the number of users or select specific G Suite mail to add to the backup.
• You can't export data selectively. (e.g., emails, contacts, calendars, etc.)

Google Workspace backup is critical for companies that handle different types of essential data. Regardless of your employee count, Google Workspace accounts hold immense volumes of Google Apps data, communication messages, project details, and more. Organizations must safeguard said information against data loss, accidental user deletion, cyberattacks, hardware failure, etc.

Unlike native tools, dedicated backup and recovery solutions, such as Acronis Cyber Protect, are built to do just that - create reliable, highly customizable backups and offer flexible restore features to ensure anywhere data protection, minimal downtime, compliance, and business continuity.

Below, we will explore how to back up all Google Workspace data via Acronis Cyber Protect. Let's dive in.

Backing up all Google Workspace data ensures you can restore corrupted, lost, or permanently deleted messages, files, documents, and other important data. To do so via Acronis Cyber Protect, you must first set up a personal Google Cloud project for your account.

Acronis Cyber Protect

The best backup & recovery software for Google Workspace environments built for business and managed service providers

Learn More

To add a Google Workspace organization to the Cyber Protection solution via a dedicated Google Cloud project, follow the steps below:

1. Create a new Google Project and enable the required APIs for said project.
2. Configure the credentials for the project - the OAuth consent screen and the service account for the Cyber Protection solution.
3. Allow access to the new project to your Google Workspace account.

Below are detailed steps on how to create a new Google Cloud project:

1. Sign in to the Google Cloud Platform (GCP) as a Super Administrator.
2. From the GCP admin console, select the picker (in the upper left corner).
3. On the following screen, select the specific organization and click "New project".
4. Specify a name for the project and click "Create"; your new Google Cloud project is now created.

1. In the GCP console, select the new project.
2. Select "APIs and services" -> "Enabled APIs and services" from the navigation menu.
3. Disable all APIs enabled by default in the project, one by one. To do so, scroll down the "Enabled APIs and services" page -> click the name of an enabled API to open the API/Service details page for the selected API; then, click "Disable API" -> click "Disable" to confirm your choice; if prompted, confirm your choice again by clicking "Confirm"; when done, go back to "APIs and services" -> "Enabled APIs and services" and repeat the above steps for the other APIs.
4. Select "APIs and services" -> "Library" from the navigation menu.
5. Once you're in the API library, enable the below APIs one by one:

• Admin SDK API
• Gmail API
• Google Calendar API
• Google Drive API
• Google People API

You can use the search bar to locate all required APIs. To enable a specific API, click on its name and then click "Enable". To search for the next API, go back to the "APIs and services" -> "Library" page from the navigation menu.

1. Select "APIs and services" -> "OAuth consent screen" from the GCP navigation menu.
2. In the following window, select "Internal" for user type -> click "Create".
3. Specify a name for your application in the "App name" field.
4. Enter the Super Administrator email in the "User support email" field.
5. Enter the Super Administrator email in the "Developer contact information" field.
6. Leave all other fields blank -> click "Save and continue".
7. Then, go to the "Scopes" page and select "Save and continue" without changing anything.
8. Verify your chosen settings on the "Summary" page -> click "Back to dashboard".

1. Select "IAM & Admin" -> "Service accounts" from the GCP navigation menu.
2. Click "Create service account" and specify a name for the service account. (you can also set the service account description if you wish)
3. Click "Create and continue".
4. Don't change anything in the "Grant this service account access to the project" and "Grant users access to this service account" steps -> click "Done" to open the "Service accounts" page.
5. On the "Service account" page, select your new service account - click "Manage keys" under "Acronis".
6. Under "Keys", select "Add key" -> "Create new key" -> select the "JSON" key type -> click "Create". This action will create an automatically downloadable JSON file containing the private key for the service account. Once downloaded onto your machine, you must store the file securely to add your Google Workspace organization to the Cyber Protection service.

1. Select "IAM & Admin" -> "Service Accounts" from the GCP navigation menu.
2. In the following list, find the newly created service account -> copy the client ID shown in the OAuth 2.0 Client ID column.
3. Sign in as a Super Administrator to the Google Admin console.
4. Select "Security" -> "Access and data control" -> "API controls" from the navigation menu.
5. Scroll down the "API controls" page -> under the "Domain-wide delegation" line, select "Manage domain-wide delegation" to open the "Domain-wide delegation" page. On said page, select "Add new" to open the "Add a new client ID" window page.
6. Enter the client ID of your service account client in the "Client ID" field.
7. Copy and paste the following comma-delimited list of scopes in the "OAuth scopes" field:

• Click "Authorise". Following successful authorization, your newly created project can access your Google Workspace account data. To create a complete Google Workspace backup, you must link the new project to the Cyber Protection service. We will discuss how to do so below.

Now that you've created a personal Google Cloud project, you can add a Google Workspace organization to the Cyber Protection solution. To do so, follow the steps below:

1. Log in to your Cyber Protect console as a company administrator.
2. Select "Devices" -> "Add" -> "Google Workspace"
3. Enter a valid email address of a Super Administrator of the Google Workspace account.
4. Browse the JSON file containing the private key for the service account created in your Google Cloud project. You can also paste the file's contents as text -> click "Confirm". Once done, your Google Workspace organization will appear under the "Devices" tab in the Cyber Protect console.

• After successfully adding your Google Workspace organization, you can back up data from multiple domains. User data and "Shared" drives in the primary domain and all secondary domains (if available) will be backed up. Backup data will be displayed in a single list and not grouped by its domain.
• The cloud backup agent will systematically sync with Google Workspace (every 24 hours), starting from the moment you've added the organization to your Cyber Protection service. If you add or remove users or Shared drives, the changes won't be reflected in the Cyber Protection console instantly. To sync them immediately, select the organization on the "Google Workspace" page and click "Refresh".
• If you employed a protection plan for "All users" or "All Shared drives", all newly-added items will be included to backup only after syncing.
• Following Google policy, when a user (or Shared drive) is removed from the Google Workspace GUI, it remains available (via an API) for several days. During this period, the item will be grayed out (inactive) in the Cyber Protect console and not backed up. When the removed user or Shared drive becomes unavailable via the API, it will disappear from the Cyber Protect console. If you need to restore it from a backup (if available), you can find existing backups at "Backup storage" -> "Cloud applications backups".

If you’re concerned about the vulnerabilities and limitations provided in Google Workspace’s built-in backup tools, Acronis has outlined critical steps to enhance your business’s protection over data within Google Workspace environments.

Gaining a deep understanding of your business’s needs will ensure the most critical information within Google Workspace is easily accessible and secure. Factors to consider when assessing your company’s data protection needs will depend on your company’s size, industry regulatory compliance, the number of team members using Google Workspace and current content management strategy of Google Workspace assets.

Your organization should adhere to company-wide policies that summarize and outline the people, processes and technologies relevant to protecting Google Workspace data. “Google policies” are not a one-size-fits-all approach since the needs of every company will differ depending on firmographics.

Third-party backup solutions are crucial to defending your business continuity and mitigating downtime in a cyberevent. Implementing third-party backup solutions, like Acronis Cyber Protect, has several key benefits to comprehensively secure data within Gmail, GDrive, Google Contacts and Google Calendar. Cloud backup tools will allow your business to scale backup without disrupting system performance. Moreover, third-party backup solutions are designed with features to accelerate the recovery process, including point-in-time recovery, long-term data retention and a user-friendly console that simplifies recovering lost data for MSP technicians and IT security teams. Other essential features to consider include incremental backups, compression and deduplication , and cloud-to-cloud backup. Should your organization experience a data breach, Acronis Cyber Protect lets your business search for specific Google Workspace items before recovering and easily download critical files or attachments from backup.

When choosing a backup solution to improve Google Workspace data protection, you’ll want to select a solution that uses end-to-end encryption of data during transit and at rest, provides detailed audit trails and creates logs of backups. Regulatory compliance like GDPR and HIPAA require strict documentation and records of data subject requests and audit logs that record all activities within backup environments containing personal data. Through a demonstrated track record of your company’s policies, procedures and operations on backups, you can prove you’ve acted in good faith to protect critical data across Google Workspace.

As businesses grow, your organization’s data protection needs, challenges and requirements will change. You will have to revisit backup policies and adjust according to how often backups should be performed, where the backups will be located, who can access backed-up information and other ground rules. Third-party backup solutions, like Acronis Cyber Protect, make it easy to seamlessly configure and customize policies.

The top three mistakes most companies make when storing, using and transferring Google Workspace data and backing up, include:

1. Relying too much on Google’s built-in backup tools that provide insufficient protection in today’s threat landscape
2. Not having automated capabilities like automatic backup protection to detect new Google Workspace users and automatically protect newly added data.
   
3. Lacking blockchain-based verification which verifies the authenticity of files and Drive backups to ensure the integrity of your data.
   

Learn more about Acronis Cyber Protect Google Workspace Cloud Backup with ready-to-use backup options that address the top three common mistakes most businesses make when backing up Google Workspace repositories.

In business landscapes, the importance of backing up Google Workspace data can’t be emphasized enough. In a digital world where protecting company crowned jewels could make or break the success of your business, developing a well-structured and robust backup strategy is key to preventing data loss — fortifying strong trust with your customer, complying with industry standards and strengthening your business operations. Not only is it important to protect Google Workspace data, but also to reinforce spadework toward your business’ data-rich digital future.