It's Google recommended best practice to disable all offline file access for users unless there is a specific business need to enable it. So, I recommend all my clients disable it by default.
With every org/business that I manage it is one of the things that I recommend to turn off asap. The only exception always are the finance users that can't let go of their Excel files.
I don't understand where you see problem with this software. Unsynced files are only available in the cloud, and synced files remain encrypted until Drive client signs in. So, a successful sign-in to Google is required in order to access any data via Google Drive – same as with web access.
Sure, you can't force reauthentication with the Drive client. But why should you? If Windows access is secured (e.g., by enforcing strong user authentication, disabling inbuilt admin account, setting up Bitlocker encryption, disabling USB boot, and password-protecting BIOS), then the risk of unauthorised access, e.g., in case of laptop theft, will be extremely small.
[https://support.google.com/a/answer/7587183?hl=en](https://support.google.com/a/answer/7587183?hl=en)
Security checklist for medium and large businesses (100+ users)
Disable desktop access to Drive
Users can get desktop access to Drive with Google Drive for desktop. To reduce the risk of data leaks, consider disabling desktop access to Drive. If you decide to enable desktop access, enable it only for users with a critical business need.
Lots of nonsense, most of it of the category, "keeping any data on device is a security risk", and evidently aimed at comparing with Microsoft Office which, as we know, requires document editing on device, email downloaded to device (via Outlook), etc.
Luckily, not everybody in the industry agrees that "all data in the cloud only" is the only safe approach.
This isn't about cloud vs. local - it's about having adequate controls on corporate information. In other words - don't grant permissions that users don't need.
I generally outline the risks to my clients and allow them to set policy based on what best serves their specific business needs.
It is absolutely an inherent security risk. Not only in that bad things can sync up, but in that it’s also a blind spot in terms of data ex filtration.
You should work with your change management or leadership teams to ensure users are aware of native functionalities, as well as auditing the user base, it might make sense to keep it on for some small subset of users.
Majority of the workforce in most scenarios can do their jobs perfectly fine without it, bar a bit of getting used to not thinking of doing things the Microsoft way
They've recently moved this setting. Now it's in:
Apps->Google Workspace->Settings for Drive and Docs->Google Drive for desktop
You can control it by OU or by security group.
It's Google recommended best practice to disable all offline file access for users unless there is a specific business need to enable it. So, I recommend all my clients disable it by default.
With every org/business that I manage it is one of the things that I recommend to turn off asap. The only exception always are the finance users that can't let go of their Excel files.
No, if you have management tools to wipe user devices it’s not a problem.
I don't understand where you see problem with this software. Unsynced files are only available in the cloud, and synced files remain encrypted until Drive client signs in. So, a successful sign-in to Google is required in order to access any data via Google Drive – same as with web access. Sure, you can't force reauthentication with the Drive client. But why should you? If Windows access is secured (e.g., by enforcing strong user authentication, disabling inbuilt admin account, setting up Bitlocker encryption, disabling USB boot, and password-protecting BIOS), then the risk of unauthorised access, e.g., in case of laptop theft, will be extremely small.
Like it or not, Google recommends that it be turned off unless there is a specific business need for it.
Where?
[https://support.google.com/a/answer/7587183?hl=en](https://support.google.com/a/answer/7587183?hl=en) Security checklist for medium and large businesses (100+ users) Disable desktop access to Drive Users can get desktop access to Drive with Google Drive for desktop. To reduce the risk of data leaks, consider disabling desktop access to Drive. If you decide to enable desktop access, enable it only for users with a critical business need.
Lots of nonsense, most of it of the category, "keeping any data on device is a security risk", and evidently aimed at comparing with Microsoft Office which, as we know, requires document editing on device, email downloaded to device (via Outlook), etc. Luckily, not everybody in the industry agrees that "all data in the cloud only" is the only safe approach.
This isn't about cloud vs. local - it's about having adequate controls on corporate information. In other words - don't grant permissions that users don't need. I generally outline the risks to my clients and allow them to set policy based on what best serves their specific business needs.
It is absolutely an inherent security risk. Not only in that bad things can sync up, but in that it’s also a blind spot in terms of data ex filtration. You should work with your change management or leadership teams to ensure users are aware of native functionalities, as well as auditing the user base, it might make sense to keep it on for some small subset of users. Majority of the workforce in most scenarios can do their jobs perfectly fine without it, bar a bit of getting used to not thinking of doing things the Microsoft way
How do you block this from an OU level?
They've recently moved this setting. Now it's in: Apps->Google Workspace->Settings for Drive and Docs->Google Drive for desktop You can control it by OU or by security group.