Google recently released a whitepaper, Google Infrastructure Design Overview, which describes the Google infrastructure and operational model used to deliver services like G Suite in a secure fashion. The whitepaper describes everything from security of the physical infrastructure, to hardware and software, and the processes in place to ensure secure software development across thousands of engineers and services. Google goes on to state that they have "many hundreds of engineers dedicated to security and privacy." It's clear that Google takes data security seriously, and they are investing more in this goal than 99.9% of enterprises could ever hope to invest.
If you're a Google customer, it's a great way to learn more about how they protect your data in G Suite. If you're not a Google customer, it's still a good read as there are many best practices and ideas you can pick up and implement into your own security procedures. Whether you're a Google customer or not, it's a great example of the enterprise security areas that public cloud app vendors are motivated to solve and what you're on the hook for - the shared responsibility model.
Here's an image from the whitepaper outlining the layers of security in the Google infrastructure:
A detailed read of the whitepaper shows that they are following both industry best practices, as well as the internal best practices they have developed over time, and they don't seem to be missing much. That said, there is no discussion of controlling your users, user data, and suspicious activities revolving around either of them - the domain of cloud access security brokers (CASBs).
G Suite does provide some basic features like two factor authentication and DLP for Gmail, but there is a whole host of additional required functionality, including unmanaged device access control, external sharing control and DLP, suspicious activity detection, mobile data protection, and more.
Google is a tremendous example of a public cloud vendor doing as much as possible to secure your data in their services, but the whitepaper is also a reminder that while cloud vendors can help accomplish part of your security and compliance goals, they aren't going to take on all of it.
A CASB like Bitglass can ensure that you're holding up your end of the bargain, and you can get an initial assessment of your exposure done in minutes (for G Suite or pretty much any other cloud app). Why not try it out?