Kootechnikel · Vancouver · Toronto · Los Angeles · Orlando · Miami · 1-855-KOO-TECH
Workspace security · 6-layer architecture

Workspace as a security platform.
Six layers, one accountable team.

Workspace was built cloud-native, and its security primitives are simpler to operate than the equivalent M365 stack, but only if you actually configure them. Below is the six-layer architecture we deploy on every Workspace engagement, in the order we deploy it. Each layer assumes the one below it is solved.

Layer 1 of 6

Identity + access

  • Cloud Identity as primary IdP (or federated with Entra / Okta)
  • 2-Step Verification enforced for all users, with allowed methods restricted so SMS and voice codes are not an option and security keys or passkeys are required for admins
  • Advanced Protection Program for high-risk users (executives, IT admins, anyone handling sensitive data)
  • Context-Aware Access policies (location / device posture / app)
  • Session length policies appropriate to role sensitivity
Identity is the foundation. Every other security layer assumes identity is solved.
Layer 2 of 6

Data Loss Prevention (DLP)

  • Workspace DLP rules for PII / PHI / PCI patterns
  • Block "Anyone with the link" sharing for content that carries a sensitivity label
  • Drive label-based DLP with sensitivity classifications
  • Outbound mail content scanning
  • Custom regex patterns for client-specific data types (account numbers, employee IDs, etc.), tuned against sample data before enforcement so they do not fire on phone numbers and order references
The control that catches the "I just emailed it to my personal account" pattern.
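As an added example (not part of this page, and not Workspace DLP's own code): the regex detectors a custom DLP rule uses, with a Luhn check layered onto the card-number pattern to cut false positives. Workspace DLP custom detectors evaluate only the regex, so the validation step here is what you run while tuning a pattern against sample data before you deploy it. The EMPLOYEE_ID format and the sample message are invented; the card number is the well-known Visa test PAN.

```python
"""Content detectors of the kind a custom Workspace DLP rule runs, with a
Luhn check layered on the card-number pattern. Added example; Workspace DLP
evaluates only the regex, so the validation step here is what you run while
tuning a pattern against sample data before you deploy it."""
import re
from dataclasses import dataclass

# Detector patterns. EMPLOYEE_ID is a hypothetical client-specific format.
PATTERNS = {
    # SSN: excludes impossible area (000, 666, 9xx), group (00) and serial (0000)
    "US_SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # PAN: 13-19 digits, optional single space/dash separators between digits
    "PAN": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "EMPLOYEE_ID": re.compile(r"\bEMP-\d{6}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum every real card number passes; random digit runs rarely do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    start: int
    end: int
    preview: str   # redacted form, safe to put in an alert


def redact(raw: str) -> str:
    """Mask all but the last four digits so the alert itself does not leak the value."""
    digits = re.sub(r"\D", "", raw)
    return "*" * (len(digits) - 4) + digits[-4:]


def raw_pan_hits(text: str) -> int:
    """How often the PAN regex alone fires: what a regex-only rule would alert on."""
    return sum(1 for _ in PATTERNS["PAN"].finditer(text))


def scan(text: str) -> list[Finding]:
    """Run every detector; PAN hits must also pass Luhn before they count."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            raw = m.group(0)
            if kind == "PAN":
                digits = re.sub(r"\D", "", raw)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue
            findings.append(Finding(kind, m.start(), m.end(), redact(raw)))
    return sorted(findings, key=lambda f: f.start)


# Constructed sample message; the card number is the well-known Visa test PAN.
SAMPLE = (
    "Forwarding to my gmail so I can work on it this weekend.\n"
    "Card on file: 4111 1111 1111 1111 (exp 12/27)\n"
    "Order ref 1234 5678 9012 3456 is not a card number.\n"
    "SSN 219-09-9999, employee EMP-004512, call 1-855-566-8324.\n"
)

if __name__ == "__main__":
    print("regex-only PAN hits:", raw_pan_hits(SAMPLE))       # 2
    for f in scan(SAMPLE):                                    # 3 validated findings
        print(f"{f.kind:<12} @{f.start}-{f.end} {f.preview}")
```

The order reference trips the bare PAN regex but fails Luhn, which is the false positive a regex-only rule would raise on every invoice. When the production rule can only carry the regex, this is the harness for measuring that noise on real samples and deciding whether the pattern needs tightening or a predefined detector should be used instead.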
Layer 3 of 6

Vault retention + eDiscovery

  • Vault retention policies on Drive, Mail, Chat, Meet, and Sites
  • Custodian groups defined per organizational structure
  • eDiscovery search + export workflows tested annually
  • Litigation hold runbook documented + handed to legal
  • Retention review cadence (semi-annual) to keep policies current
Vault matters enormously when legal sends a hold. Configure before you need it.
Layer 4 of 6

BeyondCorp Enterprise (Zero Trust)

  • Context-aware access for all SaaS apps via the Workspace IdP
  • Device-trust signals (Endpoint Verification or MDM)
  • Geographic + IP-based access controls
  • Continuous evaluation rather than at-login-only
  • Threat and data protection for browser-based threats (Chrome Enterprise)
For mid-market clients with sensitive data, BeyondCorp Enterprise often replaces a separate ZTNA product.
Layer 5 of 6

Security Center + Alert Center

  • Security Center dashboards monitored 24/7 by our SOC
  • Alert Center routing to our incident response queue
  • Investigation tool playbooks for the top 5 alert types
  • Audit logs streaming to your SIEM (Splunk / Sentinel / Datadog / generic) via the Reports API or the BigQuery log export
  • Quarterly threat-hunting cadence
Workspace generates a lot of security signal. Most clients never look at it.
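An added example (not the page's code and not Google's) of the triage logic an investigation playbook encodes, run over Drive audit events. The records are constructed inline and modelled on the Admin SDK Reports API activities.list response shape (id.time, actor.email, events[].name, events[].parameters); the tenant and consumer domain lists are assumptions. It flags the three sharing patterns the layers above call out: a user granting access to a consumer account that looks like their own, link-sharing widened beyond the domain, and a grant to any other external domain, while ignoring internal grants and access removals.

```python
"""Triage rules for Drive audit events, as an added example. The records are
constructed and modelled on the Admin SDK Reports API activities.list response
(id.time, actor.email, events[].name, events[].parameters); domains are assumed."""
import json
import re

CORP_DOMAINS = {"corp.example"}                                   # assumed tenant domain
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}


def _activity(time, actor, name, **fields):
    """Build one activity record in Reports API shape (helper for the sample data)."""
    plist = [{"name": k, ("multiValue" if isinstance(v, list) else "value"): v}
             for k, v in fields.items()]
    return {"id": {"time": time, "applicationName": "drive"},
            "actor": {"email": actor},
            "events": [{"type": "acl_change", "name": name, "parameters": plist}]}


SAMPLE_EVENTS = [  # constructed; not real tenant data
    _activity("2024-05-01T13:02:11Z", "alice.smith@corp.example", "change_user_access",
              doc_id="1AbC", doc_title="Q2 payroll.xlsx",
              target_user="alicesmith99@gmail.com", new_value=["can_edit"], old_value=["none"]),
    _activity("2024-05-01T13:10:40Z", "bob@corp.example", "change_document_visibility",
              doc_id="2DeF", doc_title="Board deck.pptx", visibility="people_with_link"),
    _activity("2024-05-01T13:11:05Z", "carol@corp.example", "change_user_access",
              doc_id="3GhI", doc_title="Roadmap.gdoc",
              target_user="dave@corp.example", new_value=["can_view"], old_value=["none"]),
    _activity("2024-05-01T13:15:22Z", "carol@corp.example", "change_user_access",
              doc_id="3GhI", doc_title="Roadmap.gdoc",
              target_user="pm@vendor.example", new_value=["can_view"], old_value=["none"]),
    _activity("2024-05-01T13:20:00Z", "bob@corp.example", "change_user_access",
              doc_id="2DeF", doc_title="Board deck.pptx",
              target_user="old.contractor@gmail.com", new_value=["none"], old_value=["can_edit"]),
]


def flatten_params(event: dict) -> dict:
    """Flatten the Reports API parameter list into a name -> value dict."""
    out = {}
    for p in event.get("parameters", []):
        for key in ("value", "boolValue", "intValue", "multiValue"):
            if key in p:
                out[p["name"]] = p[key]
                break
    return out


def domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def handle(email: str) -> str:
    """Local part with dots/digits stripped, so alice.smith and alicesmith99 compare equal."""
    return re.sub(r"[^a-z]", "", email.split("@", 1)[0].lower())


def triage(activity: dict) -> list[dict]:
    actor = activity["actor"]["email"]
    alerts = []
    for ev in activity["events"]:
        p = flatten_params(ev)
        base = {"time": activity["id"]["time"], "actor": actor,
                "doc": p.get("doc_title") or p.get("doc_id", "?")}
        if ev["name"] == "change_document_visibility":
            if p.get("visibility") in ("people_with_link", "public_on_the_web"):
                alerts.append({**base, "rule": "LINK_SHARING_EXTERNAL", "severity": "high"})
        elif ev["name"] == "change_user_access":
            target = p.get("target_user", "")
            if p.get("new_value") == ["none"] or domain(target) in CORP_DOMAINS:
                continue                               # access removed, or an internal grant
            if domain(target) in CONSUMER_DOMAINS and handle(target) == handle(actor):
                rule, sev = "SELF_SHARE_TO_PERSONAL_ACCOUNT", "high"
            elif domain(target) in CONSUMER_DOMAINS:
                rule, sev = "SHARE_TO_CONSUMER_ACCOUNT", "high"
            else:
                rule, sev = "EXTERNAL_SHARE", "medium"
            alerts.append({**base, "rule": rule, "severity": sev, "target": target})
    return alerts


def triage_all(activities: list) -> list[dict]:
    return [a for act in activities for a in triage(act)]


def to_siem_lines(alerts: list) -> list[str]:
    """One JSON object per line, the form most SIEM HTTP collectors accept."""
    return [json.dumps(a) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(triage_all(SAMPLE_EVENTS)):
        print(line)
```

Against a real tenant the same records come from the Reports API (`activities().list(userKey="all", applicationName="drive")` in the Google API client, optionally filtered with `eventName`), or from the BigQuery export when volume is high. The self-share rule is the one worth tuning first: it is the pattern behind "I just emailed it to my personal account", and it only works if the handle normalization matches how your users name their personal accounts.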
Layer 6 of 6

Marketplace + add-on governance

  • Marketplace allowlist enforced via admin policy (not default-allow)
  • API controls (app access control) restricting which OAuth scopes each add-on may request
  • Quarterly review of installed add-ons against approved list
  • Vendor risk assessment for any new add-on requested
  • BAA / DPA verified for any add-on touching regulated data
The Marketplace is a Shadow IT vector if it is not governed.

The Workspace security stack works when you actually deploy it.

Most Workspace shops have never configured Vault retention, never enforced a Marketplace allowlist, and never run the Security Center reports. The components are built into the platform β€” unused. Our job is to deploy them in a coherent order with named ownership.