Best Practices
Getting Started
Step 1: Plan Your Workspace Structure
Decide how to organize your Workspaces based on your company structure:
| Company Structure | Suggested Workspace Setup |
| --- | --- |
| Single department using CSE | 1 Workspace (e.g., Company-Prod) |
| Multiple departments | 1 Workspace per department (e.g., Finance-Prod, Legal-Prod) |
| Separate dev/prod environments | 2 Workspaces per dept (e.g., Finance-Dev, Finance-Prod) |
Step 2: Create Keys and Set Default
In each Workspace, create a Customer Master Key (CMK) for Google CSE.
Go to Google CSE Configuration and set a Default Key for the Workspace.
Step 3: Configure Google CSE
For detailed Google CSE configuration steps, see the CSE integration guideline: https://docs.oten.com/kms-support/google-cse-integration/cse-integration-guideline
Step 4: Set Up Routing Rules (if using multiple Workspaces)
Go to Organization Admin → Routing Rules in Oten KMS.
Create rules using conditions — match on Application (Drive, Meet, Calendar), User email, and optionally Request time — to route requests to the correct Workspace.
Set a Workspace Default Rule as fallback for unmatched requests.
Step 5: Configure CSE Key Selection Rules (if needed)
In each Workspace, go to Google CSE → CSE Key Rules.
Create rules to assign specific keys to specific users or applications — using conditions like User email and Application.
Ensure a Default Key is set in the Workspace's Google CSE Configuration as fallback.
Step 6: Test and Monitor
Test with different user accounts to verify that authorized users can encrypt/decrypt and unauthorized users are blocked.
Test across all Google CSE apps: Drive, Meet, and Calendar.
Review Audit Logs in Oten KMS to confirm that requests are being routed and authorized correctly.
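To plan the Step 6 test accounts, the two rule layers from Steps 4 and 5 can be modelled offline. This is an added example, not Oten KMS code or its rule format. The `Rule` fields, glob-style email patterns, top-down first-match order, and all key names and email domains are assumptions, and the Request time condition is left out.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from itertools import product

APPS = ("Drive", "Meet", "Calendar")  # the CSE apps named in Step 6

@dataclass(frozen=True)
class Rule:  # hypothetical rule shape, not the product's schema
    target: str             # Workspace name (layer 1) or key name (layer 2)
    application: str = "*"  # one of APPS, or "*" for any
    user_email: str = "*"   # glob pattern (assumption of this model)

def first_match(rules, app, email):
    """Return the target of the first matching rule, else None (assumed top-down order)."""
    for r in rules:
        if fnmatchcase(app, r.application) and fnmatchcase(email.lower(), r.user_email.lower()):
            return r.target
    return None

# Constructed configuration; Workspace names follow the page's naming pattern.
ROUTING_RULES = [Rule("Finance-Prod", user_email="*@finance.example.com"),
                 Rule("Legal-Prod", user_email="*@legal.example.com")]
WORKSPACE_DEFAULT = "Company-Prod"
WORKSPACES = {  # Workspace -> (CSE Key Rules, Default Key)
    "Finance-Prod": ([Rule("finance-drive-key", application="Drive")], "finance-default-key"),
    "Legal-Prod": ([], "legal-default-key"),
    "Company-Prod": ([], None),  # Default Key deliberately left unset
}

def resolve(app, email):
    """Apply both layers; return (workspace, key, fell_back_to_a_default)."""
    workspace = first_match(ROUTING_RULES, app, email)
    used_default = workspace is None
    workspace = workspace or WORKSPACE_DEFAULT
    key_rules, default_key = WORKSPACES[workspace]
    key = first_match(key_rules, app, email)
    if key is None:
        key, used_default = default_key, True
    return workspace, key, used_default

def coverage_matrix(users):
    """Resolve every user x app pair; return (unhandled, via_defaults) lists."""
    unhandled, via_defaults = [], []
    for email, app in product(users, APPS):
        workspace, key, used_default = resolve(app, email)
        if key is None:
            unhandled.append((email, app, workspace))
        elif used_default:
            via_defaults.append((email, app, workspace, key))
    return unhandled, via_defaults

USERS = ["alice@finance.example.com", "bob@legal.example.com", "carol@example.com"]  # constructed
```

Entries in `unhandled` are user and app pairs with no key at all (a missing Default Key); entries in `via_defaults` are pairs served only by a fallback, which are the accounts worth exercising first and then confirming in the Audit Logs.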
Best Practices
Use both layers: Combine Organization Routing Rules + CSE Key Selection Rules for precise control over both workspace routing and key assignment.
Set Default Rules and Keys: Always configure a Workspace Default Rule and a Default Key so that no request goes unhandled.
Enable key rotation: Set up automatic key rotation policies to reduce risk if a key is compromised.
Separate environments: Never use production keys in development or testing. Use separate Workspaces.
Review rules regularly: Periodically audit your Routing Rules and Key Selection Rules — update them when employees change roles, departments, or leave the organization.
Monitor Audit Logs: Regularly check Oten KMS's Audit Logs for unexpected access patterns, which could indicate misconfiguration or unauthorized access attempts.