Tag Archives: Safety & Security

Working together to improve user security

Posted by Adam Dawes

We're always looking for ways to improve user security both on Google and on your applications. That's why we've long invested in Google Sign In, so that users can extend all the security protections of their Google Account to your app.

Historically, there has been a critical shortcoming of all single sign-in solutions. In the rare case that a user's Google Account falls prey to an attacker, the attacker can also gain and maintain access to your app via Google Sign In. That's why we're super excited to open a new feature of Google Sign In, Cross Account Protection (CAP), to developers.

CAP is a simple protocol that enables two apps to send and receive security notifications about a common user. It supports a standardized set of events including: account hijacked, account disabled, when Google terminates all the user's sessions, and when we lock an account to force the user to change their password. We also have a signal if we detect that an account could be causing abuse on your system.

CAP is built on several newly created Internet Standards, Risk and Incident Sharing and Coordination (RISC) and Security Events, that we developed with the community at the OpenID Foundation and IETF. This means that you should only have to build one implementation to be able to receive signals from multiple identity providers.

Google is now ready to send security events to your app for any user who has previously logged in using Google Sign In. If you've already integrated Google Sign In into your service, you can start receiving signals in just three easy steps:

  1. Enable the RISC API and create a Service Account on the project(s) where you set up Google Sign In. If you have clients set up in different projects for your web, Android and iOS apps, you'll have to repeat this for each project.
  2. Build a RISC Receiver. This means opening a REST API on your service where Google will be able to POST security event tokens. When you receive these events, you'll need to validate they come from Google and then act on them. This may mean terminating your user's existing sessions, disabling the account, finding an alternate login mechanism or looking for other suspicious activity with the user's account.
  3. Use the Service Account to configure Google's pubsub with the location of your API. You should then start receiving signals, and you can start testing and then roll out this important new protection.
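To make the receiver step concrete, here is an added example (not Google's code and not from the post) of the validate-then-act logic a RISC receiver needs: verify the Security Event Token's signature, pin the algorithm, check issuer and audience, reject replays by `jti`, and dispatch on the event types. It uses an HMAC-signed token so it runs offline; Google's real tokens are signed with asymmetric keys that must be verified against Google's published public keys, and the issuer, audience, shared key, subject layout and session store below are constructed placeholders, not Google's values. The event-type URIs are the ones defined by the OpenID RISC profile.

```python
import base64
import hashlib
import hmac
import json
import time

# Event-type URIs defined by the OpenID RISC profile.
EVT_SESSIONS_REVOKED = "https://schemas.openid.net/secevent/risc/event-type/sessions-revoked"
EVT_ACCOUNT_DISABLED = "https://schemas.openid.net/secevent/risc/event-type/account-disabled"
EVT_CREDENTIAL_CHANGE = "https://schemas.openid.net/secevent/risc/event-type/account-credential-change-required"
EVT_VERIFICATION = "https://schemas.openid.net/secevent/risc/event-type/verification"

MAX_CLOCK_SKEW = 300  # seconds of tolerated skew on the iat claim


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_set(claims: dict, key: bytes) -> str:
    """Build an HMAC-signed SET. Constructed stand-in for the sender; a real IdP signs asymmetrically."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_set(token: str, key: bytes, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Verify signature and claims; raise ValueError for anything that is not a valid SET for us."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected_mac = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if expected_aud not in aud:
        raise ValueError("token not addressed to this receiver")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + MAX_CLOCK_SKEW:
        raise ValueError("bad iat")
    if not isinstance(claims.get("jti"), str) or not isinstance(claims.get("events"), dict):
        raise ValueError("missing jti or events")
    return claims


class RiscReceiver:
    """Receiver state: active sessions per user plus the flags the events set (all constructed)."""

    def __init__(self, key: bytes, issuer: str, audience: str):
        self.key, self.issuer, self.audience = key, issuer, audience
        self.seen_jti = set()
        self.sessions = {"user-1": {"sess-a", "sess-b"}}  # constructed sample session store
        self.disabled = set()
        self.must_change_credential = set()

    def handle(self, token: str, now=None) -> list:
        claims = verify_set(token, self.key, self.issuer, self.audience, now)
        if claims["jti"] in self.seen_jti:  # deliveries may be retried; act exactly once
            return ["duplicate"]
        self.seen_jti.add(claims["jti"])
        actions = []
        for event_type, payload in claims["events"].items():
            subject = payload.get("subject") if isinstance(payload, dict) else None
            user = subject.get("sub") if isinstance(subject, dict) else None
            if event_type == EVT_VERIFICATION:
                actions.append("verification-ok")
            elif event_type == EVT_SESSIONS_REVOKED:
                self.sessions.pop(user, None)
                actions.append(f"sessions-revoked:{user}")
            elif event_type == EVT_ACCOUNT_DISABLED:
                self.sessions.pop(user, None)
                self.disabled.add(user)
                actions.append(f"account-disabled:{user}")
            elif event_type == EVT_CREDENTIAL_CHANGE:
                self.must_change_credential.add(user)
                actions.append(f"credential-change-required:{user}")
            else:
                actions.append(f"ignored:{event_type}")
        return actions


def is_valid_set(token: str, key: bytes, issuer: str, audience: str, now=None) -> bool:
    try:
        verify_set(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False
```

Wire `RiscReceiver.handle` behind the POST endpoint from step 2: the push-delivery spec has the receiver answer 202 Accepted once the token is verified and acted on, and 400 with an error body when verification fails, so the sender can tell a bad token from a transient outage. The verification event type is the one to expect first, since it exists for testing the stream end to end.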

If you already use Google Sign In, please get started by checking out our developer docs. If you don't use Google Sign In, CAP is another great reason to do so to improve the security of your users. Developers using Firebase Authentication or Google Cloud Identity for Customers & Partners have CAP configured automatically - there's nothing you need to do. You can also post questions on Stack Overflow with the #SecEvents tag.

Optimistic dissatisfaction with the status quo of security

This article is a condensed version of a keynote speech Parisa gave at Black Hat Conference on July 8, 2018.

As a kid, I used to spend hours at the arcade playing whack-a-mole. With a toy mallet in hand, I’d smash as many plastic moles as possible. But the more moles I whacked, the faster they popped up out of their holes.

I haven’t played this arcade game in years, but there have been times when my career in computer security felt like a reality version of whack-a-mole. Computer security issues are emerging at a quickening pace, and everyone’s energy is spent knocking out the same problems over and over and over.

We have to stop taking a whack-a-mole approach to security. Instead, we need to focus our energy on tackling the root causes of bad security, strategically investing in long-arc defense projects, and building out our coalitions beyond security experts.

Tackle the root cause

As the world becomes more dependent on safe and reliable technology, we can no longer be satisfied with isolated security fixes. Instead, we need to identify and tackle the underlying causes of bad security—whether they’re structural, organizational or technical.

Project Zero, a team that formed at Google in 2014, aims to advance the understanding of offensive security and improve defensive strategies. Over the past four years, the team has reported more than 1,400 vulnerabilities in a variety of targets, including operating systems, browsers, antivirus software, password managers, hardware and other popular software. But what's more impressive than that number is the impact we’re seeing across industry in terms of tackling the root causes of bad security.

In the case of Project Zero, the team recognized that vendor response times for fixing critical security reports varied hugely, and it often didn’t tip in favor of the people using the technology. Unfortunately, software vendors don’t always have incentives aligned that prioritize security. To address that underlying problem, Project Zero introduced a consistent 90-day disclosure policy that removed the historical, time-consuming negotiation between security researchers and vendors.

Initially, this deadline-driven approach was controversial. It caused short-term pain for organizations that needed to make structural changes. But sticking to this approach resulted in vendors investing more in solving root problems that, for whatever reason, weren’t previously addressed. Since the introduction of the deadline-driven disclosure policy, one large vendor doubled the number of security updates released each year, and another vendor improved response time by 40 percent. When it came to the controversial deadline, 98 percent of the security issues Project Zero reported have been fixed within 90 days, up from 25 percent.

Through all of this, Project Zero worked in the open to advance the public’s understanding of exploitation techniques. Ultimately, the team recognized that one individual security researcher isn’t likely to change the behavior of a large vendor, but a larger public response can. The team sought out opportunities for collaboration with other vendors, and people came together, both inside and outside the walls of Google, to analyze and build defenses against exploits discovered in the wild.

Solving the root problems—especially in today’s distraction-driven environments—isn’t always the fastest or easiest route to take, but it builds a foundation for a more secure future.

Celebrate milestones to make progress on strategic projects

To make real security change, we need to commit to long-arc defense efforts, no matter how complex they may be or how long they take to complete. Maintaining momentum for these projects requires strategically picking milestones, communicating them repeatedly and celebrating progress along the way.

In 2014, the Chrome team set out on a mission to drive the adoption of HTTPS on the open web. We wanted the web to be secure by default, instead of opt-in secure. We also wanted to address confusion in our existing network security indicators; users weren’t perceiving the risk of HTTP connections given our lack of a warning. We knew this project would take many years to complete because of the complexity of the web ecosystem and the associated risk of making big changes to browser security warnings.

It's important to remember that nobody owns the web. It’s an open ecosystem of multiple players, each with different incentives and constraints—so projects of this magnitude require wrangling a lot of moving parts. To avoid creating warning fatigue and confusion about the web, we set strategic milestones over a long period and shared them publicly.

My job as a manager was to make sure my team believed change was possible and that they stayed optimistic over the entire course of the project. We shared a comprehensive step-by-step strategy and published the plan on our developer wiki for feedback. Our milestone-based plan started out simple and increasingly upped the pressure over time. Internally, we found fun and inexpensive ways to keep team morale high. We kicked off a brainstorming day with a poetry slam—finger snapping included! We made celebratory HTTPS cakes, pies and cookies. We also had a team chat to share updates, challenges and a lot of GIFs.


Building momentum externally was equally important. When sites made the switch to the more secure HTTPS, we celebrated with the broader community—usually via Twitter. And we published a transparency report that shed light on top sites and their HTTPS status. Hooray for openness!

Since our official announcement of these changes, HTTPS usage has made incredible progress. The web is ultimately more secure today because of a loose coalition of people who were able to stay committed to seeing a long, ambitious project all the way through. Which brings me to my third point...

Build a coalition

As we proactively invest in ambitious defense projects where the benefits aren’t immediately clear, we need to build a strong coalition of champions and supporters.

In 2012, the Chrome team started its Site Isolation effort, a project that mitigated the risk of cross-site data theft on the web. The project turned out to be the largest architecture change and code refactor in the history of Chrome! This was no small task considering Chrome is 10 years old, has more than 10 million lines of C++ code and has hundreds of engineers committing hundreds of changes each day from around the world. The core Site Isolation team was made up of only around 10 people, so building a strong coalition of support for the project outside of the team was critical for its success.

Originally, we thought this project would take a year to complete. Turns out we were off by more than a factor of five! Estimation mistakes like this tend to put a bullseye on a project’s back from upper management—and with good reason. Luckily, the team regularly articulated progress to me and the reasons why it was more work than first anticipated. They also demonstrated positive impact in terms of overall Chrome code health, which benefited other parts of Chrome. That gave me additional cover to defend the project and communicate its value to senior stakeholders over the years.

Aside from management, the team needed allies from partner teams. If other Chrome team members weren’t motivated to help or didn’t respond quickly to questions, emails and code reviews, then this 10-person project could have dragged on forever. The team kept a positive attitude and went out of their way to help others, even if it didn't relate directly to their own project. Ultimately, they conducted themselves as good citizens to build a community of support—a good lesson for all of us. We might be able to find the problems and technical solutions on our own, but we rely on everyone working on technology to help clear the path to a safer future.

We’ll keep finding complex problems to solve as technology evolves, but I’m optimistic that we can continue to keep people safe. It just requires a little bit of change. We need to take a different approach to computer security that doesn’t feel like playing whack-a-mole. So let’s band together—inside and outside of our organizations—and commit to ambitious projects that solve the root problems. And let’s not forget to celebrate our wins along the way! 🎉

Source: Google Chrome


Protect your online accounts with Titan Security Keys

Phishing—when an attacker tries to trick you into giving them your credentials—is a common threat to all online users. Google's automated defenses securely block the overwhelming majority of sign-in attempts even if an attacker has your username or password, but we always recommend you enable two-step verification (2SV) to further protect your online accounts.

There are many forms of 2SV—from text (SMS) message codes, to the Google Authenticator app, to hardware second factors like security keys. And while any second factor will greatly improve the security of your account, for those who want the strongest account protection, we’ve long advocated the use of security keys for 2SV.

Today, we’re making it easier to get a security key by making Google’s own Titan Security Keys available on the Google Store.

Titan Security Key


Titan Security Keys have extra “special sauce” from Google—firmware that’s embedded in a hardware chip within the key that helps to verify that the key hasn’t been tampered with. We’ve gone into more detail about how this works on the Google Cloud blog.

Titan Security Keys work with popular browsers (including Chrome) and a growing ecosystem of services (including Gmail, Facebook, Twitter, Dropbox and more) that support FIDO standards.

Getting started

It’s easy to get started with Titan Security Keys. Kits of two keys (one USB and one Bluetooth) are now available to U.S. customers on the Google Store and will be coming soon to additional regions.

To set them up with your Google Account, sign in and navigate to the 2-Step Verification page (see detailed instructions on our help center). Titan Security Keys are also compatible with the Advanced Protection Program, Google's strongest security for users at high risk. And Google Cloud admins can enable security key enforcement in G Suite, Cloud Identity, and Google Cloud Platform to ensure that users use security keys for their accounts.

For more information, visit our website or read our detailed post on Google Cloud.

An update on state-sponsored activity

We’ve invested in robust systems to detect phishing and hacking attempts, identify influence operations launched by foreign governments, and protect political campaigns from digital attacks through our Protect Your Election program.

Our Threat Analysis Group, working with our partners at Jigsaw and Google’s Trust & Safety team, identifies bad actors, disables their accounts, warns our users about them, and shares intelligence with other companies and law enforcement officials.

This week, there has been a lot of news about attempted state-sponsored hacking and influence campaigns. We wanted to provide an update on some of our ongoing work in this area:

  • State-sponsored phishing attacks 
  • Technical attribution of a recently-reported influence campaign from Iran 
  • Detection and termination of activity on Google properties

State-sponsored phishing attacks

Phishing—attempts to trick users into providing a password that an attacker can use to sign into an account—remains a threat to all email users. Our improving technology has enabled us to significantly decrease the volume of phishing emails that get through to our users. Automated protections, account security (like security keys), and specialized warnings give Gmail users industry-leading security. As part of our security efforts, for the past eight years, we’ve displayed prominent warnings to Gmail users who are at risk of phishing by potentially state-sponsored actors (even though in most cases the specific phishing attempt never reaches the user’s inbox).

In recent months, we’ve detected and blocked attempts by state-sponsored actors in various countries to target political campaigns, journalists, activists, and academics located around the world. When we’ve seen these types of attacks, we’ve notified users as well as law enforcement.

On Monday morning, we issued our most recent series of notifications to Gmail users who were subject to suspicious emails from a wide range of countries. We posted about these sorts of warnings here—if you received this type of warning, please read the blog post and take action immediately.

Iran and FireEye

To complement the work of our internal teams, we engage FireEye, a leading cybersecurity group, and other top security consultants, to provide us with intelligence. For the last two months, Google and Jigsaw have worked closely with FireEye on the influence operation linked to Iran that FireEye identified this week. We’re grateful to FireEye for identifying some suspicious Google accounts (three email accounts, three YouTube channels, and three Google+ accounts), which we swiftly disabled. FireEye’s full report has just been published today. It’s worth reading.

In addition to the intelligence we received from FireEye, our teams have investigated a broader range of suspicious actors linked to Iran who have engaged in this effort. We’ve updated U.S. lawmakers and law enforcement about the results of our investigation, including its relation to political content in the United States. We wanted to provide a summary of what we told them.

Connections to IRIB: forensic evidence

Our technical research has identified evidence that these actors are associated with the IRIB, the Islamic Republic of Iran Broadcasting.

We can’t go into all the technical details without giving away information that would be helpful to others seeking to abuse our platforms, but we have observed the following:

  • Technical data associated with these actors is strongly linked to the official IRIB IP address space.
  • Domain ownership information about these actors is strongly linked to IRIB account information.
  • Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB, indicating common ownership and control.

These facts, taken together with other technical signals and analysis, indicate that this effort was carried out as part of the overall operations of the IRIB organization, since at least January 2017. This finding is consistent with internet activity we’ve warned about in recent years from Iran.

Detecting and terminating activity on Google properties

Actors engaged in this type of influence operation violate our policies, and we swiftly remove such content from our services and terminate these actors’ accounts. Additionally, we use a number of robust methods, including IP blocking, to prevent individuals or entities in Iran from opening advertising accounts.

We identified and terminated a number of accounts linked to the IRIB organization that disguised their connection to this effort, including while sharing English-language political content in the U.S.:

  • 39 YouTube channels that had 13,466 total US views on relevant videos
  • 6 blogs on Blogger
  • 13 Google+ accounts

Our investigations on these topics are ongoing and we will continue to share our findings with law enforcement and other relevant government entities in the U.S. and elsewhere, as well as with others in the industry.

The state-sponsored phishing attacks, and the actors associated with the IRIB that we’ve described above, are clearly not the only state-sponsored actors at work on the Internet. For example, last year we disclosed information about actors linked to the Internet Research Agency (IRA). Since then, we have continued to monitor our systems, and broadened the range of IRA-related actors against whom we’ve taken action. Specifically, we’ve detected and removed 42 YouTube channels, which had 58 English-language political videos (these videos had a total of fewer than 1,800 U.S. views). We’ve also identified and terminated the account associated with one blog on Blogger.

We continue to actively monitor our systems, take prompt action, share intelligence, and remain vigilant about these and other threats.

A milestone for Chrome security: marking HTTP as “not secure”

Security has been one of Chrome’s core principles since the beginning—we’re constantly working to keep you safe as you browse the web. Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as “not secure”. This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets. Starting today, we’re rolling out these changes to all Chrome users.


Starting in the latest version of Chrome (68), you’ll see a new “not secure” notification when visiting HTTP pages.

More encrypted connections, more security

When you load a website over plain HTTP, your connection to the site is not encrypted. This means anyone on the network can look at any information going back and forth, or even modify the contents of the site before it gets to you. With HTTPS, your connection to the site is encrypted, so eavesdroppers are locked out, and information (like passwords or credit card info) will be private when sent to the site.

Chrome’s “not secure” warning helps you understand when the connection to the site you're on isn’t secure and, at the same time, motivates the site's owner to improve the security of their site. Since our announcement nearly two years ago, HTTPS usage has made incredible progress. We’ve found in our Transparency Report that:

  • 76 percent of Chrome traffic on Android is now protected, up from 42 percent
  • 85 percent of Chrome traffic on ChromeOS is now protected, up from 67 percent
  • 83 of the top 100 sites on the web use HTTPS by default, up from 37

We knew that rolling out the warning to all HTTP pages would take some time, so we started by only marking pages without encryption that collect passwords and credit card info. Then we began showing the “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.

Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure, and the default unmarked state is secure. We will roll this out over time, starting by removing the “Secure” wording in September 2018. And in October 2018, we’ll start showing a red “not secure” warning when users enter data on HTTP pages.


In October’s version of Chrome (70), you’ll see a red “not secure” notification when you enter data on an HTTP page.

Making encryption easy

If you’re a site owner looking to migrate (or build!) your site on HTTPS, we’ve helped make the process as simple and inexpensive as possible. Improvements include managed HTTPS for Google App Engine, required and automatic HTTPS on all .app domains, and free and automated certificates through Let’s Encrypt (Chrome is a Platinum sponsor). And if you’re in the process of migrating to HTTPS, look out for messages coming from Search Console with further information and guidance.

So when you’re shopping for concert tickets or online banking, rest assured: you’ll be warned if a site is not protecting your data with HTTPS. And we’ll continue to improve Chrome’s security, to make sure you’re using the most secure browser out there.

Greater transparency and control over your Google ad experience

Over the years, you’ve told us that transparency and control over your data and ad experience are important. That's why we've built products and tools to help you manage that experience. Back in 2009, we launched Ad Settings, providing you with a single place for your ad controls, and in 2011 and 2012 we introduced Why this ad? and Mute this ad, giving you more transparency and control over the ads that you see. In 2015 all of these were brought together in your Google Account, the all-in-one destination for managing your personal information, privacy and security settings.

Today, we’re launching the new Ad Settings, which makes it easier for you to understand and control how your ads are tailored to you. We’re also providing more transparency around why you see certain ads by expanding Why this ad? to all of our services that show Google ads (like Search and YouTube) and almost all websites and apps that partner with us to show ads.

Understand and control how your ads are tailored to you

The new Ad Settings shows all the different factors that determine how ads are tailored to you in one view. This way, it’s easier for you to see them at a glance, learn more about why you see ads related to these topics, and decide if there are any you want to remove.


There are a few different factors that can determine how your ads are tailored to you, including: estimations of your interests based on your activity while you’re signed in, information you’ve added to your Google Account, and information from advertisers that partner with us to show ads—like if you’ve visited their site or signed up for their newsletter.


For example, if you watched highlights from a recent soccer match on YouTube or searched “soccer fields near me” you might see an ad for a slick pair of soccer shorts. If you’ve told us you’re 40 years old, we would be less likely to show you ads about student study abroad programs. And if you visit the website of one of your favorite brands, you might see an ad from them.


This information helps make ads more relevant and useful to you. However, in the new Ad Settings, if you no longer want us to tailor your ads based on one of these factors you can choose to turn it off. Turning off a factor means you’ll no longer receive tailored ads related to it across our services, and on websites and apps that partner with us to show ads, as long as you’re signed in to your Google Account. The ads you see can still be based on general factors, like the subject of what you’re looking at or the time of day, or any other factor that is still turned on.


Why this ad? makes it easier to understand why you see certain ads

Why this ad? is a feature that appears next to ads and both helps you learn why you are seeing a certain ad and gives you easy access to your Ad Settings. For example, if you want to know why you’re seeing an ad for a camera, Why this ad? might tell you it’s because you’ve searched for cameras, visited photography websites, or clicked on ads for cameras before. We’ve now significantly expanded coverage of this feature; starting today, you’ll see Why this ad? notices on all our services that show Google Ads, such as ads on YouTube (including the YouTube app on connected TVs), Google Play, Gmail, Maps and Search. We’ve also expanded it to include almost all of the websites and apps that partner with us to show ads.


The new Ad Settings and updates to Why this ad? provide you with more transparency and control over your Google ad experience than ever before. With these improvements, you can browse the web confidently knowing that you have the information and control to make Google work better for you.

Spotting and squashing spam on Search

When you search with Google, our goal is to provide you with results from relevant and authoritative sources. We work hard to ensure that search spam doesn’t get in the way of you finding the information you’re looking for.

You can get a sense of how search could be ruined by search spam by visiting the spam folder in your Gmail account. Just as Gmail fights email spam and keeps it out of your inbox, our search spam fighting systems work to keep your search results clean.

Okay, so what is spam?

Search spam comes in a variety of different forms. We refer to a page or site as “spammy” if it is trying to fool or manipulate our ranking systems. Some spam comes from site owners who are intentionally trying to secure higher search rankings using techniques that go against our guidelines. While search spam is designed to impact search ranking, some spammy pages may also be harmful to users, trying to trick you into providing your personal or financial information or subscribing to a service with unclear terms.

In more serious cases, spammy webpages are on websites that may unknowingly have been victims of hacking. Hacked websites can create serious threats to users: once controlled by a hacker, a site can become a channel for distributing malware or causing further damage, while also taking advantage of the legitimate website owner.

That doesn’t sound good. What are you doing about it?

We have systems in place to detect and prevent search spam, but we also work actively with site owners to maintain a healthy web. We provide guidelines for webmasters, encouraging them to produce high-quality content and services. In 2017, we conducted 250+ webmaster meetups and office hours around the world reaching more than 220,000 website owners. Through our support forum we answered thousands of questions each month, and through Search Console we sent over 45 million notifications to registered website owners alerting them to possible problems with their websites which could affect their appearance in search. While most spam detection is done automatically, when spam slips through, we take manual action. Last year, we sent 6 million manual action messages to webmasters about practices we identified that were against our guidelines, along with information on how to resolve the issue.

Last year, we focused a great deal of effort on reducing the impact on users from hacked websites, and were able to detect and remove more than 80 percent of compromised sites from search results. We’re also working closely with many providers of popular content management systems like WordPress and Joomla to help them fight spammers that abuse forums and comment sections.

What can I do?

Our automated systems are constantly working to detect and block spam. Still, we always welcome hearing from you when something seems … phishy. Last year, we were able to take action on nearly 90,000 user reports of search spam.

Reporting spam, malware and other issues you find helps us protect the site owner and other searchers from this abuse. You can file a spam report, a phishing report or a malware report. You can also alert us to any issue with Google search by clicking on the “Send feedback” link at the bottom of the search results page, which will trigger this reporting tool:

search feedback form

You can highlight whatever issue you may have spotted in search, add comments and forward that to our search team for review.


Your feedback is appreciated to help us create a spam-free search experience for everyone.


Improving the Advanced Protection Program for iOS users

Last October, Google launched the Advanced Protection Program, our strongest level of account security, designed to protect the overlooked segment of our users who face an increased risk of sophisticated attacks. These users may be journalists, activists, business leaders, political campaign teams, and others who feel especially vulnerable.

Today we’re announcing that Advanced Protection now supports Apple’s native applications on iOS devices, including Apple Mail, Calendar, and Contacts. This allows iOS users to enroll in the program without having to adjust how they use Google services on their Apple devices.

To protect you from accidentally sharing your most sensitive data with fraudulent apps or web services, Advanced Protection places automatic limits on which apps can gain access to your Google data. Before today, this meant that only Google applications were able to access your data if you were enrolled in the program.

With today’s update, you can now choose to allow Apple’s native iOS applications to access your Gmail, Calendar, and Contacts data. When you sign into iOS native applications with your Google account, you will get instructions on how to complete the sign-in process if you’re enrolled in Advanced Protection. We’ll continue to expand the list of trusted applications that can access Google data in the future. 

Layers of security protections

In addition to these updates, you’ll continue to benefit from Advanced Protection’s other safeguards. To provide you with the strongest defense against phishing, Advanced Protection goes further than traditional 2-Step Verification, requiring you to use a physical Security Key to sign back into your account after you’ve logged out, or anytime you sign in on a new device. Advanced Protection also helps block fraudulent access to your account by adding extra steps to the account recovery process to prevent people from impersonating you and pretending they’ve been locked out of your account.

Our goal is to make sure that any user facing an increased risk of online attacks enrolls in the Advanced Protection Program. Today, we’ve made it easier for our iOS users to be in the program, and we’ll continue our work to make the program more easily accessible to users around the globe. Get started at google.com/advancedprotection.

Introducing .app, a more secure home for apps on the web

Today we’re announcing .app, the newest top-level domain (TLD) from Google Registry.

A TLD is the last part of a domain name, like .com in “www.google.com” or .google in “blog.google” (the site you’re on right now). We created the .app TLD specifically for apps and app developers, with added security to help you showcase your apps to the world.

Even if you spend your days working in the world of mobile apps, you can still benefit from a home on the web. With a memorable .app domain name, it’s easy for people to find and learn more about your app. You can use your new domain as a landing page to share trustworthy download links, keep users up to date, and deep link to in-app content.

A key benefit of the .app domain is that security is built in—for you and your users. The big difference is that HTTPS is required to connect to all .app websites, helping protect against ad malware and tracking injection by ISPs, in addition to safeguarding against spying on open WiFi networks. Because .app will be the first TLD with enforced security made available for general registration, it’s helping move the web to an HTTPS-everywhere future in a big way.

Starting today at 9:00am PDT and through May 7, .app domains are available to register as part of our Early Access Program, where, for an additional fee, you can secure your desired domains ahead of general availability. And then beginning on May 8, .app domains will be available to the general public through your registrar of choice.

Just visit get.app to see who’s already on .app and choose a registrar partner to begin registering your domain. We look forward to seeing where your new .app domain takes you!

Helping G Suite customers stay secure with new proactive phishing protections and management controls

Security tools are only effective at stopping threats if they are deployed and managed at scale, but getting everyone in your organization to adopt these tools ultimately hinges on how easy they are to use. It’s for this reason that G Suite has always aimed to give IT admins simpler ways to manage access, control devices, ensure compliance and keep data secure.

Today we announced more than 20 updates to deepen and expand Google Cloud customers’ control over their security. Many of these features will be turned on by default for G Suite so that you can be sure the right protections are in place for your organization. And, even better, in most cases your users won’t have to do a thing. Here’s the breakdown.

1. Helping to protect your users and organization with new advanced anti-phishing capabilities

We're applying machine learning (ML) to billions of threat indicators and evolving our models to quickly identify what could be a phishing attack in the making. Information from these self-learning ML models helps us flag suspicious content. At the same time, updated phishing security controls can be configured to automatically switch on the latest Google-recommended defenses.

These new default-on protections can:

  • Automatically flag emails from untrusted senders that have encrypted attachments or embedded scripts.
  • Warn against email that tries to spoof employee names or that comes from a domain that looks similar to your own domain.
  • Offer enhanced protections against spear phishing attacks by flagging unauthenticated email.
  • Scan images for phishing indicators and expand shortened URLs to uncover malicious links.
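As an added illustration (not Google's implementation, which is not published here), the four checks above expressed as a message triage function run over constructed sample headers; the organization domain, employee list, trusted-domain set and similarity threshold are all assumptions.

```python
import difflib
import email.utils
import re

# Constructed sample organization data for the example (assumptions, not from the post).
OUR_DOMAIN = "example-corp.com"
EMPLOYEES = {"Jane Doe", "Alan Smith"}
TRUSTED_DOMAINS = {OUR_DOMAIN, "partner.example"}
SCRIPT_EXT = re.compile(r"\.(js|vbs|hta|wsf|docm)$", re.I)
LOOKALIKE_THRESHOLD = 0.85  # assumed cut-off for "looks similar to your own domain"


def normalize(domain: str) -> str:
    """Fold common homoglyph substitutions (rn->m, 0->o, 1->l, 3->e, 5->s) before comparing."""
    return domain.lower().replace("rn", "m").translate(str.maketrans("0135", "oles"))


def lookalike(domain: str) -> bool:
    """True when a sender domain is a near-miss of ours but is not ours."""
    if domain == OUR_DOMAIN:
        return False
    ratio = difflib.SequenceMatcher(None, normalize(domain), normalize(OUR_DOMAIN)).ratio()
    return ratio >= LOOKALIKE_THRESHOLD


def triage(msg: dict) -> list:
    """Return the warnings raised for one message.

    msg is a constructed dict: 'from' header, 'dmarc' result ('pass'/'fail'/'none'),
    and 'attachments' as a list of {'name': str, 'encrypted': bool}.
    """
    display_name, addr = email.utils.parseaddr(msg["from"])
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    if lookalike(domain):
        warnings.append("lookalike-domain")          # domain similar to our own
    if display_name in EMPLOYEES and domain != OUR_DOMAIN:
        warnings.append("employee-name-spoof")       # known employee name, foreign domain
    if msg.get("dmarc", "none") != "pass":
        warnings.append("unauthenticated")           # not authenticated -> spear-phishing risk
    risky = any(a.get("encrypted") or SCRIPT_EXT.search(a["name"])
                for a in msg.get("attachments", []))
    if domain not in TRUSTED_DOMAINS and risky:
        warnings.append("untrusted-risky-attachment")  # encrypted/script payload, untrusted sender
    return warnings
```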

With the protections we have in place, more than 99.9% of Business Email Compromise (BEC) scenarios—or when someone impersonates an executive to get sensitive information—are either automatically moved to the spam folder or flagged with anomaly warnings to users.


2. Giving you more control over mobile devices with default-on mobile management

Securing endpoints like mobile devices is one of the best ways for businesses to keep data safe. More than 7 million devices are already managed with G Suite’s enterprise-grade mobile management solution. With new proactive security settings, basic device management is automatically enabled for your mobile devices that access G Suite.

This means employees don’t have to install profiles on iOS and Android devices. It also means admins get added security management controls to help them:

  • See which devices access corporate data in a single dashboard.
  • Enforce pass codes and erase confidential data with selective account wipe for Android and iOS.
  • Automatically protect Android and iOS devices, with no user intervention or device profile required.

And you may have noticed we launched updates to Cloud Identity—a way for enterprises to manage users, apps and devices centrally. Cloud Identity includes user lifecycle management, account security, SSO, robust device and app management and unified reporting. Check it out.


3. Offering you more visibility and insights to stay ahead of potential threats

IT admins who operate in the cloud seek tools, visibility and assistive insights to stop threats or gaps in operations before they become security incidents. This is why we introduced the security center for G Suite earlier this year. The security center is a tool that brings together security analytics, actionable insights and best practice recommendations from Google to help you protect your organization, data and users.

Today, we’re introducing additions to the security center for G Suite including:

  • New security charts to show OAuth activity and Business Email Compromise (BEC) scam threats that are specifically focused on phishing emails that may not have links.
  • New mobile management charts to help IT admins examine activity analytics and show when devices have been hijacked, rooted or jailbroken, as well as when other suspicious device activity has been detected.
  • Ways to reorganize the dashboard to focus on what is most important to your organization.
  • Ways to analyze your organization’s security health and get custom advice on security key deployment and protection against phishing scams.


If you’re new to using the G Suite security center, check out these instructions to get started.

4. Providing built-in protections and controls for Team Drives

Enterprises share and store an enormous amount of content, which means admins need more controls to keep this data protected. That’s why we’re enhancing Team Drives with new security controls to give you more ways to safeguard highly-sensitive content. Now, your data can be protected by Information Rights Management (IRM) controls so you can feel confident that your company’s ideas stay “yours.”


Specific updates include the ability to modify settings for Team Drives to:

  • Limit file access privileges to Team Drives members, or only to users within your domain.
  • Add IRM controls to prevent users from printing, downloading and copying files within Team Drives.

These new security features for Team Drives will roll out over the next few weeks.

Get started

Phishing and mobile management controls are available now across all G Suite versions, and you’ll be able to use Team Drives controls in the coming weeks. If you’re a G Suite Enterprise customer, you can access the security center in the Admin console.

Source: Google Cloud