Tag Archives: Security and Compliance

Protect sensitive admin actions with multi-party approvals

This announcement was part of Google Cloud Next ‘24. Visit the Workspace Blog to learn more about the next wave of innovations in Workspace, including enhancements to Gemini for Google Workspace.


What’s changing

To protect our customers from malicious actors taking sensitive admin actions, we’re launching multi-party approvals where one admin must approve certain sensitive actions initiated by another. Multi-party approvals will be required for the following settings:
  • 2-Step verification
  • Account recovery
  • Advanced Protection 
  • Google session control
  • Login Challenges
  • Passwordless (beta)
This feature is available for eligible Workspace customers with multiple super admin accounts — see the “Getting started” section below for more information.


Who’s impacted

Admins


Why it’s important

Multi-party approvals adds an extra layer of security for sensitive actions taken in the Admin console by ensuring no sensitive action happens in a silo and, most importantly, helps prevent unauthorized or accidental changes from being made. This added layer of approval helps ensure actions are being taken appropriately and not too broadly or too often. Additionally, this is more convenient for admins because the action is executed automatically after approval and the requester doesn’t need to take additional action. Multi-party approvals makes super admins aware of what changes are being attempted and gives them the opportunity to accept or reject these sensitive actions.


Outlined below is an example of the feature in action. In this case, there is an attempt to change 2-step verification policies:

When 2-step verification changes are attempted, admins will be required to submit the change to a super admin for approval.

Super admins can review and take action on these requests in the Admin console by navigating to Security > Multi-party approval. Super admins will also receive email alerts when a 2-step verification change is requested or any other protected action is attempted.

Admins can open a specific approval request to view more information including who is impacted by the change, what the configuration was before the change and what it will be after the change.

Getting started

  • Admins: 
    • This feature is available for eligible Workspace customers with two or more super admin accounts. Multi-party approvals are OFF by default and can be turned on in the Admin console by going to Security > Multi-party approval settings. Visit the Help Center to learn more about multi-party approvals for sensitive actions.


Availability

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers


Introducing a new AI Security add-on for Google Workspace

This announcement was part of Google Cloud Next ‘24. Visit the Workspace Blog to learn more about the next wave of innovations in Workspace, including enhancements to Gemini for Google Workspace.



What’s changing

As we continue to expand our Gemini for Google Workspace offerings, we're excited to introduce the AI Security add-on for Google Workspace customers. 

At launch, the AI Security add-on will give customers access to the AI Classification capability in Google Drive. AI Classification allows IT teams to automatically and continuously identify, classify, and label sensitive files across the organization. This capability is powered by privacy-preserving AI models that can be uniquely trained for the specific needs of your organization. Classified files can then be protected with existing data loss prevention (DLP) controls.

Who’s impacted

Admins

Why it matters

Drive Labels enable Workspace Administrators to up-level their security posture by closely monitoring activity on labeled files, and using labels as a vehicle for data loss prevention and lifecycle management policies. The challenge with label-based policies is that they are only effective on files that are correctly identified and labeled. Further, labeling files places a considerable manual burden on Admins.

This is where AI Classification can help. By training models on customer-identified examples of content that match their data classification definitions, AI Classification can evaluate files where text can be extracted to see if they should be labeled. This enables organizations to achieve label coverage at a scale and accuracy that is very difficult to accomplish through traditional means and manual Admin intervention. Once labeled, the organization's data can be protected by fine-grained security policies.


Availability

The AI Security add-on is available for the following Google Workspace Editions:
  • Business Standard and Plus
  • Enterprise Standard and Plus
  • Enterprise Essentials and Essentials Plus
  • Frontline Starter and Standard
  • Google Workspace for Nonprofits 

Securely migrate existing encrypted messages to Gmail client-side encryption (CSE)

What’s changing 

Beginning today, admins can migrate encrypted emails from other services like Microsoft 365, Microsoft Exchange, or Virtru, to Gmail client-side encryption in the S/MIME format. This enables Google Workspace customers to simplify the migration process by bulk importing sensitive emails as S/MIME messages without compromising their privacy or compliance posture.


Specifically: 
  • S/MIME messages imported from other mail providers are now supported by Gmail CSE 
  • Virtru customers can use our migration utility to encrypt their plain-text archives from Vault or Takeout, and import them as S/MIME messages 
  • Customers can bulk-import any plain-text email archives into Gmail as S/MIME messages

Additional details

The Gmail CSE Migration Utility is available for Windows, Mac, and Linux and supports PST & Mbox file formats. 

Rollout pace 

Web & Android: 
  • This feature is available now.
iOS: 

Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers 

Select App Access Controls can now be applied at the organizational unit

What’s changing 

Google Workspace Admins can now configure a number of App Access Control (AAC) policies at the Organizational Unit (OU) level. Previously, this was only possible at the domain level. Specifically, this applies to: 


Who’s impacted

Admins


Why it’s important

We know that users rely on a variety of tools to do their best work, including third-party apps. However, not every third-party app aligns exactly with every organization’s security policies. App access controls give customers and partners the ability to control access to third-party apps and how those apps access Google Workspace data. This update gives admins added flexibility, allowing them to set App Access Controls as they see fit at the OU level, rather than across their entire domain.


Additional details

For Google Workspace education editions, the “User requests to access unconfigured apps” setting can now be configured at the OU level. Visit the Help Center to learn more about managing access to unconfigured third-party apps for users designated under the age of 18.

Availability

  • Available to all Google Workspace customers

User enrollment for managed iOS devices is now generally available

What’s changing 

In late 2023, we introduced user enrollment in beta, an additional option for iOS mobile management. User enrollment separates work and personal data on iOS devices, giving admins control over Workspace data on the device while users retain privacy over their personal data. Beginning today, user enrollment is now generally available. For more information, use our Help Center or reference our original announcement.


Availability

  • Available to Google Workspace Enterprise Plus, Enterprise Standard, Enterprise Essentials, Enterprise Essentials Plus, Frontline Standard, Frontline Starter, Business Plus, Cloud Identity Premium, Education Standard, Education Plus and Nonprofits customers.


Set client-side encryption as the default mode for new emails, events, and files on mobile

What’s changing 

Admins can now set client-side encryption (CSE) to be on by default on Android and iOS for: 
  • Newly drafted Gmail messages and replies 
  • Newly created Google Calendar events 
  • Newly uploaded Google Drive files

Client-side encryption in Gmail


Admins can now set client-side encryption as the default mode on both web and mobile for users who regularly handle sensitive data. This gives organizations the flexibility to meet their compliance and regulatory requirements and reduces the burden on change management programs. Each new email, event and uploaded file on mobile is automatically client-side encrypted with customer-managed keys, meaning the user is compliant with their org’s policy from the outset. For organizations with strict regulatory or sovereignty requirements, this can help them close compliance gaps by defaulting users to the preferred mode for handling sensitive data while on the go.

For more information, check out our original announcement.

Availability

  • Google Workspace Assured Controls is available as an add-on to Google Workspace Enterprise Plus customers only. For more information, contact your Google account representative.

Easily manage and secure your school’s accounts and mobile devices centrally in Google Admin console with the Endpoint Education Upgrade

What’s changing

This year, we announced Endpoint Education Upgrade, which adds enterprise endpoint management features to your Google Workspace for Education edition. Using endpoint management, admins can better manage and secure the phones and tablets used across their school directly from the Admin console.

Note that advanced endpoint management features are already included with Google Workspace for Education Standard and Plus.

Who’s impacted

Admins


Why you’d use it


Using the Endpoint Education Upgrade, admins can configure a wide range of account and device management features, helping to make your organization's data more secure across your users' mobile devices, desktops, laptops, and other endpoints. For example, you can:
  • Control which Android & iOS apps can be installed on a device, who can log into it (for domain-owned devices), and where it can access your data.
  • Protect devices from loss or theft with admin rules for alerts, location tracking, access restrictions, and remote data wipes.
  • Manage company-owned devices or set up Android work profiles, so users can safely access your school account on the go.
  • Require stronger device passwords and more.
Visit the Help Center for a complete list of endpoint management features.


Rollout pace

  • The Endpoint Education Upgrade will be available for purchase through your current Google Workspace for Education reseller and select channel partners on February 29, 2024. If you do not currently have a Google Workspace for Education reseller, you can find one here.


Availability

  • Endpoint Education Upgrade is available by user-based license or device-based license (coming soon) — it is not a domain-wide license. You can purchase Endpoint Education Upgrade licenses through your current Google Workspace for Education reseller and select channel partners.

  • If you have Education Fundamentals and wish to upgrade instead of purchasing individual Endpoint Education Upgrade licenses, you can easily upgrade to Education Standard or Education Plus.

Now generally available: Import and convert sensitive Excel files into client-side encrypted Google Sheets

What’s changing

You can now import and convert sensitive Excel files into Google Sheets with client-side encryption. When collaborating with external and internal stakeholders, you may find yourself working across both Google Sheets and Microsoft Excel. This update keeps your work moving by layering interoperability on top of the privacy benefits of client-side encryption: users are in direct control of their encryption keys and the identity service that they choose to authenticate for those keys.


This feature was previously announced in August 2023 as part of an open beta.

Additional details 

With this release: 
  • You can only import .xlsx Excel file types.
  • Additional Excel and tabular file types are not supported. 
  • During import, unsupported Excel features in Sheets will be ignored. 
  • The maximum file size is 10MB. 
  • The maximum number of cells that can be imported is 10 million. 

Local data storage exports your organization’s Workspace data into the geographic location of your choice, launching in beta

What’s changing 

Today, we’re introducing Google Workspace’s new feature, local data storage. This feature allows admins to export their organization’s Workspace data into the geographic location or locations of their choice. These are the available options for this feature: 
  • User data: Specify users, groups, organizational units or your entire organization 
  • Export frequency: Opt for continuous or one-time exports 
  • Storage settings: Specify the geographic location of the Google Cloud storage bucket that the data is exported to, who can access the data, and more settings within the Google Cloud storage bucket.

When creating a new export, you can choose to export your data continuously into your own storage bucket



Who’s impacted

Admins


Why you’d use it

This update allows admins to export their organization's Workspace data into their own Google Cloud Storage (GCS) bucket located in a geographic location of their choice to meet their data sovereignty, compliance, and data archival needs. 

Availability

  • Available to Google Workspace Enterprise Plus customers with Assured Controls add-on
    • If you don’t currently have the Assured Controls add-on, please contact us or reach out to your sales rep for more information.

Use comments & action items on your client-side encrypted Google Docs

What’s changing 

You can now collaborate with others on client-side encrypted Google Docs to add, edit, reply, filter, or delete comments. You can also assign action items to yourself or others. This added functionality helps bring parity to unencrypted docs while also ensuring your data is behind encryption keys you control, including the identity provider used to access those keys. 


This feature is available as an open beta, which means you can use it without enrolling in a specific beta program. This feature is available for Google Docs initially, with support coming for Google Sheets and Slides in the future.




Additional details

Note that when sharing encrypted files, you can only assign “viewer” or “editor” permissions — the “comment only” permission is not supported.


Comments are saved each time the document is autosaved. If you restore the document to a previous version, the comments added to the document in that version are also restored.

Availability

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers
