Tag Archives: Security and Compliance

Android phone’s built-in security key now generally available

Quick launch summary 

At Next 2019, we announced beta functionality to use an Android phone’s built-in security key for 2-step verification. We’re now making this generally available. All phones running Android 7.0+ (Nougat) have a built-in key that can be activated. This means your users can use existing phones for multi-factor authentication in G Suite to protect against phishing.

For more details, see our beta announcement or our Cloud Blog post.

Availability 

Rollout details



G Suite editions
 Available to all G Suite editions

On/off by default? 
If 2-Step Verification or Security Key Enforcement is turned on for an organization, Android phones will be available as an option for security keys by default.

Stay up to date with G Suite launches

New email alerts and location for easier alert center management

What’s changing

We’re making some improvements to the alert center for G Suite. Specifically we’re:

  • Moving the location of alert management for predefined admin alerts in the Admin console to the system defined rules section.
  • Adding optional email notifications for more alerts.


Who’s impacted

Admins only

Why you’d use it

We hope that this will help you identify and take action to resolve potential issues affecting your domain. To get the most out of the alert center, you could also sign up for our recently announced beta, which will help you collaborate and track the status of alerts within your domain, as well as triage faster with insights from related alerts.

How to get started




Additional details

Moving alert management location

  • The alert management controls for predefined alerts could previously be found at Admin console > Reporting > Alerts. They will now be at Admin console > Security > Alert center > Settings (gear icon)
  • These predefined admin alerts include: 
  • There will be no change to any settings (whether email alerts are on or off, or the email subscriber list for any alerts) or the content of the alerts. We’re just moving where you should go to manage them. There will also be no change to the location of custom alerts. For the moment, they will still be at Admin console > Reporting > Alerts



Email notification options for more alerts 

  • We’re adding an option to get email notifications for several existing alerts that previously didn’t have the option to receive emails. 
  • These alerts include: 
    • Domain data export initiated 
    • Phishing message detected post-delivery 
    • Spike in user-reported spam, and others 
  • For each alert, you can choose whether to turn them on or off, and to specify which email address the alerts should go to. 
  • The email alerts will be on by default. To change or turn off email alerts, go to Admin console > Security > Alert center (gear icon), or go directly to the new System defined rules section.






Availability 

Rollout details 



G Suite editions 
Available to all G Suite editions.

On/off by default?
These features will be ON by default.



Gmail making email more secure with MTA-STS standard

What’s changing

SMTP MTA Strict Transport Security (MTA-STS) is a new internet standard that improves email security by requiring authentication checks and good encryption for email in transit.

Gmail will start enforcing this standard in beta, which you can read more about on the Google Security blog. For G Suite admins:

  1. Security health within the security center for G Suite will start including recommendations about MTA-STS policies for your domain.
  2. G Suite admins can choose to set up MTA-STS policies and reporting for incoming mail in their DNS server. While admins could do this previously, it will become more impactful now that Gmail is enforcing the MTA-STS policies.

Use our Help Center to learn more about how to use the MTA-STS standard.

Who’s impacted

Admins only

Why you’d use it

MTA-STS is a new internet standard that will increase email security by acting as a deterrent against pervasive monitoring of email traffic and protecting against man-in-the-middle attacks. You can make your email communications more secure by setting MTA-STS policies and asking the organizations with which you communicate to also set MTA-STS policies for their mail servers.

How to get started



Additional details

Option to set up an MTA-STS policy
G Suite admins can choose to set up a policy for incoming mail with their DNS server. See the Help Center for details and instructions on how to set up an MTA-STS policy for your domain.

Possible email bouncebacks
While we don’t anticipate a significant increase in bouncebacks, there are two aspects of the new standard which could result in bouncebacks:

  • TLS enforcement with certificate validation will prevent bad actors from intercepting emails in transit, just as HTTPS does for web traffic. If a bad actor tries to intercept the email, because Gmail enforces MTA-STS, the email will now bounce back, preventing the interception.
  • As Gmail will honor policies set by servers you are sending mail to, there’s a possibility that they have misconfigured their policies or their servers, and that we will not deliver emails as a result. In this case, users will get an email bounceback with details.

New security center MTA-STS recommendations for your domain
If you go to the security health section of the security center for G Suite (Admin Console > Security > Security Health, available to G Suite Enterprise and Enterprise for Education domains only) you’ll see a new “MTA-STS” suggestion. It will tell you whether you have a policy set up, and will highlight misconfigurations in policies.
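
One way to check a domain's MTA-STS deployment for the misconfigurations that lead to bouncebacks, as an added example (it is not Google's code or the security center's logic). Field names and limits follow RFC 8461; the domain example.com, the record values and the MX hosts are constructed placeholders, and fetching the TXT record and policy file is left to the caller.

```python
"""Lint an MTA-STS deployment (RFC 8461): TXT record, policy file, MX coverage."""
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds


def parse_txt_record(txt):
    """Parse the TXT record published at _mta-sts.<domain> into a dict."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_policy(text):
    """Parse the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())  # mx may repeat
        else:
            policy.setdefault(key, value)       # other keys: first one wins
    return policy


def mx_matches(pattern, host):
    """True if an MX host name is covered by one mx pattern from the policy."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        _, _, parent = host.partition(".")
        return parent == pattern[2:]
    return host == pattern


def lint(txt_record, policy_text, mx_hosts):
    """Return a list of human-readable findings; an empty list means no issue."""
    findings = []
    txt = parse_txt_record(txt_record)
    if txt.get("v") != "STSv1":
        findings.append("TXT record: v must be STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", txt.get("id", "")):
        findings.append("TXT record: id must be 1-32 letters or digits")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        findings.append("policy: version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        findings.append("policy: mode must be enforce, testing or none")
    max_age = policy.get("max_age", "")
    if not re.fullmatch(r"[0-9]{1,10}", max_age) or int(max_age) > MAX_AGE_LIMIT:
        findings.append("policy: max_age must be an integer <= %d" % MAX_AGE_LIMIT)
    if mode != "none" and not policy["mx"]:
        findings.append("policy: at least one mx pattern is required")
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            effect = ("senders honoring the policy will not deliver to it"
                      if mode == "enforce" else "it would fail under enforce mode")
            findings.append("MX host %s matches no mx pattern; %s" % (host, effect))
    return findings


# Constructed sample data for the placeholder domain example.com.
SAMPLE_TXT = "v=STSv1; id=20190410T000000;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.com
max_age: 604800
"""
SAMPLE_MX = ["mail.example.com", "a.mx.example.com", "backup.example.net"]

if __name__ == "__main__":
    for finding in lint(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX):
        print(finding)
```

Running the linter with a policy in `testing` mode before switching to `enforce` surfaces an uncovered MX host without any mail being refused.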




Availability

Rollout details


G Suite editions

  • All G Suite customers can define MTA-STS policies.
  • MTA-STS policy suggestions in the security center are available to G Suite Enterprise and G Suite Enterprise for Education customers only.

On/off by default?

  • MTA-STS policies for your domain will be OFF by default and can be enabled at the domain level.
  • MTA-STS policy suggestions in the security center will be ON by default.



Increase trust in cloud data security with Access Transparency

This announcement was made at Google Cloud Next ‘19 in San Francisco. Check out Next OnAir to tune into the livestream or watch session recordings following the event.


What’s changing 

We’re making Access Transparency for G Suite generally available. Access Transparency enables you to get more visibility into actions taken by Google staff related to your data. You can view the reason for each access, including references to specific support tickets where relevant, which may help you support your audit requirements.

Access Transparency is available to G Suite Enterprise and G Suite Enterprise for Education customers only.

Who’s impacted 

Admins only

Why you’d use it 

At G Suite, we work hard to earn and maintain trust with our customers. Access Transparency supports this commitment to customer trust by giving you fine grained logs of actions taken by Google staff and the reason for each access, including references to specific support tickets where relevant.

Access Transparency may help you:
  • Verify why Google is accessing your data, such as fixing a fault or attending to your requests. 
  • Bring your audit controls closer to what you can expect on premise. 


How to get started 




A sample view of the new report for G Suite Access Transparency

Additional details 

Access Transparency will allow admins to:

  • View the reason for data access, including references to specific support tickets where relevant. 
  • Verify why Google staff is accessing your data, such as fixing a fault or attending to your requests. 
  • View and download logs to help you support your regulatory audits or data archival needs, showing extensive information such as accessor location, access justification, and the action taken on a specific resource. 






Availability 

Rollout details 

  • Rapid Release domains: Extended rollout (longer than 15 days for feature availability) starting on April 20, 2019. 
  • Scheduled Release domains: Extended rollout (longer than 15 days for feature availability) starting on April 20, 2019. 


G Suite editions 

  • Available to G Suite Enterprise and G Suite Enterprise for Education editions only.
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits 


On/off by default?

  • This feature will be ON by default.



Enhancing data regions by supporting more data types and products

This announcement was made at Google Cloud Next ‘19 in San Francisco. Check out Next OnAir to tune into the livestream or watch session recordings following the event.


What’s changing 

G Suite’s globally distributed cloud infrastructure reduces latency and protects data with geo redundancy. Therefore, most organizations choose not to geo-restrict their data. However, some organizations have preferences around where their data is stored at rest. To serve this need, last July, we introduced data regions allowing you to choose the regions where covered G Suite data at rest is stored - globally distributed, US or Europe. We’re now launching enhancements to data regions with two key updates:

  • Coverage for Backups: Backup data for covered Apps is now included. 
  • Coverage for additional products: Forms’ and new Sites’ covered data is now included. 


Who’s impacted 

Admins only

The expanded product and data coverage will not alter any previous settings you may have configured. Your existing settings will be applied to the additional apps and data types covered with this release. As with the prior release, there is no impact to your end users.

Why you’d use it 

Data regions has been built keeping in mind the requirements of a geographically dispersed organization. With data regions, you can create as many organizational unit-specific regions as you want with no minimum seat requirements. Your end users don’t have to deal with downtime and continue to enjoy full edit capabilities of all files, even during a data move. Additionally, when file ownership changes happen, or users switch OUs, covered data is moved dynamically according to your settings.

How to get started 




Additional details 

To ensure visibility into your data move progress, there will be a new ‘Backups’ tab in the data regions dashboard (Admin console > Dashboards). The tab shows a breakdown of the Backup data move progress for each of the covered products. See image below for an example of the new dashboard view.






Availability 

Rollout details



G Suite editions 

  • Available to G Suite Business, G Suite Enterprise, G Suite Enterprise for Education and Drive Enterprise 
  • Not available to G Suite Basic, G Suite for Education, and G Suite for Nonprofits 


On/off by default?

  • For customers already using data regions, expanded product and data type coverage will automatically be supported according to the pre-established settings. 
  • For customers not using data regions, it will be OFF by default and can be enabled on the Company Profile page at individual OU levels.




Dynamically control G Suite access with context-aware access beta

This announcement was made at Google Cloud Next ‘19 in San Francisco. Check out Next OnAir to tune into the livestream or watch session recordings following the event.


What’s changing 

We’re launching a beta program that enables G Suite admins to dynamically control access to G Suite apps based on a user’s identity and the context of their request (device security status, IP address, etc.). Members of the beta will be able to:

  • Set up different access levels based on a user’s identity and context of the request.
  • Use granular controls for different organizational units (OU) 
  • Control access to several G Suite apps by setting different policies for the different access level profiles that have been set up 

Who’s impacted 

Admins only

Why you’d use it 

Currently G Suite admins can turn access to apps and services on or off for specific OUs or groups of users. This beta will provide more dynamic controls, so you can take into account contextual signals, such as device security status or IP address, to control access to those apps and services. Examples of access controls that can be set up through the context-aware access beta include:

  • Only users from a corporate-owned device and a corporate IP address can access Google Drive.
  • Only a “High Trust” group can access Google Drive when not on a corporate IP address. 
  • Only users from an encrypted device with a screen lock enabled can access Gmail. 

How to get started 


  • Admins: This is an opt-in beta. Admins can opt in by changing their security settings at Admin console > Security > Context-Aware Access.
  • End users: No action needed


Additional details 

In the beta, context-aware access will only be configurable for Gmail, Calendar, Drive, Docs, Sheets, Slides, Forms, Sites, and Keep. You’ll be able to use the following contextual signals to control access:

  • IP Subnet (specific IPv4 or IPv6 address) 
  • Device policies as reported through the Endpoint Verification extension, including whether a device password is active, device encryption status, minimum OS versions, and company-owned devices. 

You can apply policies by OU or to the whole domain, and all admin activity is logged in audit logs in the Admin console > Reports > Admin view.

Availability 

G Suite editions 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free.



Use an Android phone as a security key for 2-Step Verification

This announcement was made at Google Cloud Next ‘19 in San Francisco. Check out Next OnAir to tune into the livestream or watch session recordings following the event.



What’s changing

We’re adding an option to use your Android phone’s built-in security key for multi-factor authentication in G Suite. All phones running Android 7.0+ (Nougat) have a built-in key which can be activated. This means your users can use existing phones as a primary 2-Step Verification method to protect against phishing. Using a phone as a security key is currently offered in beta.

Who’s impacted 

Admins and end users

Why you’d use it 

2-Step Verification greatly improves the security of your account by adding another layer to your account security and making it more resistant to phishing attacks. By adding the option of using your Android phone’s built-in security key, we’re expanding access to a phishing-resistant 2-Step Verification method in a convenient form: your phone. This can make it faster for you to implement 2-Step Verification in your organization while keeping user training and overall costs to a minimum.

Previously, in order to protect your users against password phishing, the only option was to use a security key fob. With this beta, their mobile phone can be that security key.

How to get started 




Additional details 


  • Available to G Suite, Cloud Identity, GCP customers, and personal Google Accounts. 
  • Available on phones running Android 7.0+ (Nougat) with Google Play Services. 
  • Compatible with Bluetooth-enabled Chrome OS, macOS X, or Windows 10 devices with a Chrome browser. 



2-Step Verification on a Pixel 3 





Availability 

Rollout details



G Suite editions 

  • Available to all G Suite editions in beta. 


On/off by default? 

  • If 2-Step Verification or Security Key Enforcement is turned on for an organization, Android phones will be available as an option for security keys by default.



Increase email security with the security sandbox for Gmail beta

This announcement was made at Google Cloud Next ‘19 in San Francisco. Check out Next OnAir to tune into the livestream or watch session recordings following the event.

What’s changing 

Security sandbox for Gmail (beta) detects the presence of previously unknown malware in attachments by virtually "executing" them in a private, secure sandbox environment, and analyzing the side effects on the operating system to determine malicious behavior.

Email attachments are detonated within a sandbox in exactly the same way as they would be if an actual user had clicked on them. This is done in a matter of minutes prior to the delivery of the email, and provides users with an extra layer of security. Security sandbox has been developed with a focus on providing coverage against malware propagated through malicious embedded scripts and zero-day threats. The security sandbox for Gmail beta will provide:

  • Granular admin controls for rules to trigger pre-delivery deep scanning and quarantine behavior for potentially malicious emails 
  • Reporting through the G Suite security center 

Who’s impacted 

Settings impact admins only. If turned on, users may notice a delay of a few minutes in the delivery of affected mail due to scanning time.

Why you’d use it 

Security sandbox provides an additional level of anti-malware protection over and above conventional detection. By virtually opening an attachment in a secure environment that can analyze the effects on the target operating system, it’s better able to detect ransomware, sophisticated malware propagated through embedded scripts (like files containing macros or .js files), and zero-day threats. 

How to get started 

  • Admins: Find and turn on the beta security sandbox feature at Admin console > Menu > Apps > G Suite > Gmail > Advanced settings. Use our Help Center to find more information on how to detect harmful attachments
  • End users: No action needed 



Additional details 

Granular admin controls 
If desired, admins will be able to set up custom rules to control which messages are tested in the security sandbox. If custom rules are not applied, all messages with attachments sent to the OU will be checked in the sandbox. Rules can be customized for each organizational unit (OU). Admins can also decide what to do with messages that have malware. Malware detected by Security Sandbox is put in the spam folder by default. You can quarantine malware attachments detected by Security Sandbox instead. Create a content compliance rule using the spam metadata attribute.


Availability 

Rollout details 



G Suite editions 

  • Available to G Suite Enterprise and G Suite Enterprise for Education 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits 


On/off by default? 
This feature will be OFF by default and can be customized at an OU level.



Advanced phishing and malware protection for Gmail beta

This announcement was made at Google Cloud Next ‘19 in San Francisco. Check out Next OnAir to tune into the livestream or watch session recordings following the event.


What’s changing 

We’re launching a beta program to provide admins with even more controls for advanced anti-phishing and malware protections via the advanced safety settings in Gmail. These build on the advanced protections we announced in 2018. Admins who are part of the beta will have new controls to:

  • Place emails into a quarantine - Route emails that match phishing and malware controls to a new or existing quarantine. This will be available for new and existing controls. 
  • Protect against anomalous attachment types in emails - Identify emails with unusual attachment types and choose to automatically display a warning banner, send them to spam, or quarantine the messages. 
  • Protect your Google Groups from inbound emails spoofing your domain - Identify unauthenticated emails potentially spoofing your domain and choose to automatically display a warning banner, send them to spam, or quarantine the messages. 


In addition to the new controls, we’ll also update the interface to make it easier to see what settings you have applied and understand what actions you’re taking as a result of each control.

Who’s impacted 

Admins only

Why you’d use it 

By adding more specific controls, including the ability to quarantine potentially risky messages, we hope to enable admins to optimize protections for their organization. This will help reduce threats and increase the security of your data while making the experience as simple as possible for your users. 

How to get started 


  • Admins: Find and turn on the beta features at Admin console > Menu > Apps > G Suite > Gmail > Safety. You’ll find new options to turn on anomalous attachment and groups spoofing protections, and see the quarantine option available for all controls. Use our Help Center to learn more about how to enhance phishing and malware protection
  • End users: No action needed 


Additional details 

Place emails into a quarantine 

All the advanced safety settings for Gmail now let you quarantine emails more easily. Choose to move any email that meets certain criteria to a pre-existing quarantine, or create a new quarantine for such messages. Use our Help Center to find out more about email quarantines.



Protect against anomalous attachment types in emails 

Less common file types as email attachments are often used to spread malware. However, different domains might have legitimate uses for uncommon file types. Therefore we’re giving admins more control over how to handle emails with these files attached.

What is identified as an anomalous attachment will be automatically customized for each domain. An intelligent algorithm determines which file types your domain commonly receives and will model the detection based on that. For example, a specific file type may be commonly used on Domain A, but not on Domain B. If both domains had the "Anomalous Attachment" setting enabled, an email with this file type attached would be flagged for Domain B, but not Domain A.

You can see which file types are filtered for your domain by going to the security center’s suspicious attachments chart, filtering by "Anomalous Attachments" and then looking at "Attachment Extensions" (available to G Suite Enterprise and Enterprise for Education domains only).

Admins will be able to:

  • Turn the uncommon attachment type detection on or off. 
  • If turned on, choose whether to keep relevant emails in the user’s inbox with a warning banner displayed, send emails to spam automatically, or move emails to quarantine. 
  • While we expect the anomalous attachment customization described above to work well, if needed admins can whitelist specific uncommon file types they don’t want identified. 

Admin controls for unusual attachment types 


Protect your Groups from inbound emails spoofing your domain

External senders can spoof emails to appear as if they come from your domain, using the same protocols that enable many legitimate systems to send email. This setting extends your options to control potential spoofing emails by preventing spoofed messages from posting to Google Groups on your domain. Use our Help Center to find out more about spoofing. Admins in the beta will be able to:

  • Turn the Groups spoofing protection on or off. 
  • If turned on, choose whether to keep relevant emails in the user’s inbox with a warning banner displayed, send emails to spam automatically, or move emails to quarantine (if available). 
  • Choose whether to apply the settings only to Private Groups (groups with specifically limited membership or intended for organization members only) or All Groups (Private Groups + ones without restricted membership) 

Admin controls for inbound email spoofing protections 

Availability 

Rollout details 



G Suite editions
Controls are available to all G Suite editions. The chart to view affected emails is part of the security center and so is available to G Suite Enterprise edition only.

On/off by default?
This feature will be OFF by default.


Better manage threats and collaborate in new security center beta

This announcement was made at Google Cloud Next ‘19 in San Francisco. Check out Next OnAir to tune into the livestream or watch session recordings following the event.


What’s changing 

We’re launching a beta program to make it easier to assess your organization’s exposure to security issues and collaborate with colleagues to remediate them. The beta will add features to the G Suite security center which help you:

  • Save and share investigations in the security investigation tool 
  • Create rules within the security center to perform automated actions 

Find out more and sign up for the new security center beta here.

This beta will also allow you to send notifications to the alert center, where teams of admins and analysts can work together to take ownership of alerts and update status as they work through security investigations. For more information on the latest updates to the alert center, see this announcement.

Who’s impacted 

Admins only


Why you’d use it 

The G Suite security center already helps you protect your organization with security analytics and best practice recommendations from Google. It provides a unified security dashboard, a tool to investigate and remediate threats, and more. These features in the beta will make it easier to assess and manage threats by adding automated actions, improved tracking, and more to help your whole team understand and improve your security posture.


How to get started 

Additional details 

Save and share investigations 
We want to make sure admins are able to work together and collaborate to assess their organization’s exposure to security issues. With this beta launch, admins can now save their investigations in the security investigation tool and share them with other admins to improve collaboration.

Create rules and set up automated actions and alerts 
Admins can also create automated rules to perform remediative actions or send notifications to the alert center, where teams of admins and analysts can work together to take ownership of alerts and update status as they work through security investigations.


Availability 

G Suite editions 
Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium.
Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits.

On/off by default? 
This will be OFF by default and only available to domains that sign up for the beta.

