Tag Archives: Security and Compliance

Extending Trusted Types to Gmail

What’s changing

Last year, we improved the client-side security of Google Docs, Sheets, Slides, Forms, Sites, Drawings, Drive, and Calendar with Trusted Types. This browser-based runtime feature restricts how the apps listed above, and any third-party extensions, may pass values to injection-prone Document Object Model (DOM) APIs. Trusted Types thereby reduce the risk of DOM-based Cross-Site Scripting (DOM XSS), which remains one of the most critical threats to web security.

DOM XSS occurs when an attacker injects malicious code into a web page, which is then executed by the victim's browser. This can allow the attacker to steal cookies, hijack sessions, and even take control of the victim's computer.

To defend against this, we’re excited to announce the expansion of Trusted Types to Gmail. This provides a defense against DOM XSS and further enhances our advanced data protection controls to keep users and data safe across more of the apps they use every day.


Who’s impacted 

Developers relying on any Chrome extensions that modify DOM APIs.


Additional details 

This new enforcement mode will require third-party extensions to use typed objects instead of strings when assigning values to DOM APIs. Once Trusted Types are fully enforced, the Trusted Types directive will be present in the Content Security Policy (CSP) header: 

Content-Security-Policy: require-trusted-types-for 'script';report-uri https://mail.google.com/mail/cspreport 


Getting started 

  • Admins: There is no admin control for this feature. 
  • Developers: 
    • To make code Trusted Types compliant, signal to the browser that data being used within the context of these DOM APIs is trustworthy by creating a Trusted Type special object. 
    • There are several ways to be Trusted Types compliant, such as removing the offending code, using a library (such as safevalues or DOMPurify), or creating a Trusted Types policy. To ensure a seamless experience for users, we recommend employing these techniques before Trusted Types enforcement is rolled out. Failure to make code Trusted Types compliant may cause feature breakages for third-party extensions as their DOM manipulations will be blocked by the browser. 
  • End users: There is no end user setting for this feature. 
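The following is an added example, not code from Google or from Gmail, showing what "Trusted Types compliant" means in practice for the CSP header quoted above: a DOM write that used to assign a raw string is routed through a Trusted Types policy whose createHTML rule sanitizes the input, and a listener surfaces enforcement violations during rollout. The policy name "ext-sanitizer", the function names, the tag allowlist and the small shim that stands in for window.trustedTypes outside a browser are all assumptions made for this example.

```javascript
// Added example (not Google's code): making a DOM write Trusted Types compliant.
// Assumes a page served with
//   Content-Security-Policy: require-trusted-types-for 'script'
// and a policy name "ext-sanitizer" chosen here for illustration.
// Outside a browser (e.g. Node), a small shim stands in for window.trustedTypes
// so the policy logic can be exercised and tested offline.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape everything, then re-enable a tiny allowlist of attribute-free tags.
// Only the exact escaped forms "&lt;b&gt;", "&lt;/b&gt;" etc. are turned back
// into tags, so no attribute (onerror=, href=javascript:) can survive.
// (Illustrative allowlist; a real extension would use a library such as
// DOMPurify or safevalues, as the announcement recommends.)
function sanitizeHtml(input) {
  const escaped = String(input).replace(/[&<>"']/g, (c) => ESCAPES[c]);
  return escaped.replace(/&lt;(\/?)(b|i|em|strong|p|br)&gt;/g, '<$1$2>');
}

// Minimal stand-in for the browser's trustedTypes factory, used only when the
// real one is absent. Real TrustedHTML objects likewise stringify to the HTML.
function trustedTypesFactory() {
  if (globalThis.trustedTypes && globalThis.trustedTypes.createPolicy) {
    return globalThis.trustedTypes;
  }
  return {
    createPolicy(name, rules) {
      return {
        name,
        createHTML(input) {
          const html = rules.createHTML(input);
          return { toString: () => html };
        },
      };
    },
  };
}

// A policy wraps the sanitizer. Under enforcement the browser only accepts the
// object this policy returns as a value for innerHTML and similar sinks.
function createSanitizingPolicy(name = 'ext-sanitizer') {
  return trustedTypesFactory().createPolicy(name, { createHTML: sanitizeHtml });
}

const policy = createSanitizingPolicy();

// Before: blocked under enforcement (and a DOM XSS sink without it):
//   el.innerHTML = untrustedString;
// After: the assigned value is a TrustedHTML produced by the sanitizing policy.
function renderUntrusted(el, untrustedString) {
  el.innerHTML = policy.createHTML(untrustedString);
  return String(el.innerHTML);
}

// Detection aid during rollout: blocked sink writes surface as
// securitypolicyviolation events in the page (and, per the header above, as
// reports sent to the configured report-uri). Returns false outside a browser.
function watchTrustedTypeViolations(onViolation) {
  if (typeof document === 'undefined') return false;
  document.addEventListener('securitypolicyviolation', (e) => {
    if (e.violatedDirective.startsWith('require-trusted-types-for')) {
      onViolation({ sample: e.sample, source: e.sourceFile, line: e.lineNumber });
    }
  });
  return true;
}
```

A practical way to find every offending write before enforcement lands is to ship the same directive in a Content-Security-Policy-Report-Only header first and collect the reports; once the remaining policies are known, a trusted-types directive naming only those policies (for example trusted-types ext-sanitizer) stops an injected script from creating its own permissive policy.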


Availability 

  • Available to all Google Workspace customers and users with personal Google Accounts 

Google Workspace Updates Weekly Recap – December 15, 2023

2 New updates

Unless otherwise indicated, the features below are available to all Google Workspace customers, and are fully launched or in the process of rolling out. Rollouts should take no more than 15 business days to complete if launching to both Rapid and Scheduled Release at the same time. If not, each stage of rollout should take no more than 15 business days to complete.


We have begun enforcing 2-step verification for all admin accounts 
Two-step verification (2SV) is a critical security measure that has been proven to reduce password-based hijacking by more than 50%. We are committed to protecting the security of our users and are taking additional steps to help customers guard against data compromise and prevent account takeovers.

We have begun enforcing 2SV for all admin accounts and will continue this enforcement on an ongoing basis. As of December 2023, this change is already in effect for some customers. When this goes into effect for your organization, you will receive the following notifications:
  • 30 days prior to enforcement in your domain: Super admins will receive various email and in-app notifications informing them of the forthcoming enforcement, encouraging them to verify their admins’ 2SV status. 
  • Once enforcement goes into effect in your domain: All admins will receive email and in-app notifications upon signing into their accounts for the next thirty days. If they do not enable 2SV within this time period, they will be locked out and will need to follow these steps to recover an administrator account.
We highly encourage all administrators to turn on 2SV as soon as possible. Visit the Help Center for more details and further guidance.



Dynamic groups limit increased to 500 
We’re increasing the number of dynamic groups a customer can have from 100 to 500. Dynamic groups are defined as groups whose membership is managed automatically based on specific criteria, such as a user’s department or location. This increase gives admins more flexibility to create dynamic groups as needed and cuts down on manual group management tasks that would otherwise be required. | Rolling out now to Rapid Release and Scheduled Release domains at a gradual pace (up to 15 days for feature visibility). | Available for Google Workspace Frontline Standard, Enterprise Standard and Enterprise Plus, Education Standard and Education Plus, Enterprise Essentials Plus, and Cloud Identity Premium customers only. | Learn more about dynamic groups.


Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Meet Add-ons SDK available in Developer Preview 
The Google Meet Web Add-ons SDK is available through our Developer Preview Program. Developers can use the SDK to bring their app experience right into Meet. End users can install, open, and collaborate in apps right inside a meeting, either as the meeting focal point, or in the sidebar — all without ever leaving Meet. | Learn more about Meet Add-ons SDK.

Huddly cameras bring continuous framing to Google Meet Series One room kits 
As part of our initiative to bring adaptive framing to Google Meet meeting rooms, we’re proud to announce that you can now access Huddly’s continuous framing capability available as part of the Series One room kit hardware devices. | Available to all Google Workspace customers using Google Meet Series One room kits only. | Learn more about Google Meet Series One.

Record and share your name pronunciation across Google Workspace products 
From your Google account settings, you can now record your name and share its pronunciation with other users. The pronunciation can be played from your profile card across various Google Workspace tools such as Gmail or Google Docs on web or mobile devices. | Available to Google Workspace Business Starter, Business Standard, Business Plus, Essentials Starter, Enterprise Essentials, Enterprise Essentials Plus, Enterprise Standard, Enterprise Plus, Frontline Starter, Frontline Standard, and Nonprofits customers only. | Learn more about name pronunciation. 

Easy access to people, documents, building blocks and more in Google Docs 
When moving to a blank line within your Doc, you will see an “@” button with the option to select, search and insert smart chips, such as people, dates, timers, or files, building blocks, calendar events, groups and more. | Learn more about bringing smart canvas features to the forefront of your workflow

Excuse assignments in Google Classroom 
Teachers can mark an assignment for a particular student as “Excused” instead of giving it a 0-100 score. This will exclude that particular assignment from the student’s overall grade. | Learn more about excusing assignments. 

Introducing interactive questions for YouTube videos in Google Classroom 
Educators can now turn any YouTube video into an interactive lesson by adding questions for their students to answer throughout the video. | Available to Education Plus and the Teaching and Learning Upgrade only. | Learn more about interactive videos. 

Introducing the Bitbucket app for Google Chat 
We’re adding Bitbucket for Google Chat. Bitbucket is a Git-based code and CI/CD tool optimized for teams using Atlassian’s Jira. | Learn more about Bitbucket app for Google Chat. 

Use “Profile Discovery” to display basic information only in search results, available in open beta 
Google Workspace admins can now turn on “Profile discovery” for their users. When turned on, users can customize how they appear across Google products to people who search for them by their phone number or email. Specifically, you can choose how you want your name to be displayed and how your profile picture will be displayed. | Learn more about Profile Discovery.



For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Custom notifications for Google Chat data loss prevention rules are now generally available

What’s changing 

Earlier this year, we announced the beta availability for admins to display custom notifications when a Google Chat message is blocked or intercepted based on data loss prevention rules. Beginning today, this feature will become generally available on web and mobile. 


Custom notifications give admins the opportunity to provide their users with more context about why they were blocked from sending a specific message, what they can do to unblock themselves, and include links to additional resources, such as organization guidelines for sensitive data with actionable recommendations. For more information, please reference our original announcement.

Getting started

  • Admins: 
    • Custom notifications can be set per each data protection rule at the domain, Organizational Unit (OU), or group level. 
    • When creating a rule, in Step 4: Actions, under “User Message”, select “customize message”. Custom notifications can also be applied to existing DLP rules. If admins do not customize the notification, the generic notification will be shown to users.
    • Visit the Help Center to learn more about preventing data leaks from Chat messages & attachments.


  • End users: There is no end user action required. Depending on your admin settings, you’ll see more detailed information if you’re trying to send a Google Chat message that meets conditions defined in a data loss prevention rule.


Availability

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard, the Teaching and Learning Upgrade, Education Plus, and Frontline Standard customers
  • DLP for Chat is also available to Cloud Identity Premium users who are also licensed for Workspace editions that include Google Chat and Audit and investigation. Visit the Help Center for more information. 

Turn on snippets for additional context surrounding data loss prevention rule violations

What’s changing 

Admins can now view “Sensitive Content Snippets” for data loss prevention (DLP) rules. This applies to DLP events for Drive, Chat, and Chrome. When turned on, snippets will log the matched content that triggered a DLP violation in the security investigation tool. Admins can use the information captured in the snippet to better identify actual security risks, determine whether a false positive was returned, and decide on an appropriate course of action.

Getting started

  • Admins: 
    • Make sure any admins who need to review the snippets have the "view sensitive content" privilege. Only super admins have the ability to hide or unhide sensitive data.

    • This feature will be OFF by default and can be turned on in the Admin console by going to Security > Data Protection > Data Protection Settings > Sensitive Content Storage.
      • To view snippets in the security investigation tool, select any row from the “Description column” and scroll down to “Sensitive Content Snippets”. Here you’ll see the matched detector ID, the matched content starting character, and the matched content length.

    • Visit the Help Center to learn more about viewing content snippets that trigger DLP rules, using Workspace DLP to prevent data loss, and the security investigation tool.

  • End users: There is no end user impact or action required.

Availability

  • Available to Google Workspace Frontline Standard, Enterprise Standard and Enterprise Plus, Education Fundamentals, Education Standard, Teaching and Learning Upgrade, Education Plus, and Enterprise Essentials Plus customers
  • Also available to Cloud Identity Premium and BeyondCorp Enterprise customers

Set client-side encryption as the default mode for new emails, events, and files

What’s changing

Admins can now set client-side encryption (CSE) to be on by default for:

  • Newly created Gmail messages and Google Calendar events.
  • Newly created Google Docs, Sheets, and Slides files.
  • Newly uploaded Google Drive files.

Admins can set client-side encryption as default on for users in Organizational Units (OUs) that regularly handle sensitive data requiring additional encryption. This gives organizations the flexibility to meet their compliance and regulatory requirements and reduces the burden on change management programs. Users are prompted to create a CSE object natively in each app, meaning their emails, events and files are encrypted by default with customer-managed keys and are private from Google. For organizations with strict regulatory or sovereignty needs, this can help close compliance gaps by defaulting users to the preferred mode for handling sensitive data.


This is available on the web initially, with support coming for mobile apps in the future. 

Who’s impacted

Admins and end users


Why it matters

This feature is important for Google Workspace admins as it improves users’ compliance behavior without sacrificing productivity and increases control for admins implementing data control policies. It also includes improved audit logs, providing more detail for admins compiling regulatory compliance reports.

Workspace already uses the latest cryptographic standards to encrypt data by default, at rest and in transit between our facilities. Client-side encryption goes beyond this, giving organizations authoritative control and privacy as the sole owner of private encryption keys and the identity provider of the encryption keys. It gives organizations higher confidence that any third party, including Google and foreign governments, cannot access their confidential data. Users can continue to collaborate across their preferred apps in Workspace while IT and compliance teams can ensure that sensitive data stays compliant with regulations. 


Availability

  • Google Workspace Assured Controls is available as an add-on to Google Workspace Enterprise Plus customers only. For more information, contact your Google account representative.

Admins in Google Vault can now export hyperlinked Google Drive content from Gmail messages

What’s changing 

Starting December 8, 2023, admins can export Drive files hyperlinked in Gmail messages directly in Google Vault. When admins select “export linked Drive files”, Vault will look for Drive hyperlinks in the body of the emails being exported from Gmail. If Drive hyperlinks are found, a separate export of Drive files will also be created.


Toggle “Export linked Drive files” on or off



In the “Exports” tab, Drive exports will be grouped with their corresponding Gmail export — you can select the arrow icon to open the collapsible menu.






Admins will be able to find their exported hyperlinked Drive content nested under the corresponding Gmail export in the “Export” tab. Vault admins can find the association between the Gmail export and the Drive link export in the export file names and metadata.


Who’s impacted 

Admins 


Why it matters 

Vault is critical for retaining, holding, searching, and exporting users’ Google Workspace data. This update reduces the need for admins to manually find and extract Drive files hyperlinked in Gmail messages. 

Availability 

  • Available to Google Workspace Business Plus, Enterprise Essentials, Enterprise Essentials Plus, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus customers or customers with the Vault add-on license

Monitor insider risk of Google Workspace data with Chronicle

What’s changing 

Admins can now integrate their Google Workspace data with Chronicle (Google’s cloud-native security operations platform) more seamlessly, to quickly detect, investigate and act on risky activity and threats. The integration reduces the time spent syncing data from Workspace to Chronicle and gives admins access to Chronicle’s curated, preconfigured out-of-the-box detections.




Who’s impacted

Admins

Why it matters 

As an admin, you can already use the Alert Center to view notifications and take action on potential issues within your domain. Now you can take this a step further by using Chronicle, leveraging its rich risk management capabilities and recommendations:
  • Chronicle can help detect and investigate potential threats at every level of sophistication by monitoring your data in real time. 
  • Data insights are available at your fingertips, with rich context and visualization alongside industry best recommendations, helping you make better decisions faster. 
  • Further, you can deploy Chronicle’s out-of-the-box use cases, helping to cut down on time spent building rules and playbooks. 
  • You can also build and automate repeatable playbooks with full-fledged security orchestration, automation and response capabilities (SOAR).

Rollout pace

  • This feature is available now.

Availability

  • Available to Google Workspace Enterprise Standard and Enterprise Plus customers 

Updates for managing iOS devices: user enrollment is now supported; purchase and distribute apps using the Apple Volume Purchase program

What’s changing 

We’re expanding mobile device enrollment options for iOS devices to include user enrollment. User enrollment separates work and personal data on iOS devices, giving admins control over Workspace data on the device while users retain privacy over their personal data. 


Additionally, admins can use the Apple Volume Purchase Program (VPP) to purchase and distribute apps in bulk to user-enrolled iOS devices in their organization.


Who’s impacted 

Admins and end users 


Why you’d use it 

Managing how Workspace data is accessed is a cornerstone of security. The new user enrollment option ensures end users can keep their personal data separate from their work data, while admins can ensure their users are using and accessing apps appropriately. 


Using the VPP, admins can efficiently curate a suite of work-related apps—both free and paid—for their team. This streamlined process not only simplifies the deployment of essential business apps but also ensures that employees have access to the right apps they need to be productive and efficient, all within the secure perimeter of our MDM platform.


Getting started

Admins: 
  • Volume Purchasing Program:
    • To begin, admins need to access Apple’s volume purchasing program with their Business Manager credentials. Through the VPP, admins can purchase app licenses that can be distributed to their employees’ devices in bulk.

From the Apple Business Manager, you can purchase app licenses in bulk.


Once purchased, admins will need to download the content token, which needs to be uploaded into the Admin console.


VPP tokens can be uploaded in the Admin console at Devices > Mobile and endpoints > iOS settings > Apple Volume Purchase Program (VPP).


For complete instructions, use this Help Center about distributing iOS apps with Apple VPP and applying settings for iOS devices.

  • End users:

The user enrollment process starts when a user signs in to an app for the first time or signs in to an app again. They’ll be prompted to download the configuration profile, which opens in a web browser with further instructions and information. Once the profile has been downloaded, the user is directed to their device’s settings to complete user enrollment.




Availability

  • Available to Google Workspace Enterprise Plus, Enterprise Standard, Enterprise Essentials, Enterprise Essentials Plus, Frontline Standard, Frontline Starter, Business Plus, Cloud Identity Premium, Education Standard, Education Plus and Nonprofits customers

Understand the impact of Context-Aware Access policies with Monitor Mode

What’s changing 

Admins can now use Monitor Mode to understand the implications of a Context-Aware Access (CAA) policy before deploying it to their end users. Monitor Mode does not block end users; instead, it records how the policy would block user access over time, which admins can review in the CAA audit logs. Monitor Mode is available for Google Workspace, other Google apps, and third-party SAML apps.

Applying Monitor Mode to context-aware access policies

Monitor Mode reports


Who’s impacted

Admins


Why you’d use it 

Before assigning Context-Aware Access levels, it’s critical for admins to understand the impact this will have on their end users. Using Monitor Mode helps admins fully understand the end user impact before deploying them in active mode, which can help avoid disruptions while helping admins make more informed decisions regarding their security strategies. 



Configure Android zero-touch devices directly from the Admin console

What’s changing 

We’re integrating the Android Zero-Touch iFrame with the Admin console for a better, more seamless experience for admins. Zero-touch devices are devices that have been purchased from zero-touch resellers and are used in company-owned mode.

Directly from the admin console, admins will be able to: 
  • Set Google Workspace provided configurations for zero-touch devices. 
  • Link Workspace accounts with zero-touch accounts, ensuring devices will always enroll under Google endpoint management. They’ll also have the ability to unlink accounts if needed. Note that one Workspace account can be linked to multiple zero-touch accounts, but a zero-touch account can be linked to only one Workspace account.
In the Admin console, navigate to Devices > Mobile & endpoints > Settings > Enrollment > Android Zero touch 



Who’s impacted

Admins


Why you’d use it 

This update makes it easier for admins to specify a zero-touch configuration for their company-owned devices directly from the Admin console. For enterprise mobility management (EMM) partners, it also minimizes the number of Google APIs and portals they need to interact with. Zero-touch devices will always enroll an account according to the GEM-provided configuration: users cannot bypass this, even if they factory reset the device.

We strongly recommend that you continue to use the Zero-Touch customer portal if you need to:
  • View a list of your zero-touch company owned devices
  • Create more than one custom configuration
  • Set or remove configurations from a device


Availability

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials and Enterprise Essentials Plus, Frontline Starter and Frontline Standard customers.
  • Available to Cloud Identity Premium customers.
