Tag Archives: Security and Compliance

Assign SSO profile to organizational units or groups with the SAML Partial SSO feature, now generally available

What’s changing

Earlier this year, we announced a beta for assigning SSO profiles to organizational units or groups. This feature is now generally available and allows admins to specify groups or organizational units (OUs) to authenticate a subset of your users using Google.

Who’s impacted

Admins

Why it’s important

Currently, when you configure SSO with a third-party identity provider, the setting applies to your entire domain. However, there are some instances where you may want a subset of your users, such as vendors or contractors, to authenticate with Google instead. The Partial SSO feature gives you the flexibility to specify the authentication method for various users in your organization as needed.


Getting started



  • End users: No action required.

Rollout pace


Availability

  • Available to Google Workspace Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus, Frontline, and Nonprofits, as well as G Suite Basic and Business customers
  • Available to all Cloud Identity customers
  • Not available to Google Workspace Essentials customers

Resources


Google Workspace Updates Weekly Recap – November 5, 2021

New updates 

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all Google Workspace and G Suite customers.


Updated emoji experience in Google Chat on iOS
It’s now easier to express yourself more authentically in Chat on iOS. We’re making the following updates to the emoji experience: The Emoji set is updated to the latest version (Emoji 13.1), reflecting the latest emoji set and diversity and inclusion options; Gender-neutral options for gender-modifiable emojis have been added; Emoji skin tone and gender preferences are saved per individual emoji. | Available to all Google Workspace and G Suite customers, as well as users with personal Google accounts.


Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


More easily add citations in Google Docs with new search and automated entry function
When adding citations in Google Docs, you can now search for books and online sources, then automatically populate some attributes for those sources.  | Learn more.



Refine search results in Google Drive with search chips, launching in beta
We’re launching a new beta for Google Drive that will help users refine their search and locate files faster using search chips. This beta will be available for all Google Workspace editions—eligible customers can use this form to express interest in the beta. | Learn more.



Enable advanced context-aware access to Google Workspace in the Admin console
You can now configure context-aware access (CAA) custom access levels using advanced attributes directly from the Google Workspace Admin console. You can use more advanced signals such as time/date restrictions, credential strength, Chrome browser attributes or verified ChromeOS as well as third-party signals via BeyondCorp Alliance partners. | Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus. Also available to Cloud Identity Premium customers. | Learn more.



Google Workspace Client-side encryption beta expanded to include Google Meet and Google Drive for desktop
We’re now expanding the client-side encryption beta to include desktop data for Google Meet and Google Drive. Additionally, key access service APIs are now publicly available for anyone to use. Lastly, we are adding two new Key access service partners (Fortanix, Stormshield) for customers looking for a dedicated partner that integrates with the key access service APIs. | Learn more.



For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Google Workspace Client-side encryption beta expanded to include Google Meet and Google Drive for desktop

What’s changing 

Earlier this year, we announced the beta for Google Workspace Client-side encryption, specifically for Google Drive, Docs, Sheets, and Slides, with support for all file types in Drive including Office files, PDFs, and more. 

We’re now expanding the beta to include desktop data for Google Meet and Google Drive. Additionally, key access service APIs are now publicly available for anyone to use. 

Encryption notice in Meet

Lastly, we are adding two new Key access service partners (Fortanix, Stormshield) for customers looking for a dedicated partner that integrates with the key access service APIs. Previously, we had announced key service partnerships with Flowcrypt, Futurex, Thales and Virtru.

The beta is available to Google Workspace Enterprise Plus and Google Workspace Education Plus customers—eligible customers can now apply for the beta here. Important note: Customers who are already participating in the beta will have to reapply for access to the Google Meet and Google Drive for desktop functionality, but you will be able to reuse your key service configuration.

Who’s impacted 

Admins and developers 

Why it’s important 

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. With Client-side encryption, we’re taking this a step further by giving customers direct control of encryption keys and the identity provider used to access those keys. This can help you strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs. 

When using Client-side encryption, customer data is indecipherable to Google. Customers can create a fundamentally stronger privacy posture to comply with regulations like ITAR and CJIS or simply to better protect the privacy of their confidential data.

Read our announcement post to learn more about this beta and our plans for Client-side encryption across Google Workspace. 

Additional details 

If you are looking to choose a key service access partner, Flowcrypt, Fortanix, Futurex, Stormshield, Thales, and Virtru have built tools in accordance with Google’s specifications and provide both key management and access control capabilities. Your partner of choice holds the key to decode encrypted Google Workspace files, and Google cannot access or decipher these files without this key. 

If you prefer to build or integrate your own in-house key services, we have published the key access service API specifications that can be used with Client-side encryption. 

Getting started 

Availability 

  • Available to Enterprise Plus and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers. 

Resources 

Enable advanced context-aware access to Google Workspace in the Admin console

What’s changing 

You can now configure context-aware access (CAA) custom access levels using advanced attributes directly from the Google Workspace Admin console. You can use more advanced signals such as time/date restrictions, credential strength, Chrome browser attributes or verified ChromeOS as well as third-party signals via BeyondCorp Alliance partners.

Who’s impacted 

Admins 

Why you’d use it 

By making more attributes available, and by enabling set up and management of advanced access levels in the Admin console, it will be easier to help ensure your Google Workspace configuration is more secure.

Getting started 

Admin console screen to create an access level

Rollout pace 

Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus. Also available to Cloud Identity Premium customers. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business, and Cloud Identity Free customers. 

Resources 

Google Workspace Updates Weekly Recap – October 29, 2021

New updates 

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all Google Workspace and G Suite customers. 


Updating Gmail "Compose" button for Chat in Gmail users on the web 
Earlier this year, we updated the "Compose" button to a smaller, icon-only button for all users of Chat in Gmail on the web. We've heard from you that the original, larger version of the button is more intuitive and will be going back to that option starting November 3, 2021. | Available to all Google Workspace customers and users with personal Google accounts.




New navigation menus in Google Sites
Site editors can now organize page and external links under new navigation menus. Simply select "New Menu" and add or move pages to allow more flexibility in structuring navigation within your sites. | Available to all Google Workspace customers and users with personal Google accounts.


Previous announcements


The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Enhanced menus in Google Sheets improves findability of key features
We’re updating the menus in Google Sheets to make it easier to locate the most commonly-used features. | Learn more.


Manage and share private iOS apps through Google Endpoint Management
Admins can now upload, manage, and distribute private iOS applications to advanced managed devices. | Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers. | Learn more.


VirusTotal integration with the security investigation tool provides deeper insight into Gmail events
Admins can use the Security Investigation tool to view VirusTotal reports to gain richer information regarding Gmail event logs and use that information to make more informed decisions on protecting their users and data. | Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers. | Learn more.


Improved and updated security menu in the Admin Console
We have updated the “Security” category within the left-hand navigation of the Admin console by adding navigation access to security features previously only accessible from the security settings page, introducing subcategories, and more. | Learn more.


For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

VirusTotal integration with the security investigation tool provides deeper insight into Gmail events

What’s changing

Earlier this year, we announced an integration between VirusTotal and the Alert Center, giving admins the ability to look into security alerts at a deeper level. Beginning today, admins can also use the Security Investigation tool to view VirusTotal reports to gain richer information regarding Gmail event logs and use that information to make more informed decisions on protecting their users and data.


Within the security investigation tool, you select “View VirusTotal report” for a given investigation result.

The report will surface more details about potential security threats.


The Standard version of VirusTotal reports includes the following:

  • File identification: Identifiers and characteristics allowing you to reference the threat and share it with other analysts (file hashes, file type, size, etc).
  • Threat reputation: Maliciousness assessments coming from 70+ security vendors.
  • Threat time spread: Key dates that enable you to understand when a given threat was first observed in-the-wild and how long it’s been active.

The Enhanced version of VirusTotal reports includes additional features such as:
  • Multi-angular detection: Additional threat analysis coming from crowdsourced rule matches and community scoring (for example: YARA, Sigma, and IDS rules).
  • Allowlist information: Useful details to power false positive discarding (National Software Reference Library, Software Distributors, Microsoft Clean Metadata Feed, etc.). 
  • Related indicators of compromise (IOCs): Examples of IOCs include a network infrastructure distributing a malware file, servers acting as a command-and-control for a given threat, first-stage delivery vectors for a file being studied, etc.
  • Interactive threat graph: Graphical format that maps out entire threat campaigns by visualizing the relationships between IOCs.
  • Security-relevant metadata: Includes software publisher information, identification of malicious macros in documents, Android application permissions, etc.
  • In-the-wild details: Geographical and time-spread details for threats, common attacker deception techniques, and more, through VirusTotal submission metadata.
  • Suspicious attribute pivoting: Clickable details in VirusTotal reports, allowing you to explore the global VirusTotal dataset for other threats that share the same properties.

Who’s impacted

Admins


Why it matters

Integrating VirusTotal with existing notifications and warnings surfaced through the security investigation tool provides Admins with richer information regarding potential threats. 

By giving our admins greater context over these threats, they can confidently take swift action to protect their users and data. For example, Admins can use VirusTotal to further investigate inconsistencies with users’ accounts to determine whether their device is infected with a virus. Admins can also use the VirusTotal integration tool to determine whether any shared attachments are malicious and whether the attachment has been seen elsewhere across their organization.


Additional details

VirusTotal provides an investigation layer on top of alerts but isn’t being used directly for detection or alerting. 

Data (file attachment hashes) is only shared to VirusTotal after your admin selects to view the VirusTotal report. No data is otherwise shared.

VirusTotal data is shared with the broader security community. This enables security vendors to collaborate with each other, share important details, and take action to fight security threats.

The VirusTotal report has two versions: Standard and Enhanced. The Standard version is displayed for admins who have the Security Center > VirusTotal > View report privilege, and who have one of the required Google Workspace editions. The Enhanced version is automatically displayed for paid VirusTotal subscribers who have an active virustotal.com login session with their VT Enterprise user account. Visit the Help Center for more information.


Getting started

Rollout pace


Availability

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers

Resources


Integrate Google Chat with a 3rd-party archiving solution

What’s changing 

You can now send an email archive of Google Chat messages to a 3rd party archiving solution. 

For users that have archiving of Chat messages enabled, the 3rd party archiving solution will be able to receive email archives containing 1:1 conversations and conversations in rooms and groups. Content within the Chat message is also archived, such as reactions, Drive links, and file attachments. 

Who’s impacted

Admins and developers

Why it’s important

If you’re required to archive Chat messages for compliance purposes, or are already using a 3rd party archiving solution, you’ll now be able to integrate Google Chat with these 3rd-party partners. 

Getting started 

Turning on third party archiving setting



End users: 

  • There is no end user setting for this feature. 

Rollout pace 

  • This feature is available now for all users.

Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Frontline, and Nonprofits, as well as G Suite Basic and Business customers 

Resources 

New beta to add data loss prevention to Google Chat

Quick launch summary

At Google Cloud Next ‘21, we announced a beta for data loss prevention (DLP) in Google Chat to help prevent sensitive and confidential information from leaking outside of your organization.

Error message shown to users when they try to share sensitive information outside of the organization in Chat
Prevent sensitive data from leaking with the DLP in Chat beta



Adding DLP to Chat enables admins to create custom policies to prevent sensitive data leaks from Chat. Admins can choose to simply audit (monitor) any DLP violations or block end users from sending sensitive content. Admins are alerted about policy violations and can quickly investigate and take action.


DLP in Chat rules in the Admin console
Set up DLP rules in the Admin console


With this beta, you can set all the same policies across Chat, Drive, and Chrome.

You can sign up your organization for the beta using this form.

Getting started


  • Admins: This feature will be OFF by default and, once added to the beta, can be enabled at the domain, OU, or group level. You can create DLP rules in the Admin console under Security > Data Protection. Visit the Help Center to learn more about turning data loss prevention in Chat on for your organization.
  • End users: There is no end user setting for this feature.

Rollout pace


Availability

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard and Education Plus customers
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Frontline, and Nonprofits, as well as G Suite Basic and Business customers

Resources

Updated flows for managing backup codes for 2-step verification purposes

Quick summary 

We’ve made a slight adjustment to how users create and manage backup codes for 2-step verification. Rather than generating or accessing backup codes from the 2-step verification homepage, users will be taken to a dedicated backup codes page.

2-step verification page

Here, users can generate new backup codes or refresh for additional backup codes, and print or download the codes as before. Additionally, we’ve added a new option to delete your backup codes.


Backup codes


This update will be available on web, Android, and iOS devices. 

Getting started 

Rollout pace 

Availability 

  • Available to all Google Workspace customers, as well as G Suite Basic and Business customers 

Resources