Tag Archives: Security and Compliance

New Rules homepage in the Admin console make security simpler

What’s changing

We're making some updates to how you create, view, and manage rules in the Admin console. Specifically we're:

  • Making the Rules homepage available to all Google Workspace customers.
  • Consolidating the rules and security rules pages to make rule discovery and management easier.
  • Introducing a rule templates page, available to Enterprise Standard and Enterprise Plus customers, which helps quickly set up rules for common use cases.
  • Adding one-click rule analysis via the Investigation Tool, available to Enterprise Plus customers.
The new Rules homepage in the Admin console

See below for more information.



Who’s impacted

Admins



Why you’d use it

We hope this makes it easier for admins to decide which rules to proactively implement, to maintain rules through centralized management, and to investigate them through direct Investigation tool integration.


Additional details


On the new Rules homepage, admins can find information about:
  • The benefits of enabling rules with use-case based guidance for managing alerts and email notifications for Google-provided rules. 
  • The benefits of creating custom rules for other use cases including defining alerts for specific audit log events, protecting sensitive content, automating actions on specific activities, and securing devices. 
For Enterprise Standard and Enterprise Plus admins:
We’re introducing a new Rules Templates page. You can customize these pre-made templates to quickly set up rules for common use cases based on best practices. This includes scenarios such as preventing the sharing of sensitive personal, financial, or health information.

For Enterprise Plus customers, we’ve enabled one-click rule analysis of activity and data protection rules with investigation tool integration directly from the list view.



Rollout pace


Availability

New Rules homepage 
  • Available to all Google Workspace customers, as well as G Suite Basic and Business customers

Data protection
  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard, and Education Plus customers
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Frontline, and Nonprofits customers
Device management rules
  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits customers

Activity Rules
  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers
Investigation tool integration
  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers

Restrict third-party API access to Google Workspace and end user data with new app access control

What’s changing 

You can now block all third-party API access to Google Workspace data with a new setting. This complements other available OAuth settings, which help you control which third-party and internal apps access Google Workspace data.

When selected, all third-party apps are denied access to Workspace and end user data, blocking all OAuth 2.0 scopes. This also means that users cannot use their Google Workspace accounts to sign into third-party apps and websites. 

Who’s impacted 

Admins and end users

Why it’s important 

This new setting adds another layer of protection over your Workspace and end user data. Not every third party application has robust security measures in place or conforms to your security policy — by restricting third-party APIs from requesting sensitive information, such as login or email scopes, you can ensure your data and user data stays secure.

When all third-party API access is blocked, an app will not be able to access any Workspace user data across web and mobile. If users try to authorize an untrusted app, they’ll see an authorization error message. Admins can customize this error message if they choose.

Getting started 

Rollout pace 


New recommended DLP rules help protect sensitive data

What’s changing 

To help our customers more easily implement security controls, we will start providing recommended data loss prevention (DLP) rules personalized for your organization. These recommendations are based on the results of your data protection insights report and any rules you’ve already implemented, and will be surfaced in the admin console. 

Each rule that DLP recommends is a fully realized, ready-to-use rule that is preconfigured to warn users on sharing sensitive data. You can use the rules as they are, or edit the rules to customize them for your organization. The rules will only be enforced when you choose to activate them. 


Who’s impacted 

Admins 


Why it’s important 

Protecting your company’s confidential data is critical. DLP rules can give you control over what users can share, and help prevent the unintended exposure of sensitive information. Your data protection insights report can help identify priority areas to address, but creating, testing, and implementing rules can be time consuming.

By generating fully realized, ready-to-use rules recommended based on your organization’s specific situation, we aim to make it easier to add controls and help protect sensitive information within your organization. 

The DLP rule performance charts can help you understand rule performance so you can make any necessary adjustments, and help identify where additional investigation is needed, with one-click integration to the investigation tool where available. 

See recommended rules at Admin console > Security > Data protection 

Getting started 

  • Admins: 
    • To see the recommended rules, go to Admin Console > Security > Data Protection. To view the data protection insights report you must be a DLP admin or an admin that received an email invitation to view the report. 
    • Rule suggestions will be enabled by default for all organizations with a data protection insights report, but rules will not be enforced unless you choose to activate them. Recommended rules will not be available if data protection insights reports are turned off.
    • Visit our Help Center to learn more about how to prevent data leaks with DLP recommended rules.
  • End users: No end user impact. 

Rollout pace 

Availability 

  • Available to Google Workspace Enterprise Standard and Enterprise Plus customers. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Education Plus, and Nonprofits, as well as G Suite Basic and Business customers 

New Assured Controls help support your information governance goals

What’s changing 

Today we’re introducing Assured Controls for Google Workspace Enterprise Plus, an add-on that helps customers control cloud service provider access and attain their information governance goals. 


As part of the Assured Controls feature set, we’ll first roll out Access Management. Access Management enables customers to geographically limit Google staff support actions to U.S. Persons within our Support teams. At launch, Access Management will be limited to accesses that are covered by Access Transparency in Gmail, Google Calendar, Google Docs, Google Drive, Google Sheets, and Google Slides, and will only be supported in the U.S. region. To learn more, contact Google Support or your account representative.


Note that we do not access customer data for any reason other than those necessary to provide support services and fulfill our contractual and legal obligations. When Support access is warranted, Access Management helps customers geographically limit that access. 


For more information on this and other Google Workspace Security launches, see our Cloud Blog post and register for our upcoming Google Cloud Security Talk.


Who’s impacted 

Admins only 


Why you’d use it 

Some customers in regulated industries, particularly the public sector, have specific requirements related to cloud service provider access to data in the course of customer support interactions. Access Management provides customers with the ability to geographically limit those Google staff support actions. 

As Assured Controls is available on Google Workspace’s native platform, you don’t need to move to a separate environment for access to these restriction capabilities. This can help reduce costs and complexity, while allowing your organization to benefit from the full set of advanced features that Google Workspace offers. 


Getting started 

  • Admins: Once you’ve purchased the Assured Controls add-on, you can assign licenses and manage the feature at Admin Console > Access Management. Users assigned the policy will have any data owned by them restricted to designated U.S. Persons within our support teams. Access Management is surfaced for logging in the Access Transparency logs. To learn more, contact Google Support or your account representative.
  • End users: No end user impact. 



Rollout pace 

  • Contact your Google account representative to learn more about availability and timing. 

Availability 

  • Google Workspace Assured Controls is available as an add-on to Google Workspace Enterprise Plus customers only. For more information, contact your Google account representative. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, and Education Plus, as well as G Suite Basic, Business, and Nonprofits customers 

Resources 

Expanding data regions coverage to Google Drive, Docs, Sheets, and Slides user indices

What’s changing 

Data regions for Google Workspace allows customers to choose a specific geographic location—in the U.S., in Europe, or globally distributed—for their covered data at rest to help meet organizational or compliance needs. We’re now extending data regions coverage to user indices for Google Drive, Docs, Sheets, and Slides for the U.S. data region. 

For more information on this and other Google Workspace Security launches, see our Cloud Blog post and register for our upcoming Google Cloud Security Talk.


Who’s impacted 

Admins 


Why you’d use it 

Google Workspace’s globally distributed cloud infrastructure reduces latency and protects data with geo redundancy, so most organizations choose not to geo-restrict their data. If, however, your organization has preferences as to where its data is stored at rest, data regions can help you achieve your compliance goals.

Since launching data region controls in 2018, we’ve continued to make improvements, including the addition of new covered apps and data types in 2019 and expanded coverage and group-based admin controls in 2020. By expanding data regions coverage to Google Drive, Docs, Sheets, and Slides user indices, we hope to better support our customers’ data location preferences and give them greater control.




Getting started 

  • Admins: Data location is OFF by default and can be enabled at the group or OU level. However, when this launch is rolled out to your domain, Google Drive, Docs, Sheets, and Slides user indices will automatically be migrated to comply with existing U.S. data location policies you’ve set up. Visit the Help Center to learn more about how to choose a geographic location for your data.
  • End users: No end user impact. 

Rollout pace 

Availability 

  • Available to Google Workspace Enterprise Plus and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, or Education Fundamentals, or G Suite Basic, Business, or Nonprofits customers 

Resources 

New option to download third-party apps and domain wide delegation to CSV

Quick launch summary 

Google Workspace customers can set up and manage apps for app access control and domain-wide delegation through the Admin console at Admin console > Security > API Controls. However, for some customers the lists of apps in these sections can be long, which can make it difficult to see and manage the information in the Admin console. 


With this launch, we’re adding new options to download 3rd party API apps and domain wide delegated apps to a CSV file. This file will contain all the information which is displayed in the Admin console list. Having the information in CSV format may make it easier to understand and analyze how these apps and features are accessed in your organization. 


Getting started 

  • Admins: You’ll see the option to download app and client info at Admin console > Security > API Controls > App access control or Domain wide delegation. Use our Help Center to learn more about app access control and domain-wide delegation.
  • End users: No end user impact. 

Rollout pace 

Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers 

Resources 

More notifications added to the alert center in Google Workspace

What’s changing 

We’re adding new alerts to the alert center. Specifically, you can now see alerts for: 
  • Reporting rules (formerly known as custom audit log alerts) 
  • Eleven other new alerts related to changes to app settings and user accounts (formerly known as predefined admin alerts, see more details below) 
Within the alert center, you can view important details about specific alerts, including a summary of the alert, date and time of the event, event description, and name of the related audit log. You can also click to search in audit logs to view more details about the event that triggered the alert. 


Who’s impacted 

Admins only 


Why it’s important 

You can use the alert center to view notifications about potential issues within your domain and take action (like end-user education or updates to existing policies or settings) to resolve the issues and protect your organization from security threats. You can also use the alert center API to export alerts into existing systems, such as a Security Information and Event Management system (SIEM) or ticketing platform. 


We previously moved management of both the reporting rules (formerly known as custom alerts) and other alerts (formerly known as predefined admin alerts) to the security rules section of the Admin console. This provided a more consolidated view of rules and alerts and made it easier to manage alerts from a single location. By bringing notifications from those alerts to the alert center, we are creating a more complete and centralized location to view important notifications and potential security threats to your organization. We hope this provides a more comprehensive view of relevant alerts and helps you better understand and manage your organization. 



Additional details 

Reporting rules now in the alert center 
Reporting rules are custom rules that allow you to create custom alerts based on your organization’s audit logs. Previously, you could only get email notifications when these rules were triggered. With this launch, you can see these events in the alert center. 

For reporting rules that are already set up, admins will need to opt in manually to turn on alert center notifications for each rule. For newly set up reporting rules, the alert center notifications will be on by default, but admins can turn this off during or after rule setup. 


Eleven alerts for user and app setting changes now in the alert center 
You can now choose to see notifications for the 11 alerts listed below. The alert center notifications for these will be off by default, and admins can choose to turn them on. 
  • Calendar settings changed 
  • Drive settings changed 
  • Email settings changed 
  • Mobile settings changed 
  • New user added 
  • Suspended user made active 
  • User deleted 
  • User granted Admin privilege 
  • User suspended (Administrator email alert) 
  • User’s Admin privilege revoked 
  • User’s password changed 

Getting started 

  • Admins: 
    • Reporting rules: For alerts that are already set up, alerts will be off by default. For alerts that are newly set up, alerts will be on by default. Admins can turn alert center notifications on or off while creating or editing a rule. Visit our Help Center to learn how to create and view reporting rules and set up alerts.
    • User and app settings changes: Alerts are off by default, but can be turned on for each alert individually. Visit our Help Center to learn how to view and manage alerts in the alert center.
  • End users: No end user impact 

Rollout pace 

Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Fundamentals, and Education Plus, as well as G Suite Basic, Business, and Nonprofits customers 

Resources 

Security groups now generally available

Quick launch summary 

We’re making security groups generally available. Security groups help you easily regulate, audit, and monitor groups used for permission and access control purposes by simply adding the security label. See our beta announcement for more details and use cases for security groups.

We’ve recently announced several other features that can help you better manage groups in your organization and improve your security posture. These include group membership expiration and the indirect membership visibility and membership hierarchy APIs.


Getting started 

Rollout pace 

Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Standard and Enterprise Plus customers, as well as G Suite Basic, Business, Education, Enterprise for Education and Nonprofits customers 

Resources 

New option to block devices with basic management from accessing your organization’s data

What’s changing 

We’re adding the ability for admins to manually block or unblock mobile apps from accessing their organization’s Google Workspace data on Android and iOS devices with basic mobile management. These actions can be automated using device management rules (for supported editions).


Who’s impacted 

Admins 


Why it’s important 

Previously, admins had a limited set of actions they could perform with basic management—they could wipe an account or delete the device from inventory. However, they couldn’t block apps on those devices from accessing organizational data in the way that they could for devices with advanced mobile management. This launch makes that possible, helping to keep your organization’s data secure. 

While the blocking action is the same for devices with basic and advanced management, advanced management allows you to proactively block devices based on the Require Admin Approval setting. With basic management, you can only do this on a per-device basis. 


Getting started 

  • Admins: This feature will be available by default. To use it, navigate to a device page in the Admin console and click block device. Visit the Help Center to learn more about blocking and unblocking devices.
  • End users: If a user’s device is blocked by an admin, the user will be signed out of all Google Workspace mobile apps. If they try to sign in again, they will see a message indicating that they do not have access to the app, and that they should contact their administrator for help. 
New option to block a device available for devices with basic management 

Once a device is manually blocked, admins can unblock the device 

Those trying to access Google Workspace apps on a blocked device will see a message to contact the administrator for help 


Rollout pace 

Availability 

  • Available to Google Workspace Business Starter, Business Standard, Business Plus, Essentials, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers 

Resources