Tag Archives: Security and Compliance

Distribute certificates for mobile devices via MDM

What’s changing 

We’re making it possible to issue digital certificates to iOS and Android devices for secure access even when those devices are not connected to the corporate network. This will make it easier to provide new mobile devices with identification, authentication, and access to G Suite and other corporate resources. This is available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers using Google Endpoint Management via an on-premises connector.

Who’s impacted 

Admins

Why it’s important 

Certificates are an important way to identify and authenticate mobile devices so they are able to securely access corporate resources. These resources can include G Suite, enterprise WiFi hotspots, and more.

Some customers require devices to be on-premises and behind a corporate firewall before device certificates can be distributed to them. Because some users can no longer reach corporate locations and networks, those customers need a way to issue certificates remotely.

By providing this feature, we are helping these customers keep their employees connected and productive even when they’re not in the office.

Rollout pace 


  • This feature is available now. 

Availability 


  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 

Less secure app turn-off suspended until further notice

Last December, we announced that we’d be turning off less secure app (LSA) access to G Suite accounts, and that you should migrate to OAuth authentication instead. The first phase of the LSA turn-down was scheduled for June 15, 2020. As many organizations deal with the impact of COVID-19 and are now focused on supporting a remote workforce, we want to minimize potential disruptions for customers unable to complete migrations in this timeframe.

As a result, we are suspending the LSA turn-off until further notice. All previously announced timeframes no longer apply. 

This applies to all categories of applications and protocols outlined in our original blog post, including Google Sync for iOS Mail. We’ll announce new timelines on the G Suite Updates blog at a later date.

Despite these timing adjustments, Google does not recommend the use of any application that does not support OAuth. We recommend that you switch to OAuth authentication whenever possible for your organization. OAuth helps protect your account by helping us identify and prevent suspicious login attempts, and allows us to enforce G Suite admin-defined login policies, such as the use of security keys. See our original blog post for details and instructions on migrating to OAuth.

Getting started 


  • Admins: No action required. However, we do recommend switching to OAuth authentication. See our original blog post for details on migrating to OAuth.
  • End users: No end user impact.
  • Developers: Update your app to use OAuth 2.0 as soon as possible.
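For a mail client that currently sends a password over IMAP or SMTP, the concrete change behind "update your app to use OAuth 2.0" is the SASL XOAUTH2 mechanism: the client sends an access token in a fixed-format initial response instead of LOGIN with a password. The Python below is an added example, not code from this post or from Google. It builds and parses that response and wires it into the standard-library imaplib client. The user, token and host values are constructed placeholders (a real access token comes out of an OAuth 2.0 authorization flow and expires), and the empty-reply convention in the comments is the one XOAUTH2 specifies for rejected tokens.

```python
import base64
import imaplib
from typing import Callable


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """Build the SASL XOAUTH2 initial client response.

    Wire format before base64: user=<address>^Aauth=Bearer <token>^A^A,
    where ^A is the 0x01 control byte that separates the fields.
    """
    for value in (user, access_token):
        if not value or "\x01" in value:
            raise ValueError("empty or control-character field in XOAUTH2 response")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def xoauth2_sasl_string(user: str, access_token: str) -> str:
    """What actually crosses the wire after AUTHENTICATE XOAUTH2: the base64 form."""
    return base64.b64encode(xoauth2_initial_response(user, access_token)).decode("ascii")


def parse_xoauth2_initial_response(raw: bytes) -> dict[str, str]:
    """Server-side view: split a decoded response back into its fields."""
    text = raw.decode("utf-8")
    if not text.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 response: missing \\x01\\x01 terminator")
    fields = {}
    for part in text[:-2].split("\x01"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed XOAUTH2 field: {part!r}")
        fields[key] = value
    return fields


def parse_xoauth2_sasl_string(encoded: str) -> dict[str, str]:
    """Decode the base64 wire form and parse it (strict base64 rejects junk)."""
    return parse_xoauth2_initial_response(base64.b64decode(encoded, validate=True))


def xoauth2_authobject(user: str, access_token: str) -> Callable[[bytes], bytes]:
    """Callback for imaplib.IMAP4.authenticate; imaplib base64-encodes what it returns.

    The first call carries an empty challenge and gets the initial response.
    If the server rejects the token it sends a non-empty (JSON) challenge;
    answering with an empty line makes it finish with a tagged NO instead of
    leaving the exchange open.
    """
    def respond(challenge: bytes) -> bytes:
        return xoauth2_initial_response(user, access_token) if not challenge else b""
    return respond


def imap_login_with_token(host: str, user: str, access_token: str,
                          imap_cls=imaplib.IMAP4_SSL):
    """Open an IMAP session with AUTHENTICATE XOAUTH2 instead of LOGIN <password>.

    `host` is whatever IMAP endpoint the provider documents; this function is
    not called below because the example must run offline.
    """
    conn = imap_cls(host)
    conn.authenticate("XOAUTH2", xoauth2_authobject(user, access_token))
    return conn


if __name__ == "__main__":
    # Constructed placeholders, not a real account or token.
    print(xoauth2_sasl_string("alice@example.com", "ya29.EXAMPLE-TOKEN"))
```

The app still needs a refresh token to obtain new access tokens after expiry; store it with the same care as a password and request only the scope the protocol needs.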

Important changes to less secure apps and account recovery management in the Admin console

What’s changing

We’re making some updates to how you manage less secure app (LSA) settings and account recovery (AR) settings in the Admin console. This is part of a wider migration of our Admin console pages to a simplified and more streamlined experience, and will affect the sections at Admin console > Security > Settings > Less Secure Apps and Admin console > Security > Settings > Account Recovery. In those sections you may notice:

  • An updated interface, which reorganizes the settings to make them easier to find and change.
  • A new system to apply group-based policies in these areas. As a result of this change, existing settings will be migrated to the new system. See "Additional details" below for more information.


Who’s impacted

Admins

Why it’s important

The interface updates make security settings easier to find and scan, reducing the number of clicks it takes to manage them. The new group-based policy system is the same one used in other areas of the Admin console, so it should be more familiar and intuitive than the legacy system. It allows multiple group-based policies to be applied in a single UI view, and makes it possible to manage policies exclusively using groups instead of a combination of OU-based policy with group-based exceptions.

Additional details

As part of migrating LSA and AR pages to the new UI, we will migrate any currently applied group-based policies to the new groups-based system. This migration will have no functional impact for most customers.

However, for a very small number of organizations (specifically those that currently have group-based policies for LSA and AR applied at child-OU levels), this transition may affect your existing settings. We will email the primary admin at affected domains with details of how the transition will be done and instructions on how to prepare. If you don’t receive an email, no action is required.

Getting started

Admins: Existing policies will be migrated to the new group-based policy system automatically unless you’re notified by email (see “Additional details” above). Visit the Help Center to learn more about using groups to manage Admin console settings, controlling access to LSAs, or setting up account recovery for users.

End users: There is no end-user impact unless admins change settings applied to them.

Availability


  • Available to all G Suite customers


Enroll security keys on more devices

What’s changing

We’re making it easier to enroll security keys on Android and macOS devices by adding web browsers that can be used to initially register a security key to your account.

Now, you can register security keys on:

  • Android devices running Android 7.0 “N” and up using the Google Chrome web browser (version 70 and up)
  • macOS devices using Safari (v. 13.0.4 and up)

This will work for security keys registered independently, as well as those registered when a user signs up for the Advanced Protection Program for the enterprise.

Who’s impacted

End users

Why it’s important

Security keys provide the strongest form of 2-Step Verification (also known as two-factor authentication or 2FA) to help protect your account against phishing. By making it easier to register security keys, we hope more users will be able to take advantage of the protection they offer.

This builds on other recent announcements around security keys for G Suite and Cloud Identity, including using an iPhone as a security key for 2-Step Verification, and enabling phones as security keys in the Advanced Protection Program.

Getting started

Screenshot: Registering a security key on an Android mobile device with the Chrome browser

Rollout pace

  • This feature is available now for all users.


Availability

  • Available to all G Suite and Cloud Identity customers


Improving data regions with expanded coverage and group-based admin controls

What’s changing 

Data regions allows G Suite customers to choose a specific geographic location for their covered data. We’re enhancing data regions with three key updates:

  • Coverage of user indices for Gmail and Calendar 
  • Coverage of Google Keep primary data at rest and backups 
  • More granular group-based controls 

In addition to these new features, we’re also moving the location of the data region reporting dashboard from Admin Console > Dashboard to Admin Console > Reports > Data Regions.


Who’s impacted 

Admins

Why you’d use it 

G Suite’s globally distributed cloud infrastructure reduces latency and protects data with geo redundancy. Therefore, most organizations choose not to geo-restrict their data. However, some organizations have preferences around where their data is stored at rest.

To support those customers, we launched data region controls in 2018. Data regions lets customers designate the region in which covered data is stored when at rest—globally, in the US, or in Europe. Last year, we enhanced data regions with increased coverage of apps and data types.

By covering more apps, additional data types, and more granular admin controls, we hope to better support our customers’ data location preferences.


Additional details 


Coverage of user indices for Gmail and Calendar 
Gmail and Calendar construct user indices based on information in their accounts, similar to an index in a library, which lists information about all the books the library has available. This index is used to serve user search queries in Gmail and Calendar. These indices will now be covered by data regions. Once rolled out, index data for Gmail and Calendar will automatically be migrated to comply with existing data location policies. Use our Help Center to learn more about how to monitor data location move progress.


Coverage of Google Keep primary data at rest and backups 
This addition extends data regions coverage to a total of 11 apps. Once rolled out, Keep’s primary data at rest and backups will automatically be migrated to comply with existing data location policies. Use our Help Center to learn more about how to track data location move progress.

More granular group-based controls 
You can now set data regions for specific groups of users in your organization. You could previously only enable them by organizational unit (OU). This additional flexibility and control helps you use the feature without changing your organizational structure.


Getting started 



Admins: Data location is OFF by default and can be enabled at the group or OU level. However, when it’s rolled out to your domain, Keep data and indices data for Gmail and Calendar will automatically be migrated to comply with any existing data location policies you’ve set up. Visit the Help Center to learn more about how to choose a geographic location for your data.
End users: There is no end user setting for this feature.


Rollout pace 


  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on February 5, 2020. 
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on February 5, 2020. 


Availability 


  • Available to G Suite Business, G Suite Enterprise, and G Suite Enterprise for Education customers 
  • Not available to G Suite Basic, G Suite for Education, and G Suite for Nonprofits customers 


Use groups to manage Context Aware Access for G Suite

What’s changing 

You can now use groups to manage context-aware access for your organization. You could previously only manage them by organizational unit (OU). Context-aware access lets you control access based on user identity and context. Managing this with groups provides extra flexibility, so you can make sure the right users have the right levels of access at the right time.

Use our Help Center to find out how to manage context-aware access.

Who’s impacted 

Admins

Why you’d use it 

With context-aware access, you can set up different access levels based on a user’s identity and the context of the request (location, device security status, IP address). This can help you provide granular access controls without the need for a VPN, and give users access to G Suite resources based on organizational policies. Find out more about context-aware access.

Using groups enables more granular access controls while minimizing the amount of work required to create and manage different OUs. For example, groups may make it easier to set up different policies for:

  • Users at different organizational levels (e.g. executives) 
  • Users in specific roles (e.g. admins) 
  • Users with different employment statuses (e.g. full-time employees or temporary workers) 
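To make concrete what a context-aware decision involves, the Python below is an added illustration, not Google’s evaluation engine or anything from this post. It models access levels as conditions on the request (source network, device encryption, screen lock, OS version), binds them to groups rather than OUs, and decides a request. The group names, the CIDR ranges (documentation ranges, so nothing real is referenced), the device attributes, and the combining rule (a user must satisfy at least one access level of every policy that applies to them, and users in no policy group are unrestricted) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str
    ip: str
    os: str                      # e.g. "android", "ios", "macos"
    os_version: tuple[int, ...]  # compared as a tuple, so (10, 2) < (11,)
    encrypted: bool
    screen_lock: bool


@dataclass(frozen=True)
class AccessLevel:
    name: str
    networks: tuple[str, ...] = ()  # CIDRs the request must come from; empty = any network
    require_encryption: bool = False
    require_screen_lock: bool = False
    min_os_version: dict = field(default_factory=dict)  # os -> lowest acceptable version

    def satisfied_by(self, req: Request) -> bool:
        if self.networks:
            try:
                addr = ipaddress.ip_address(req.ip)
            except ValueError:
                return False  # malformed address: fail closed
            if not any(addr in ipaddress.ip_network(n) for n in self.networks):
                return False
        if self.require_encryption and not req.encrypted:
            return False
        if self.require_screen_lock and not req.screen_lock:
            return False
        floor = self.min_os_version.get(req.os)
        return floor is None or req.os_version >= floor


# Two access levels: on the corporate network, or on a managed device anywhere.
CORPORATE_NETWORK = AccessLevel("corporate-network", networks=("203.0.113.0/24", "198.51.100.0/24"))
MANAGED_DEVICE = AccessLevel("managed-device", require_encryption=True, require_screen_lock=True,
                             min_os_version={"android": (10,), "ios": (13,)})

# Constructed directory data: group memberships and the access levels bound to each group.
GROUPS = {
    "executives@example.com": {"ceo@example.com"},
    "temporary-workers@example.com": {"temp1@example.com"},
}
POLICY = {
    "executives@example.com": (CORPORATE_NETWORK, MANAGED_DEVICE),  # either level is enough
    "temporary-workers@example.com": (CORPORATE_NETWORK,),          # corporate network only
}


def decide(req: Request) -> tuple[bool, list[str]]:
    """Allow when every group policy that applies to the user is met by at least
    one of its access levels; a user in no policy group is unrestricted."""
    allowed, reasons = True, []
    for group, levels in POLICY.items():
        if req.user not in GROUPS.get(group, set()):
            continue
        met = [lvl.name for lvl in levels if lvl.satisfied_by(req)]
        if met:
            reasons.append(f"{group}: satisfied {met[0]}")
        else:
            allowed = False
            reasons.append(f"{group}: none of {[lvl.name for lvl in levels]} satisfied")
    return allowed, reasons


if __name__ == "__main__":
    # An executive working from home (192.0.2.10 is a documentation address) on an
    # encrypted, screen-locked Android 11 phone: allowed via the managed-device level.
    print(decide(Request("ceo@example.com", "192.0.2.10", "android", (11,), True, True)))
    # A temporary worker from the same network: denied, their policy allows only the office.
    print(decide(Request("temp1@example.com", "192.0.2.10", "macos", (10, 15), True, True)))
```

Keeping the policy keyed by group means moving a contractor into a staff role is a group change, not an OU move, which is the flexibility the post describes.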


Getting started 



Admins: There will be no change to existing context-aware access policies, but you can now set policies at the group level. Visit the Help Center to get an overview of context-aware access, or learn how to customize context-aware access with groups.

End users: There is no end user setting for this feature.

Availability 


  • Available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 


Changing default scope for Service Settings delegated admins

Quick launch summary 

We’re changing the default scope for delegated admins who hold the “Service Settings” privilege. As a result, some admins may need to be re-granted access to the security center.

Previously, when an admin was assigned the “Service Settings” privilege, the “Security Center” privilege was also checked by default. Now the “Security Center” privilege must be granted explicitly. As a result of this change, some delegated admins may lose their security center privileges. If this happens to an admin who should have access to the security center, a Super Admin of the domain can grant the permission to them (or to the administrator role they are assigned) at Admin console > Admin roles.


Availability 


  • Available to all G Suite customers

New system to improve data loss prevention (DLP) in Google Drive

What’s changing 

We’re introducing a new data loss prevention (DLP) system that will make it easier to deploy more advanced detection policies for content on Google Drive. The new Drive DLP functionality can be found at: Admin console > Security > Data Protection. Key updates include:

  • Advanced detection policies that enable more detailed rules using nested conditions, volume-based detection, finer detection thresholds, and more. 
  • New DLP incident management dashboard to see incident trends, view detailed incident reports, dry run rules, and more. 
  • Simplified deployment with more flexible scoping, role-based access for admins, and more. 


Use our Help Center to learn more about the differences between the legacy and new DLP systems.

The new system is separate from the legacy Drive DLP system. 

Currently, the new DLP system (at Admin console > Security > Data Protection) exists alongside the legacy DLP system (at Admin console > Rules). Rules created in the new system are separate from rules in the legacy system, and both will continue to work. You can migrate legacy DLP rules by manually creating an equivalent rule in the new system and then deleting the legacy rule. When you do, we encourage you to consider reconfiguring the rules to use the more advanced functionality offered by the new system. Use our Help Center to learn more about migrating from the legacy to the new DLP system.

Who’s impacted 

Admins

Why you’d use it 

Protecting your company’s confidential data is critical. DLP supports this by giving you control over what users can share and preventing unintended exposure of sensitive information. You can use it to block, or warn users before, sharing sensitive content (such as confidential information or customer social security numbers) outside of the domain, on a per-file basis. As an admin, you can also use the system to get alerts about policy violations and DLP incidents and to investigate the details of a violation.

We have developed this new system to provide a more advanced way for you to configure DLP for Drive, going beyond the previously announced Drive DLP systems (DLP for Drive, and DLP for shared drives). You can use it to make your deployment more powerful and flexible with more granular policies customized for the specific needs of your organization. Combined with added deployment flexibility, it will be easier to deploy more advanced DLP policies that add visibility into and control over your data. Use our Help Center to learn more about how the new DLP system is different from the legacy system.

Additional details 


Advanced detection policies 
The new Drive DLP system provides more advanced functions to help admins configure deeper content detection rules including:

  • Nested conditions with AND, OR, and NOT - You can now define complex DLP rules leveraging a wide variety of conditions. 
  • Volume-based detection - Enforce DLP actions based on the number of violations to reduce the incident volume. 
  • Finer detection thresholds - Additional detection confidence thresholds help to balance DLP settings and reduce false positives. 
  • Targeted detection - Choose to target detection to comments, suggestions, title, body or all content of a Drive file. 


Additionally, you can now use DLP rule templates to quickly author new policies. Templates use predefined content detectors, which can then be fine-tuned with threshold levels suitable for your environment.


Incident management dashboard 

The new system includes a DLP dashboard that will help you test, understand, and manage rules and alerts in your domain, including by showing incident trends. Features include:

  • “Dry Run” for your data protection rules - Generate reports without having the rule active so you can start monitoring your environment without enforcing blocking actions. 
  • New alert delivery options - Choose who receives alerts for specific rules, including additional members of the organization outside the super admin groups. 
  • Detailed incident reports - See more detailed reports for all the DLP actions (block, warn, audit). 
  • Integration with policy investigation tool - Help DLP response teams dig deeper into violations when needed. 
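The Python below is an added example, not Google’s DLP engine or code from this post. It implements in miniature the mechanisms listed under "Advanced detection policies" and the "Dry Run" option above: a predefined detector that assigns a confidence level to each match, nested AND/OR/NOT conditions, a volume threshold, targeting by file region (title, body, comments), and a dry-run flag that turns an enforced block into an audit record. The SSN structure check, the detector names, the sample file (every number in it is made up) and the rule itself are assumptions made for the example; the rule blocks an external share when the body holds at least two high-confidence SSNs, unless the title is tagged "[anonymised]".

```python
import re
from dataclasses import dataclass
from typing import Sequence

CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

@dataclass(frozen=True)
class Match:
    detector: str
    target: str      # region of the file: "title", "body" or "comments"
    text: str
    confidence: str  # "LOW", "MEDIUM" or "HIGH"

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
SSN_KEYWORD_RE = re.compile(r"(?i)\b(ssn|social security)\b")
MARKER_RE = re.compile(r"(?i)\[anonymi[sz]ed\]")

def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSA rules: area 000/666/900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def detect_us_ssn(target: str, text: str) -> list[Match]:
    """Toy predefined content detector: regex hit, structural check and a nearby keyword."""
    found = []
    for m in SSN_RE.finditer(text):
        if not ssn_is_plausible(*m.groups()):
            confidence = "LOW"
        elif SSN_KEYWORD_RE.search(text[max(0, m.start() - 30):m.start()]):
            confidence = "HIGH"
        else:
            confidence = "MEDIUM"
        found.append(Match("US_SSN", target, m.group(0), confidence))
    return found

def detect_anonymised_marker(target: str, text: str) -> list[Match]:
    """Second detector so a rule can use NOT: files tagged '[anonymised]'."""
    return [Match("ANONYMISED_MARKER", target, m.group(0), "HIGH") for m in MARKER_RE.finditer(text)]

DETECTORS = (detect_us_ssn, detect_anonymised_marker)

def scan(doc: dict[str, str]) -> list[Match]:
    """Run every detector over every targetable region of the file."""
    return [m for target, text in doc.items() for det in DETECTORS for m in det(target, text)]

# Condition tree: nested AND / OR / NOT over detector conditions.
@dataclass(frozen=True)
class Detect:
    detector: str
    min_confidence: str = "MEDIUM"                            # finer detection threshold
    min_count: int = 1                                        # volume-based detection
    targets: tuple[str, ...] = ("title", "body", "comments")  # targeted detection

    def holds(self, matches: Sequence[Match]) -> bool:
        n = sum(1 for m in matches if m.detector == self.detector and m.target in self.targets
                and CONFIDENCE_RANK[m.confidence] >= CONFIDENCE_RANK[self.min_confidence])
        return n >= self.min_count

@dataclass(frozen=True)
class And:
    parts: tuple
    def holds(self, matches: Sequence[Match]) -> bool:
        return all(p.holds(matches) for p in self.parts)

@dataclass(frozen=True)
class Or:
    parts: tuple
    def holds(self, matches: Sequence[Match]) -> bool:
        return any(p.holds(matches) for p in self.parts)

@dataclass(frozen=True)
class Not:
    part: object
    def holds(self, matches: Sequence[Match]) -> bool:
        return not self.part.holds(matches)

@dataclass(frozen=True)
class Rule:
    name: str
    condition: object
    action: str            # "block", "warn" or "audit"
    dry_run: bool = False  # dry run: record the would-be action, never enforce it

def evaluate(rule: Rule, doc: dict[str, str], shared_externally: bool) -> tuple[str, list[Match]]:
    """"allow" when the rule does not fire; otherwise its action, or "audit" in dry run."""
    matches = scan(doc)
    if not shared_externally or not rule.condition.holds(matches):
        return "allow", matches
    return ("audit" if rule.dry_run else rule.action), matches

SAMPLE_DOC = {  # constructed sample file; every number in it is made up
    "title": "Q3 customer escalations",
    "body": ("Customer A, SSN 219-09-9999. Customer B, SSN 341-22-0156.\n"
             "Form template example: 000-12-3456 (not a real number)."),
    "comments": "Scrub before sharing. Don't treat ticket 123-45-6789 as an SSN.",
}

EXAMPLE_RULE = Rule("block-external-share-of-bulk-ssn", action="block", condition=And((
    Detect("US_SSN", min_confidence="HIGH", min_count=2, targets=("body",)),
    Not(Detect("ANONYMISED_MARKER", min_confidence="HIGH", targets=("title",))),
)))
```

On the sample file the rule returns "block": the body holds two high-confidence SSNs, the structurally impossible 000-12-3456 counts only as a low-confidence hit, and the plausible-looking number in the comments is outside the rule's target. Re-creating the same rule with dry_run=True yields "audit" instead, which is the dashboard's dry-run mode expressed in code.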



Screenshots: the new dashboard shows violation trends and gives insight into your DLP alerts.

Simplified deployment 
The new system makes it easier to deploy DLP rules with features like:

  • Role-based access for administrators - Assign delegated admins for DLP functions in the Admin console.
  • Predefined content detectors - Use 90+ predefined content detectors to help expand coverage and better manage policy violations. 
  • Policy exports - Download a copy of DLP policies. 
  • Flexibility for scoping policies - Scope DLP policies to include or exclude specific groups or OUs. 


Getting started 


  • Admins: This feature will be OFF by default and can be controlled at the domain, OU, or group level. Find the new DLP system at Admin console > Security > Data Protection. Use our Help Center to learn more about the new Drive DLP system.
  • End users: No action needed. 


Availability 


  • Available to G Suite Enterprise, G Suite for Education, G Suite Enterprise for Education, and Drive Premium customers 
  • Not available to G Suite Basic, G Suite Business, and G Suite for Nonprofits customers 


Use phones as security keys in the Advanced Protection Program


What’s changing 


You can now use your mobile phone as a security key in the Advanced Protection Program for the enterprise. This means you can use your Android or iOS device’s built-in security key for 2-Step Verification, which makes it easier and quicker to protect high-risk users with our strongest account security settings.

Users can learn more and sign up for the Advanced Protection Program at g.co/advancedprotection.

Who’s impacted 

Admins and end users

Why you’d use it 


The Advanced Protection Program for the enterprise enforces a package of several security policies, which can help protect the accounts of employees who are most at risk for targeted attacks. By adding the option to use your phone as a security key with this program, we hope more G Suite users will be able to take advantage of the protection it offers due to:

  • Simpler enrollment - Users can sign up quickly using devices they already have. 
  • Intuitive user experience - Users are familiar with the phone interface, and often already carry phones with them. 
  • Lower costs - This reduces the need to purchase security keys. 


Additional details 

Targeted attacks are sophisticated, low-volume, handcrafted attacks, often carried out by highly motivated professional or government-backed groups. Employees at risk of targeted attacks who may benefit from the program include, for example, IT admins, executives, and employees in regulated industries such as finance or government.

The individual policies currently included in the Advanced Protection Program are also available to G Suite admins and users outside of the program. However, the Advanced Protection Program for the enterprise offers an easy-to-use bundle of our strongest account security settings.

Getting started 


Admins: By default, users will be able to sign up for the Advanced Protection Program. You can disable it at the OU level. Visit the Help Center to learn more about managing the Advanced Protection Program in your organization.

End users: Android users can go directly to g.co/advancedprotection to enroll their phone as a security key. iPhone users must first activate the security key with Google’s Smart Lock app, then enroll in the Advanced Protection Program.

Rollout pace 


  • This feature is available now for all users. 


Availability 


  • Available to all G Suite customers 


Use an iPhone as a security key for 2-Step Verification

What’s changing

We’re adding an option to use your iPhone as a security key for your Google Account. Security keys provide the strongest form of 2-Step Verification (also known as two-factor authentication or 2FA) to help protect your account against phishing, and are an essential part of the Advanced Protection Program for the enterprise. To use your iPhone as a security key, you need to install the Google Smart Lock app.

Read more about this launch in our Security Blog post, or use our Help Center to learn more about security keys and 2-Step Verification. Also see our other announcement today - Use phones as security keys in the Advanced Protection Program.


Who’s impacted

Admins and end users


Why you’d use it

2-Step Verification adds another layer to your account security, making it more resistant to phishing and account takeover attacks. By adding the option to use iPhones as a security key, we’re making the strongest form of phishing protection more accessible and convenient. As a result, we hope you’ll be able to implement Advanced Protection in your organization more quickly, while also minimizing user training and overall costs.

We previously announced that you can use the security key built into your Android phone, in addition to physical security keys, including Google’s Titan Security Keys.

We also announced today that you can use phones as security keys in the Advanced Protection Program for the enterprise. We hope these launches bring the added protection of security keys to more users, make it easier to enroll in the Advanced Protection Program, and help ensure that all users have access to more convenient forms of security.


Additional details


  • The iPhone security key is enabled through the Google Smart Lock app.
  • Installation of the Google Smart Lock app is only available on devices running iOS 10.0 and up.
  • The security keys on iPhones are compatible with Bluetooth-enabled Chrome OS (version 79 and up), iOS, macOS, or Windows 10 devices with a Chrome browser.


Rollout pace

  • This feature is available now for all users

Availability


  • Available to all G Suite customers

