Tag Archives: Security and Compliance

Add or remove client-side encryption from a Google Doc

What’s changing 

You can now choose to add client-side encryption to an existing document or remove it from an already encrypted document (File > Make a copy > Add/Remove additional encryption). This update gives you the flexibility to control encryption as your documents and projects evolve and progress.



Getting started

Rollout pace


Availability

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers

Resources


Google Workspace Updates Weekly Recap – March 17, 2023

New updates 

There are no new updates to share this week. Please see below for a recap of published announcements. 


Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Introducing new space manager capabilities in Google Chat
Space managers now have additional capabilities to ensure effective conversations take place in spaces: space configuration, member management, and conversation moderation. | Learn more.

External label for Google Meet participants
“External” labels will be available in Google Meet. Users will see a label in the top-left corner of their meeting screen indicating that participants who are external to the meeting host’s domain have joined the meeting. In the people panel, external participants will be denoted with the same icon. | Learn more.

Provide custom Google Meet background images for your users
Admins can now provide a set of images for the background replace feature in Google Meet. This will enable users to easily select an image that properly represents their company's specific brand and style. | Learn more

Improving your security with shorter Session Length defaults
To further improve security for our customers, we are changing the default session length to 16 hours for existing Google Cloud customers. Note that this update refers to managing user connections to Google Cloud services (e.g. Google Cloud console), not connections to Google services (e.g. Gmail on the web). | Learn more



Completed rollouts

The features below completed their rollouts to Rapid Release domainsScheduled Release domains, or both. Please refer to the original blog post for additional details.


Rapid Release Domains:
Scheduled Release Domains:
Rapid and Scheduled Release Domains:

Improving your security with shorter Session Length defaults

What’s changing 

To further improve security for our customers, we are changing the default session length to 16 hours for existing Google Cloud customers. Note that this update refers to managing user connections to Google Cloud services (e.g. Google Cloud console), not connections to Google services (e.g. Gmail on the web). 


For existing customers who have session length configured to Never Expire, we are updating the session length to 16 hours. See below for more information. 




Who’s impacted 

Admins, end users, and developers 


Why you’d use it 

Many apps and services can access sensitive data or perform sensitive actions. Because of this, managing session length is foundational to cloud security and compliance. It ensures that access to the Google Cloud Platform is finite after a successful authentication, which helps deter bad actors should they gain access to credentials or devices.


Additional details 

Google Cloud session controls 
For existing customers who have session length configured to Never Expire, we are updating the session length to 16 hours. This ensures customers do not mistakenly grant infinite session length to users or apps using Oauth user scopes. After the session expires, users will need to re-enter their login credentials to continue their access. This impacts the following: 

Settings can be customized for specific organizations, and will impact all users within that org. This is a timed session length that expires the session regardless of the user's activity. When choosing a session length, admins have the following options:
  • Choose from a range of predefined session lengths, or set a custom session length between 1 and 24 hours. 
  • Configure whether users need just a password, or require a Security Key to re-authenticate.


Third-party SAML identity providers and session length controls 
If your organization uses a third-party SAML-based identity provider (IdP), the cloud sessions will expire, but the user may be transparently re-authenticated (i.e. without actually being asked to present their credentials) if their session with the IdP is valid at that time. This is working as intended, as Google will redirect the user to the IdP and accept a valid assertion from the IdP. To ensure that users are required to re-authenticate at the correct frequency, evaluate the configuration options on your IdP and review the Help Center article to Set up SSO via a third party Identity provider.


Trusted applications
Some apps are not designed to gracefully handle the re-authentication scenario, which can cause confusing app behavior. Other apps are deployed for server-to-server purposes via user credentials — because they don’t require service account credentials, they are not prompted to periodically re-authenticate.

If you have specific apps like this, and you do not want them to be impacted by session length reauthentication, the org admin can add these apps to the trusted list for your organization. This will exempt the app from session length constraints, while implementing session controls for the rest of the apps and users within the organization.


Getting started

  • Admins: For customers who have their session length set to "Never Expire", your session length will reset to 16 hours. It can be turned off or modified at the OU level. Visit the Help Center article to learn how to set session length for Google Cloud services for your organization.  
  • End users: If a session ends, users will simply need to log in to their account again using the familiar Google login flow. 

Rollout pace

Availability

  • Available to all Google Workspace and Cloud Identity customers, as well as legacy G Suite Basic and Business customers

Client-side encryption for Gmail is now generally available

What’s changing 

Beginning today, client-side encryption for Gmail is now generally available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. For customers currently enrolled in the beta, your experience will not change. 




Workspace already encrypts data at rest and in transit by using secure-by-design cryptographic libraries. Client-side encryption takes existing encryption capabilities to the next level by ensuring that customers have sole control over their encryption keys—and thus complete control over access to their data. For more information, read the latest Workspace blog and our original beta announcement.

Getting started 

  • Admins
  • End users: Once enabled by your Workspace admin, to add client-side encryption to any message, click the lock icon and select additional encryption, and compose your message and add attachments as normal. 

Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 
  • Not available to users with personal Google Accounts 

Resources

Google Vault support for client-side encrypted emails

What’s changing 

Vault now supports retention, search, and export of client-side encrypted emails. Note that admins can't preview the email body and attachments, including inline images — they’ll only be able to see the subject line, sender, and receiver. 


Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our customers and Google facilities. Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs. Visit the Help Center for more information on client-side encryption and our original announcement regarding client-side encryption for Gmail


Getting started


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 
  • Not available to users with personal Google Accounts

Resources 

Google Vault support for client-side encrypted emails

What’s changing 

Vault now supports retention, search, and export of client-side encrypted emails. Note that admins can't preview the email body and attachments, including inline images — they’ll only be able to see the subject line, sender, and receiver. 


Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our customers and Google facilities. Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs. Visit the Help Center for more information on client-side encryption and our original announcement regarding client-side encryption for Gmail


Getting started


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 
  • Not available to users with personal Google Accounts

Resources 

Google Workspace Updates Weekly Recap – December 23, 2022

New updates 


There are no new updates to share this week. Please see below for a recap of published announcements. 


Previous announcements


The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Updated experience for exporting your organization’s data
We’re introducing new capabilities for exporting your organization’s data, giving our customers greater flexibility over managing their organization’s data export needs. | Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers only. | Learn more


Google Voice Standard customers can assign phone numbers in other Voice countries in their region 
Google Voice customers on the Standard subscription in Canada, Europe and the US can assign phone numbers to any supported country in their region:
  • Customers in Europe can assign phone numbers in supported European countries
  • Customers in Canada and the US can assign phone numbers in both countries
This change gives our customers on the Standard SKU the flexibility to deploy Voice across the different countries they operate in within the same region. | Available for Google Voice Standard customers only. | Learn more.


More filter effects available for Google Meet
Google Workspace users can now access a variety of new filter effects on Google Meet on the web and mobile. These filters, such as loghead, strawberry, and working bunny, can help bring an element of fun to meetings. | Learn more


Quickly refine search results in Google Chat with search chips
We’re expanding an existing mobile feature to the web that helps you find exactly what you’re looking for much faster using search chips that filter your search results. | Learn more



Completed rollouts


The features below completed their rollouts to Rapid Release domainsScheduled Release domains, or both. Please refer to the original blog post for additional details.


Rapid Release Domains:


Rapid and Scheduled Release Domains:


For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).


Updated experience for exporting your organization’s data

What’s changing

We’re introducing new capabilities for exporting your organization’s data, giving our customers greater flexibility over managing their organization’s data export needs. These changes include the option to:

  • Export user generated content by organizational unit
  • Export user generated content by group

This update is available for Google Workspace Enterprise Plus, Education Standard, and Education Plus customers.

Who’s impacted

Admins


Why it’s important

Historically, data export has been limited to a customer’s full set of user generated content. However, we know our customers sometimes need a more frictionless experience for managing their data exports, especially as their business and compliance needs continue to evolve. By providing more granular and flexible export tools, our customers can retrieve the specific data they need, when they need it.


Getting started




Rollout pace


Availability


  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers

Resources




Google Workspace Updates Weekly Recap – December 16, 2022

New updates

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all Google Workspace and G Suite customers.


Drive approvals available on Android and iOS apps

Google Drive users have had the ability to send an item for approval on the web since 2021. These approvers can comment, approve, or reject a request on a file. Starting this week, Drive approvals are now available on the Drive Android and iOS apps. | Available to Google Workspace Essentials, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Plus, and legacy G Suite Business customers only. | Learn more.


New keyboard shortcuts for Google Sheets on Android

In continuing our mission to provide a top-class user experience on large screen devices, we’re releasing new and updated keyboard shortcut options on Android that better align with the Google Sheets web experience. | View the full list of shortcuts and learn more here. 


Additional functionality for storage management

Adding shared drive storage limits and shared drives IDs are now available as part of the new set of tools for managing storage. Please refer to our original announcement for more information. | Learn more.


Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Facet Enhancements for Cloud Search

It’s now easier to configure and use Cloud Search search filters and facets with multiple enhancements to our existing functionalities. With this launch, you can use the Cloud Search Query API to configure new additional capabilities. | Available to Google Cloud Search Customers. | Learn more. 


Easily format and display code in Google Docs

We’ve added a new smart canvas feature that makes this process much easier by enabling you to format and display code in Docs with code blocks. | Available to Google Workspace Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus customers and Nonprofits only. | Learn more. 


Email notifications from Google now available in the Alert Center

Admins routinely receive notifications from Google to inform them about important Google Workspace updates. Now when admins receive these notifications, they’ll also be captured in the Alert Center in the admin console. This will help make it easier for admins to stay on top of important communications from Google. | Learn more. 


Enjoy improved call performance with intelligent network switching in Google Voice

To ensure the best call experience, Google Voice now automatically switches ongoing calls between cellular data service and Wi-Fi when it determines that one network type will lead to better call quality. | Learn more.


Expanded language support for captions and translated captions in Google Meet

We’ve expanded language support for standard captions and translated captions in Google Meet. | Standard captions are available for all users. Translated captions are available for meetings organized by Google Workspace Business Standard, Business Plus, Enterprise Starter, Enterprise Standard, Enterprise Plus, Education Plus, and the Teaching and Learning Upgrade customers.| Learn More.


Client-side encryption for Gmail available in beta

We’re expanding customer access to client-side encryption in Gmail on the web. Google Workspace Enterprise Plus, Education Plus, and Education Standard customers are eligible to apply for the beta until January 20th, 2022. | Learn more.


Completed feature rollouts

The features below have finished rolling out to Rapid Release domains, Scheduled Release domains, or both. Please refer to the original blog posts for additional details.


Rapid Release Domains:


Rapid and Scheduled Release Domains:



For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).



More ways to prevent data exfiltration on iOS devices

What’s changing 

In 2020, we released several data exfiltration protections for iOS devices. Today, we’re announcing the next set of enhancements for data exfiltration protections for iOS. We’re expanding these security controls to give admins more ways to protect sensitive company data on iOS devices. 


Admins can now turn the following actions on or off for Google Workspace data: 
  • Copying Google Workspace files and data to personal apps 
  • Sharing Google Workspace data to personal accounts via AirDrop and the iOS share sheet 
  • Air Printing Google Workspace files 
  • Saving Google Workspace items to files with the iOS share sheet 
  • Saving Google Workspace images/videos to iOS photos 
  • Assigning items from Google Workspace to Contacts with the iOS share sheet. 


Who’s impacted 

Admins and end users 


Why it’s important 

This is the next step in ensuring we continue to enhance data protections for Google workspace data and how that information is stored, shared, and used across the iOS devices within your organization. Similar protections are already available on Android devices through Work Profiles


Getting started 

  • Admins: These settings can also apply to any OU level throughout the organization, to scale your policy settings to any iOS mobile device within your organization. These settings can be configured in the Admin console under Devices > Mobile and endpoints > iOS settings > Data Sharing. Visit the Help Center to learn more about data protection on iOS devices


  • End users: There is no end-user setting for this feature. Restricted actions are not shown or except for “Save to files”, in which case a dialog pops up notifying the user that this action is restricted. 

Rollout pace


Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers. 

Resources