Tag Archives: Security and Compliance

Google Workspace Updates Weekly Recap – July 23, 2021

New updates

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all Google Workspace and G Suite customers.

Gmail now displays the latest emojis
Now you can see all the latest emojis in Gmail, with emojis now rendered in the latest Unicode standard 13.1.

Improved Tabular Data Handling for Gmail DLP
We are improving the way we handle Tabular data files like .csv or .xlsx to best account for the structure of these files. This will result in more accurate content scans. | Available to Google Workspace Enterprise, Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus customers. | Learn more.

Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.

Updates to Google Workspace Public Status Dashboard and service status alerts
We're introducing a new Public Status Dashboard experience for Google Workspace. As part of this update, we’re enhancing the functionality of the existing Apps outage alert system-defined rule, which provides email notifications regarding service disruptions or outages via the Public Status Dashboard. | Learn more.

Hangouts to Google Chat upgrade beginning August 16th, with option to opt-out
Beginning August 16, 2021, we will start upgrading users who have the “Chat and classic Hangouts” setting selected to “Chat preferred,” unless you explicitly opt out. Additionally, the “Chat and classic Hangouts'' setting will also be removed for all users in your domain unless you opt out of the upgrade. | Learn more.

Fundamental data regions now available to more Google Workspace customers
Data regions give you the ability to choose where covered data for select Google Workspace apps is stored at rest. We’re introducing a more limited version of data regions, known as Fundamental data regions, which will be available to Google Workspace Enterprise Standard, Business Plus, Business Standard and Frontline customers. | Learn more.

Bulk convert Classic Sites to new Sites using the Classic Sites Manager
Beginning today, you can now bulk convert Classic Sites to new Sites using the Classic Sites Manager. | Learn more.

Block shares from another user in Google Drive

We’re adding the ability to block another user in Google Drive. If blocked, the user will not be able to share any Drive items with you, and items owned by the user will not be able to be shared with you or be shown when you’re browsing Google Drive. In addition, your files will not be available to the user you’ve blocked, even if you’ve previously shared items with them. | Learn more.

Select multiple tabs in Google Sheets and perform basic actions on the selection

Now you can select multiple tabs in Google Sheets and perform basic actions on the selection (such as moving the tabs together, deleting, duplicating, copying, coloring, or hiding). | Learn more.

Image placeholders make it easy to work as a team with images in Slides themes and layouts

Now when you create a theme in Slides, you can add image placeholders to your layouts. | Learn more.

Easily collaborate and share Slide presentations with side-by-side viewing in Google Chat

In Google Chat, you can now open and edit a Slide presentation in a side-by-side view. | Learn more.

For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Source: Google Workspace Updates

Fundamental data regions now available to more Google Workspace customers

What’s changing

Data regions gives you the ability to choose where covered data for select Google Workspace apps is stored at rest. The existing data regions feature, now known as Enterprise data regions, offer a full range of features to Google Workspace Enterprise Plus and Education Plus customers.

Now, we’re introducing a more limited version of data regions, known as Fundamental data regions, which will be available to Google Workspace Enterprise Standard, Business Plus, Business Standard and Frontline customers.

Who’s impacted

Admins

Why you’d use it

Google Workspace’s globally distributed cloud infrastructure reduces latency and protects data with geo redundancy, so most organizations choose not to geo-restrict their data. If, however, your organization has preference to control where its data is stored at rest, data regions can help you meet those needs.

Additional details

Fundamental data regions is a more limited version of data regions compared to Enterprise data regions, which is available to Google Workspace Enterprise Plus and Education Plus customers. Some key differences include:

Single vs multiple regions: Enterprise data regions enables you to set multiple region policies, whereas the Fundamental data regions only offers one region of your choosing.
Root OU vs full OU and group controls: Enterprise data regions allows for customizing data regions for different groups and organizational units (OUs) within your organization. Fundamental data regions only allows you to set a single policy at the root OU level.
Report availability: Enterprise data regions includes detailed reports on the move progress of your covered data. These reports will not be available to Fundamental data regions users.

Admins that need the full functionality of Enterprise data regions can get access by visiting their Subscriptions page in the Admin console to upgrade licenses to Google Workspace Enterprise Plus or Education Plus.

Getting started

Admins: This feature will be turned off by default. Visit the Help Center to learn more about choosing a geographic location for your data.

End users: No end user impact.

Settings available for Fundamental data regions in the Admin console

Rollout pace

Rapid Release and Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on July 21, 2021

Availability

Fundamental data regions newly available to Google Workspace Business Standard, Business Plus, Enterprise Standard, and Frontline customers
Enterprise data regions already available to Google Workspace Enterprise Plus and Education Plus customers.
Not available to Google Workspace Essentials, Enterprise Essentials, Education Fundamentals, Nonprofits, as well as G Suite Basic and Business customers.

Resources

Source: Google Workspace Updates

Enhanced desktop security for Windows is now available for Google Workspace Business Plus customers

Quick launch summary

Google Workspace Business Plus customers can now manage and secure Windows devices through the Admin console, just as you do for Android, iOS, Chrome, and Jamboard devices. Now, Business Plus Admins can:

Set Windows policies in the admin console which will ensure that all Windows 10 devices used to access Workspace are updated, secure, and within compliance of organizational policies.
Perform admin actions, such as wiping a device and pushing device configuration updates, to Windows 10 devices from the cloud without connecting to corp network.

See our previous announcement for more details on the Windows 10 management features and benefits and the Help Center to learn more about enhanced desktop security for Windows.

Getting started

Admins:

Use our Help Center to learn how to enroll a device in Windows device management, how to enable enhanced desktop security for Windows, and how to manage Windows devices.
Within Workspace and Cloud Identity, multiple devices per user can be managed at no additional cost.

Rollout pace

This feature is available now.

Resources

Source: Google Workspace Updates

Improving email security with BIMI

What’s changing

In July 2020, we announced a pilot for Brand Indicators for Message Identification (BIMI) in Gmail. Starting today, Gmail announces general availability of BIMI support across Gmail.

BIMI aims to increase the adoption of strong authentication in the email ecosystem for those who have implemented Domain-based Message Authentication, Reporting, and Conformance (DMARC). For senders that have adopted DMARC and have validated their imagery, Gmail will display the validated logos in the avatar slots, increasing confidence in the source of emails for recipients.

Before and after BIMI: Validated logos display on authenticated emails.

See below for more information, as well as the Cloud Blog for more information on BIMI for Gmail.

Who’s impacted

Admins

Why it matters

BIMI promotes another layer of security to Gmail by requiring strong authentication and verification of logos before they’re displayed in the Gmail avatar slot. Strong authentication increases confidence in the source of emails and provides recipients with a more immersive experience. Further, this helps email security systems filter spoofed, phishing emails from legitimate messages.

Getting started

Admins:

To learn more about BIMI and see the latest news, visit the working group’s website.
To take advantage of BIMI for your outgoing emails to Gmail and other platforms, ensure that your organization has adopted DMARC, and that you have validated your logo with a VMC, issued by a Certification Authority such as Entrust or DigiCert.
Visit the Help Center to learn more about setting up BIMI.

End users: No action required.

Availability

Available to all Google Workspace customers, as well as G Suite Basic and Business customers

Resources

Source: Google Workspace Updates

Stronger data security and privacy with Google Workspace Client-side encryption beta

What’s changing

Today we announced the beta for Google Workspace Client-side encryption, which is available to Google Workspace Enterprise Plus and Google Workspace Education Plus customers. The beta will be available for Google Drive, Docs, Sheets, and Slides, with support for all file types in Drive including Office files, PDFs, and more. We’re committed to a roadmap that enables Client-side encryption across Google Workspace, including Gmail, Meet, and Calendar. Support for Google Meet is coming in the fall. Follow the Google Workspace Updates blog to learn when that’s available.

The beta will start rolling out in the next few weeks, but eligible customers can now apply for the beta here.

Who’s impacted

Admins

Why it’s important

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. But with Client-side encryption, we’re taking this a step further by giving customers direct control of encryption keys and the identity provider used to access those keys. This can help you strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs.

When using Client-side encryption, customer data is indecipherable to Google. Customers can create a fundamentally stronger privacy posture, whether that’s to comply with regulations like ITAR and CJIS or simply to better protect the privacy of their confidential data

Read our announcement blog post to learn more about this beta and our plans for Client-side encryption across Google Workspace.

Additional details

To enable Client-side encryption, you’ll choose a key access service partner: Flowcrypt, Futurex, Thales, or Virtru. Each of these partners have built tools in accordance with Google’s specifications and provide both key management and access control capabilities. Your partner of choice holds the key to decode encrypted Google Workspace files, and Google cannot access or decipher these files without this key. If you prefer to build or integrate your own in-house key services, we will be publishing the key access service API specifications that can be used with Client-side encryption later this year.

Getting started

Admins: Use our Help Center to learn more and apply for the beta here.
End users: No end-user impact.

Rollout pace

The beta will start rolling out in the next few weeks, but eligible customers can now apply for the beta here. You’ll get more details via email a few weeks after registering your interest in the beta via the form.

Availability

Available to Enterprise Plus and Education Plus customers
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers.

Resources

Source: Google Workspace Updates

Enhanced content classification and DLP with Drive labels beta

What’s changing

We’re expanding betas for two related features which can help categorize content and enhance content protection at scale. Specifically, we’re adding:

Drive labels. This renaming and update to the previously-announced Drive metadata feature enables admins to configure custom labels (formerly “metadata”) for a domain, and then enable users to apply these labels to files in Drive.
Automated classification and Drive data loss prevention (DLP) integration. Automated classification can help organizations automatically add Drive labels to content based on administrator-defined rules and predefined content detectors.

As part of this launch, we’re adding 60 new content detectors, including resumes, SEC filings, patents, and source code.
Using automated classification makes it easier to scale your use of labels while reducing the risk of manual classification errors.
Both manual and automated labels can be used with DLP to prevent external sharing, downloading, and printing of some files.

These features are currently available in beta. Interested customers can now apply for the beta here.

Drive labels will be available to Google Workspace Essentials, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Nonprofits customers. Automated classification and DLP will be available to Google Workspace Enterprise Standard, Enterprise Plus, and Education Plus customers.

Read our announcement blog post to learn more about this and other features that are helping Google Workspace to deliver new levels of trusted collaboration for a hybrid work world.

Who’s impacted

Admins and end users

Why you’d use it

Special handling of sensitive data is an integral part of a strong information governance policy, and that begins with labeling files which may contain sensitive intellectual property, personally identifiable information, data subject to special compliance regulations, and more. Additionally, they can help admins prevent external sharing, downloading, and printing of classified files via an integration with data loss prevention (DLP). Moreover, admins can create labels to indicate department names, document types, document status, and anything else you can think of, to facilitate content discovery in advanced search.

When used in conjunction with automated classification, labels in Drive can be added automatically based on administrator-defined DLP rules and predefined content detectors. This automated classification can help scale data classification and protection efforts by reducing the administrative burden and potential errors associated with manual labels.

Admins can define custom labels for their organization

Users can add labels to Drive files (if permitted by admin), or take advantage of automatic classification

Admins can set data loss prevention (DLP) rules for files with a certain label

Getting started

Admins: Apply for the beta here.
End users: No end-user impact unless their admin enrolls in the beta.

Rollout pace

The betas will start accepting new organizations on a rolling monthly cadence. Eligible customers can now apply to join the beta here. You’ll get more details via email when the beta is available to use.

Availability

Drive labels

Available to Google Workspace Essentials, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Nonprofits customers
Not available to Google Workspace Business Starter, Education Fundamentals, and Frontline, as well as G Suite Basic and Business customers.

Automated classification & DLP integration

Available to Google Workspace Enterprise Standard, Enterprise Plus and Education Plus customers.
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers

Resources

Source: Google Workspace Updates

Get more control over how files can be shared with trust rules for Google Drive beta

What’s changing

Because sharing ideas and information is at the heart of trusted collaboration, it’s critical that you have the ability to powerfully and precisely manage your files. That’s why we’re introducing a beta for trust rules for Google Drive. Trust rules is a new security feature which allows admins to set fine-grained rules defining whom their users can collaborate with in Drive, both within and outside of their organization.

Trust rules will replace the existing “Sharing options” in the Google Drive admin controls. Admins will be able to choose to allow, deny, or display warnings to end-users within specific organizational units (OUs) or groups when they attempt to:

Share Drive files with external users or external domains
Receive Drive files from external users or external domains
Share Drive files with other OUs or groups within the organization
Receive Drive files from other OUs or groups within the organization

Read our announcement blog post to learn more about this beta and our plans for Client-side encryption across Google Workspace. The beta for trust rules for Drive will be rolling out in the coming months and will be available for Google Workspace Enterprise Plus and Education Plus customers. Eligible customers can now apply for the beta here.

Who’s impacted

Admins and end users

Why you’d use it

Trust rules will help Admins to create more sophisticated and secure access policies which help ensure their data is shared with, and accessed by, desired parties. Some examples of how you could use Drive trust rules to better control collaboration include:

Block your internal audit team from sharing files outside of their team.
Warn your finance team when they share files with the sales team to help ensure that sharing is deliberate and thoughtful.
Allow your legal team to share with a specific group of external counsels, but not allow them to share with users outside of that group.
Prevent any users in your organization from receiving files from a specific external domain.

Getting started

Admins: Learn more and apply for the beta here. The beta will start rolling out in the next few months, but once enabled, trust rules can be scoped at the domain, OU, or groups level with coverage of both My Drive and shared drives. If you are accepted into the beta program, you will get more documentation on the feature.
End users: No end-user impact until their admin joins the beta and configures trust rule settings.

Rollout pace

The beta will start rolling out in the next few months, but eligible customers can now apply for the beta here. You’ll get more details via email when the beta is available to use.

Availability

Available to Google Workspace Enterprise Plus and Education Plus customers
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers.

Resources

Source: Google Workspace Updates

New iOS Data Protection setting protects data sharing between Google Workspace and personal Google accounts

What’s changing

We’re adding a new admin setting which restricts data and content sharing between Google Workspace accounts and personal Google accounts in Gmail, Drive, Docs, Sheets, and Slides on iOS.

When the data protection setting is enabled, users can only share or save content–such as files, emails, or copied & pasted content—within Workspace accounts. This will protect users from sharing a file with their personal Google accounts or saving a file to their personal Google Drive.

Who’s impacted

Admins and end users

Why it’s important

Google applications on iOS support multi-user logins, allowing users to access Gmail, Google Drive, Docs, Sheets, and Slides with their personal and Google Workspace accounts. Giving admins the ability to control how data is shared across user accounts helps minimize accidental data sharing. Together with the previously released copy and paste and drag and drop restrictions, these security measures help increase the security of your corporate data on iOS.

Getting started

Admins: This feature will be OFF by default and can be enabled at the OU and domain level. Visit the Help Center to learn more about applying settings for iOS devices.

End users: There is no end user setting for this feature. When enabled by your admin, you will be able to securely share enterprise Google Workspace content between your Google Workspace apps.

Rollout pace

Rapid Release and Scheduled Release domains: This feature is available now for all users.

Availability

Available to Google Workspace Enterprise Standard, Enterprise Plus, and Education Plus customers
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Plus, Frontline, and Nonprofits, as well as G Suite Basic and Business customers

Resources

Google Workspace Admin Help: Apply settings for iOS devices

Source: Google Workspace Updates

Specify which attributes are available for the Secure LDAP client

What’s changing

The Secure LDAP service provides a simple and secure way to connect your LDAP-based applications and services to Cloud Identity or Google Workspace. Admins can now specify which attributes they’d like to make available for the LDAP Client:

System attributes: Default user attributes that are available for all user accounts—for example, Email, Phone, and Address. Note that you can't disable this option.
Public custom attributes: Custom user attributes that are marked as visible to the organization.
Private custom attributes: Custom user attributes that are marked as visible only to the user and administrators. Use caution when using private custom attributes, as you're exposing private information to the LDAP client.

Who’s impacted

Admins and end users

Why it’s important

LDAP clients are in the secure LDAP service, which enables users to access traditional LDAP-based apps and IT infrastructure using their Google Workspace credentials. This new feature gives admins more control over the connections your LDAP-based applications and services interact with Google Workspace and Cloud Identity services.

Additional details

Custom attribute naming requirements and guidelines:

Names for custom attributes can contain only alphanumeric text and hyphens.
There should be no duplicate attribute names across all custom schemas.
If the custom attribute name matches with an existing system attribute, we will return the system attribute value.

Important: If attribute names don't adhere to the above guidelines, the attribute values in question are excluded from the LDAP response.

Getting started

Admins: Visit the Help Center to learn more about the Secure LDAP service, creating custom attributes for user profiles, and configuring access permissions.
End users: No action required.

Rollout pace

Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) May 5, 2021

Availability

Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, and Education Plus, G Suite Enterprise, and Cloud Identity Premium customers
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Frontline, and Nonprofits, as well as G Suite Basic and Business customers

Resources

Source: Google Workspace Updates

Specify which attributes are available for the Secure LDAP client

What’s changing

System attributes: Default user attributes that are available for all user accounts—for example, Email, Phone, and Address. Note that you can't disable this option.
Public custom attributes: Custom user attributes that are marked as visible to the organization.
Private custom attributes: Custom user attributes that are marked as visible only to the user and administrators. Use caution when using private custom attributes, as you're exposing private information to the LDAP client.

Who’s impacted

Admins and end users

Why it’s important

Additional details

Custom attribute naming requirements and guidelines:

Names for custom attributes can contain only alphanumeric text and hyphens.
There should be no duplicate attribute names across all custom schemas.
If the custom attribute name matches with an existing system attribute, we will return the system attribute value.

Important: If attribute names don't adhere to the above guidelines, the attribute values in question are excluded from the LDAP response.

Getting started

Admins: Visit the Help Center to learn more about the Secure LDAP service, creating custom attributes for user profiles, and configuring access permissions.
End users: No action required.

Rollout pace

Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) May 5, 2021

Availability

Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, and Education Plus, G Suite Enterprise, and Cloud Identity Premium customers
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Frontline, and Nonprofits, as well as G Suite Basic and Business customers