Tag Archives: Security and Compliance

Gmail data loss prevention now supports “sensitive content snippets”

What’s changing

We recently launched data loss prevention for Gmail and, beginning today, Admins can see “Sensitive content snippets” for Gmail messages that trigger data loss prevention rules. This content is logged  in the security investigation tool and admins can use the information to better identify security risks, determine whether a false positive was returned, and decide on an appropriate course of action.

Snippets are already available for DLP events for Drive, Chat, and Chrome. Visit our Help Center and our previous announcement for more information.

Matched content and information about the data detector type is displayed in the side panel under ‘Log Details’ in the Security Investigation Tool

Getting started

Rollout pace

Availability

Available to Google Workspace 
  • Frontline Standard
  • Enterprise Standard and Plus 
  • Education Fundamentals, Standard, Plus, and the Teaching and Learning add-on
  • Enterprise Essentials Plus
  • Also available for Chrome Enterprise Premium

Resources


Beta update: Data loss prevention rules based on classification labels are now applied instantly in Gmail on the web

What’s changing

In November 2024, we announced an open beta for data classification labels in Gmail. To further enhance the experience, we’re pleased to announce that auto-classification labeling with data loss prevention (DLP) rules and actions triggered by classification labels detected in the message will now be applied instantly when using Gmail on the web. Previously, users were informed of any implications after messages left the inbox. With this update, the feedback is instant, providing the opportunity to educate users on why their message is classified, blocked or quarantined, and how to remedy the issue to keep their email communications flowing. 

With this new functionality, and with this feature still in an open beta period, we strongly encourage you to continue providing feedback so we can optimize the feature for general availability. You can also use the form to sign-up for feedback sessions with the Google user research team to provide more detailed feedback.




Who’s impacted

Admins and end users

Why it matters
Google Workspace's expansion of data classification labels to Gmail gives admins the ability to mitigate data exfiltration and gain a deeper understanding of shared data based on information type and sensitivity level to apply data protection policies appropriately. Some ways you can use Data Protection Rules with Classification Labels are:

    • Prevent messages based on a specific classification (e.g. Confidential, Internal, NTK) from being accidentally shared with unauthorized users.
      • You can create a rule with specific label(s) as a condition and choose an action to trigger when a message is sent:
        • Warn: users will see a notification that their message may contain sensitive information, helping to prevent accidental sharing. Note that this action does not block the message from being sent.
        • Block: users will be notified that their message will not be sent unless the label is changed or removed (if data organization policy allows).
        • You can also create a rule in a way that allows for sharing labeled messages only if confidential mode is enabled for the message.

    • Enforce classification on every message or specific messages
      • You can create a rule that warns users or blocks the message if a specific classification label is not found in the message. This can help educate users and drive adoption of your organization’s data classification policy among users.
    • Automatically apply classification labels messages if specific information types are found in the message
      • You can create a rule to automatically apply a specific classification label if certain criteria is met. For example, credit card information or medical information are contained within the email. 
      • You can also configure the rule to allow users to modify the label to a more appropriate one based on the situation and data classification policy of your organization.
    For more detailed information, please refer to our beta announcement as well as our Help Center.


    Additional details

    At this time, this update is only supported when using Gmail on the web. Stay tuned for further updates about instantaneous support in Gmail iOS and Android clients.

    Getting started

    Rollout pace

    Availability

    The Label Manager and manual classification is available to Google Workspace:
    • Frontline Starter and Standard
    • Business Standard and Plus
    • Enterprise Standard and Plus
    • Education Standard and Education Plus
    • Essentials, Enterprise Essentials, and Enterprise Essentials Plus


    Data loss prevention rules with labels as a condition or labels as an action are available to:
    • Enterprise Standard and Plus
    • Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
    • Frontline Standard
    • Cloud Identity Premium (with a Workspace Edition that includes Gmail)

    Resources



    Admins can now deploy Context-Aware Access for NotebookLM and NotebookLM Plus

    What’s changing

    Building upon the recent announcement of NotebookLM and NotebookLM Plus becoming available as a Google Workspace core service with enterprise-grade data protection, we’re excited to introduce the ability for admins to specify Context-Aware Access (CAA) policies when their users access NotebookLM and NotebookLM Plus. 

    Context Aware Access support for NotebookLM

    Who’s impacted 

    Admins and end users 


    Why it’s important

    Using Context-Aware Access, admins can set up different access levels for NotebookLM and NotebookLM Plus based on a user’s identity and the context of the request (location, device security status, IP address). This can help provide granular access controls without the need for a VPN, and give users access to Google Workspace resources based on organizational policies. 


    Getting started 


    Rollout pace 


    Availability 

    Context-Aware Access is available for Google Workspace: 
    • Enterprise Standard and Plus 
    • Education Standard and Plus 
    • Enterprise Essentials Plus 
    • Frontline Standard 
    • Cloud Identity Premium 

    Resources 

    Available in beta: Convert your client-side encrypted documents after a Vault or Takeout export

    What’s changing 

    After a Vault or Data export (takeout), admins can now convert their exported client-side encrypted documents to Word files. This allows organizations to maintain ownership over, access to, and analysis of sensitive data in a portable format even after it has been exported from Google Workspace. 


    Eligible Google Workspace admins can use this form to request access to the beta. We’ll share more specific instructions once you’re accepted into the beta.



    Getting started

    • Admins: Client-side encryption can be enabled at the domain, OU, and Group levels (Admin console > Data > Compliance > Client-side encryption). Visit our Help Center to learn more about client-side encryption.

    Rollout pace

    • The feature will be available immediately once you're accepted into the beta.

    Availability

    • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers.

    Resources


    Consent re-confirmation for under 18 users accessing Additional Services will soon be required

    What’s changing

    When a Google Workspace for Education admin chooses to enable Additional Services for students under the age of 18 to use, they acknowledge that they may be required to collect parental or guardian consent. This includes access to services like YouTube, Google Translate, Google Photos, Google Books, Google Earth and more.

    In September 2024, we communicated that we now require admins who have Additional Services enabled for users under the age of 18 to re-review them on an annual basis. Admins are always in control of which services their users have access to, and this gives admins an opportunity to ensure the right users have access to the right services.

    • If admins do not want to provide access to Additional Services for their under 18 users, they can turn them off for those users. 
    • If admins want to keep Additional services enabled for under 18 users, they need to reconfirm parental consent in the admin console.  
    • If admins do not take action, under 18 users who previously had access to Additional Services will lose access in the coming weeks. Admins can re-enable access to Additional Services at any time. 

    How admins can take action
    Admins were first provided notice of this re-confirmation requirement in September 2024, which indicated a 6 months notice to complete the re-review process before the March 2025 rollout. The banner in the admin console has turned red to alert admins that action is required. While the rollout begins in March, it might take several weeks before some users in your organization are impacted.

    You can easily view which applications require consent reconfirmation from Admin console > Apps > Additional Google services. You can re-confirm consent by checking the box next to the app, hovering over the app, or using the three-dot overflow menu. 

    Experience for impacted end users
    If users lose access to a specific service they’ll be notified “Your Google Workspace for Education account is designated as under 18 and your organization’s admin has not granted you access to this Additional Service. To regain access, inform your admin that you need this service to be enabled.“ 



    Who’s impacted

    Admins and end users under the age of 18


    Why it’s important

    Admins are in control of which services their users have access to, and to do so in alignment with both our terms of service and local laws and regulations that determine what services are appropriate for users under 18. Since admins manage which services their students have access to, only they can enable or disable access for their under 18 users. 


    This is a guide to support admins with collecting consent from parents, which includes this template for communicating with parents and guardians around collecting consent. 

    Additional details

    The requirement to review and re-confirm access to Additional Products is an annual requirement customers must complete for their under 18 users, subject to their Google Workspace for Education Terms of Service

    Getting started


    Rollout pace


    Availability

    This change impacts Google Workspace:
    • Education Fundamentals, Standard, and Plus

    Resources




    Export your client-side encrypted documents to Microsoft Word files

    What’s changing 

    Launching in beta, you can now export client-side encrypted Google Docs to Word files. This means you'll continue to own the encryption keys that protect your files to prevent unauthorized access from any third party (including Google or foreign governments) but convert your files as needed. 


    Eligible Google Workspace admins can use this form to request access to the beta. We’ll share more specific instructions once you’re accepted into the beta.

    In Google Docs, navigate to File > Download and decrypt.


    Getting started

    • Admins: Client-side encryption can be enabled at the domain, OU, and Group levels (Admin console > Data > Compliance > Client-side encryption). Visit our Help Center to learn more about client-side encryption.
    • End users: To export your client-side encrypted Google Doc to a Microsoft Word file go to File > Download and decrypt > Microsoft Word (.docx).

    Rollout pace

    • The feature will be available immediately once you're accepted into the beta.

    Availability

    • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers

    Resources

    The Policy API is now generally available with support for auditing more security features

    What’s changing 

    We recently introduced the Policy API in open beta, letting super admins programmatically access information regarding how their Google Workspace environment service level settings and rules are configured. Beginning today, the Policy API is now generally available with more functionality: 

    Admins can now use the API to audit more settings, specifically: 
    • Calendar 
    • Gmail 
    • Multi-factor authentication settings (2-Step Verification) 

    Refer to our developer documentation for a full list of settings that can be audited by the API. 


    Who’s impacted 

    Super admins 


    Why it’s important 

    Simplifying the management of Workspace settings continues to be a priority for us. The Policy API is an important new tool that helps streamline the process by providing a comprehensive view of security settings as needed, eliminating the need to navigate to numerous pages in the Admin console. In forthcoming releases, the Policy API will also include the ability to configure settings. 


    Due to the increasing sophistication and scale of cyber threats, the Cybersecurity & Infrastructure Security Agency’s Secure Cloud Business Applications (SCuBA) project provides guidance to help agencies secure their cloud business application environments. The general availability of Google’s Workspace Policy API marks a significant milestone, enabling CISA to expand Scuba Goggles’ capabilities in assessing Google Workspace environments against CISA’s SCuBA secure configuration baselines. This advancement helps organizations better align with industry-leading security practices while maintaining operational efficiency. 


    ScuBA has published a new release to leverage the GWS Policy API with ScubaGoggles, an automated assessment tool that compares tenant configurations with CISA’s Google Workspace Secure Configuration Baselines.

    Getting started

    • Admins: 
      • You must be a super admin to use the Policy API. Use our developer documentation to learn more about the Policy API.
      • You can also use GAM, an open source tool for managing Workspace, which now supports the Policy API.
    • End users: There is no end user impact or action required.

    Rollout pace


    Availability

    • Available to all Google Workspace customers.

    Resources


    Workspace data loss protection (DLP) for Gmail is now generally available

    What’s changing 

    A big threat organizations must prepare for is the risk of data exfiltration through unwanted and/or unauthorized means. Whether it’s small-scale, unintended sharing, or a larger breach scenario, organizations need powerful defenses to protect themselves from these risks. To that end, we’re pleased to announce that today Data Loss Prevention (DLP) is generally available in Gmail, alongside Drive and Chat.

    DLP is one of the most powerful ways organizations can protect themselves from these risks. With DLP capabilities in Gmail, organizations can identify, monitor, and control the sharing of sensitive data. It works through a series of easy to apply data protection rules that can be implemented to instantly detect sensitive content in outgoing messages, including body content, attachments, headers, and subject lines. 


    Additional details

    How does DLP in Gmail compare to Content Compliance rules?
    To prevent the exfiltration of sensitive data from Gmail, data protection rules with DLP are recommended. These rules offer a rich set of predefined detectors and the ability to build flexible conditions. 


    Additionally, organizations can tailor warning messages based on their organization's data governance requirements, terminology, and processes; these messages will help educate users on their organization's specific security and data protection policies to prevent sharing sensitive content.


    Other features, such as content compliance, can still be used for different purposes, like evaluating inbound messages and routing them internally to relevant departments.


    For more information, please refer to our initial open beta announcement.


    DLP within the Google Workspace ecosystem
    As part of Google Workspace ecosystem, DLP for Gmail comes with capabilities available across other applications, such as Drive and Chat, so admins can configure, implement and investigate Data Loss Prevention incidents using unified tools, such as Security Investigation Tool, or build custom dashboards using unified audit logs or export to BigQuery. 


    Taken together, DLP capabilities across Workspace provide powerful protections for organizations to reduce the risk of data breaches, comply with regulatory requirements, and protect their reputation and intellectual property.


    Getting started

    • Admins: 
      • Data loss prevention rules can be configured at the domain, OU, or group level. DLP rules can be enabled in Gmail in the Admin console under Security > Access and data control > Data protection. Visit the Help Center to learn more about controlling sensitive data shared in Gmail. Note that you can modify existing DLP rules for Drive and Chat to also apply to Gmail. 
      • DLP events can be reviewed in the Security Investigation Tool or Security > Alert Center, if alerts are configured in rules.
      • With DLP for Gmail, data protection rules can be scanned synchronously or asynchronously. Visit our Help Center for more information.
      • For new rules, we recommend starting with “Audit only” mode. This allows you to thoroughly test and monitor the rule's performance and ensure it correctly identifies the intended data without interrupting email flow for users. Once you've validated the rule's behavior and are confident in its accuracy, you can then implement actions such as blocking or warning users as needed.

    • End users: Depending on your admin configuration, you’ll be notified if your message contains information that violates DLP rules.

    Rollout pace


    Availability

    Available to Google Workspace:
    • Enterprise Standard, Enterprise Plus
    • Education Fundamentals, Standard, Plus, and the Teaching & Learning add-on
    • Frontline Standard
    • Cloud Identity Premium customers

    Data classification labels in Gmail are now available on all Android and iOS devices

    What’s changing 

    In November 2024, we launched an open beta for data classification labels in Gmail. Beginning today, data classification labels will be available when using the Gmail app on mobile Android and iOS devices. Expanding data classification labels to mobile enables organizations to protect their data whether their users are sharing and accessing information from desktop devices or from mobile devices in the field or on-the-go.

    Classification labels on mobile when composing a message, reading a message, and a message thread.



    Additionally, these protections provide an automated way to enhance data security. For more information on data classification labels in Gmail, please refer to our original announcement.

    Getting started

    • Admins: 
    • End users: If configured by your admin, you’ll see the “Classification” option when composing a new messaging or replying to or forwarding an existing message on mobile. When you open the menu, you can select labels relevant to your message. Visit the Help Center to learn more about adding classification labels in Gmail.

    Rollout pace



    Availability

    The Label Manager and manual classification is available to Google Workspace:
    • Frontline Starter and Standard
    • Business Standard and Plus
    • Enterprise Standard and Plus
    • Education Standard and Education Plus
    • Essentials, Enterprise Essentials, and Enterprise Essentials Plus

    Data loss prevention rules with labels as a condition or labels as an action are available to:
    • Enterprise Standard and Plus
    • Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
    • Frontline Standard
    • Cloud Identity Premium (in combination with a Workspace Edition eligible for Gmail)

    Resources


    Know who an event is shared with when using shared Google Calendars

    What’s changing 

    Users can have one of the following access permissions for shared Google Calendars
    • “See only free/busy (hide details)” 
    • “See all event details” 
    • “Make changes to events” 
    • “Make changes and manage sharing” 
    The “Make changes to events” permission enables users to create events on shared calendars, but when those events are created, the user does not know which other users the event is shared with. 

    To improve upon experience and ensure users are aware of who they are sharing content with, users with the ability to “Make changes to events” can now see the members of the shared calendar, i.e. who their events are shared with. 

    users with the ability to “Make changes to events” can now see the members of the shared calendar, i.e. who their events are shared with.

    Getting started 

    • Admins: As an admin, you can control how much calendar information people in your organization can share with users external to your organization. You can also set the default level of sharing for users within your organization. Visit the Help Center to learn more about setting Calendar sharing options. 
    • End users: On Calendars with “make changes to events” access permission, you will now see the members of calendars. You can control the access permission of other users for your Calendars only on Calendars with “make changes and manage sharing” access permissions. Visit the Help Center to learn more about sharing your calendar with someone. 
    • Developers: For Calendars where a user has “make changes to events” (aka “writer”) permissions, the Acl.list and Acl.get method will newly return the members of the shared calendar and Acl.watch will notify about changes to members. 

    Rollout pace 


    Availability 

    • Available to all Google Workspace customers, Workspace Individual Subscribers, and users with personal Google accounts 

    Resources