Tag Archives: Security and Compliance

Use Directory Sync to replace the domain name for synced users

What’s changing 

Using Directory Sync, admins can automatically replace the domain name for synced users and groups in their Google cloud directory. This means synced Google users and groups can have a different domain name than the domain used in the external directory following a sync. 


Verified domain names within your Google Workspace account can be used to replace user and group domain names. Admins can specify whether the domain change will occur for: 
  • Newly synced users and groups 
  • New and previously synced users and groups 


Directory Sync is available as an open beta, meaning no sign-up is required. See our Help Center to learn more about using Directory Sync and for FAQs.



Simplify and strengthen sign-in by enabling passkeys for your users, available now in open beta

What’s changing

Google Workspace is enabling the use of passkeys as a simpler and safer alternative to passwords for signing in to Google Accounts. Additionally, Workspace admins can now allow users to use passkeys to skip passwords at sign-in for Workspace apps — this feature gives users the option to skip entering their password and sign in with a passkey using a fingerprint, face recognition, or other screen-lock mechanism across phones, laptops, or desktops. 

This feature is available as an open beta, which means admins can use it without enrolling in a specific beta program. 

Passkeys have been designed with user privacy in mind. When a user signs in with a passkey to their Workspace apps, such as Gmail or Google Drive, the passkey can confirm that the user has access to their device and can unlock it with a fingerprint, face recognition, or other screen-lock mechanism. The user’s biometric data is never sent to Google’s servers or to other websites and apps. 


Who’s impacted 

Admins and end users 


Why you’d use it 

Passkeys are a new, passwordless sign-in method that can offer a more convenient and secure authentication experience across websites and apps. Passkeys are based on an industry standard and are available across the popular browsers and operating systems that people use every day, including Android, ChromeOS, iOS, macOS, and Windows. Google’s early data (March - April 2023) shows that passkeys are 2x faster and 4x less error-prone than passwords. 

Passkeys are based on the same public key cryptographic protocols that underpin physical security keys, such as the Titan Security Key, and therefore can be resistant to phishing and other online attacks. In fact, Google research has shown that security keys provide stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication (2FA). For a closer look at how passkeys work under the hood, check out our technical blog post.

Getting started 

  • Admins: Admins can allow users in their organizations to skip passwords at sign-in using a passkey. By default, this setting is off, which means that users can’t skip passwords during sign-in, but can still create and use passkeys as a 2-Step Verification (2SV) method. To allow users to skip passwords, administrators can follow these simple steps in the Admin console. Admins can turn on / off the ability to use passkeys to skip passwords in the Admin console under Security > Passwordless. 
  • End users: If enabled by your admin, you can opt to skip password entry in your account settings.

Availability 

  • Available to all Google Workspace customers and Cloud Identity customers 


Extending client-side encryption to chat messages in Google Meet

What’s changing 

If you’re using client-side encryption for Meet, in-meeting chat will now be supported. As with the audio and video content of your client-side encrypted meetings, all in-meeting chat messages will be encrypted and inaccessible to any third party, including Google. 

Meet already encrypts all of your data at rest and in transit between our facilities — client-side encryption gives users direct control of their encryption keys and the identity service that they choose to authenticate for those keys. For more information, see our original announcement.



Rollout pace

  • Rapid Release domains:  Extended rollout (potentially longer than 15 days for feature visibility) starting on May 24, 2023
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on June 26, 2023

Availability

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers hosting client-side encrypted calls 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, The Teaching and Learning Upgrade, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 


Monitor abuse related events in the Alert Center

What’s changing 

Admins will now receive alerts for abuse-related events in their organization. This includes events related to content that has been marked as abusive and to restrictions placed on user access to apps. 


This update makes it easier for admins to stay on top of abuse within their accounts, and easily take necessary action such as suspending users or restricting access to certain services. 

Admins will be alerted via email of abuse-related events and can find more information in the Alert Center.



Getting started

  • Admins: 
  • End users: There is no end user action required. 


Availability 

  • Available to all Google Workspace customers

New Alert Center notifications for Apple push certificates

What’s changing 

The Apple Push Notification Service (APNS) certificate is a critical component of advanced mobile management for iOS devices. This certificate expires yearly and requires manual renewal. If you don't renew the certificate, your organization’s iOS devices will not be able to access Google Workspace applications after the certificate expires. To help you stay on top of the renewal period and take action in a timely manner, we will: 

Notify you via the Alert Center and email when: 
  • Your certificate is 30, 10, and 1 day from the date of expiration. 
  • Your certificate has expired. 








Getting started 

  • Admins: 
  • End users: There is no end user impact or action required.



Availability 

  • Google Workspace Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, The Teaching and Learning Upgrade, Education Fundamentals, Frontline, and Cloud Identity Premium customers 

Fine tune access to data with additional options for Access Approvals

What’s changing 

In 2022, we introduced Access Approvals, which enables customers to control when Google support personnel can access specific data during support and general maintenance. Beginning today, we’re introducing additional options that provide customers even more control over these data interactions: 
  • Specify: Google support personnel can indicate which specific product data they need access to - for example: Gmail data only, instead of all Workspace Data. 
  • Access duration: Specify a time limit wherein data can be accessed. 
  • Control: Revoke previously granted access if no longer applicable. 
  • Context: Denote the reason an access request was approved or denied, or why a previously approved request was revoked, to streamline the process for future requests.




Who’s impacted

Admins


Why it’s important

We know it’s essential that our customers have visibility and control over their systems and data and how they’re accessed by any third party, including Google. Introducing additional controls for our customers helps ensure that their data is accessed in an explicitly consensual manner that best suits the needs of their business.


Read more about Sovereign Controls for Google Workspace, client-side encryption, data regions, and Access Management capabilities to learn how we provide our customers with solutions for reaching their digital sovereignty goals. 



Availability

  • Access Approvals is part of Google Workspace Assured Controls, which is available as an add-on for Google Workspace Enterprise Plus customers only. For more information, contact your Google account representative. 


Add or remove client-side encryption from a Google Doc

What’s changing 

You can now choose to add client-side encryption to an existing document or remove it from an already encrypted document (File > Make a copy > Add/Remove additional encryption). This update gives you the flexibility to control encryption as your documents and projects evolve and progress.




Availability

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers


Google Workspace Updates Weekly Recap – March 17, 2023

New updates 

There are no new updates to share this week. Please see below for a recap of published announcements. 


Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Introducing new space manager capabilities in Google Chat
Space managers now have additional capabilities to ensure effective conversations take place in spaces: space configuration, member management, and conversation moderation. | Learn more.

External label for Google Meet participants
“External” labels will be available in Google Meet. Users will see a label in the top-left corner of their meeting screen indicating that participants who are external to the meeting host’s domain have joined the meeting. In the people panel, external participants will be denoted with the same icon. | Learn more.

Provide custom Google Meet background images for your users
Admins can now provide a set of images for the background replace feature in Google Meet. This will enable users to easily select an image that properly represents their company's specific brand and style. | Learn more

Improving your security with shorter Session Length defaults
To further improve security for our customers, we are changing the default session length to 16 hours for existing Google Cloud customers. Note that this update refers to managing user connections to Google Cloud services (e.g. Google Cloud console), not connections to Google services (e.g. Gmail on the web). | Learn more



Completed rollouts

The features below completed their rollouts to Rapid Release domains, Scheduled Release domains, or both. Please refer to the original blog post for additional details.



Improving your security with shorter Session Length defaults

What’s changing 

To further improve security for our customers, we are changing the default session length to 16 hours for existing Google Cloud customers. Note that this update refers to managing user connections to Google Cloud services (e.g. Google Cloud console), not connections to Google services (e.g. Gmail on the web). 


For existing customers who have session length configured to Never Expire, we are updating the session length to 16 hours. See below for more information. 




Who’s impacted 

Admins, end users, and developers 


Why you’d use it 

Many apps and services can access sensitive data or perform sensitive actions. Because of this, managing session length is foundational to cloud security and compliance. It ensures that access to the Google Cloud Platform is finite after a successful authentication, which helps deter bad actors should they gain access to credentials or devices.


Additional details 

Google Cloud session controls 
For existing customers who have session length configured to Never Expire, we are updating the session length to 16 hours. This ensures customers do not mistakenly grant an infinite session length to users or apps using OAuth user scopes. After the session expires, users will need to re-enter their login credentials to continue their access. This impacts the following: 

Settings can be customized for specific organizations, and will impact all users within that org. This is a timed session length that expires the session regardless of the user's activity. When choosing a session length, admins have the following options:
  • Choose from a range of predefined session lengths, or set a custom session length between 1 and 24 hours. 
  • Configure whether users need just a password, or require a Security Key to re-authenticate.


Third-party SAML identity providers and session length controls 
If your organization uses a third-party SAML-based identity provider (IdP), the cloud sessions will expire, but the user may be transparently re-authenticated (i.e. without actually being asked to present their credentials) if their session with the IdP is valid at that time. This is working as intended, as Google will redirect the user to the IdP and accept a valid assertion from the IdP. To ensure that users are required to re-authenticate at the correct frequency, evaluate the configuration options on your IdP and review the Help Center article to Set up SSO via a third party Identity provider.
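
A small simulation, added here and not part of the Google post, of how the 16-hour cloud session length interacts with a third-party IdP session as the paragraph above describes. The session durations are constructed values, and the model assumes both sessions start at the same moment.

```javascript
// Added example, not from the Google post. All durations are in hours.

// Model one user over `horizonHours`: each time the Google Cloud session
// expires, Google redirects to the IdP. The IdP only asks for credentials
// when its own session has lapsed as well; otherwise it returns a fresh
// assertion and the user is re-authenticated transparently.
function simulateReauth({ cloudSessionHours, idpSessionHours, horizonHours }) {
  const events = [];
  let cloudExpiry = cloudSessionHours; // both sessions start at t = 0
  let idpExpiry = idpSessionHours;
  while (cloudExpiry <= horizonHours) {
    const t = cloudExpiry;
    const prompted = t >= idpExpiry;     // IdP session gone: credentials required
    if (prompted) idpExpiry = t + idpSessionHours;
    events.push({ t, prompted });
    cloudExpiry = t + cloudSessionHours; // a new cloud session starts either way
  }
  return events;
}

// How often the user actually types credentials, which is what a policy of
// "re-authenticate every N hours" is usually meant to guarantee.
function credentialPromptsPerWeek(cloudSessionHours, idpSessionHours) {
  return simulateReauth({ cloudSessionHours, idpSessionHours, horizonHours: 168 })
    .filter((e) => e.prompted).length;
}

// Constructed cases: the 16 h cloud setting is the same in each, only the
// IdP session length changes.
function sessionDemo() {
  return {
    weekLongIdp: credentialPromptsPerWeek(16, 168), // IdP keeps its session a week: no prompts
    dayLongIdp: credentialPromptsPerWeek(16, 24),   // prompts land every 32 h, not 16 or 24
    shortIdp: credentialPromptsPerWeek(16, 8),      // IdP shorter than cloud: every expiry prompts
  };
}
```

The cloud expiries still happen every 16 hours in all three cases; only the IdP configuration decides whether any of them turn into a credential prompt.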


Trusted applications
Some apps are not designed to gracefully handle the re-authentication scenario, which can cause confusing app behavior. Other apps are deployed for server-to-server purposes via user credentials — because they don’t require service account credentials, they are not prompted to periodically re-authenticate.

If you have specific apps like this, and you do not want them to be impacted by session length reauthentication, the org admin can add these apps to the trusted list for your organization. This will exempt the app from session length constraints, while implementing session controls for the rest of the apps and users within the organization.


Getting started

  • Admins: For customers who have their session length set to "Never Expire", your session length will reset to 16 hours. It can be turned off or modified at the OU level. Visit the Help Center article to learn how to set session length for Google Cloud services for your organization.  
  • End users: If a session ends, users will simply need to log in to their account again using the familiar Google login flow. 

Availability

  • Available to all Google Workspace and Cloud Identity customers, as well as legacy G Suite Basic and Business customers

Client-side encryption for Gmail is now generally available

What’s changing 

Beginning today, client-side encryption for Gmail is generally available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. For customers currently enrolled in the beta, your experience will not change. 




Workspace already encrypts data at rest and in transit by using secure-by-design cryptographic libraries. Client-side encryption takes existing encryption capabilities to the next level by ensuring that customers have sole control over their encryption keys—and thus complete control over access to their data. For more information, read the latest Workspace blog and our original beta announcement.

Getting started 

  • Admins
  • End users: Once enabled by your Workspace admin, to add client-side encryption to any message, click the lock icon and select additional encryption, then compose your message and add attachments as normal. 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 
  • Not available to users with personal Google Accounts 
