Tag Archives: Security and Compliance

Use Key Migration to change or add key services for Client-side encryption

What’s changing 

As we continue to expand Client-side encryption (CSE) across Google Workspace products, we’re introducing Key Migration, which allows admins to enable additional key services or change their existing key service. In both cases, built-in controls ensure key migrations are performed safely, with support for backup key services and potential rollbacks. These ensure encrypted data remains inaccessible to Google and fidelity is maintained through the migration process.




Who’s impacted 

Admins 


Why it’s important 

Client-side encryption gives admins direct control of their encryption keys and the identity service that they choose to authenticate for those keys. Google never has access to the keys, rendering the data indecipherable, which may help organizations meet regulatory compliance in many regions. 


This update gives admins the flexibility to perform key rotations that best suit their organizational policies—including having different key services—or resolve key service availability issues. Customers can add a new key, assign it to an organizational unit or group, and migrate any content encrypted by the previous key to be encrypted by the new key. During this migration process, the new key is backed up by an existing key as a safeguard mechanism. Once customers are confident in their new key and have completed any migrations, they can remove the backup key.


Additionally, this release provides more granular control for our customers in maintaining their encryption keys by accommodating situations where they may choose to switch key service providers, move from on-premise to a managed service, and migrate encrypted content. 


Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers 

Resources

Trust rules in Google Drive now generally available

What’s changing 

In July 2022, we announced an open beta for trust rules in Google Drive. Beginning today, this feature will become available for eligible Google Workspace customers. 

Trust rules give admins more control over how files can be shared, both within and outside of their organization. For example, admins can limit what specific departments can access versus other parts of their organization. See our original announcement for more information. 



Getting started 

  • Admins: Eligible Admins can enable this feature in the Admin console by going to Rules > Turn on trust rules. Visit the Help Center to learn more about trust rules.


  • End users: Your Admin’s trust rules will determine who you can share and collaborate with on Drive files.

Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Enterprise Standard, Education Plus, and Education Standard Customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers 

Resources 

Google Workspace Updates Weekly Recap – October 28, 2022

New updates 

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all Google Workspace and G Suite customers. 



New keyboard shortcuts for Keep
In continuing our efforts to provide a top-class user experience on large screen devices, we’re releasing updated keyboard shortcuts for Keep on Android that better align with the web experience. | View the full list of shortcuts and learn more here

Enhancing spell check in Google Docs
Words whose spelling is not recognized will now be underlined in red, even if there is no suggestion. When you click on such a word, you'll see it labeled as an "unknown word" -- from here you can choose to add the word to your personal dictionary or ignore the suggestion. This improvement will highlight more potential spelling errors - helping you write correctly and with confidence. Note that this feature is only available in English at this time. | Learn more.

Improved hearing aid support for Google Meet on Android
We’ve expanded Google Meet hearing aid support on Android devices to recognize a wider variety of hearing aid devices. Meet will automatically default to using hearing aid support when they’re connected. You can also select hearing aids during a meeting from the audio settings menu. If the hearing aid has a built-in microphone, this microphone will be used. If it doesn’t, the mobile phone or tablet microphone will be used.

Previous announcements


The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.



Use built-in mail merge tags like @firstname to personalize multi-send emails
We’ve launched the ability to personalize multi-send emails with mail merge tags like @firstname and @lastname. | Available to Google Workspace Business Standard, Business Plus, Enterprise Starter, Enterprise Standard, Enterprise Plus, Education Plus, and Workspace Individual customers only. | Learn more.


Stronger Admin console protection with risk-based re-authentication challenges
In August 2022, we announced strengthened safeguards for sensitive actions taken in your Google Workspace end users’ accounts. Specifically, this update protected users from bad actors taking over accounts via cookie theft. Beginning this week, we’re extending this protection to the Admin console. | Learn more.


Custom emojis coming to Chat
We’re making emojis even more expressive and personalized by allowing people to create custom emojis. Everyone in an organization can view and use custom emojis uploaded by their colleagues in Chat messages and reactions. | Learn more


Save time by adding in grading category information before exporting Google Assignments in Google Classroom
Starting this week, teachers can include grading category information when exporting Google Classroom assignments to the SIS. | Available to Education Fundamentals, Education Plus, Education Standard, the Teaching and Learning Upgrade, and Aspen and Skyward 2.0 (SaaS Customers Only) SIS customers only. | Learn more.


Create and manage AppSheet databases, available in public preview
AppSheet is Google’s platform for building and deploying end-to-end apps and automation without writing code. As we continue to enhance and streamline app creation, we’re introducing a built-in structured database in public preview. | Available to Google Workspace Enterprise Plus customers, as well as those with an AppSheet license. | Learn more


Configure App Access Control for third-party applications in bulk
You can now use the CSV file of accessed and configured apps to specify the status of each app—trusted, blocked, or limited—and upload the file back into the Admin console for updates. | Available to Google Workspace Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus, Education Standard, the Teaching and Learning Upgrade, Frontline, and Nonprofits, legacy G Suite Basic and Business, and Cloud Identity Pro customers only. | Learn more.





For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).


Configure App Access Control for third-party applications in bulk

What’s changing 

Currently, you can download and view a CSV file with information on accessed and configured apps. Now, you can use that CSV file to specify the status of each app—trusted, blocked, or limited—and upload the file back into the Admin console for updates. 





In the Admin console, under Security > API Controls > App Access Controls, you’ll see the option to “Bulk update list”. 


Controlling how apps across your organization access Google Workspace data is critical to the security of your end users and sensitive data. This change makes it easier for Admins to set these policies in bulk, versus taking these actions individually, which can be time consuming. 


Getting started 


Rollout pace


Availability 

  • Available to Google Workspace Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus, Education Standard, the Teaching and Learning Upgrade, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 
  • Available to Cloud Identity Pro customers 
  • Not available to Google Workspace Essentials customers 

Resources 

Stronger Admin console protection with risk-based re-authentication challenges

What’s changing 

In August 2022, we announced strengthened safeguards for sensitive actions taken in your Google Workspace end users’ accounts. Specifically, this update protected users from bad actors taking over accounts via cookie theft. Beginning today, we’re extending this protection to the Admin console.


Currently, the Admin console prompts users to re-authenticate every hour. We are extending our current protections with additional signals to detect potential cookie theft. If a risky session is detected, we will issue extra challenges such as mobile notifications or the use of a security key. Once the user has successfully verified, they’ll be directed back to the admin page they came from. 



Who’s impacted 

Admins 


Why it’s important 

This added layer of security helps to intercept bad actors who have gained access to the Admin console using a stolen cookie. Cookie theft is a session hijacking technique whereby accounts can be accessed by exploiting cookies stored in the browser. 


The additional “Verify it’s you” challenges help ensure only authorized users are accessing your organization’s sensitive information and data, preventing bad actors from taking damaging actions. Further, these challenge attempts will be logged as Admin log events, allowing for further admin investigation.



Additional details 

To avoid situations where a bad actor has a cookie that marks a device as trusted, admins can configure a device to be trusted based upon login. 




If an admin gets legitimately stuck trying to access the Admin console, other admins can temporarily turn off login challenges, including additional log-in challenges. We strongly recommend only using this option if contact with the user is credibly established, such as via a video call. 



Getting started 


Rollout pace 


Availability 

  • Available to all Google Workspace customers, as well as legacy G Suite Basic and Business customers 

Resources

Google Workspace Client-side encryption beta expanded to include Google Calendar

This announcement was made at Google Cloud Next ’22. Visit the Cloud Blog to learn more about the latest Google Workspace innovations for the ever-changing world of work.



What’s changing 

In 2021, we announced Google Workspace Client-side encryption to help customers strengthen the confidentiality of their data while helping to address a broad range of data sovereignty and compliance requirements. 


Since then, we’ve made this feature available for Google Meet, Drive, Docs, Sheets, and Slides, with support for multiple file types including Office files, PDFs, and more. Today, we’re happy to announce the beta for Client-side encryption for Google Calendar. When using Client-side encryption for Calendar events, your event description, attachments, and Meet data are indecipherable to Google servers. You have control over encryption keys and the identity service to access those keys.


Google Workspace Enterprise Plus, Education Plus, and Education Standard customers are eligible to apply for the beta here until November 11, 2022. 

Who’s impacted 

Admins and end users 


Why it’s important 

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. With Client-side encryption, we’re taking this a step further by giving customers direct control of encryption keys and the identity provider used to access those keys. This can help you strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs. 


When using Client-side encryption, your event description, attachments, and Meet data are indecipherable to Google. You can create a fundamentally stronger privacy posture, whether that’s to help your organization comply with regulations like ITAR and CJIS or simply to better protect the privacy of your confidential data.


Getting started 

  • Admins: This feature will be OFF by default and can be enabled at the domain, OU, and Group levels by going to the Admin console > Security > Access and data control > Client-side encryption. Visit the Help Center to learn more about client-side encryption.
  • End users: 
    • You will need to be logged in with your Identity Provider to have access to encrypted content.
    • To add encryption to any event in Calendar, click on the shield icon at the top of the event creation card. This will add encryption to event description, attachments, and Meet, while other items such as event title, time, and guests remain on standard encryption.

Availability 

  • Available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 
  • Not available to users with personal Google Accounts 

Resources 

Preview or download client-side encrypted files with Google Drive on Android and iOS

Quick summary 

Admins for select Google Workspace editions can update their client-side encryption configurations to include Drive Android and iOS. When enabled, users can preview or download client-side encrypted files. This feature is available for file types supported by Google Drive, including Microsoft Office and PDF files. Google Docs, Sheets, and Slides are not yet supported.




Support for Google identity on Drive Android & Drive iOS will be introduced in a future release — we will provide an update on the Workspace Updates blog at that time.


Getting started 


Rollout pace 


Availability 

  • Admins — Configure client-side encryption for Google Drive Android and iOS: Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers
  • End users — Preview or download client-side encrypted files with Google Drive Android and iOS: Available to all Google Workspace customers, as well as legacy G Suite Basic and Business customers

Resources 


Google Workspace Updates Weekly Recap – October 14, 2022

New updates 


There are no new updates to share this week. Please see below for a recap of published announcements. 


Previous announcements


The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.



In-room meeting participants can now join break out rooms 
When using Google Meet Hardware devices, meeting hosts can now assign conference rooms to breakout rooms. | Available to Google Workspace Essentials, Business Standard, Business Plus, Enterprise Starter, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Plus, the Teaching and Learning Upgrade, Frontline, and Nonprofits customers only. | Learn more


Transcribe speech during Google Meet calls into a Google Doc 
You can now transcribe a Google Meet video meeting into a Google Doc. The transcribed file is saved in the host’s “Meet Recordings” folder in Google Drive, similar to meeting recordings. | Available to Google Workspace Business Standard, Business Plus, Enterprise Starter, Enterprise Standard, Enterprise Plus, Education Plus, and the Teaching and Learning Upgrade customers only. | Learn more


Use SIP Link to link phone numbers from local carriers to Google Voice 
For Google Voice Standard and Premier customers, admins can now connect a Session Initiation Protocol (SIP) trunk with Voice. This allows phone numbers (PSTN services) from local carriers to be used for Google Voice through a secure set of certified Session Border Controllers (SBCs), such as Audiocodes, Cisco, Oracle, and Ribbon. | Available with Voice Standard and Voice Premier licenses only. | Learn more


Preview and interact with files using smart chips in Google Sheets 
As an extension of smart canvas, you can now add Google Drive files directly into a Google Sheet as a smart chip. | Learn more


Expanding smart chips to include events in Google Sheets 
In addition to the recent announcement of adding files to Google Sheets using smart chips, we're also making it easier for you to quickly insert Calendar events into Sheets. | Learn more


Join or start a meeting directly from Jamboard on the web to kickstart collaboration 
We’re expanding interoperability with Google Meet and Jamboard with the option to join or start a meeting directly from Jamboard on the web. This makes it easier for you to seamlessly present your jam and start collaborating. | Learn more


Data loss prevention for Google Chat now generally available 
Over the next several weeks, data loss prevention (DLP) rules for Google Chat will become generally available for select Google Workspace editions. Data protection rules for Chat help admins and security experts build a stronger framework around sensitive data to prevent personal or proprietary information from ending up in the wrong hands. | Learn more

Improve your visibility in Google Meet video calls
Google Meet can now automatically frame your video before joining a meeting to help ensure equal visibility for all participants. The automatic framing happens only once, so there are no motion distractions that can divert attention from the content of the meeting. | Available to Google Workspace Business Standard, Business Plus, Enterprise Essentials, Enterprise Starter, Enterprise Standard, Enterprise Plus, Education Plus, Education Teaching and Learning Upgrade, and Workspace Individual customers with eligible devices. Also available to Google One subscribers with 2TB or more storage space with eligible devices. | Learn more

For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Data loss prevention for Google Chat now generally available

This announcement was made at Google Cloud Next ’22. Check out Next OnAir to tune into the livestream or watch session recordings following the event. Visit the Cloud Blog to learn more about the latest Google Workspace innovations for the ever-changing world of work.


What’s changing

In July 2022, we announced data loss prevention (DLP) rules for Google Chat as an open beta. Over the next several weeks, this feature will become generally available for select Google Workspace editions. 


Data protection rules for Chat help admins and security experts build a stronger framework around sensitive data to prevent personal or proprietary information from ending up in the wrong hands. These leaks, whether accidental or malicious, are a top concern for our customers. 


Admins can selectively apply data protection rules to: 
  • Messages in group conversations, spaces, and/or direct messages 
  • Messages between internal and/or external participants 
  • Message text and/or attachments 

Once DLP rules are applied, messages and files in relevant conversations will automatically be scanned for sensitive information. Admins can configure the action to be taken in response to sensitive data being detected, such as: block from sending, warn before sending, and log for audit. 


In the Security Investigation Tool, we’ve added tabs that contain more information on incidents: Incident Details, which contains information about the message, the sender, and the triggered rule, and Chat Transcript, which shows the messages preceding and following the triggering one to provide detailed context for investigation.

Additional information regarding Chat events

Getting started 

  • Admins: 
    • This feature will be OFF by default and can be enabled at the domain, OU, or group level. You can create DLP rules in the Admin console under Security > Data Protection
      • Note: You can modify existing DLP rules for Drive and Chrome to also apply to Chat. 
    • Visit the Help Center to learn more about turning data loss prevention in Chat on for your organization
    • If admins opt to log these events, they can be accessed in the Security Investigation Tool
  • End users: There is no action required. 

Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus customers
  • DLP for Chat is also available to Cloud Identity Premium users who are also licensed for Workspace editions that include Google Chat and Audit and investigation. Visit the Help Center for more information. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 

Resources