Tag Archives: Security and Compliance

Add shared drives to specific organizational units

What’s changing 

For select Google Workspace editions, admins can now place shared drives into sub organizational units (OUs). Doing so enables admins to configure sharing policies, data regions, access management, and more at a granular level. 


This feature is available now as an open beta, which means you can use it without opting in to a specific program. 


Who’s impacted 

Admins and end users 


Why it matters 

Currently, all shared drives reside in the “root” OU, so every shared drive is subject to the same policies. This update gives admins the option to move shared drives to sub OUs within their organization, such as Marketing or Legal, which allows for more control over the privacy and security of a shared drive's contents on a case-by-case basis. For example, admins can restrict sharing of a shared drive belonging to the legal department because it contains highly confidential information. Additionally, admins gain more flexibility in applying default sub OUs to newly created shared drives, ensuring each new shared drive is subject to appropriate security policies from the moment it is created. 


With this update, admins have greater control over how their data is accessed and shared on a case-by-case basis. 

Getting started 

  • Admins: Admins can assign shared drives to various OUs using the new “Organizational Unit” column found in Apps > Google Workspace > Drive and Docs > Manage Shared Drives. Visit the Help Center to learn more about shared drives and managing shared drive users and activity.





  • End users: There is no end user setting for this feature — the ability to access or share certain files contained in a shared drive will vary. Visit the Help Center to learn more about sharing files in Google Drive.

Availability 

  • Available to Google Workspace Essentials, Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard, Education Plus, the Teaching and Learning Upgrade, and Nonprofits customers 
  • Not available to Google Workspace Business Starter, Enterprise Essentials, Frontline, as well as legacy G Suite Basic and Business customers 
  • Not available to users with personal Google Accounts 

Send group membership information in outbound SAML responses

Quick launch summary 

We’re adding the ability for admins to configure and send group membership information as part of SAML responses. 


Currently, you are able to configure SSO to send user attributes in the SAML response when a user logs in to an app using SAML SSO. With this launch, admins can configure SSO to send group membership information to the application. Apps can then use these attributes to assess user authorization and to implement other business logic. 
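How an application consumes these attributes on the service-provider side, as an added example (not Google's code and not a captured Google response): the sample assertion, the attribute name "groups" and the group-to-role mapping are all assumptions for illustration; use whatever attribute name you configured in the SAML app's attribute mapping. The point a practitioner should take from it is that the group values are only trustworthy after the assertion's XML signature has been verified against the IdP certificate, and that the values must be read from the signed Assertion element rather than from anywhere else in the response.

```python
"""Read group-membership attributes from a SAML assertion on the service-provider side."""
import xml.etree.ElementTree as ET
from typing import List, Set

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for this example (not a captured Google response).
# The attribute name "groups" is an assumption: use your configured mapping.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2022-05-13T10:00:00Z">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>legal@example.com</saml:AttributeValue>
      <saml:AttributeValue>app-admins@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Legal</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical application-side mapping from IdP group to application role.
ROLE_BY_GROUP = {
    "app-admins@example.com": "admin",
    "legal@example.com": "editor",
}


def attribute_values(assertion_xml: str, name: str) -> List[str]:
    """Return every AttributeValue of the named attribute, in document order.

    A multi-valued attribute (one value per group) is the normal case for groups.
    """
    root = ET.fromstring(assertion_xml)  # ElementTree does not resolve external entities
    values: List[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def roles_for(assertion_xml: str, signature_valid: bool, group_attr: str = "groups") -> Set[str]:
    """Map the asserted groups to application roles.

    signature_valid is the outcome of XML-Signature verification of this
    assertion against the IdP certificate, performed by your SAML library
    before this point. Attributes from an unverified assertion are never trusted.
    """
    if not signature_valid:
        raise PermissionError("assertion signature not verified")
    groups = attribute_values(assertion_xml, group_attr)
    # Unknown groups grant nothing; a missing attribute yields an empty role set.
    return {ROLE_BY_GROUP[g] for g in groups if g in ROLE_BY_GROUP}
```

Because the role set is derived only from groups present in the mapping, a user who is removed from a group on the Google side loses the corresponding role at their next login, and an unexpected or misspelled group value fails closed.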

Getting started 






Rollout pace 


Availability 

  • Available to all Google Workspace customers, as well as legacy G Suite Basic and Business customers and Cloud Identity customers 

Resources 

Use Connected Sheets with VPC-SC protected data, improved Cloud Audit Logs for Connected Sheets events

What’s changing 

BigQuery datasets that are behind a perimeter created by VPC Service Controls can now be accessed using Connected Sheets. 


We’ve also made improvements to the Connected Sheets logging in the Cloud Audit Logs. See the “Additional details” section below for more information. 


Who’s impacted 

Admins and end users 



Why you’d use it 

This change gives VPC Service Controls Admins and Editors the ability to allow members of your organization to access, collaborate on, and generate insights from VPC Service Controls protected data via Connected Sheets. 



Additional details 

By default, Connected Sheets cannot access BigQuery data that is protected by VPC Service Controls; however, VPC Service Controls perimeters can now be configured to allow queries issued through Connected Sheets to succeed. This configuration can only be changed by VPC Service Controls Admins and Editors. 



Improved Connected Sheets logging 
Whenever BigQuery data is accessed in Connected Sheets, entries are recorded in Cloud Audit Logs for who accessed the data and when. 


Now, the Cloud Audit Logs will additionally include the ID of the spreadsheet that generates the BigQuery data access. Every spreadsheet has a unique ID containing letters, numbers, hyphens, or underscores, which can be found in the Google Sheets URL. Use this documentation to learn more about where to find this additional information in the Cloud Audit Logs. 
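One use of that extra field is to tie BigQuery data-access entries back to specific spreadsheets, for instance a watch list of sheets known to query sensitive datasets. The following is an added example, not Google's code: the log entries are constructed, and the key path in SHEET_ID_PATH where the spreadsheet ID sits inside an entry is an assumption for this example, so take the real field name from the Cloud Audit Logs documentation linked above. The URL parsing follows the page's description of the ID (the segment after /spreadsheets/d/, made of letters, digits, hyphens and underscores).

```python
"""Correlate Connected Sheets audit-log entries with the spreadsheets that issued them."""
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# A spreadsheet ID is the path segment after /spreadsheets/d/ in a Sheets URL.
SHEET_ID_RE = re.compile(r"/spreadsheets/d/([A-Za-z0-9_-]+)")
ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Assumed location of the spreadsheet ID inside a log entry (see lead-in).
SHEET_ID_PATH = ("protoPayload", "metadata", "connectedSheets", "spreadsheetId")

# Constructed sample entries (JSON lines): two queries from one sheet, one from
# another sheet, and one direct BigQuery query that carries no spreadsheet ID.
SAMPLE_LOG_LINES = [
    '{"timestamp": "2022-05-10T09:12:00Z", "protoPayload": {"authenticationInfo": '
    '{"principalEmail": "alice@example.com"}, "metadata": {"connectedSheets": '
    '{"spreadsheetId": "1Abc_Def-GHI"}}}}',
    '{"timestamp": "2022-05-10T09:40:00Z", "protoPayload": {"authenticationInfo": '
    '{"principalEmail": "carol@example.com"}, "metadata": {"connectedSheets": '
    '{"spreadsheetId": "1Abc_Def-GHI"}}}}',
    '{"timestamp": "2022-05-10T11:00:00Z", "protoPayload": {"authenticationInfo": '
    '{"principalEmail": "bob@example.com"}, "metadata": {"connectedSheets": '
    '{"spreadsheetId": "2Sec-ret_99"}}}}',
    '{"timestamp": "2022-05-10T12:30:00Z", "protoPayload": {"authenticationInfo": '
    '{"principalEmail": "dave@example.com"}, "metadata": {}}}',
]


def sheet_id_from_url(url: str) -> Optional[str]:
    """Extract the spreadsheet ID from a Google Sheets URL, or None for other URLs."""
    m = SHEET_ID_RE.search(url)
    return m.group(1) if m else None


def sheet_id_from_entry(entry: dict) -> Optional[str]:
    """Walk SHEET_ID_PATH; return None when the entry did not come from a sheet."""
    node = entry
    for key in SHEET_ID_PATH:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) and ID_RE.match(node) else None


def accesses_by_sheet(lines: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group (principal, timestamp) pairs by spreadsheet ID; entries without one are skipped."""
    out: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        entry = json.loads(line)
        sid = sheet_id_from_entry(entry)
        if sid is None:
            continue
        who = entry.get("protoPayload", {}).get("authenticationInfo", {}).get("principalEmail", "?")
        out[sid].append((who, entry.get("timestamp", "")))
    return dict(out)


def accesses_to_watched(lines: Iterable[str], watched_urls: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Keep only accesses to spreadsheets on a watch list given as Sheets URLs."""
    watched = {sheet_id_from_url(u) for u in watched_urls} - {None}
    return {sid: acc for sid, acc in accesses_by_sheet(lines).items() if sid in watched}
```

Entries with no spreadsheet ID are direct BigQuery access rather than Connected Sheets access, so they are deliberately left out of the per-sheet view instead of being lumped under an empty key.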


Getting started 


Rollout pace 


Availability 

  • Available to all Google Workspace customers 
  • Available to users with personal Google Accounts 
  • Not available to legacy G Suite Basic and Business customers

Resources 

Google Workspace Updates Weekly Recap – May 13, 2022

New updates 

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all legacy Google Workspace and G Suite customers. 


New idle status in Google Chat 
In Google Chat on web and Chat in Gmail, you'll see an orange clock badge for users that were recently active in Chat but aren't currently active. We hope this makes it easier to determine the best time to connect with your colleagues. Visit the Help Center to learn more about availability statuses in Google Chat.





Changes to the default Host Management controls in Google Meet for users with personal accounts 
The default setting for Host Management controls is changing for users with personal Google accounts. Previously, Host Management controls were ON by default — going forward, this setting will be OFF by default for new meetings. There are no changes to the behavior for Google Workspace customers or Google Workspace Individual users.



Previous announcements


The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Improved user interface for sharing your working location in Google Calendar
This update improves the working location feature by offering the same functionality for easily entering and updating location information in a more compact format that uses screen space more efficiently. | Learn more here and here

Available to Google Workspace Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Plus, and Nonprofits, as well as G Suite Business customers. 


Easily search for Google Meet content in Google Drive
In Google Drive, you can now use app:"Google Meet" to easily find and organize Meet content such as Meet recordings, meeting transcripts, and more. | Learn more.


Import existing custom themes to new Google Sites
You can now import a custom theme from one new Google Site to another. | Learn more.


Create Spaces and Add Members with the Google Chat API, available in Developer Preview
Using the Google Chat API, you can now programmatically create new Spaces and add members to those Spaces. This functionality is available in preview – developers can apply for access through our Google Workspace Developer Preview Program. | Learn more.


Require email verification to book appointments in Google Calendar
When using appointment scheduling in Google Calendar, you can now opt to have users verify their email before booking an appointment. When enabled, the user must be signed into a Google account or validate their email address using a PIN code to complete the booking. | Learn more.

Available to Google Workspace Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard, Education Plus, the Teaching and Learning Upgrade, and Nonprofits customers.


New delegated VirusTotal privilege in the Alert Center
In 2021, we announced an integration between the Alert Center and VirusTotal. At that time, any admin who had the Alert Center privilege could access all VirusTotal reports. Now, we’ve added the ability for admins to control who can view VirusTotal reports. | Learn more.

Available for Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, Education Standard and Education Plus.


Set up SSO profiles for multiple third-party identity providers with the Multi-IdP SSO beta launch
You can further customize authentication by setting up single sign-on (SSO) profiles for multiple identity providers and then configuring authentication for each group or OU. This feature is available beginning today as an open beta, which means you can use it without enrolling in a specific beta program. | Learn more.


For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Set up SSO profiles for multiple third-party identity providers with the Multi-IdP SSO beta launch

What’s changing 

For over a decade, we have given admins the ability to configure authentication through a third-party identity provider. In 2021, we expanded this capability by making it possible to choose between third-party identity provider or Google authentication for specific groups or organizational units (OUs). 


Now, you can further customize authentication by setting up single sign-on (SSO) profiles for multiple identity providers and then configuring authentication for each group or OU. This feature is available beginning today as an open beta, which means you can use it without enrolling in a specific beta program.


You can now set up SSO profiles for multiple third-party identity providers




Who’s impacted


Admins

Why you’d use it

Currently, you can configure SSO with a third-party identity provider to apply to your entire domain and then require a subset of your users, such as vendors or contractors, to authenticate with Google instead. However, if you have more than one identity provider, you might require greater customization of authentication options. For example, your company might be migrating from one provider to another, or it might have acquired another company that uses a different provider.


The Multi-IdP SSO beta lets you set up SSO profiles for each of your third-party identity providers, giving you the flexibility to specify the authentication method for various users in your organization as needed.

Getting started

  • Admins: In the Admin console, navigate to Security > Settings > Set up single sign-on (SSO) with a third party IdP > Manage SSO Profile assignments. Visit the Help Center to learn more about setting up SSO for your organization.


Go to the Security settings to set up SSO profiles for third-party identity providers

  • End users: There is no end user setting for this feature.

Rollout pace

  • This feature is available now for all users.


Availability

  • Available to Google Workspace Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers
  • Available to all Cloud Identity customers
  • Not available to Google Workspace Essentials customers
  • Not available to users with personal Google Accounts

Resources

New delegated VirusTotal privilege in the Alert Center

What’s changing 

In 2021, we announced an integration between the Alert Center and VirusTotal. At that time, any admin who had the Alert Center privilege could access all VirusTotal reports. Now, we’ve added the ability for admins to control who can view VirusTotal reports. 




Important note: Once this feature is rolled out in your domain, some admins may lose access to VirusTotal. If so, super admins will have to re-provision access by going to Admin Privileges > View VirusTotal Reports.


Who’s impacted 

Admins 


Why you’d use it 

This change will help ensure only those with proper privileges can view VirusTotal reports regarding sensitive data. The VirusTotal integration provides an added layer of investigation on top of existing alerts, empowering admins to take a deeper look into threats and potential abuse, helping them better protect their organization and data. Visit the Help Center to learn more about using VirusTotal reports in the Alert Center.


Additional details 

VirusTotal provides an investigation layer on top of alerts but isn’t being used directly for detection or alerting. No customer information is shared from Google to VirusTotal. 


Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, Education Fundamentals and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Enterprise Essentials, Frontline, and Nonprofits, as well as G Suite Basic and Business customers 

Resources 

Additional one-click recommended actions in the Alert Center

Quick summary 

In the Alert Center, Admins will see new, additional one-click recommended actions for certain events: 

  • Device wipeout: for “device compromised” and “suspicious device activity” alerts. If the admin feels blocking the device is not sufficient to protect the data at risk, they can remotely wipe the data on the device.

  • Quarantine email: for alerts such as malware detected post delivery, user phishing reported, suspicious message reported, and more. Once in quarantine, admins can take additional actions such as delivering the message to the intended recipient or denying message delivery.

Recommended actions help admins quickly triage, take action, and remedy various incidents without leaving the Alert Center. To learn more about recommended actions, use this article in our Help Center and see this post on the Google Workspace Updates blog.


Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers 

Resources 

Use context-aware access to help protect Admin console access

Quick summary 

You can now apply context-aware access rules to the Admin console. This enables you to control access to the Admin console based on user and device context. For example, you can enable restrictions based on IP address, minimum device operating system version, and more. This can improve your security posture and reduce the risk of unauthorized access to your Admin console. 


Getting started 


Rollout pace 



Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers. 


Resources 

New beta for data loss prevention helps protect sensitive data when users upload files to external Google Forms

What’s changing 

Previously, users in organizational units (OUs) or groups with active Drive Data Loss Prevention (DLP) policies couldn’t respond to external forms with File Upload questions. 


Now, we’re launching a new beta that will allow users to respond to external forms that contain File Upload questions, while also helping to prevent the leak of sensitive and confidential information. This beta will apply your domain’s existing Drive DLP policies to files that your users submit to Google Forms, without creating new rules or updating any existing ones. 


Admins of eligible customers can express interest in the beta using this form




Who’s impacted 

Admins and end users 


Why it’s important 

With this launch, end users will be unblocked from responding to Google Forms with File Upload questions across domains. At the same time, DLP gives admins control over what their users can share, and prevents unintended exposure of sensitive information such as credit card numbers or personal identifiable information. 


Getting started 

  • Admins: 
    • Use this form to express interest in the beta. 
    • Once accepted into the beta, Drive DLP rules defined for your domain will be applied to files submitted to File Upload questions in Google Forms. 
    • If you are not using DLP for Drive, you can create DLP rules at the domain, OU, or group level in the Admin console under Security > Data protection. You can apply block, warn or audit actions, consistent with DLP for Drive. Visit the Help Center to learn more about turning data loss prevention in Google Forms on for your organization.
  • End users: 
    • End users can respond to forms as usual, but can now respond to forms outside their domain, including forms that have File Upload questions. 
    • If a form violates Drive DLP rules for their domain, end users may see warnings or be blocked from submitting. 
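To make the block/warn/audit distinction concrete, here is an added example of the kind of content detector a DLP rule runs over an uploaded file, written for this page and not Google's DLP implementation. It looks for the credit card numbers the announcement mentions: a run of 13 to 19 digits is only a candidate, and the Luhn mod-10 check is what separates a payment card number from an invoice or phone number, which is how a detector keeps the false-positive rate low enough for a block action to be usable. The sample texts and the action semantics (block rejects, warn allows after a warning, audit allows and only logs) are assumptions for the example.

```python
"""Content-detector logic of the kind a DLP rule applies to an uploaded file."""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or hyphens, not glued
# to surrounding digits or hyphens.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return candidate digit runs that pass the length and Luhn checks, separators removed."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def evaluate_upload(text: str, action: str) -> Dict[str, object]:
    """Apply a rule action to the scan result of one submitted file.

    block: submission rejected on a match; warn: allowed after the user is
    warned; audit: allowed, the match is only logged.
    """
    matches = find_card_numbers(text)
    hit = bool(matches)
    if action == "block":
        allowed, warn = not hit, False
    elif action == "warn":
        allowed, warn = True, hit
    elif action == "audit":
        allowed, warn = True, False
    else:
        raise ValueError(f"unknown action {action!r}")
    return {"allowed": allowed, "warn": warn, "logged": hit, "matches": matches}


if __name__ == "__main__":
    # Constructed sample: one real-format test PAN and one 13-digit invoice number.
    sample = "Card 4111 1111 1111 1111 charged against invoice 1234567890123"
    for action in ("block", "warn", "audit"):
        print(action, evaluate_upload(sample, action))
```

Note that the audit action still records the match, so rolling a new rule out as audit first, then switching it to warn or block once the hit rate looks right, gives you the false-positive data before any user is blocked.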


Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Frontline, and Nonprofits, as well as G Suite Basic and Business customers 


Resources 

Stronger data security and privacy with Google Workspace Client-side encryption, GA support for Drive, Docs, Sheets, and Slides

 What’s changing 

Last year we announced the beta for Google Workspace Client-side encryption. Now, this feature is generally available for Google Drive, Docs, Sheets and Slides, with support for multiple file types including Office files, PDFs, and more. 
This is a step in our commitment to enable Client-side encryption across Google Workspace, including Gmail, Meet, and Calendar. Follow the Google Workspace Updates blog to be informed on our next milestones on Client-side encryption. 

Who’s impacted 

Admins 

Why it’s important 


Google Workspace already uses the latest cryptographic standards to encrypt all data by default, at rest and in transit between our facilities. Client-side encryption goes beyond this, giving you authoritative control and privacy as the sole owner of private encryption keys and the identity provider used to access those keys. 
This can help you strengthen the confidentiality of your sensitive or regulated data while addressing a broad range of data sovereignty and compliance needs. 
When using Client-side encryption, your data is indecipherable to Google. You can create a fundamentally stronger privacy posture, whether that’s to help your organization comply with regulations like ITAR and CJIS or simply to better protect the privacy of your confidential data. 
Read our announcement blog post to learn our plans for Client-side encryption across Google Workspace.

Additional details 

To enable Client-side encryption, you’ll choose a key access service partner: Flowcrypt, Fortanix, Futurex, Stormshield, Thales, or Virtru. Each of these partners has built tools in accordance with Google’s specifications and provides both key management and access control capabilities. Your partner of choice either holds the key to decode encrypted Google Workspace files or simply provides you with software that allows you to hold the keys on-premises. Either way, Google cannot decipher these files without this key, which Google never has access to. You can also decide to build your own key service implementation using our API specifications.


Client side encryption



Getting started 

Rollout pace 

Availability 

  • Available to Enterprise Plus and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers.  

Resources