Tag Archives: Security and Compliance

Export search results to .CSV files from the security investigation tool

Quick summary 

In addition to a Google Sheets file, admins can now download log event data from the security investigation tool to as a .CSV file. This will allow admins to further analyze data outside of the tool. The export limit for .CSV files is 100,000 rows.




Note: Sharing permissions for exported Sheets files will default to your domain configuration (meaning, if newly created files are shared with everyone, the exported data will be available to everyone). 


Getting started 


Rollout pace 


Availability 

  • Available to all Google Workspace customers, as well as legacy G Suite Basic and Business customers 

Resources 

VirusTotal integration with the security investigation tool provides deeper insight into Chrome events

What’s changing 

You can now use VirusTotal to view deeper insights on Chrome log events in the Security Investigation Tool. This ability is already available for Gmail event logs



Who’s impacted 

Admins 


Why it’s important 

Admins can use the VirusTotal integration to view more information on Chrome log events, specifically to determine whether any content transfers via Chrome are malicious. 


Additional details 

VirusTotal provides an investigation layer on top of alerts but isn’t being used directly for detection or alerting. 


Data (file attachment hashes) is only shared to VirusTotal after the admin selects to view the VirusTotal report. No data is otherwise shared. 


VirusTotal data is shared with the broader security community. This enables security vendors to collaborate with each other, share important details, and take action to fight security threats. 


The VirusTotal report has two versions: Standard and Enhanced. The Standard version is displayed for admins who have the Security Center > VirusTotal > View report privilege, and who have one of the required Google Workspace editions. The Enhanced version is automatically displayed for paid VirusTotal subscribers who have an active virustotal.com login session with their VT Enterprise user account. Visit the Help Center for more information. 

Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers 

Resources 

Google Workspace Updates Weekly Recap – June 10, 2022

New updates 

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all legacy Google Workspace and G Suite customers. 

Find and insert GIFs faster on Google Chat on iOS Devices 
You can now easily browse, select and insert GIFs while using the Chat iOS mobile app. When enabled by your admin, select the “GIF” icon in the Google Chat compose bar. We hope this makes it easier for you to express yourself when interacting with your colleagues. | Learn more


Set a custom duration for "Do Not Disturb" in Google Chat on web and iOS devices 
You can now set the duration of your "Do Not Disturb" status to a specific date and time. We hope this feature gives you the flexibility to mute notifications the way it best suits you. This feature is now available on web, Android and iOS devices. | Learn more


Previous announcements 

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


New admin controls for access to discoverable spaces in Google Chat 
We’ve added the ability for Admins to set the default for newly created spaces and enable sharing scoped to specific audiences. | Learn more

Available to Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, Education Plus, and Education Standard customers. 


Context-Aware Access remediator provides more context for access denials 
Admins using Context-Aware Access can now provide more information to end users when their access is blocked using the user remediation feature. | Learn more.

Available to Google Workspace Enterprise Plus, Education Plus, and Cloud Identity Premium customers. 


Mark your important tasks with a star in Google Tasks 
You can now mark important tasks with a star in Google Tasks. Additionally, you’ll be able to view or sort your starred items across various tasks lists in the new starred view. | Learn more
 
For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Context-Aware Access remediator provides more context for access denials

What’s changing 

Admins using Context-Aware Access can now provide more information to end users when their access is blocked using the user remediation feature. This feature will help end users quickly understand what steps they need to take to re-access Google Workspace. 


Who’s impacted 

Admins and end users 


Why it’s important 

Context-Aware Access allows admins to assign granular access control policies to apps based on attributes such as user identity, location, device security status, IP address, etc. When a user or device does not meet the requirements, they will be unable to access the respective apps. 


Currently, the only course of action for end users is to contact their admin for further support, which causes unnecessary delay, churn, and support calls. End user remediation will enable admins to provide their users with details about why their access has been denied and what steps need to be taken to restore access. 


Further, once an admin enables remediation, they’ll see a message in the Admin console noting whether remediation is enabled. Each remediation action corresponds to an attribute which is causing access to be denied. Visit the Help Center for a list of the possible remediation actions that may be shown to end users. 


Getting Started 

  • Admins: Admins can apply the new remediation messaging within the Context-aware Access section of the admin UI by navigating to Security > Context-Aware Access > User Message. Visit the Help Center to learn more about allowing users to unblock apps with remediation messages in Context Aware Access. 



  • End Users: End users will see the following message if they try to access a Google Workspace app when access is not allowed. 




Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Plus, and Cloud Identity Premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 

Resources 

Copy your client-side encrypted Google Docs, Sheets, and Slides files

Quick summary 

If you have client-side encryption enabled for Docs, Sheets and Slides, you can now make a copy of an existing encrypted document, spreadsheet or presentation. Encryption will be preserved when copies of the file are made. This feature makes it easier to leverage existing content as a baseline for new encrypted Docs, Sheets, or Slides. 



Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 

Resources 

Add shared drives to specific organizational units

What’s changing 

For select Google Workspace editions, admins can now place shared drives into sub organizational units (OUs). Doing so enables admins to configure sharing policies, data regions, access management, and more at a granular level. 


This feature is available now as an open beta, which means you can use the feature without opting-in to a specific program. 


Who’s impacted 

Admins and end users 


Why it matters 

Currently, all shared drives reside in the “root” OU. As such, all shared drives are subject to the same policies. This update gives admins the option to move shared drives to sub OUs within their organizations, such as Marketing or Legal, which allows for more control over the privacy and security of the shared drive's contents on a case-by-case basis. For example, admins can restrict sharing of a shared drive belonging to the legal department because it contains highly confidential information. Additionally, this also gives admins more flexibility over applying default sub OUs to newly-created shared drives, assuring each new shared drive subject to appropriate security policies. 


With this update admins will have greater control and more options to control how their data is accessed and shared on a case by case basis. 

Getting started 

  • Admins: Admins can assign shared drives to various OUs using the new “Organizational Unit” column found in Apps > Google Workspace > Drive and Docs > Manage Shared Drives. Visit the Help Center to learn more about shared drives and managing shared drive users and activity.





  • End users: There is no end user setting for this feature — the ability to access or share certain files contained in a shared drive will vary. Visit the Help Center to learn more about sharing files in Google Drive

Availability 

  • Available to Google Workspace Essentials, Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard, Education Plus, the Teaching and Learning Upgrade, and Nonprofits customers 
  • Not available to Google Workspace Business Starter, Enterprise Essentials, Frontline, as well as legacy G Suite Basic and Business customers Not available to users with personal Google Accounts 

Send group membership information in outbound SAML responses

Quick launch summary 

We’re adding the ability for admins to configure and send group membership information as part of SAML responses. 


Currently, you are able to configure SSO to send user attributes in the SAML response when a user logs in to an app using SAML SSO. With this launch, admins can configure SSO to send group membership information to the application. Apps can then use these attributes to assess user authorization and to implement other business logic. 

Getting started 






Rollout pace 


Availability 

  • Available to all Google Workspace customers, as well as legacy G Suite Basic and Business customers and Cloud Identity customers 

Resources 

Use Connected Sheets with VPC-SC protected data, improved Cloud Audit Logs for Connected Sheets events

What’s changing 

BigQuery datasets that are behind a perimeter created by VPC Service Controls can now be accessed using Connected Sheets


We’ve also made improvements to the Connected Sheets logging in the Cloud Audit Logs. See the “Additional details” section below for more information. 


Who’s impacted 

Admins and end users 



Why you’d use it 

This change gives VPC Service Controls Admins and Editors the ability to allow members of your organization to access, collaborate on, and generate insights from VPC Service Controls protected data via Connected Sheets. 



Additional details 

By default, Connected Sheets cannot access BigQuery data that is protected by VPC Service Controls; however, VPC Service Controls perimeters can now be configured to allow queries issued through Connected Sheets to succeed. This configuration can only be changed by VPC Service Controls Admins and Editors. 



Improved Connected Sheets logging 
Whenever BigQuery data is accessed in Connected Sheets, entries are recorded for who accessed the data and when in Cloud Audit Logs


Now, the Cloud Audit Logs will additionally include the ID of the spreadsheet that generates the BigQuery data access. Every spreadsheet has a unique ID containing letters, numbers, hyphens, or underscores, which can be found in the Google Sheets URL. Use this documentation to learn more about where to find this additional information in the Cloud Audit Logs. 


Getting started 


Rollout pace 


Availability 

  • Available to all Google Workspace customers Available to users with personal Google Accounts 
  • Not available to legacy G Suite Basic and Business customers

Resources 

Google Workspace Updates Weekly Recap – May 13, 2022

New updates 

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all legacy Google Workspace and G Suite customers. 


New idle status in Google Chat 
In Google Chat on web and Chat in Gmail, you'll see an orange clock badge for users that were recently active in Chat, but aren't currently active. We hope this makes it easier to determine the best time to connect with your colleagues. Visit the Help Center to learn more about availability statuses in Google Chat





Changes to the default Host Management controls in Google Meet for users with personal accounts 
The default setting for Host Management controls is changing for users with personal Google accounts. Previously, Host Management controls were ON by default — going forward, this setting will be OFF by default for new meetings. There are no changes to the behavior for Google Workspace customers or Google Workspace Individual users.



Previous announcements


The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Improved user interface for sharing your working location in Google Calendar
This update improves the working location feature by offering the same functionality for easily entering and updating location information in a more compact format that uses screen space more efficiently. | Learn more here and here

Available to Google Workspace Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Plus, and Nonprofits, as well as G Suite Business customers. 


Easily search for Google Meet content in Google Drive
In Google Drive, you can now use app:”Google Meet” to easily find and organize Meet content such as Meet recordings, meeting transcripts, and more. | Learn more.


Import existing custom themes to new Google Sites
You can now import a custom theme from one new Google Site to another. | Learn more.


Create Spaces and Add Members with the Google Chat API, available in Developer Preview
Using the Google Chat API, you can now programmatically create new Spaces and add members to those Spaces. This functionality is available in preview – developers can apply for access through our Google Workspace Developer Preview Program. | Learn more.


Require email verification to book appointments in Google Calendar
When using appointment scheduling in Google Calendar, you can now opt to have users verify their email before booking an appointment. When enabled, the user must be signed into a Google account or validate their email address using a PIN code to complete the booking. | Learn more.

Available to Google Workspace Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard, Education Plus, the Teaching and Learning Upgrade, and Nonprofits customers.


New delegated VirusTotal privilege in the Alert Center
In 2021, we announced an integration between the Alert Center and VirusTotal. At that time, any admin who had the Alert Center privilege could access all VirusTotal reports. Now, we’ve added the ability for admins to control who can view VirusTotal reports. | Learn more.

Available for Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, Education Standard and Education Plus.


Set up SSO profiles for multiple third-party identity providers with the Multi-IdP SSO beta launch
You can further customize authentication by setting up single sign-on (SSO) profiles for multiple identity providers and then configuring authentication for each group or OU. This feature is available beginning today as an open beta, which means you can use it without enrolling in a specific beta program. | Learn more.


For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Set up SSO profiles for multiple third-party identity providers with the Multi-IdP SSO beta launch

What’s changing 

For over a decade, we have given admins the ability to configure authentication through a third-party identity provider . In 2021, we expanded this capability by making it possible to choose between third-party identity provider or Google authentication for specific groups or organizational units (OUs). 


Now, you can further customize authentication by setting up single sign-on (SSO) profiles for multiple identity providers and then configuring authentication for each group or OU. This feature is available beginning today as an open beta, which means you can use it without enrolling in a specific beta program.


You can now set up SSO profiles for multiple third-party identity providers




Who’s impacted


Admins

Why you’d use it

Currently, you can configure SSO with a third-party identity provider to apply to your entire domain and then require a subset of your users, such as vendors or contractors, to authenticate with Google instead. However, if you have more than one identity provider, you might require greater customization of authentication options. For example, your company might be migrating from one provider to another, or it might have acquired another company that uses a different provider.


The Multi-IdP SSO beta lets you set up SSO profiles for each of your third-party identity providers, giving you the flexibility to specify the authentication method for various users in your organization as needed.

Getting started

  • Admins: In the Admin console, navigate to Security > Settings > Set up single sign-on (SSO) with a third party IdP > Manage SSO Profile assignments. Visit the Help Center to learn more about setting up SSO for your organization.


Go to the Security settings to set up SSO profiles for third-party identity providers

  • End users: There is no end user setting for this feature.

Rollout pace

  • This feature is available now for all users.


Availability

  • Available to Google Workspace Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers
  • Available to all Cloud Identity customers
  • ​​Not available to Google Workspace Essentials customers
  • Not available to users with personal Google Accounts

Resources