Tag Archives: Security and Compliance

New delegated VirusTotal privilege in the Alert Center

What’s changing 

In 2021, we announced an integration between the Alert Center and VirusTotal. At that time, any admin who had the Alert Center privilege could access all VirusTotal reports. Now, we’ve added the ability for admins to control who can view VirusTotal reports. 




Important note: Once this feature is rolled out in your domain, some admins may lose access to VirusTotal. If so, super admins will have to re-provision access by going to Admin Privileges > View VirusTotal Reports.


Who’s impacted 

Admins 


Why you’d use it 

This change will help ensure only those with proper privileges can view VirusTotal reports regarding sensitive data. The VirusTotal integration provides an added layer of investigation on top of existing alerts, empowering admins to take a deeper look into threats and potential abuse, helping them better protect their organization and data. Visit the Help Center to learn more about using VirusTotal reports in the Alert Center.


Additional details 

VirusTotal provides an investigation layer on top of alerts but isn’t being used directly for detection or alerting. No customer information is shared from Google to VirusTotal. 


Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, Education Fundamentals and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Enterprise Essentials, Frontline, and Nonprofits, as well as G Suite Basic and Business customers 

Resources 

Additional one-click recommended actions in the Alert Center

Quick summary 

In the Alert Center, Admins will see new, additional one-click recommended actions for certain events: 

  • Device wipeout: for “device compromised” and “suspicious device activity” alerts. If the admin feels blocking the device is not sufficient to protect the data at risk, they can remotely wipe out the data of the device.

  • Quarantine email: for alerts such as malware detected post delivery, user phishing reported, suspicious message reported, and more. Once in quarantine, admins can take additional actions such as delivering the message to the intended recipient or denying message delivery.

Recommended actions help Admins quickly triage, take action, and remedy various incidents without leaving the Alert Center. To learn more about recommended actions, use this article in our Help Center and see this post on the Google Workspace Updates blog.


Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers 

Resources 

Use context-aware access to help protect Admin console access

Quick summary 

You can now apply contextual access rules to the Admin console. This enables you to control access to the Admin console based on user and device context. For example, you can enable restrictions based on IP, minimum device operating system version, and more. This can improve your security posture and reduce the risk of incorrect access to your Admin console. 


Getting started 


Rollout pace 



Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers. 


Resources 

New beta for data loss prevention helps protect sensitive data when users upload files to external Google Forms

What’s changing 

Previously, users in organizational units (OUs) or groups with active Drive Data Loss Prevention (DLP) policies couldn’t respond to external forms with File Upload questions. 


Now, we’re launching a new beta that will allow users to respond to external forms that contain File Upload questions, while also helping to prevent the leak of sensitive and confidential information. This beta will apply your domain’s existing Drive DLP policies to files that your users submit to Google Forms, without creating new rules or updating any existing ones. 


Admins of eligible customers can express interest in the beta using this form.




Who’s impacted 

Admins and end users 


Why it’s important 

With this launch, end users will be unblocked from responding to Google Forms with File Upload questions across domains. At the same time, DLP gives admins control over what their users can share, and prevents unintended exposure of sensitive information such as credit card numbers or personally identifiable information. 


Getting started 

  • Admins: 
    • Use this form to express interest in the beta. 
    • Once accepted into the beta, Drive DLP rules defined for your domain will be applied to files submitted to File Upload questions in Google Forms. 
    • If you are not using DLP for Drive, you can create DLP rules at the domain, OU, or group level in the Admin console under Security > Data protection. You can apply block, warn or audit actions, consistent with DLP for Drive. Visit the Help Center to learn more about turning data loss prevention in Google Forms on for your organization.
  • End users: 
    • End users can respond to forms as usual, but can now respond to forms outside their domain, including forms that have File Upload questions. 
    • If a form violates Drive DLP rules for their domain, end users may see warnings or be blocked from submitting. 


Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Frontline, and Nonprofits, as well as G Suite Basic and Business customers 


Resources 

Stronger data security and privacy with Google Workspace Client-side encryption, GA support for Drive, Docs, Sheets, and Slides

What’s changing

Last year we announced the beta for Google Workspace Client-side encryption. Now, this feature is generally available for Google Drive, Docs, Sheets and Slides, with support for multiple file types including Office files, PDFs, and more. 
This is a step in our commitment to enable Client-side encryption across Google Workspace, including Gmail, Meet, and Calendar. Follow the Google Workspace Updates blog to be informed on our next milestones on Client-side encryption. 

Who’s impacted 

Admins 

Why it’s important 


Google Workspace already uses the latest cryptographic standards to encrypt all data by default, at rest and in transit between our facilities. Client-side encryption goes beyond this, giving you authoritative control and privacy as the sole owner of private encryption keys and the identity provider used to access those keys. 
This can help you strengthen the confidentiality of your sensitive or regulated data while addressing a broad range of data sovereignty and compliance needs. 
When using Client-side encryption, your data is indecipherable to Google. You can create a fundamentally stronger privacy posture, whether that’s to help your organization comply with regulations like ITAR and CJIS or simply to better protect the privacy of your confidential data. 
Read our announcement blog post to learn our plans for Client-side encryption across Google Workspace.

Additional details 

To enable Client-side encryption, you’ll choose a key access service partner: Flowcrypt, Fortanix, Futurex, Stormshield, Thales, or Virtru. Each of these partners has built tools in accordance with Google’s specifications and provides both key management and access control capabilities. Your partner of choice either holds the key to decode encrypted Google Workspace files or simply provides you with software that allows you to hold the keys on-premise. Either way, Google cannot decipher these files without this key, which Google never has access to. You can also decide to build your own key service implementation using our API specifications.


Client side encryption



Getting started 

Rollout pace 

Availability 

  • Available to Enterprise Plus and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers.  

Resources 

Updated and improved audit logs experience in the Admin console

What’s changing 

We’re updating the user interface for audit logs in the Admin console to allow for richer insights and query-based reporting capabilities. This will bring the experience in line with the security investigation tool and create a more unified reporting experience across the Admin console. 


Some improvements you’ll notice are: 
  • Enhanced search attribute options: We’ve introduced a new search field that will help admins quickly find and apply search attributes. For larger lists (more than 15 items), admins will be able to pin commonly used attributes. 
  • The ability to perform searches in “filter” or “condition builder” mode: 
    • In filter mode, admins can add simple parameter and value pairs, such as viewing externally shared files with sensitive data or external emails with attachments, to filter for search results. 
    • In condition builder mode, admins can view previously applied filters as conditions with AND/OR operators to further refine search results. 
  • New data sources for the investigation tool: We’re expanding our list of data sources to 31 sources — see here for a complete list of data sources.



Who’s impacted 

Admins 


Why it’s important 

We hope this updated and streamlined experience makes it easier for admins to identify, triage, and act on security issues within their organization without having to switch between multiple tools. Additionally, by providing admins with new ways to set and filter for specific search attributes and establish reporting and activity rules, this will make it easier to stay apprised of what’s happening in their organization. 


Additional details 

Admins will no longer be able to export audit log data to CSV files; going forward, it can only be exported to Google Sheets. Additionally, you may notice the renaming and merging of previously existing data sources and other minor UI changes. For a complete list of what’s changing, see this article in our Help Center.

Getting started 


Rollout Pace 


Availability 

  • Available to all Google Workspace customers, as well as legacy G Suite Basic and Business customers 

Resources 

View more information on email delegate activity in the Security Investigation Tool

What’s changing 

Admins can now surface post-delivery actions taken by delegated users in the Security Investigation Tool. Specifically, you can now see if a delegate: 
  • Opened, replied, or marked a message as unread. 
  • Moved a message to the trash or back to their inbox. 
  • Clicked links or attachments. 
  • Downloaded attachments. 




Who’s impacted 

Admins 


Why it’s important 

It’s important to understand the exact user performing actions related to an investigation or audit — this change will give admins greater insight into actions taken by delegated users versus the account owner. 


Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers 

Resources 

Expanded Access Management Controls help support your information governance goals

What’s changing 

Google Workspace Assured Controls enables customers to meet strict regulatory information governance requirements. With Access Management, customers can limit the Google staff who can take support actions related to their data. 

Customers can now use Access Management to set policies that support compliance with the Criminal Justice Information Services (CJIS) standard and the IRS' Publication 1075 (IRS 1075) by restricting access to CJIS-authorized and IRS-1075-authorized personnel within Google. Visit the Help Center to learn more. 

We’ve also extended existing coverage so customers can now apply Access Management Controls to the following applications: 

  • Google Chat 
  • Google Meet 
  • Google Forms 
  • Google Sites 

Visit the Help Center to learn more. 

Finally, we’re adding new information to Access Transparency logs to help you better understand support actions relating to your data. Customers with Access Management policies will see a new field, “Access Management Policy”, that denotes the validated policy at the time of access. All Access Transparency customers will now see a new “On Behalf Of” field that describes the target user of an access. Visit the Help Center to learn more.

For more information on this and other Google Workspace Security launches, see our Cloud Blog post.

Who’s impacted 

Admins 

Why you’d use it 

Some customers in regulated industries, particularly the public sector, have compliance requirements related to cloud service provider access to data. Since Assured Controls is available on Google Workspace’s native platform, you don’t need to move to a separate GovCloud environment for access to these capabilities. This can help reduce costs and complexity, while allowing your organization to benefit from the full set of advanced features that Google Workspace offers. 

Additional Details 

Note that we do not access customer data for any reason other than those necessary to provide support services and fulfill our contractual and legal obligations. 

Getting started 

  • Admins: 
    • Once you’ve purchased the Assured Controls add-on, you can assign licenses and manage the feature at Admin Console > Access Management. Users assigned the policy will have any data owned by them restricted to designated personnel within our support teams. 
    • Access Management is surfaced for logging in the Access Transparency logs.
    • Access Management can also be used to support CJIS and IRS-1075 requirements. 
  • End users: There is no end user impact 

Rollout pace 

These changes will be rolling out by the end of March.

  • Existing Assured Controls customers will automatically have controls applied to the newly available products on any active Access Management policies 
  • New customers should contact their Google account representative to learn more about availability and timing 

Availability 

  • Google Workspace Assured Controls is available as an add-on to Google Workspace Enterprise Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, and Education Plus, as well as G Suite Basic, Business, and Nonprofits customers 

Resources 

New intelligent, content based detection and additional regional security detectors for data loss prevention

What’s changing 

We’re adding 40+ content detectors, which expand the type of content that data loss prevention (DLP) in Drive can scan and detect. 

New intelligent, machine learning based detectors for content inspection of documents, such as: 

  • SEC filings 
  • Legal briefs and court orders 
  • Tax documents 
  • Contracts 
  • Patents 
  • Resumes 
  • Finance Forms 
  • Source codes, system logs, and more. 

These machine learning-based detectors are pre-trained to automatically detect sensitive content, requiring no additional work on the part of the admin. 

Additionally, we’ve added over forty new parameters for regional security, such as: 

  • Auth token 
  • API Keys 
  • Belgium ID 
  • Global VIN
  • Germany TIN 
  • India GST and more.

Visit the Help Center for a complete list of pre-defined detectors for data loss prevention (DLP) in Google Drive.


Adding conditions to define data that you want to scan for


Who’s impacted 

Admins 

Why it’s important 

Admins can use data loss prevention to create and apply rules to control what content your users can share in Google Drive files outside your organization, helping to prevent unintended exposure of sensitive information. 

These additional detectors, along with intelligent scanning, help to further secure your environment and sensitive data. Administrators can enforce policies that restrict external sharing, apply classification labels, prevent uploads, or warn users based on these intelligent detectors. 

Getting started 

  • Admins: This feature can be configured at the domain, OU, or group level within the DLP system at Admin console > Security > Data Protection. Use our Help Center to learn more about creating DLP for Drive rules and custom content detectors and using predefined content detectors. 
  • End users: No action required. 

Rollout pace 

Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard, Education Plus, the Teaching and Learning Upgrade, as well as Cloud Identity Premium customers. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Frontline, and Nonprofits, legacy G Suite Basic and Business customers, and Cloud Identity Free customers. 

Resources 

Categorize content and enhance content protection at scale with Google Drive labels

What’s changing 

Automated classification with Google Workspace DLP and labels-driven sharing restrictions are now generally available. These features were part of a beta we announced last year for enhanced content classification, governance, and data loss prevention (DLP) with Google Drive labels. 

A new Admin console setting can now automatically apply up to 5 labels to all new files your users create, or to all newly created files owned by specific parts of your organization.