Tag Archives: Security and Compliance

Workspace data loss protection (DLP) for Gmail is now generally available

What’s changing 

A big threat organizations must prepare for is the risk of data exfiltration through unwanted and/or unauthorized means. Whether it’s small-scale, unintended sharing, or a larger breach scenario, organizations need powerful defenses to protect themselves from these risks. To that end, we’re pleased to announce that today Data Loss Prevention (DLP) is generally available in Gmail, alongside Drive and Chat.

DLP is one of the most powerful ways organizations can protect themselves from these risks. With DLP capabilities in Gmail, organizations can identify, monitor, and control the sharing of sensitive data. It works through a series of easy-to-apply data protection rules that instantly detect sensitive content in outgoing messages, including body content, attachments, headers, and subject lines.


Additional details

How does DLP in Gmail compare to Content Compliance rules?
To prevent the exfiltration of sensitive data from Gmail, data protection rules with DLP are recommended. These rules offer a rich set of predefined detectors and the ability to build flexible conditions. 


Additionally, organizations can tailor warning messages based on their organization's data governance requirements, terminology, and processes; these messages will help educate users on their organization's specific security and data protection policies to prevent sharing sensitive content.


Other features, such as content compliance, can still be used for different purposes, like evaluating inbound messages and routing them internally to relevant departments.


For more information, please refer to our initial open beta announcement.


DLP within the Google Workspace ecosystem
As part of the Google Workspace ecosystem, DLP for Gmail comes with the capabilities already available in other applications, such as Drive and Chat, so admins can configure, implement, and investigate Data Loss Prevention incidents using unified tools, such as the Security Investigation Tool, or build custom dashboards using unified audit logs or an export to BigQuery.


Taken together, DLP capabilities across Workspace provide powerful protections for organizations to reduce the risk of data breaches, comply with regulatory requirements, and protect their reputation and intellectual property.


Getting started

  • Admins: 
    • Data loss prevention rules can be configured at the domain, OU, or group level. DLP rules can be enabled in Gmail in the Admin console under Security > Access and data control > Data protection. Visit the Help Center to learn more about controlling sensitive data shared in Gmail. Note that you can modify existing DLP rules for Drive and Chat to also apply to Gmail. 
    • DLP events can be reviewed in the Security Investigation Tool or Security > Alert Center, if alerts are configured in rules.
    • With DLP for Gmail, messages can be scanned against data protection rules synchronously or asynchronously. Visit our Help Center for more information.
    • For new rules, we recommend starting with “Audit only” mode. This allows you to thoroughly test and monitor the rule's performance and ensure it correctly identifies the intended data without interrupting email flow for users. Once you've validated the rule's behavior and are confident in its accuracy, you can then implement actions such as blocking or warning users as needed.

  • End users: Depending on your admin configuration, you’ll be notified if your message contains information that violates DLP rules.

Rollout pace


Availability

Available to Google Workspace:
  • Enterprise Standard, Enterprise Plus
  • Education Fundamentals, Standard, Plus, and the Teaching & Learning add-on
  • Frontline Standard
  • Cloud Identity Premium customers

Data classification labels in Gmail are now available on all Android and iOS devices

What’s changing 

In November 2024, we launched an open beta for data classification labels in Gmail. Beginning today, data classification labels will be available when using the Gmail app on mobile Android and iOS devices. Expanding data classification labels to mobile enables organizations to protect their data whether their users are sharing and accessing information from desktop devices or from mobile devices in the field or on-the-go.

Classification labels on mobile when composing a message, reading a message, and a message thread.



Additionally, these protections provide an automated way to enhance data security. For more information on data classification labels in Gmail, please refer to our original announcement.

Getting started

  • Admins: 
  • End users: If configured by your admin, you’ll see the “Classification” option when composing a new message or replying to or forwarding an existing message on mobile. When you open the menu, you can select labels relevant to your message. Visit the Help Center to learn more about adding classification labels in Gmail.

Rollout pace



Availability

The Label Manager and manual classification are available to Google Workspace:
  • Frontline Starter and Standard
  • Business Standard and Plus
  • Enterprise Standard and Plus
  • Education Standard and Education Plus
  • Essentials, Enterprise Essentials, and Enterprise Essentials Plus

Data loss prevention rules with labels as a condition or labels as an action are available to:
  • Enterprise Standard and Plus
  • Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
  • Frontline Standard
  • Cloud Identity Premium (in combination with a Workspace Edition eligible for Gmail)

Resources


Know who an event is shared with when using shared Google Calendars

What’s changing 

Users can have one of the following access permissions for shared Google Calendars:
  • “See only free/busy (hide details)” 
  • “See all event details” 
  • “Make changes to events” 
  • “Make changes and manage sharing” 
The “Make changes to events” permission enables users to create events on shared calendars, but when those events are created, the user does not know which other users the event is shared with. 

To improve the experience and ensure users are aware of who they are sharing content with, users with the ability to “Make changes to events” can now see the members of the shared calendar, i.e. who their events are shared with.


Getting started 

  • Admins: As an admin, you can control how much calendar information people in your organization can share with users external to your organization. You can also set the default level of sharing for users within your organization. Visit the Help Center to learn more about setting Calendar sharing options. 
  • End users: On Calendars with “make changes to events” access permission, you will now see the members of calendars. You can control the access permission of other users for your Calendars only on Calendars with “make changes and manage sharing” access permissions. Visit the Help Center to learn more about sharing your calendar with someone. 
  • Developers: For Calendars where a user has “make changes to events” (aka “writer”) permissions, the Acl.list and Acl.get methods will now return the members of the shared calendar, and Acl.watch will notify about changes to members.
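For developers consuming that Acl.list response, the added example below (not Google's code) summarizes who can read event details on a calendar and flags rules whose scope is an entire domain or the public, which is what a "writer" most needs to know before creating an event. The sample response is constructed to match the Calendar API ACL rule shape (`scope.type`, `scope.value`, `role`); the account names are placeholders.

```python
"""Audit who a shared calendar exposes events to, from an Acl.list response.

Added example, not Google's code. Runs offline on a constructed sample shaped
like the Calendar API Acl.list response: items of kind "calendar#aclRule",
each with a scope {type, value} and a role.
"""
from __future__ import annotations

# Admin console wording -> Calendar API role, per the announcement above.
UI_TO_API_ROLE = {
    "See only free/busy (hide details)": "freeBusyReader",
    "See all event details": "reader",
    "Make changes to events": "writer",
    "Make changes and manage sharing": "owner",
}
# Roles that let the holder read event details (not just free/busy blocks).
DETAIL_ROLES = {"reader", "writer", "owner"}

# Constructed sample response; the addresses are placeholders, not real accounts.
SAMPLE_ACL_RESPONSE = {
    "kind": "calendar#acl",
    "items": [
        {"kind": "calendar#aclRule", "id": "user:owner@example.com",
         "scope": {"type": "user", "value": "owner@example.com"}, "role": "owner"},
        {"kind": "calendar#aclRule", "id": "group:team@example.com",
         "scope": {"type": "group", "value": "team@example.com"}, "role": "writer"},
        {"kind": "calendar#aclRule", "id": "domain:example.com",
         "scope": {"type": "domain", "value": "example.com"}, "role": "reader"},
        {"kind": "calendar#aclRule", "id": "default",
         "scope": {"type": "default"}, "role": "freeBusyReader"},
        {"kind": "calendar#aclRule", "id": "user:ex@example.com",
         "scope": {"type": "user", "value": "ex@example.com"}, "role": "none"},
    ],
}


def summarize_acl(acl_response: dict) -> dict:
    """Return who can read event details and which rules expose them broadly.

    A 'default' scope is the public; a 'domain' scope is every account in that
    domain. Either one with a detail-reading role means a new event is visible
    well beyond the individually named members.
    """
    readers: list[tuple[str, str]] = []   # (who, role) able to read details
    broad: list[str] = []                 # rules exposing details widely
    for rule in acl_response.get("items", []):
        role = rule.get("role", "none")
        if role not in DETAIL_ROLES:
            continue  # 'none' (revoked) and freeBusyReader see no details
        scope = rule.get("scope", {})
        stype = scope.get("type")
        who = "anyone (public)" if stype == "default" else scope.get("value", "?")
        readers.append((who, role))
        if stype in ("domain", "default"):
            broad.append(f"{stype}:{who} has role {role}")
    return {"detail_readers": readers, "broad_exposure": broad}


if __name__ == "__main__":
    report = summarize_acl(SAMPLE_ACL_RESPONSE)
    for who, role in report["detail_readers"]:
        print(f"{who:28} {role}")
    for warning in report["broad_exposure"]:
        print("WARNING:", warning)
```

Re-run the summary whenever an Acl.watch notification arrives so the picture of who sees your events stays current.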

Rollout pace 


Availability 

  • Available to all Google Workspace customers, Workspace Individual Subscribers, and users with personal Google accounts 

Resources 


Better understand app access with the new Access Evaluation log event

What’s changing 

We’re introducing a new log event, Access Evaluation, which will help admins better understand how security policies affect their users' access to OAuth apps. This includes settings and policies such as API controls, endpoint management configurations, domain-wide delegation, and more. The log contains information on the specific policies applied, when access was granted, and the reasoning. Admins can use this information to review their security policies and revise them as needed to protect the sharing of Workspace data with users' apps.

Example of an Access Evaluation log


Getting started

  • Admins: Access Evaluation log events are available in the audit and investigation tool (Menu > Reporting > Audit and investigation > Access Evaluation log events), and in the security investigation tool (Menu > Security > Security center > Investigation tool > Data source > Access Evaluation log events) for specific Google Workspace editions. Visit the Help Center to learn more about Access Evaluation log events.
  • End users: There is no end user impact or action required.

Rollout pace


Availability

  • Available in the audit and investigation tool for all Google Workspace customers.
  • Available in the security investigation tool for Google Workspace:
    • Frontline Standard
    • Enterprise Standard and Plus
    • Education Standard and Plus
    • Enterprise Essentials Plus
    • Cloud Identity Premium

Resources


Prevent the downloading, printing, or copying of files by all users with Enhanced IRM for Google Drive Data-Loss Prevention

What’s changing 

Google Drive’s Information Rights Management (IRM) capability protects documents from data exfiltration actions, specifically downloading, printing, and copying. This is useful for making sure that sensitive content is protected from data leakage. 


Historically, this feature has only been applicable to users with either the “viewer” or “commenter” role, which has left administrators unable to apply the setting to users with either “owner” or “editor” roles. To address this, we’re expanding IRM to be applicable to all users, including file editors and owners, when it is applied by a Data Loss Prevention (DLP) rule.

The new Enhanced IRM action, as seen in the DLP Rule creation flow.



Additional details

When an editor or owner is affected by IRM, they will retain the ability to copy and paste document content, but only within that document. Attempting to paste content outside of the document will not succeed. For more information, please refer to the Help Center content.


Getting started

  • Admins: DLP rules and CAA levels are applied per-file based on how these rules are configured.
  • End users: Only administrators can set IRM for all user roles on a file. File owners may still only set IRM for viewers and commenters. If a file has both an administrator-applied IRM setting and a file owner setting on it, the administrator setting takes priority. Once this feature is enabled, all entry points for downloading, printing, and copying will be removed from Google Drive, Docs, Sheets, and Slides on all platforms. Visit the Help Center to learn more about stopping, limiting, or changing how your files are shared.
A view of the file owner’s IRM setting when an overriding administrator setting is present.

Rollout pace


Availability

  • IRM controls are available for all Google Workspace customers
  • Data Loss Prevention Rules and Context-Aware Access conditions are available for Google Workspace:
    • Enterprise Standard and Plus
    • Education Fundamentals, Standard, Plus, and the Teaching and Learning add-on
    • Frontline Standard
    • Enterprise Essentials and Enterprise Essentials Plus

Resources


Control whether your users can add account recovery information with two new admin settings


What’s changing

We’re launching two new settings that will allow admins to control whether their users can add recovery email information and phone information to their Google Workspace account. 

By default, the ability to add a recovery email or phone number is ON for most Workspace users and K-12 super admins, but it should be noted that:

  • Adding email and phone recovery information is OFF by default for K-12 users. 
  • Phone number recovery collection is always enabled for super admins regardless of whether it’s disabled in the admin console.

Any changes admins make to these settings will overrule the existing organizational unit (OU) settings, except for super admins as stated above.

Security > Account Recovery > Recovery information


Who’s impacted

Admins and end users


Why it’s important

Adding recovery information to an account helps keep users’ accounts secure, recover users’ accounts, and evaluate security-related events, such as risky logins or re-authentication attempts. However, we know that there are a variety of reasons that customers would want to prevent their users from doing so. For example, turning recovery information off can help customers stay compliant with local privacy regulations, such as GDPR. Or admins can opt to add recovery information themselves. This update gives admins the control to decide which configuration makes the most sense for their users.

Getting started


Rollout pace


Availability

  • Available to all Google Workspace customers.

Resources


Available in open beta: Set up Single-Sign On with custom OpenID Connect profiles

What’s changing 

Beginning today, admins have the option to set up a custom OpenID Connect (OIDC) profile for single sign-on (SSO) with Google as their Service Provider. OIDC is a popular method for verifying and authenticating identities; this update gives admins more options for their end users to access cloud applications using a single set of credentials. Previously, only OIDC with the pre-configured Microsoft Entra ID profile was supported, in addition to SAML.

Custom OIDC profiles can be configured in the Admin console under Security > Authentication > SSO with third party IdP



Getting started


Rollout pace


Availability

  • Available for all Google Workspace customers except Google Workspace Essentials Starter customers and Workspace Individual Subscribers.
  • Also available for Cloud Identity and Cloud Identity Premium customers

Resources


Now generally available: the Groups Editor & Groups Reader roles can now be provisioned for specific group types

What’s changing

At the beginning of the year, we launched the ability to assign the Groups Editor and Groups Reader roles for security groups or non-security groups in open beta. Beginning today, this feature is generally available. Groups Admins have access to all groups. The new Groups Editor and Groups Reader roles offer delegated admin permissions for groups, and admins can use conditions to limit their access to sensitive groups as needed.

Getting started: 

Available in open beta: prevent sensitive changes by locking Groups

What’s changing

Admins can now label a Google Group as “Locked,” which heavily restricts changes to group attributes (such as the group name and email address) and memberships. This will help admins who sync their groups from an external source and want to prevent them from getting out of sync, or who want to restrict changes to sensitive groups. This feature is available in open beta, which means no additional sign-up is required.

The Group Details page in the Admin console shows a “Locked” label on the group, with the message “You can’t update this group - it might be managed by an external identity system.”


Who’s impacted

Admins

Why it’s important

If you use third-party tools, like Entra ID, to manage group synchronization, you may encounter inconsistencies when modifications are made to these groups, like adding or removing members, for example. To help address this, we’re introducing the option to “lock” a group, which will prevent modifications within Google Workspace and help maintain synchronization with the external source. 

When a group is locked, only certain admins* can make the following changes:

  • Change the group name, description, email, and alias(es)
  • Change group labels
  • Add or remove members and change member restrictions
  • Change membership roles
  • Delete the group
  • Set up a new membership expiry

When a group is locked, access and content moderation settings are not affected; this includes:

  • Who can post
  • Who can view members
  • Who can contact members
  • Membership removals due to an existing membership expiry
  • Access or content moderation settings

*Super Admins, Group Admins, and Group Editors with a condition that includes “Locked Groups”

Additional details

By default, the changes listed above will be restricted from end users, including group owners and managers of a locked group. If you want to also restrict some admins from making these changes in the Admin Console or APIs, you can assign them the Group Editor role with a condition that excludes locked groups. 

The ability to lock or unlock a group using the “Locked” label is available to Super Admins, Group Admins, or a custom role with the “Manage Locked Label” privilege. Lock a group using the “Locked” group label in the Admin Console, or the Cloud Identity Groups API.


Getting started

Rollout pace

Availability

Available for Google Workspace:
  • Enterprise Standard and Plus
  • Enterprise Essentials Plus
  • Education Standard and Plus
  • Also available to Cloud Identity Premium customers

Resources