Tag Archives: Security and Compliance

HIPAA and additional ISO certifications for the Gemini app on web and mobile

What's changing

We’re pleased to announce the attainment of HIPAA, ISO 27701, 27017, 27018, 9001, and 42001 certifications for the Gemini app on web and mobile. These certifications give customers the peace of mind that data (including personally identifiable, financial and medical information) submitted to or generated by the Gemini app will be handled in accordance with recognized security controls and privacy frameworks.

With these certifications, Gemini for Workspace and the Gemini app each have a comprehensive set of safety, privacy and security certifications internationally recognized by regulatory and compliance bodies.

The achievement of ISO 42001, the world's first international standard for Artificial Intelligence Management Systems (AIMS), certifies that Gemini has been developed, deployed, and maintained responsibly with appropriate ethical considerations, data governance, and transparency. To date, no other generative AI offering for productivity and collaboration has met this level of recognition, showing that Gemini is the first in the industry ready to support businesses and public sector organizations while benefiting all users.






Rollout pace

  • Available now

Availability

Available for Google Workspace customers with these add-ons:
  • Gemini Business
  • Gemini Enterprise
  • Gemini Education
  • Gemini Education Premium

Available for Google Workspace customers accessing the Gemini app as a core service with these editions:
  • Business Starter, Business Standard, Business Plus
  • Enterprise Starter, Enterprise Standard, Enterprise Plus
  • Frontline Starter, Frontline Standard
  • Essentials, Enterprise Essentials, Enterprise Essentials Plus
  • Google Workspace for Nonprofits
  • Education Standard, Education Plus

Adding granular control options for who can respond to Google Forms

What’s changing

Last year, we introduced a beta that gives Google Forms creators more granular control over who can respond to their forms via sharing settings.

Previously, form creators had two sharing options: restrict responses to users within their domain (and trusted domains) or make forms public (i.e. anyone with the URL can respond). 

With this new option, now generally available, form creators can limit response access to specific users, groups, or target audiences—similar to how file owners can restrict the sharing of Google Docs, Sheets, Slides or Sites in Drive. 





Who’s impacted 

Admins, end users and developers 


Why you’d use it 

This feature is useful in any scenario where you’d like to control who can respond to a form. For example, business leaders can better collect feedback from specific organizational units and prevent other teams or organizational units from responding to the form. Similarly, teachers can use this to ensure a quiz is only accessible to select students who receive the link.


Getting started 

  • Admins: There is no admin control for this feature. 
  • End users: 
    • Form creators must publish their form to enable responders to view the form or submit a response. 
    • Form creators can see who has access to the form and share response access to specific users, groups, or target audiences. 
    • Visit the Help Center to learn more about publishing & sharing your form with responders.



Availability 

  • Available to all Google Workspace customers and users with personal Google Accounts 
    • Note: The target audiences feature mentioned above is only available for the Google Drive, Docs and Chat services. Supported editions for this feature on Drive, Docs & Chat include: Business Plus, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, Enterprise Essentials and Enterprise Essentials Plus. Supported editions for this feature on Drive & Docs only include: Business Standard, Nonprofits and G Suite Business.


Available in beta: Convert your client-side encrypted spreadsheets after a Vault or Takeout export

What’s changing

After a Vault or Data export (Takeout), admins can now convert their exported client-side encrypted spreadsheets to Excel files. This allows organizations to keep accessing and analyzing sensitive data in a portable format even after it has been exported from Google Workspace.

Eligible Google Workspace admins can use this form to request access to the beta. We’ll share more specific instructions once you’re accepted into the beta.


Getting started

  • Admins: Client-side encryption can be enabled at the domain, OU, and Group levels (Admin console > Data > Compliance > Client-side encryption). Visit our Help Center to learn more about client-side encryption.



Availability

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers



Now generally available: configure third-party apps by select API scopes

What’s changing 

Earlier this year, we launched in open beta the ability to configure third-party apps by select API scopes. Beginning today, this feature is generally available.


This update gives admins more granular control. They can limit third-party app access to specific OAuth 2.0 scopes for Google APIs, like Drive or Gmail. This prevents apps from gaining additional access without admin consent, even if they request new API scopes in the future. This helps ensure data access is restricted to only what admins deem necessary.





Availability

  • Available to all Google Workspace customers, as well as Cloud Identity Free and Premium customers




Now generally available: Policy visualization across Google Docs, Sheets, Slides, Vids and Drive

What’s changing 

Earlier this year, we introduced a beta for policy visualization across Google Docs, Sheets, Slides, and Drive. Today, we’re excited to announce this is now generally available. As a result, users who are interacting with policy-protected content, such as content covered by data loss prevention (DLP) rules or trust rules, will now be informed about what actions are prevented by those policies.

For example, if a user is interacting with a document affected by DLP-enforced information rights management (IRM) and a trust rule, they will see a shield icon and side panel that informs them of the restricted actions. 




Who’s impacted

End users 


Why it matters 

With this update, users will be made aware when an action they are taking is disabled on a document, spreadsheet, presentation or file due to data protection controls.


Getting started

  • Admins: There is no admin control for this feature. 
  • End users: 
    • Any user will be able to see policy visualization if relevant restrictions apply to them. Security limitations can be applied by owners of a document, shared drive policies, or admin policies. 
    • A shield icon will automatically appear when security controls are present. Users can open the side panel to view all restrictions, either using the shield icon or by going to File > Security limitations. 
    • Visit the Help Center to learn more about Policy Visualization and the policies themselves.


Availability

  • Available to all Google Workspace customers, Workspace Individual Subscribers, and users with personal Google accounts


Google Workspace Updates Weekly Recap – November 8, 2024

4 New updates

Unless otherwise indicated, the features below are available to all Google Workspace customers, and are fully launched or in the process of rolling out. Rollouts should take no more than 15 business days to complete if launching to both Rapid and Scheduled Release at the same time. If not, each stage of rollout should take no more than 15 business days to complete.




Import data into group chats using the Google Chat API 
In September, we introduced a feature through the Google Workspace Developer Preview Program that enables developers to create group chats in import mode using the spaces.create method when migrating to Google Chat from other messaging platforms. This week, we’re excited to announce that this is now generally available for Google Workspace developers. | Rollout to Rapid Release domains and Scheduled Release domains is complete. | Available to all Google Workspace customers. | Learn more about import mode.


Search for and reuse pre-defined queries from BigQuery in Connected Sheets
Currently, users can define saved queries in BigQuery Studio and notebooks, but they cannot reuse those queries in Connected Sheets without copy/pasting them. This week, we’re excited to announce that users can now search for and reuse pre-defined queries directly from BigQuery to load Connected Sheets data. To do so, go to Connection Settings > Edit connection > Saved queries and query editor and search for your query by project. | Rolling out now to Rapid Release and Scheduled Release domains at an extended rollout pace (potentially longer than 15 days for feature visibility), with expected completion by December 6, 2024. | Available to all Google Workspace customers, Workspace Individual Subscribers, and users with personal Google accounts. | Visit the Help Center to learn more about writing & editing a query and getting started with BigQuery data in Google Sheets.



Launching to beta: Import sensitive Microsoft Word documents as client-side encrypted Google Docs. 
Beginning this week, eligible customers can import and convert sensitive Microsoft Word files into Google Docs with client-side encryption. When collaborating with external and internal stakeholders, you may find yourself working across both Google Docs and Microsoft Word. This update keeps your work moving by layering interoperability on top of the confidentiality benefits of client-side encryption: customers are in direct control of their encryption keys and the identity service that they choose to authenticate for those keys. Eligible Google Workspace admins can use this form to request access to the beta. | Available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. | Visit the Help Center to learn more about client-side encryption. More specific instructions will be shared once you’re accepted into the beta. 


Select Google Chat settings can now be applied at the group level 
Admins can now apply the following Google Chat settings at the group level: 
While these settings can also be configured at the Organizational Unit (OU) level, this update provides more granular control for admins. This is critical for our customers, who frequently request more flexibility in how they configure settings based on the various needs of their users. | Rollout to Rapid Release domains and Scheduled Release domains is complete. | Available to all Google Workspace customers.


Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


View in-meeting chat messages in Google Meet live streams 
Starting this week, when you’re viewing a Google Meet live stream, you will be able to see chat messages that are sent by participants who have joined via the meeting link. | Learn more about in-meeting chat messages in Meet live streams. 


Now generally available: use Gemini in the side panel of Workspace apps in seven additional languages 
Beginning this week, select users can use Gemini in the side panel of Google Docs, Google Sheets, Google Drive, and Gmail, in seven additional languages: French, German, Italian, Japanese, Korean, Portuguese and Spanish. | Learn more about additional Gemini languages. 


Announcing general availability of Google Vids: Our new AI-powered video creation app for work to help tell stories across your organization 
Earlier this year, we announced Google Vids, the newest productivity app in our suite of Google Workspace products. Vids is an AI-powered video creation app for work designed to help teams in customer service, learning and development, project ops and marketing tell more engaging stories at work through video. This week, we’re excited to announce the general availability of Google Vids for select Workspace editions. | Learn more about Vids


Google Vids is now available for Google Workspace for Education, providing easy video creation for teaching and learning 
Earlier this year, we announced Google Vids would soon empower educators and students to easily create and collaborate with video. This week, we’re excited to announce the general availability of Google Vids for Education Plus and Gemini for Workspace customers. | Learn more about Vids for EDU.


Introducing a refreshed library of high-quality Google Slides templates that elevate your presentations
We’re introducing a new collection of modern, professionally designed templates in Google Slides to help users build presentations much faster. These new templates cater to a wide range of use cases that provide users with the perfect starting point for their presentations. | Learn more about Slides templates.


Expanding access to the Gemini app for teen students in education
Google Workspace for Education admins can now turn on the Gemini app with added data protection as an additional service for their teen users (ages 13+ or the applicable age in your country) in the following languages and countries. | Learn more about the Gemini app for teen students in education.


Completed rollouts

The features below completed their rollouts to Rapid Release domains, Scheduled Release domains, or both. Please refer to the original blog posts for additional details.


Rapid Release Domains: 
Scheduled Release Domains: 
Rapid and Scheduled Release Domains: 

Paused rollouts

We have paused the rollout for this feature while we evaluate performance and quality. We will provide an update with new rollout information as soon as possible.

For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).  

Data classification labels for Gmail are now available in open beta

What’s changing

In addition to Google Drive, we’re expanding data classification labels to now include Gmail. Classification labels are used to classify and audit content according to organizational guidelines (“Sensitive”, “Confidential”, etc.) and apply policies, such as data loss prevention (DLP) rules, to protect sensitive information in email messages. Classification labels will be available when using Gmail on the web – support for Gmail on mobile devices will be introduced in the coming months.

Who’s impacted

Admins and end users

Why it’s important

Data breaches are increasingly common and costly across all sectors, including enterprises, the public sector, and government institutions. To minimize data exfiltration and better understand the data being shared, organizations need to differentiate between various types of information and their sensitivity levels, and apply data protection policies accordingly. By expanding data classification labels to Gmail, Google Workspace provides admins with a more flexible and robust system integrated with data protection capabilities to help organizations effectively categorize and protect sensitive information.

Specifically, admins can create:

  • New classification labels, or extend existing labels already enabled in Drive to Gmail, from the Label Manager. Labels can be used to denote department names, document types, document status, and other custom categories.

The Label Manager tool can be accessed in the Admin console by going to Security > Access and data control.


  • Data protection rules with classification label as a condition, to apply actions to a message based on its classification. For example, a message will be blocked if it’s classified as ‘Internal’ and is being sent to an external recipient.
Notification about delivery failure due to DLP policy, blocking messages labeled as ‘Confidential’ from being sent to recipients outside of the organization




  • Data protection rules to automatically apply classification labels to a message, based on its content. For example, a ‘Confidential’ label can be applied to a message if it contains sensitive financial information, such as credit card or bank account numbers.
Data protection rule with ‘Apply a label’ action. The classification label specified in the rule will be applied to a message if the message contains information matching the conditions of the rule

  • DLP rules with Confidential Mode as a condition, to prevent sending messages with sensitive information if they are not encrypted (Confidential Mode is not enabled).
Data protection rule set up to detect messages with sensitive information (credit card or passport numbers) and confidential mode disabled, in order to enforce sending such information with enhanced protection measures





  • End users can view and apply Classification Labels when using Gmail on the web.
Users can apply classification labels to a message, according to the organization’s data governance policies



Additional details

  • When data loss prevention (DLP) rules for Gmail use classification labels either as a condition or as an action, messages are scanned asynchronously. This means that the message is classified, blocked or quarantined after it leaves the sender's mailbox and before it is dispatched to the recipient. In a future release, we plan to provide synchronous support with instant notifications, consistent with our synchronous support of instant DLP enforcement for Gmail.

Note that:
    • If the message is blocked as a result of the classification label applied to it, the sender will get a bounce back message.
    • If the message is automatically labeled by a DLP rule, the sender will not see the label reflected in the sent message. The recipient will see the automatically applied label the same way as any other classification label applied manually by the sender.

  • Only Badged options list and Multiple Options list (Single select) field types are supported in Gmail. If a classification label is enabled for use in both Gmail and Drive and contains fields that are not supported in Gmail, such as date or persona, Gmail users will see the label only with fields of the supported types.

Getting started

  • Admins: 
  • End users: If configured by your admin, you’ll see the “Classification” option when composing a new message or replying to an existing message. When you open the menu, you can select labels relevant to your message. We'll share the end user Help Center article on Monday, November 3, 2024.



Availability

  • The Label Manager and manual classification are available to Google Workspace:
    • Frontline Starter and Standard
    • Business Standard and Plus
    • Enterprise Standard and Plus
    • Education Standard and Education Plus
    • Essentials, Enterprise Essentials, and Enterprise Essentials Plus

  • Data loss prevention rules with labels as a condition or labels as an action are available to:
    • Enterprise Standard and Plus
    • Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
    • Frontline Standard
    • Cloud Identity Premium (in combination with a Workspace Edition eligible for Gmail)







FedRAMP High authorization for Gemini for Workspace

What’s changing

As recently announced, we submitted our package to obtain FedRAMP High authorization for Gemini for Workspace, including the Gemini app. A FedRAMP High certification assures federal agencies in the United States that a cloud service provides the highest level of protection for their most sensitive data, enabling them to confidently leverage cloud technologies for critical operations.


Additional details

  • Our current FedRAMP submission does not include Data Location. We’re targeting FedRAMP High with Data Location at a later date.
  • The package is pending review by the Joint Authorization Board (JAB), which does not provide guidance on review timelines. Refer to the FedRAMP compliance page to view a copy of our submission.


Availability

Available for Google Workspace customers with these add-ons:
  • Gemini Business
  • Gemini Enterprise
  • Gemini Education
  • Gemini Education Premium

Available for Google Workspace customers accessing the Gemini app as a core service with these editions:
  • Business Starter, Business Standard, Business Plus
  • Enterprise Starter, Enterprise Standard, Enterprise Plus
  • Frontline Starter, Frontline Standard
  • Essentials, Enterprise Essentials, Enterprise Essentials Plus
  • Google Workspace for Nonprofits
  • Education Standard, Education Plus

Context Aware Access insights and recommendations are now generally available

What’s changing

We’re making it easier to apply context-aware access (CAA) policies with new insights and recommendations. We’ll proactively surface potential security gaps and suggest pre-built CAA levels that admins can deploy to remediate them. These insights will be surfaced to customers who have not deployed any CAA policies to their users. When you deploy a recommendation, it will first be placed in Monitor Mode, so you can understand how the policy will block user access over time; this can be reviewed in the CAA audit logs.

With this release, we’ve also added the ability for admins to customize the recommendations as they see fit before they’re applied broadly. Additionally, we’ll send primary admins an email on a quarterly basis with insights and actionable recommendations.




Who’s impacted

Admins

Why it’s important

Using Context-Aware Access, admins can set up different access levels based on a user’s identity and the context of the request (location, device security status, IP address). This can help provide granular access controls without the need for a VPN, and give users access to Google Workspace resources based on organizational policies. Insights and recommendations help admins improve the cybersecurity posture of their organization by proactively identifying areas that need attention, significantly reducing the need for admins to identify these risks themselves. For example, if we detect devices with outdated operating system versions accessing corporate Workspace data, we can surface this as an insight and pair it with a recommendation to block such devices from accessing Workspace data with a few clicks.

Getting started

  • End users: There is no end user impact or action required.


Availability

Available to Google Workspace
  • Enterprise Standard and Plus
  • Education Standard and Plus
  • Enterprise Essentials Plus
  • Also available to Cloud Identity Premium customers


Audit security settings using the Policy API, now available in open beta

What’s changing

Simplifying the management of Workspace settings continues to be a priority for us. To that end, we’re introducing new tools to help streamline the process for admins. 

Launching to open beta today, we’re pleased to introduce the Policy API, which will help super admins programmatically access information about how the service-level settings and rules in their Google Workspace environment are configured. With the Policy API, customers gain a comprehensive view of all their settings and of their Workspace security and compliance configurations. Admins will no longer have to navigate through numerous pages in the Admin Console.

To start, the Policy API is available as a read-only API. In future releases, admins will be able to use the API to create, update, and delete their settings, as well as data loss prevention (DLP) rules. Admins will be able to use the API to audit certain settings in the following categories:

  • Authentication controls such as account recovery, advanced protection program, login challenges, passwords.
  • Chat
  • Classroom
  • Docs and Drive 
  • Gmail 
  • Groups
  • Marketplace
  • Meet 
  • Sites
  • Takeout

The Policy API can also be used to read DLP rules, including the ability to:
  • Read all DLP rule configurations in the admin console, including: rule names and descriptions; applicable organization units (OUs) and groups; triggers and conditions; and app-specific alert actions.
  • Read existing DLP detectors available in the admin console including the detector name, description, and wordlist configurations.
  • Read admin-modified system-defined alerts.

Who’s impacted

Super Admins


Why it’s important

With the increase in sophistication and scale of cyber threats, the Cybersecurity & Infrastructure Security Agency’s Secure Cloud Business Applications (SCuBA) project provides guidance to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments. 


The Policy API provides access to the settings that are part of the recommendations published in CISA’s Google Workspace secure configuration baselines. Customers who wish to evaluate their Workspace policies against these baselines can start testing using the Policy API. In future releases, we plan to expand support for additional policies described in CISA’s Workspace baselines.


Getting started

  • Admins: You must be a super admin to use the Policy API. Use our Developer Documentation to learn more about the Policy API.
  • End users: There is no end user impact or action required.

Rollout pace

  • Available now.

Availability

  • Available to all Google Workspace customers
