Tag Archives: Security and Compliance

Beta update: Data Loss Prevention enforcement in Gmail is now instantaneous

What’s changing 

Today, we are announcing enhancements for the Data Loss Prevention for Gmail open beta, which are designed to improve usability without compromising sensitive data protections for Gmail. Once deployed, users will be notified instantly when a message matches an applicable DLP policy, before the message leaves their inbox, instead of having DLP rules evaluated only after the message has already left the inbox. In addition to more timely user feedback, this capability, called synchronous DLP, helps educate users about the potential risk of leaking sensitive information.


We’re also introducing a new action for DLP rules, “Warn”, which will notify users about potentially sensitive data while providing the option to send the message based on the user’s own assessment of the risk. For added safety, the DLP service will scan messages one additional time after they leave the sender's mailbox.


Who’s impacted

Admins and end users


Why it matters 

Data breaches are one of the most common and costly security issues facing organizations. Often these breaches originate from within an organization, through unintentional or intentional actions by its users. Data loss prevention capabilities help prevent this exfiltration of data and help guide users about what information to share. To help safeguard sensitive information, organizations can create and enforce policies that not only detect and block sensitive information from being shared, but also educate users on what information sharing is or is not appropriate and how to comply with those guidelines. Specifically, data loss prevention rules can look for sensitive text strings, custom detectors, or predefined detectors in outgoing messages sent internally or externally.


The latest update for data loss prevention rules in Gmail brings the experience in line with Google Drive and Google Chat, which are already adopted broadly by Google Workspace customers. You can refer to our Help Center for more information about data loss prevention in Gmail.


Additional details

Customizable warning messages
DLP rules can be configured to block the message, warn users about sensitive information, or quarantine the message. When sensitive information is detected, users will be shown a dialog box notifying them of the risk. Admins can now choose to customize the information shown to end users in these dialog boxes, including why their message was flagged, what they can do to unblock themselves, and links to additional resources to educate them further.

Example of a custom warning message




Continued asynchronous scanning of messages
While messages will now be scanned synchronously, messages will go through additional scanning asynchronously (after the message leaves the inbox) for an additional layer of protection. This includes messages that are sent automatically, such as auto-forward or scheduled send, and messages sent from non-Gmail clients.


Getting started

  • Admins:
    • Data loss prevention in Gmail is available in open beta for select Google Workspace customers. These rules can be configured at the domain, OU, or group level. DLP rules can be enabled in Gmail in the Admin console under Security > Access and data control > Data protection. Note that with the new synchronous scanning, your end users will begin seeing dialog boxes related to these rules before messages leave the inbox. These will be displayed when using Gmail on the web and mobile.

    • Visit the Help Center to learn more about controlling sensitive data shared in Gmail. Note that you can modify existing DLP rules for Drive and Chat to also apply to Gmail. 

    • DLP events can be reviewed in the Security Investigation Tool or Security > Alert Center, if alerts are configured in rules.

    • We recommend selecting “Audit only” when you’re setting up a new rule in order to test and monitor its performance, or to passively monitor the environment without interrupting email flow for your users. There are no changes to the “Audit only” action with this update; it will continue to operate as usual.

  • End users: Depending on the data loss prevention rules configured by your admin, you may see a dialog letting you know that:

    • Your message is blocked: Your message contains information that cannot be shared — you’ll need to remove it in order to send your message.
Dialog in case of a blocked message
    • Your message contains sensitive information: Your message contains information that is sensitive, but can be shared — you can decide whether to send it or edit the message to exclude this information. Note that your admin will be notified about this activity.


      Dialog in case of a warning

    • Your message contains sensitive information that requires review: Your message contains information that will need to be reviewed by an admin. You’ll have the option to submit it for review, and upon review it will be released for delivery or declined. You may receive a notification about the message being declined from delivery.


      Example of a quarantine message

Rollout pace

Availability

Available for Google Workspace:
  • Enterprise Standard, Enterprise Plus
  • Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
  • Frontline Standard
  • Cloud Identity Premium customers

Resources


Introducing security advisor, a new set of tools and insights to help small businesses protect their organization against cyber attacks

What’s changing

The cyber threat landscape is evolving and there's been an increase in the sophistication and volume of malicious threats. Small businesses frequently lack the time, resources, and expertise that larger organizations have to implement robust security measures. As a result, threat actors often perceive these organizations as easier targets.

To help small businesses, we’re introducing security advisor, a set of new insights and tools designed to enhance security for small businesses – including threat defense, account security, and data protection capabilities. Security advisor offers tailored security insights, actionable guidance in the admin console, and simplified data protection controls — all to help businesses keep their customer data safe.

With security advisor, applying security settings is easier than before and the recommended settings can be easily adopted and customized to meet the specific needs of each organization in just a few steps. This helps organizations elevate their security posture, helps their IT team be more efficient by simplifying admin work, and helps reduce the risk of misconfigured security settings with a guided, in-app experience in the Admin console.

In addition to security insights in the Admin console, the security advisor feature set includes the following:

Admin console > Security > Security advisor


Getting started


Rollout pace


Availability

  • Available for Google Workspace Business Starter, Standard, and Plus

Resources


Expanding multi-party approvals to domain-wide delegation actions

What’s changing

Earlier this year, we announced multi-party approvals for sensitive actions taken in the admin console, specifically requiring one admin to approve actions taken by another. At launch, these protections applied to several settings, including 2-step verification, account recovery, and more. 


Today, we’re expanding multi-party approvals to include domain-wide delegation. Domain-wide delegation is a powerful feature which allows admins to grant third-party applications permission to access your Workspace users’ data. Bringing this feature under the umbrella of multi-party approvals helps mitigate the risk of data exfiltration by internal bad actors or in case admin credentials have been compromised.


Overall, multi-party approvals help ensure no sensitive action happens in a silo and, most importantly, help prevent unauthorized or accidental changes from being made. This added layer of approval helps ensure actions are being taken appropriately and not too broadly or too often. For more information, see our original announcement.

When domain-wide-delegation changes are attempted, admins will be required to submit the change to a super admin for approval.

Super admins can review and take action on these requests in the Admin console by navigating to Security > Multi-party approval. Super admins will also receive email alerts when a change is requested or any other protected action is attempted.



Getting started

  • Admins: The multi-party approvals feature is available for eligible Workspace customers with two or more super admin accounts. Multi-party approvals are OFF by default and can be turned on in the Admin console by going to Security > Multi-party approval settings. Visit the Help Center to learn more about multi-party approvals for sensitive actions.

Rollout pace


Availability

  • Available for all Google Workspace customers

Resources


SOC compliance for Gemini

What’s changing 

In the era of generative AI, building helpful, secure products that give users choice and control over their data remains Google’s core principle. When commercial customers adopt Gemini for Google Workspace they get the same robust data protection and security standards that come with all Google Workspace services, with specific protections for businesses, education, and public-sector customers.


We’re pleased to announce for Gemini for Workspace licensed users that:
  • Gemini for Google Workspace—including Gemini in the side panel of Gmail, Drive, Docs, Sheets, and Slides—is now SOC 1, SOC 2, and SOC 3 compliant.
  • Chatting with Gemini at gemini.google.com is now SOC 2 and SOC 3 compliant. We plan to achieve SOC 1 compliance later this year.

With SOC 1, 2 and 3 compliance awarded by a stringent third party (the American Institute of Certified Public Accountants, AICPA), customers can be confident that Workspace meets the industry standard for handling financial data, data security, availability, processing integrity, confidentiality and privacy.


Getting started

Rollout pace

  • Available now.

Availability

  • Available for Gemini Business, Enterprise, Education and Education Premium add-ons

Resources


Available in open beta: configure third-party apps by select API scopes

What’s changing 

When your users sign in to third-party apps using the "Sign in with Google" option (single sign-on) or use OAuth to share their data with those apps, you can control what access those apps have to your organization’s Google data using app access controls.


Admins currently can configure third-party apps as “Trusted”, giving them access to all OAuth scopes, or as “Limited”, giving them access only to scopes from Google services which are not restricted. Beginning today, we’re giving admins another layer of granular control for third-party apps. Specifically, you can now configure apps to be limited to selected OAuth 2.0 scopes for Google APIs, such as Drive or Gmail scopes. This helps ensure that these apps do not gain additional access without admin consent through new API scopes that they might request in the future, keeping data access limited to only what admins deem absolutely necessary.
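The following Python model, added here as an illustration and not Google's implementation, shows how the three app access modes described above treat a consent request, including an app that later asks for a scope it was never approved for. The AppAccessPolicy type, the RESTRICTED_SERVICES set and the all-or-nothing handling of a request are assumptions of the example; the scope URIs are real Google API scopes used only as sample input.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

# Real Google OAuth 2.0 scope URIs, used here only as sample input.
DRIVE_READONLY = "https://www.googleapis.com/auth/drive.readonly"
DRIVE_FULL = "https://www.googleapis.com/auth/drive"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
CALENDAR_READONLY = "https://www.googleapis.com/auth/calendar.readonly"

# Assumption for this example: services the admin has marked "restricted".
RESTRICTED_SERVICES = frozenset({"drive", "gmail"})


def service_of(scope: str) -> str:
    """Derive the service name from a scope URI ('.../auth/gmail.readonly' -> 'gmail')."""
    return scope.rsplit("/", 1)[-1].split(".")[0]


@dataclass(frozen=True)
class AppAccessPolicy:
    """Constructed model of one third-party app's access configuration."""
    mode: str  # "trusted", "limited" or "limited_by_scopes"
    allowed_scopes: FrozenSet[str] = frozenset()  # used only by limited_by_scopes


def scope_allowed(policy: AppAccessPolicy, scope: str) -> bool:
    if policy.mode == "trusted":            # any scope, restricted services included
        return True
    if policy.mode == "limited":            # any scope outside restricted services
        return service_of(scope) not in RESTRICTED_SERVICES
    if policy.mode == "limited_by_scopes":  # only the admin-selected scopes
        return scope in policy.allowed_scopes
    raise ValueError(f"unknown mode {policy.mode!r}")


def evaluate_request(policy: AppAccessPolicy,
                     requested: Iterable[str]) -> Tuple[bool, FrozenSet[str]]:
    """Approve the request only if every requested scope is allowed.

    Returns (approved, offending_scopes). Treating the request as
    all-or-nothing is an assumption of this example.
    """
    offending = frozenset(s for s in requested if not scope_allowed(policy, s))
    return (not offending, offending)


# The scenario from the announcement: an app was approved for Drive read
# access and later starts requesting a Gmail scope the admin never selected.
SCOPED_APP = AppAccessPolicy("limited_by_scopes", frozenset({DRIVE_READONLY}))
ORIGINAL_REQUEST = {DRIVE_READONLY}
EXPANDED_REQUEST = {DRIVE_READONLY, GMAIL_READONLY}
```

Under the "limited_by_scopes" policy the expanded request is refused and the newly requested Gmail scope is reported as the offending one, which is the behaviour the new control is meant to provide.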




Getting started

Rollout pace


Availability

  • Available to all Google Workspace customers, as well as Cloud Identity Free and Premium customers


Resources


Prevent downloading, printing, or copying files by combining Data Loss Prevention rules with Context-Aware Access conditions

What's changing

Controlling access to sensitive content stored in Google Drive is a critical component for any company's security posture. One way admins can do this is with Data Loss Prevention (DLP) rules that enable Information Rights Management (IRM) on specific files. This allows admins to disable actions that can lead to accidental or deliberate data exfiltration, such as downloading, copying, and printing. 


Today, we’re expanding on these protections by enabling admins to combine DLP rules with Context-Aware Access conditions. When combined, admins can configure whether IRM should be enforced based on whether context conditions, like a user’s location or IP address, are met. This gives admins the ability to configure Context-Aware Access conditions in a more granular fashion — previously, Context-Aware Access could only be used to restrict full access to an entire application. This is an important step forward in applying administrator controls at the document level.



Getting started

  • Admins: This feature will be OFF by default and can be enabled per-file by creating DLP rules with a CAA access level attached. See this help center article for more information on how to configure these rules.

  • End users: Depending on your admin configuration, you may be restricted from taking certain actions on Drive files.

Rollout pace

Availability

Available for Google Workspace:


AI Classification in Google Drive is now available for the Gemini Education Premium add-on

What’s changing

We’re expanding the availability of AI Classification in Google Drive to Google Workspace for Education customers with the Gemini Education Premium add-on. Powered by privacy-preserving AI models that can be uniquely trained on the specific needs of your organization, AI Classification empowers IT teams to automatically and continuously identify and classify sensitive files. The challenge with label-based policies is that they are only effective on files that are correctly identified and labeled. Further, labeling files places a considerable manual burden on admins.


This is where AI Classification can help. By training models on customer-identified examples of content that match their data classification definitions, AI Classification can evaluate files where text can be extracted to see if it should be labeled. This helps enable organizations to achieve label coverage at a scale and accuracy that is very difficult to accomplish through traditional means and manual Admin intervention. Once labeled, classified files can then be further protected with existing data loss prevention (DLP) controls, lifecycle management policies, as well as audit and reporting use cases.

AI Classification in the Admin console

AI Classification in Google Docs






Getting started



Rollout pace


Availability

  • Available for Google Workspace for Education customers with the Gemini Education Premium add-on.
This feature is already available to customers with the Gemini Enterprise add-on, and via the AI Security add-on for select Google workspace customers.

Enable Classification labels on specific Google Workspace applications

What’s changing

Admins can create classification labels for users to apply to files in Google Drive. These classification labels are useful for many common workplace scenarios, including records management, classification, structured finding, reporting, auditing, and more. 

To improve granularity in enabling & governing labels, we are replacing and improving the existing “Labels” setting within Apps > Google Workspace > Drive & Docs and adding label-level application toggles to the Label Manager tool. 

Classification labels can be applied to a Workspace application once it's selected during the setup process. A lock icon will be displayed in line with the application toggle when the label is referenced by a policy, such as a DLP rule. To remove all rules that reference a specific label, go to the Data protection section of the Admin console > Security > Access and data control. 

The active labels in your Workspace domain will continue to function and will be auto-enabled for Drive & Docs as a result of this update.
 

Getting started 

Rollout pace

  • This feature is available now 

Availability 

Available for Google Workspace: 
  • Business Standard, Plus 
  • Enterprise Standard, Plus 
  • Essentials Starter, Enterprise Essentials, Enterprise Essentials Plus 
  • Education Standard, Plus 
  • Frontline Starter, Standard

Resources 

Adding Data Loss Prevention (DLP) to form content in Google Forms

What’s changing

We’re continually investing in data protection capabilities for Google Forms. We’ve already enabled data loss prevention (DLP) for Google Drive policies that apply to files submitted in external Forms, including Forms from external organizations. To expand on this, today we’re announcing that DLP policies for form content in Google Forms are now generally available.


With DLP, Forms with sensitive content can be blocked from being viewed or responded to by external individuals. Based on DLP rules configured by the admin, this feature checks form content including questions, form title and description and answer options provided in the form, and prevents sensitive content from being shared externally; it does not check form responses provided by end users that are submitted to external forms. 

DLP in Forms
This screenshot of a Google Form includes mentions of “Project X”. DLP rules are configured to detect and prevent sharing of Forms with responders outside the organization with any mentions of “Project X”, the sensitive content in this form.


Additional details 

If you do not want DLP rules applied to users in your domain, you can exclude certain groups or organizational units from DLP checks. You can also exclude forms from DLP for Drive rules by using nested condition operators. To do so, add an ‘AND NOT’ conditional operator with a custom detector for “vnd\.google\-apps\.form” as a regex. In scenarios where you only want to apply DLP to forms, add the same custom detector for “vnd\.google\-apps\.form” as a regex without the ‘AND NOT’ operator. Visit this Help Center to learn more about using Workspace DLP to prevent data loss.
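As an added illustration (not Google's DLP engine and not code from this announcement), the following Python evaluator models the two nested-condition configurations just described: a Drive rule that excludes Forms via ‘AND NOT’ on the MIME-type regex, and a Forms-only rule built from the same detector. The DriveFile, Condition and DlpRule types and the sample files are constructed for this example; only the regex comes from the text above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Custom detector from the announcement; matches the Google Forms MIME type
# "application/vnd.google-apps.form" when applied to a file's MIME type.
FORMS_MIME_DETECTOR = r"vnd\.google\-apps\.form"


@dataclass
class DriveFile:              # constructed model of a Drive item
    name: str
    mime_type: str            # e.g. application/vnd.google-apps.form
    text: str                 # extracted title, description, questions, options


@dataclass
class Condition:
    target: str               # "content" or "mime_type"
    pattern: str              # regex used as a custom detector
    negate: bool = False      # True models the "AND NOT" operator

    def matches(self, f: DriveFile) -> bool:
        value = f.text if self.target == "content" else f.mime_type
        hit = re.search(self.pattern, value) is not None
        return not hit if self.negate else hit


@dataclass
class DlpRule:
    name: str
    conditions: List[Condition]   # nested conditions are ANDed together
    action: str                   # "block", "warn" or "audit"

    def evaluate(self, f: DriveFile) -> Optional[str]:
        """Return the rule's action if every condition holds, else None."""
        return self.action if all(c.matches(f) for c in self.conditions) else None


# Scenario 1: block external sharing of anything mentioning "Project X",
# but leave Forms alone by adding AND NOT on the MIME-type detector.
EXCLUDE_FORMS = DlpRule("project-x-except-forms",
                        [Condition("content", r"Project X"),
                         Condition("mime_type", FORMS_MIME_DETECTOR, negate=True)],
                        "block")

# Scenario 2: the same detector without negation scopes the rule to Forms only.
FORMS_ONLY = DlpRule("project-x-forms-only",
                     [Condition("content", r"Project X"),
                      Condition("mime_type", FORMS_MIME_DETECTOR)],
                     "block")

# Constructed sample files.
DOC = DriveFile("plan", "application/vnd.google-apps.document", "Budget for Project X")
FORM = DriveFile("survey", "application/vnd.google-apps.form", "Feedback on Project X")
CLEAN_FORM = DriveFile("lunch", "application/vnd.google-apps.form", "Pizza or salad?")


def evaluate_all(rules: List[DlpRule], f: DriveFile) -> Dict[str, Optional[str]]:
    """Map each rule name to the action it would take on the file."""
    return {r.name: r.evaluate(f) for r in rules}
```

Run `evaluate_all([EXCLUDE_FORMS, FORMS_ONLY], FORM)` to see that the first rule ignores the form while the second blocks it; the document mentioning "Project X" triggers only the first rule.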


Getting started 

  • Admins: 
    • Data loss prevention rules scoped to Drive files defined for your domain will be applied automatically to Forms.
    • If you are not using DLP for Google Drive, you can create DLP rules at the domain, OU, or group level in the Admin console under Security > Data protection. You can apply block, warn or audit actions, consistent with DLP for Drive. If you apply the block action, users external to the domain will not be able to view or respond to forms with sensitive content. 
    • Visit the Help Center to learn more about turning data loss prevention in Google Forms on for your organization. 
  • End users: End users can respond as usual to forms that do not violate DLP rules, but if a form violates Drive DLP rules for their domain, form editors may see warnings and form responders external to the domain may be blocked from viewing or responding to the form.

Rollout pace 

Availability 

Available for Google Workspace: 
  • Enterprise Standard, Plus 
  • Enterprise Essentials Plus 
  • Education Fundamentals, Standard, Plus, the Teaching & Learning Upgrade 
  • Frontline Standard 
  • Cloud Identity Premium 

Resources 

Use the Apple Volume Purchasing Program (VPP) to distribute apps for device enrollment and company owned devices

What’s changing

In November 2023, we announced the ability to purchase and distribute iOS apps to user-enrolled devices through Apple’s Volume Purchase Program. Beginning today, we’re expanding this functionality to include device enrollment and company-owned iOS devices.




Who’s impacted

Admins and end users


Why you’d use it 

Admins can use the Volume Purchasing Program to efficiently curate a suite of work-related apps—both free and paid—for their team. This streamlined process not only simplifies the deployment of essential business apps but also ensures that employees have access to the right apps they need to be productive and efficient, all within the secure perimeter of our MDM platform. To further streamline the enrollment and app distribution process, we’re automatically installing mandatory apps during enrollment for company-owned devices. This latest update makes it easier for admins to deploy apps across various device types in their organization.


Additional details

Please note that Apple ID sign-in won't be needed in the company-owned iOS devices flow after configuring apps with VPP.


The automatic installation of mandatory apps during onboarding applies to all enrollment types, and devices that violate mandatory-app compliance will be blocked immediately until the required app(s) are installed.


Getting started


Rollout pace


Availability

Available to Google Workspace
  • Business Plus
  • Enterprise Essentials and Enterprise Essentials Plus
  • Enterprise Standard and Plus
  • Education Standard and Plus, and the Endpoint Education Upgrade add-on
  • Frontline Starter and Standard
  • Cloud Identity Premium