Tag Archives: Security and Compliance

Resolve conflict accounts faster with the new Conflict Accounts Management tool

What’s changing 

We’re introducing an automated workflow to help reduce the manual effort needed to turn unmanaged accounts into managed accounts. Unmanaged accounts are users who independently created a Google account using one of your organization's domains. 




Admins can access the feature within the Admin console under Account settings > Conflicting accounts management. Here, they can specify their preferences for how to resolve unmanaged accounts when provisioning users for their domains. This preference applies only when users are provisioned using the public Directory API with the URL parameter resolveConflictAccount set to true. 

  • Automatically invite users to transfer unmanaged accounts 
    • Admins can specify how many daily follow-up messages should be sent.
    • If a user declines or does not accept the transfer invitation, admins can specify which next steps should be taken. 
    • Further, admins will have the option to take over the email address of users who decline or ignore the invite. 

  • Replace unmanaged accounts with managed ones 
    • Note that data owned by the account will not be imported.
    • The user will receive a temporary account address, which they’ll need to manually replace with a @gmail.com address of their choice. 
    • They’ll receive an email notification of this, and are informed they cannot use the original email any longer. 
    • Refer to this documentation for more information

  • Don’t create new accounts if unmanaged accounts exist.



Who’s impacted

Admins and end users


Why you’d use it 

Conflict accounts refer to personal Google accounts that get registered with a corporate email address. These accounts cannot be managed by admins, which places them outside the scope of the protections admins apply to keep work data secure. Further, reconciling conflicting accounts creates churn for admins and adds to the workload of onboarding users to Google Workspace & Google Cloud.


While admins can resolve these accounts using the transfer tool or the “UserInvitation” API functionality, the Conflict Accounts Management tool is a scaled solution for larger customers, helping reduce time spent migrating to business accounts and accelerating adoption of Google Workspace and Google Cloud.

Getting started


  • Admins: 
    • Visit the Help Center to learn more about using the Conflict Accounts Management tool and unmanaged accounts.

  • End users: Depending on your admin configuration:
    • You’ll be invited to transfer your account — if accepted, your admin will have the ability to manage your account.
    • If you do not accept the request, your admin may replace your unmanaged account with a managed one. In that case, you’ll receive a new @gmail.com address and retain your content in this unmanaged, personal Google account.

Rollout pace



Availability

  • Available to all Google Workspace customers

Resources


Set Context Aware Access policies for 1P & 3P applications to access Workspace APIs

What’s changing 

Admins can now use context-aware access to block users' access to Workspace applications via other Google (1st party) & non-Google (3rd party) applications. With context-aware access, you can set different access levels to Workspace applications based on a user’s identity and the context of the request (location, device security status, IP address). 




Why it’s important 

Context-aware access for APIs enables customer admins to extend their existing context-aware access (CAA) user and device controls to end users who access Google Workspace applications through other Google and non-Google applications. Extending these policies to APIs that request Google Workspace core data gives admins another layer of control and security and helps protect against data exfiltration. 


Getting started 


Rollout pace 

  • This feature is available now.

Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers 

Resources 

Updates for exporting your organization’s data

What’s changing 

We’re introducing updates around exporting user data for Google Workspace customers: 

First, all Google Workspace customers can choose to export the data of a specific user, rather than a customer’s full set of user-generated content. 





Second, you’ll notice an improved user interface for the data export tool, which provides more detailed information about exports, records a longer history of exports, and offers more features (filtered takeout). 




Third, Google Workspace Enterprise Plus, Education Standard, Education Plus, and the Teaching and Learning Upgrade customers now have additional options for exporting data. If you’re using one of these editions, you can export content for a set of individual users. For example, you can choose to export all data for several specific users rather than all data for the entire domain. This option expands on the enhanced data export options that were released last year, which are: 
  • Export user-generated content by organizational unit. 
  • Export user-generated content by group. 

Who’s impacted 

Admins and end users 

Why it’s important 

Historically, data export has been limited to a customer’s full set of user-generated content. However, customers encounter many scenarios where exporting only a portion of user-generated content is relevant. This update provides customers with more granular controls, especially as their business and compliance needs continue to evolve. By providing more export options, customers can retrieve the specific data they need, when they need it. 

Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Business Starter, Business Standard, Business Plus, Enterprise Starter, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and the Teaching and Learning Upgrade and Assured Controls customers 

Resources 

Import and convert sensitive Excel files into client-side encrypted Google Sheets

What’s changing 

Launching in open beta, you can now import and convert sensitive Excel files into Google Sheets with client-side encryption. Your encrypted Excel file won’t be changed, even as you change the encrypted Sheets file. 


In Google Sheets, navigate to File > Import.




Additional details 

With this release: 
  • You can only import encrypted .xlsx Excel file types. 
  • Additional Excel and tabular file types are not supported. 
  • During import, unsupported Excel features in Sheets will be ignored. 
  • The maximum file size is 20MB. 
  • The maximum number of cells that can be imported is 5 million. 

Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers 

Resources 

Import sensitive external files to Google Drive with client-side encryption using the Drive API, launching in beta

What’s changing 

For select Google Workspace editions, admins can import sensitive, encrypted files from third-party storage using client-side encryption and the Google Drive API, preserving the confidentiality of your data. Eligible admins can apply for beta access using this form.


Who’s impacted 

Admins 



Why it’s important 

Currently, client-side encryption allows for additional encryption by end users within Google Workspace. However, we know it’s critical for our customers and partners to import sensitive content into Google Drive on behalf of their users. With the launch of this beta functionality, admins will be able to easily bulk import files and keep them private with client-side encryption. 


Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs. Client-side encryption is already available for Google Drive, Google Docs, Sheets, and Slides, Google Meet, Google Calendar and Gmail. For more information, see our original announcement.


Getting started 

  • Admins: 
  • End users: There is no end user action required. 

Rollout pace 

  • We will be accepting beta applications and allowlisting customers over the next several weeks. 

Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers 

Resources 

Customize error messages for Google Chat data loss prevention rules, available in open beta

What’s changing 

For new and existing data protection rules for Google Chat, you can now customize the message shown to users when a message is blocked or intercepted. Previously, the message would be a standard warning, shared for all cases. Now, you can provide more context for users, including what they can do to unblock themselves or links to additional resources. 


This feature is available as an open beta, which means admins can use it without enrolling in a specific beta program. Note that this feature is only available on the web; mobile users will continue to see the standard warning. 


Who’s impacted 

Admins and end users 



Why it’s important 

Data loss prevention rules are built into the Workspace platform, performing checks in real time to help keep employees and their data safe as they go about their work. Beyond enforcement of these rules, creating user awareness is critical in the overall understanding and adoption of safety best practices. 


Providing a more detailed explanation for why their message has been intercepted or blocked helps users understand how to unblock themselves and more safely accomplish their task. More detailed explanations might include sharing links for more info on safety best practices, how to re-work their messages to be more secure, and more. Additionally, if you’re using data loss prevention rules to warn users against sharing certain information across Chat, you can customize the message to inform your users of the risks before they proceed. 


For more information on data loss prevention for Google Chat, refer to the Help Center, our original announcement, as well as the announcement made at Google Cloud Next 2022.


Getting started 

  • Admins: This feature will be OFF by default and can be customized per rule at the domain, Organizational Unit (OU), or group level. When creating a rule, in Step 4: Actions, under “User Message”, select “customize message”.




Visit the Help Center to learn more about preventing data leaks from Chat messages & attachments.

  • End users: There is no end user action required. Depending on your admin settings, you’ll see more detailed information if you’re trying to send a Google Chat message that meets conditions defined in a data loss prevention rule.


Rollout pace


Availability

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard, Education Plus, the Teaching & Learning Upgrade, and Frontline Standard customers. 
  • DLP for Chat is also available to Cloud Identity Premium users who are also licensed for Workspace editions that include Google Chat and Audit and investigation. Visit the Help Center for more information. 

Resources


Improvements for client-side encryption in Gmail

What’s changing 

We’re introducing two new features for client-side encryption in Gmail which will help you quickly identify ineligible recipients and any attachments that may be blocked: 


When you’re composing a Gmail message using client-side encryption, any recipient who is not able to receive encrypted messages will be denoted with a red chip. The email cannot be sent until those recipients are removed. 


Email recipients who cannot receive encrypted messages will be highlighted in red.







Gmail blocks attachments that may spread viruses, like messages that include executable files or scripts. If you receive a client-side encrypted message in Gmail, we’ll automatically check if any attachments are blocked file types. If there are blocked file types, you’ll see a warning banner and you won’t be able to download the file. 

You'll see a warning banner if you receive an email with a blocked attachment type.





For more information on client-side encryption in Gmail, check out the Workspace blog and our original announcement.

Getting started 

  • Admins: Visit the Help Center to learn more about setting up client-side encryption for your organization.
  • End users: 
    • If enabled by your Workspace admin, you can add client-side encryption to any message by clicking the lock icon and selecting additional encryption; then compose your message and add attachments as normal. 
    • If you include a recipient in the “To” or “CC” fields who cannot receive an encrypted message, their email address will appear as a red chip. 
    • Visit the Help Center to learn more about Gmail client-side encryption and blocked file types in Gmail.

Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers 

Resources 

Add or remove client-side encryption from Google Sheets and Google Slides files

What’s changing 

You can now add client-side encryption to, or remove it from, existing spreadsheets in Google Sheets and presentations in Google Slides. This update gives you the flexibility to control encryption as your documents and projects evolve and progress. This feature is already available for Google Docs.


In Google Sheets or Slides, navigate to File > Make a copy > Add/Remove additional encryption.




Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers 

Resources 

Use Directory Sync to replace the domain name for synced users

What’s changing 

Using Directory Sync, admins can automatically replace the domain name for synced users and groups in their Google cloud directory. This means synced Google users and groups can have a different domain name than the domain used in the external directory following a sync. 


Verified domain names within your Google Workspace account can be used to replace user and group domain names. Admins can specify whether the domain change will occur for: 
  • Newly synced users and groups 
  • New and previously synced users and groups 


Directory Sync is available as an open beta, meaning no sign-up is required. Visit our Help Center to learn more about using Directory Sync and to read the FAQs.



Getting started


Simplify and strengthen sign-in by enabling passkeys for your users, available now in open beta

What’s changing

Google Workspace is enabling the use of passkeys as a simpler and safer alternative to passwords for signing in to Google Accounts. Additionally, Workspace admins can now allow users to use passkeys to skip passwords at sign-in for Workspace apps — this feature gives users the option to skip entering their password and sign in with a passkey using a fingerprint, face recognition, or other screen-lock mechanism across phones, laptops, or desktops. 

This feature is available as an open beta, which means admins can use it without enrolling in a specific beta program. 

Passkeys have been designed with user privacy in mind. When a user signs in with a passkey to their Workspace apps, such as Gmail or Google Drive, the passkey can confirm that the user has access to their device and can unlock it with a fingerprint, face recognition, or other screen-lock mechanism. The user’s biometric data is never sent to Google’s servers or other websites and apps. 


Who’s impacted 

Admins and end users 


Why you’d use it 

Passkeys are a new, passwordless sign-in method that can offer a more convenient and secure authentication experience across websites and apps. Passkeys are based on an industry standard and available across popular browsers and operating systems that people use every day, including Android, ChromeOS, iOS, macOS, and Windows. Google’s early data (March to April 2023) shows that passkeys are 2x faster and 4x less error prone than passwords. 

Passkeys are based on the same public key cryptographic protocols that underpin physical security keys, such as Titan Security Key, and therefore can be resistant to phishing and other online attacks. In fact, Google research has shown that security keys provide stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication (2FA). For a closer look at how passkeys work under the hood, check out our technical blog post.

Getting started 

  • Admins: Admins can allow users in their organizations to skip passwords at sign-in using a passkey. By default, this setting is off, which means that users can’t skip passwords during sign-in, but can still create and use passkeys as a 2-Step Verification (2SV) method. To allow users to skip passwords, administrators can follow these simple steps in the Admin console.
Admins can turn on / off the ability to use passkeys to skip passwords in the Admin console under Security > Passwordless. 
  • End users: If enabled by your admin, you can opt to skip password entry in your account settings.

Rollout pace

Availability 

  • Available to all Google Workspace customers and Cloud Identity customers 

Resources