Tag Archives: Security and Compliance

SOC compliance for Gemini

What’s changing 

In the era of generative AI, building helpful, secure products that give users choice and control over their data remains Google’s core principle. When commercial customers adopt Gemini for Google Workspace they get the same robust data protection and security standards that come with all Google Workspace services, with specific protections for businesses, education, and public-sector customers.


We’re pleased to announce that, for Gemini for Workspace licensed users:
  • Gemini for Google Workspace, including Gemini in the side panel of Gmail, Drive, Docs, Sheets, and Slides, is now SOC 1, SOC 2, and SOC 3 compliant.
  • Chatting with Gemini at gemini.google.com is now SOC 2 and SOC 3 compliant. We plan to achieve SOC 1 compliance later this year.

With SOC 1, SOC 2 and SOC 3 reports issued by an independent third-party auditor under the standards of the American Institute of Certified Public Accountants (AICPA), customers can be confident that these Gemini services meet the industry standard for controls relevant to financial reporting (SOC 1) and for security, availability, processing integrity, confidentiality and privacy (SOC 2 and SOC 3). 


Getting started

Rollout pace

  • Available now.

Availability

  • Available for Gemini Business, Enterprise, Education and Education Premium add-ons

Resources


Available in open beta: configure third-party apps by select API scopes

What’s changing 

When your users sign in to third-party apps using the "Sign in with Google" option (single sign-on) or use OAuth to share their data with those apps, you can control what access those apps have to your organization’s Google data using app access controls.


Admins can currently configure third-party apps as “Trusted”, giving them access to all OAuth scopes, or as “Limited”, giving them access only to scopes for Google services that are not restricted. Beginning today, we’re giving admins another layer of granular control for third-party apps: you can now limit an app to a selected set of OAuth 2.0 scopes for Google APIs, such as specific Drive or Gmail scopes. Because the permitted scopes are fixed by the admin, an app cannot gain additional access by requesting new API scopes in a future release without fresh admin consent, keeping its data access limited to what admins deem necessary.
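As an added example, not part of this announcement and not Google’s own tooling, the following Python script mirrors the three access modes described above (Trusted, Limited, and limited to selected scopes) against the scopes an app actually asks for in its OAuth 2.0 authorization request. The restricted-scope list, the sample app policy and the authorization URLs are constructed for illustration; Google maintains the real restricted-scope list and the Admin console does not expose this evaluation as an API. The point it makes is the one in the text: a scope allowlist is compared as exact strings, so an app allowed `drive.file` today is refused when a later release adds the full `drive` scope.

```python
"""Added example (not from the announcement or from Google): a policy check
that mirrors the per-app OAuth scope access modes. All scope lists, policies
and URLs below are constructed sample data; nothing here calls a Google API."""
from urllib.parse import urlparse, parse_qs

# Constructed sample of scopes treated as "restricted" (full Drive and Gmail
# access are genuine examples of restricted scopes; the list is not complete).
RESTRICTED_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://mail.google.com/",
}

def requested_scopes(auth_url: str) -> set[str]:
    """Pull the space-separated 'scope' parameter out of an OAuth 2.0
    authorization request URL (the URL an app sends the user to)."""
    qs = parse_qs(urlparse(auth_url).query)
    return set(" ".join(qs.get("scope", [])).split())

def evaluate(app_policy: dict, scopes: set[str]) -> dict:
    """Decide whether a consent request is permitted under an app policy.

    app_policy is {"mode": "trusted" | "limited" | "scoped", "scopes": {...}}:
      trusted -> any scope is allowed
      limited -> any scope that is not restricted
      scoped  -> only the admin-selected scopes, compared as exact strings
    Returns {"allowed": bool, "denied": set of refused scopes}.
    """
    mode = app_policy["mode"]
    if mode == "trusted":
        denied = set()
    elif mode == "limited":
        denied = scopes & RESTRICTED_SCOPES
    elif mode == "scoped":
        denied = scopes - set(app_policy.get("scopes", ()))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"allowed": not denied, "denied": denied}

# Constructed scenario: an app the admin allow-listed for drive.file and
# gmail.send. Its first release asks for exactly those; a later release
# silently adds full Drive access.
APP_POLICY = {
    "mode": "scoped",
    "scopes": {
        "https://www.googleapis.com/auth/drive.file",
        "https://www.googleapis.com/auth/gmail.send",
    },
}
V1_URL = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=example"
          "&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file"
          "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send")
V2_URL = V1_URL + "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"

def demo() -> dict:
    """Evaluate both releases under the scoped policy and under 'limited'."""
    return {
        "v1_scoped": evaluate(APP_POLICY, requested_scopes(V1_URL)),
        "v2_scoped": evaluate(APP_POLICY, requested_scopes(V2_URL)),
        "v1_limited": evaluate({"mode": "limited"}, requested_scopes(V1_URL)),
        "v2_limited": evaluate({"mode": "limited"}, requested_scopes(V2_URL)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Under the scoped policy the first release is allowed and the second is refused because of the added full-Drive scope; under “Limited” the same request is refused only because that scope happens to be restricted, which is the weaker guarantee the announcement contrasts with.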




Getting started

Rollout pace


Availability

  • Available to all Google Workspace customers, as well as Cloud Identity Free and Premium customers


Resources


Prevent downloading, printing, or copying files by combining Data Loss Prevention rules with Context-Aware Access conditions

What's changing

Controlling access to sensitive content stored in Google Drive is a critical component for any company's security posture. One way admins can do this is with Data Loss Prevention (DLP) rules that enable Information Rights Management (IRM) on specific files. This allows admins to disable actions that can lead to accidental or deliberate data exfiltration, such as downloading, copying, and printing. 


Today, we’re expanding on these protections by enabling admins to combine DLP rules with Context-Aware Access conditions. Admins can now configure whether IRM is enforced based on whether context conditions, such as a user’s location or IP address, are met. This makes context-aware access considerably more granular: previously it could only be used to restrict access to an entire application, whereas this update applies administrator controls at the document level.



Getting started

  • Admins: This feature will be OFF by default and can be enabled per-file by creating DLP rules with a CAA access level attached. See this help center article for more information on how to configure these rules.

  • End users: Depending on your admin configuration, you may be restricted from taking certain actions on Drive files.

Rollout pace

Availability

Available for Google Workspace:


AI Classification in Google Drive is now available for the Gemini Education Premium add-on

What’s changing

We’re expanding the availability of AI Classification in Google Drive to Google Workspace for Education customers with the Gemini Education Premium add-on. Powered by privacy-preserving AI models that can be trained on the specific needs of your organization, AI Classification enables IT teams to automatically and continuously identify and classify sensitive files. Label-based policies are only effective on files that have been correctly identified and labeled, and labeling files manually places a considerable burden on admins. 


This is where AI Classification can help. By training models on customer-identified examples of content that match the organization’s data classification definitions, AI Classification evaluates files from which text can be extracted and decides whether they should be labeled. This helps organizations achieve label coverage at a scale and accuracy that is very difficult to reach through traditional means and manual admin intervention. Once labeled, classified files can be further protected with existing data loss prevention (DLP) controls and lifecycle management policies, and used for audit and reporting.

AI Classification in the Admin console

AI Classification in Google Docs






Getting started



Rollout pace


Availability

  • Available for Google Workspace for Education customers with the Gemini Education Premium add-on. This feature is already available to customers with the Gemini Enterprise add-on, and via the AI Security add-on for select Google Workspace customers.

Enable Classification labels on specific Google Workspace applications

What’s changing

Admins can create classification labels for users to apply to files in Google Drive. These classification labels are useful for many common workplace scenarios, including records management, classification, structured finding, reporting, auditing, and more. 

To improve granularity in enabling & governing labels, we are replacing and improving the existing “Labels” setting within Apps > Google Workspace > Drive & Docs and adding label-level application toggles to the Label Manager tool. 

Classification labels can be applied within a Workspace application once that application is selected during label setup. A lock icon is displayed next to the application toggle when the label is referenced by a policy, such as a DLP rule. To remove all rules that reference a specific label, go to Admin console > Security > Access and data control > Data protection. 

Labels that are already active in your Workspace domain will continue to function and will be automatically enabled for Drive & Docs as a result of this update.
 

Getting started 

Rollout pace

  • This feature is available now 

Availability 

Available for Google Workspace: 
  • Business Standard, Plus 
  • Enterprise Standard, Plus 
  • Essentials Starter, Enterprise Essentials, Enterprise Essentials Plus 
  • Education Standard, Plus 
  • Frontline Starter, Standard

Resources 

Adding Data Loss Prevention (DLP) to form content in Google Forms

What’s changing

We’re continually investing in data protection capabilities for Google Forms. Data loss prevention (DLP) for Google Drive policies already apply to files submitted to external Forms, including Forms from external organizations. Expanding on this, today we’re announcing that DLP policies for form content in Google Forms are now generally available. 


With DLP, Forms with sensitive content can be blocked from being viewed or responded to by external individuals. Based on the DLP rules configured by the admin, this feature checks form content, including the questions, the form title and description, and the answer options provided in the form, and prevents sensitive content from being shared externally. It does not check the responses that end users submit to external forms. 

DLP in Forms
This screenshot of a Google Form includes mentions of “Project X”. DLP rules are configured to detect and prevent sharing of Forms with responders outside the organization with any mentions of “Project X”, the sensitive content in this form.


Additional details 

If you do not want DLP rules applied to some users in your domain, you can exclude specific groups or organizational units from DLP checks. You can also exclude Forms from DLP for Drive rules by using nested condition operators: add an ‘AND NOT’ conditional operator with a custom detector that uses the regex “vnd\.google\-apps\.form”. Conversely, if you only want a rule to apply to Forms, add a custom detector with the same regex as a condition of the rule. Visit the Help Center to learn more about using Workspace DLP to prevent data loss. 
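The following Python script is an added example, not part of the announcement and not Google’s DLP engine: it simulates the two nested-condition variants above so you can confirm which files the regex detector `vnd\.google\-apps\.form` singles out before deploying a rule. It assumes the custom detector is evaluated against the file’s MIME type (Google Forms use `application/vnd.google-apps.form`); the file records and the “Project X” content detector are constructed sample data.

```python
"""Added example (not Google's DLP implementation): simulate a Drive DLP rule
with a nested 'AND NOT' condition that excludes Google Forms, and the inverse
rule that only matches Forms. File records and detectors are constructed."""
import re

# Regex from the announcement; assumed here to run against the MIME type.
FORM_DETECTOR = re.compile(r"vnd\.google\-apps\.form")
# Constructed custom detector for the sensitive project name.
SENSITIVE_DETECTOR = re.compile(r"\bProject X\b")

# Constructed sample files: two Forms and one Doc, two of which mention the
# sensitive content.
SAMPLE_FILES = [
    {"name": "Roadmap", "mime": "application/vnd.google-apps.document",
     "text": "Project X launches in Q3"},
    {"name": "Survey", "mime": "application/vnd.google-apps.form",
     "text": "How would you rate Project X?"},
    {"name": "Lunch poll", "mime": "application/vnd.google-apps.form",
     "text": "Pizza or salad?"},
]

def is_sensitive(f: dict) -> bool:
    """Content condition: the custom detector matches the scanned text."""
    return SENSITIVE_DETECTOR.search(f["text"]) is not None

def is_form(f: dict) -> bool:
    """MIME-type condition: the regex detector matches the file type."""
    return FORM_DETECTOR.search(f["mime"]) is not None

def drive_rule_excluding_forms(f: dict) -> bool:
    """'sensitive AND NOT form': the Drive rule leaves Forms alone."""
    return is_sensitive(f) and not is_form(f)

def forms_only_rule(f: dict) -> bool:
    """'sensitive AND form': a rule that covers only Forms."""
    return is_sensitive(f) and is_form(f)

def apply_rule(rule, files=SAMPLE_FILES) -> list[str]:
    """Return the names of the files a rule would act on (block/warn/audit)."""
    return [f["name"] for f in files if rule(f)]

if __name__ == "__main__":
    print("excluding forms:", apply_rule(drive_rule_excluding_forms))
    print("forms only:    ", apply_rule(forms_only_rule))
```

The exclusion rule acts on the Doc only, the forms-only rule on the sensitive Form only, and the innocuous lunch poll is untouched by both, which is the behaviour to expect from the real rule if the detector is wired to the file type as assumed.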


Getting started 

  • Admins: 
    • Data loss prevention rules scoped to Drive files defined for your domain will be applied automatically to Forms.
    • If you are not using DLP for Google Drive, you can create DLP rules at the domain, OU, or group level in the Admin console under Security > Data protection. You can apply block, warn or audit actions, consistent with DLP for Drive. If you apply the block action, users external to the domain will not be able to view or respond to forms with sensitive content. 
    • Visit the Help Center to learn more about turning data loss prevention in Google Forms on for your organization. 
  • End users: End users can respond as usual to forms that do not violate DLP rules. If a form violates the Drive DLP rules for their domain, form editors may see warnings and responders outside the domain may be blocked from viewing or responding to the form. 

Rollout pace 

Availability 

Available for Google Workspace: 
  • Enterprise Standard, Plus 
  • Enterprise Essentials Plus 
  • Education Fundamentals, Standard, Plus, the Teaching & Learning Upgrade 
  • Frontline Standard 
  • Cloud Identity Premium 

Resources 

Use the Apple Volume Purchasing Program (VPP) to distribute apps for device enrollment and company owned devices

What’s changing

In November 2023, we announced the ability to purchase and distribute iOS apps to user-enrolled devices through Apple’s Volume Purchase Program. Beginning today, we’re expanding this functionality to include device enrollment and company-owned iOS devices.




Who’s impacted

Admins and end users


Why you’d use it 

Admins can use the Volume Purchasing Program to efficiently curate a suite of work-related apps—both free and paid—for their team. This streamlined process not only simplifies the deployment of essential business apps but also ensures that employees have access to the right apps they need to be productive and efficient, all within the secure perimeter of our MDM platform. To further streamline the enrollment and app distribution process, we’re automatically installing mandatory apps during enrollment for company-owned devices. This latest update makes it easier for admins to deploy apps across various device types in their organization.


Additional details

Please note that Apple ID sign-in is not needed in the company-owned iOS device flow once apps have been configured with VPP.


The automatic installation of mandatory apps during onboarding applies to all enrollment types, and devices that violate mandatory-app compliance will be blocked immediately until the required app(s) are installed. 


Getting started


Rollout pace


Availability

Available to Google Workspace
  • Business Plus
  • Enterprise Essentials and Enterprise Essentials Plus
  • Enterprise Standard and Plus
  • Education Standard and Plus, and the Endpoint Education Upgrade add-on
  • Frontline Starter and Standard
  • Cloud Identity Premium

Manage your compliance and data controls from a single source in the Admin console

What’s changing 

We know that compliance and data controls are paramount for our customers, both in understanding Google Workspace’s policies and configuring compliance-relevant features according to the needs of their business sector and geographical region. To help our customers navigate these complexities, we’ve centralized some of these relevant features and information into a single location in the admin console: Data.


Within this section, admins can:
  • Find a centralized hub containing all data and compliance-related features such as data regions, access transparency, and more.
    • Access Approvals, Access Management, Access Transparency, Client-Side Encryption, and Data Regions can now be found under Data > Compliance. Note that Access Transparency can also still be found under Menu > Reporting.

  • Data Export, Data migration, and Google Takeout can now be found under Data > Data import & export.

  • Find a dedicated compliance node containing guides and resources to help admins configure their settings for various regulations and standards, such as IL4, CJIS, and FedRAMP High.
Data > Overview



Data > Compliance > Guides and Resources


Getting started

  • Admins: You can access the new Data node compliance center in the Admin console by navigating to Menu > Data. From here, you will find the Overview page, as well as the Compliance and Data Import & Export categories. 
  • End users: There is no end user impact or action required.

Rollout pace


Availability

  • Available to all Google Workspace customers

Resources


Access Management is now generally available in the European Union

What’s changing 

Access Management is now also generally available in the European Union. These controls allow customers to select the physical location from which Google support teams can access organizational data during support activities. Customers can now restrict support personnel to EU-based Google staff working from EU locations. If necessary, non-EU Google staff may access data through virtual desktops that are located in the EU.




Who’s impacted

Admins


Why it’s important

Google Workspace Assured Controls enables customers to meet strict regulatory information governance requirements. With Access Management, customers can limit which Google staff can take support actions related to their data. Additionally, because Assured Controls is available on Google Workspace’s native platform, you don’t need to move to a separate GovCloud environment to use these capabilities. This update gives customers another way to configure how and where their data is accessed by Google staff.


Getting started


Rollout pace

Availability

  • Assured Controls is available as a paid add-on for Google Workspace Enterprise Plus. For more information, contact your Google account representative.

Introducing a new experience for data regions reporting

What’s changing 

We’re pleased to announce several new enhancements to Google Workspace data regions: 


For the first time, admins will be able to specify not only the region (EU or US) where their data is stored, but also the region in which it is processed, with granular controls that let administrators refine the region and level of compliance as appropriate for each organizational group. Workspace customers have the flexibility to select multiple geographies to suit their needs, rather than being restricted to the one region mandated by their billing address.


Also, based on customer feedback, we have re-architected our reporting dashboard to both deliver new functionality and simplify the experience for administrators. The changes include:
  • A simplified experience that focuses on the status of your data region posture. 
  • Streamlined reporting for Google Workspace Enterprise Plus customers.
  • Advanced reporting for Assured Controls customers.


Who’s impacted

Admins


Why it’s important


Assign data processing to the United States or Europe
Although customers are not required to use the sovereignty offerings within Workspace in order to comply with the GDPR, we make advanced data residency controls available so that customers can proactively apply digital sovereignty best practices and keep pace with regulatory legislation. 


Putting the emphasis on status
We’ve heard from our customers that it’s critical to quickly determine whether their data is being stored in the proper location. Based on this feedback, we’ve simplified the dashboard by consolidating parameters such as “application” and “data type”, which customers did not find useful, into a single status indicator.  


Also, admins can now access two new reporting cards: Versions and Policies. The Versions card tells admins how many users have each edition of data regions, while the Policies card tells you how many users have their storage and processing settings assigned to the US or Europe.




It’s important to note that if you use partial domain licensing, you may see a mix of users spread across different editions. A user’s feature set may vary based on their assigned Workspace edition; we recommend using our Help Center to learn more about the differences between editions.


Advanced reporting for Assured Controls customers
For Google Workspace customers using Assured Controls, more advanced reporting is available to help you verify that data is being both stored and processed in the right place. You can also drill down into this information on an app-by-app basis.

Getting started

Rollout pace

Availability

  • Enterprise Data Regions are included with Enterprise Plus, Education Standard, Education Plus, and Enterprise Essentials Plus.
  • Fundamental Data Regions are included with Frontline Starter, Frontline Standard, Business Standard, Business Plus, Enterprise Standard, and Enterprise Essentials. Reporting is not included with Fundamental Data Regions; you can purchase Enterprise Data Regions as a paid add-on with any of these editions. 
  • Assured Controls is available as a paid add-on for Google Workspace Enterprise Plus.