Tag Archives: Security and Compliance

Import and convert sensitive Excel files into client-side encrypted Google Sheets

What’s changing 

Launching in open beta, you can now import and convert sensitive Excel files into Google Sheets with client-side encryption. Your encrypted Excel file won’t be changed, even as you change the encrypted Sheets file. 


In Google Sheets, navigate to File > Import.




Additional details 

With this release: 
  • You can only import encrypted .xlsx Excel file types. 
  • Additional Excel and tabular file types are not supported. 
  • During import, unsupported Excel features in Sheets will be ignored. 
  • The maximum file size is 20MB. 
  • The maximum number of cells that can be imported is 5 million. 

Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers 

Resources 

Import sensitive external files to Google Drive with client-side encryption using the Drive API, launching in beta

What’s changing 

For select Google Workspace editions, admins can import sensitive, encrypted files from third-party storage using client-side encryption and the Google Drive API, preserving the confidentiality of your data. Eligible admins can apply for beta access using this form.


Who’s impacted 

Admins 



Why it’s important 

Currently, client-side encryption allows for additional encryption by end users within Google Workspace. However, we know it’s critical for our customers and partners to import sensitive content into Google Drive on behalf of their users. With the launch of this beta functionality, admins will be able to easily bulk import files and keep them private with client-side encryption. 


Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs. Client-side encryption is already available for Google Drive, Google Docs, Sheets, and Slides, Google Meet, Google Calendar and Gmail. For more information, see our original announcement.


Getting started 

  • Admins: 
  • End users: There is no end user action required. 

Rollout pace 

  • We will be accepting beta applications and allowlisting customers over the next several weeks. 

Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers 

Resources 

Customize error messages for Google Chat data loss prevention rules, available in open beta

What’s changing 

For new and existing data protection rules for Google Chat, you can now customize the message shown to users when a message is blocked or intercepted. Previously, the message would be a standard warning, shared for all cases. Now, you can provide more context for users, including what they can do to unblock themselves or links to additional resources. 


This feature is available as an open beta, which means admins can use it without enrolling in a specific beta program. Note that this feature is only available on the web; mobile users will continue to see the standard warning. 


Who’s impacted 

Admins and end users 



Why it’s important 

Data loss prevention rules are built into the Workspace platform, performing checks in real time to help keep employees and their data safe as they go about their work. Beyond enforcement of these rules, creating user awareness is critical in the overall understanding and adoption of safety best practices. 


Providing a more detailed explanation for why their message has been intercepted or blocked helps users understand how to unblock themselves and more safely accomplish their task. More detailed explanations might include sharing links for more info on safety best practices, how to re-work their messages to be more secure, and more. Additionally, if you’re using data loss prevention rules to warn users against sharing certain information across Chat, you can customize the message to inform your users of the risks before they proceed. 


For more information on data loss prevention for Google Chat, refer to the Help Center, our original announcement, as well as the announcement made at Google Cloud Next 2022.


Getting started 

  • Admins: This feature will be OFF by default and can be customized per rule at the domain, Organizational Unit (OU), or group level. When creating a rule, in Step 4: Actions, under “User Message”, select “customize message”.




Visit the Help Center to learn more about preventing data leaks from Chat messages & attachments.

  • End users: There is no end user action required. Depending on your admin settings, you’ll see more detailed information if you’re trying to send a Google Chat message that meets conditions defined in a data loss prevention rule.


Rollout pace


Availability

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard, Education Plus, the Teaching & Learning Upgrade, and Frontline Standard customers. 
  • DLP for Chat is also available to Cloud Identity Premium users who are also licensed for Workspace editions that include Google Chat and Audit and investigation. Visit the Help Center for more information. 

Resources


Improvements for client-side encryption in Gmail

What’s changing 

We’re introducing two new features for client-side encryption in Gmail which will help you quickly identify ineligible recipients and any attachments that may be blocked: 


When you’re composing a Gmail message using client-side encryption, any recipient who is not able to receive encrypted messages will be denoted with a red chip. The email cannot be sent until those recipients are removed. 


Email recipients who cannot receive encrypted messages will be highlighted in red.







Gmail blocks attachments that may spread viruses, like messages that include executable files or scripts. If you receive a client-side encrypted message in Gmail, we’ll automatically check if any attachments are blocked file types. If there are blocked file types, you’ll see a warning banner and you won’t be able to download the file. 

You'll see a warning banner if you receive an email with a blocked attachment type





For more information on client-side encryption in Gmail, check out the Workspace blog and our original announcement.

Getting started 

  • Admins: Visit the Help Center to learn more about setting up client-side encryption for your organization.
  • End users: 
    • If enabled by your Workspace admin, to add client-side encryption to any message, click the lock icon and select additional encryption, then compose your message and add attachments as normal. 
    • If you include a recipient in the “To” or “CC” fields who cannot receive an encrypted message, their email address will appear as a red chip. 
    • Visit the Help Center to learn more about Gmail client-side encryption and blocked file types in Gmail.

Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers 

Resources 

Add or remove client-side encryption from Google Sheets and Google Slides files

What’s changing 

You can now add client-side encryption to, or remove it from, existing spreadsheets in Google Sheets or presentations in Google Slides. This update gives you the flexibility to control encryption as your documents and projects evolve and progress. This feature is already available for Google Docs.


In Google Sheets or Slides, navigate to File > Make a copy > Add/Remove additional encryption.




Getting started 


Rollout pace 


Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers 

Resources 

Use Directory Sync to replace the domain name for synced users

What’s changing 

Using Directory Sync, admins can automatically replace the domain name for synced users and groups in their Google cloud directory. This means synced Google users and groups can have a different domain name than the domain used in the external directory following a sync. 


Verified domain names within your Google Workspace account can be used to replace user and group domain names. Admins can specify whether the domain change will occur for: 
  • Newly synced users and groups 
  • New and previously synced users and groups 


Directory Sync is available as an open beta, meaning no sign-up is required. Use our Help Center to learn more about using Directory Sync and FAQs.



Getting started


Simplify and strengthen sign-in by enabling passkeys for your users, available now in open beta

What’s changing

Google Workspace is enabling the use of passkeys as a simpler and safer alternative to passwords to sign in to Google Accounts. Additionally, Workspace admins can now allow users to use passkeys to skip passwords at sign-in for Workspace apps — this feature gives users the option to skip entering their password and sign in with passkeys using a fingerprint, face recognition, or other screen-lock mechanism across phones, laptops, or desktops. 

This feature is available as an open beta, which means admins can use it without enrolling in a specific beta program. 

Passkeys have been designed with user privacy in mind. When a user signs in with a passkey to their Workspace apps, such as Gmail or Google Drive, the passkey can confirm that a user has access to their device and can unlock it with a fingerprint, face recognition, or other screen-lock mechanism. The user’s biometric data is never sent to Google’s servers or other websites and apps. 


Who’s impacted 

Admins and end users 


Why you’d use it 

Passkeys are a new, passwordless sign-in method that can offer a more convenient and secure authentication experience across websites and apps. Passkeys are based on an industry standard and available across popular browsers and operating systems that people use every day, including Android, ChromeOS, iOS, macOS, and Windows. Google's early data (March - April 2023) shows that passkeys are 2x faster and 4x less error-prone than passwords. 

Passkeys are based on the same public key cryptographic protocols that underpin physical security keys, such as Titan Security Key, and therefore can be resistant to phishing and other online attacks. In fact, Google research has shown that security keys provide stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication (2FA). For a closer look at how passkeys work under the hood, check out our technical blog post.

Getting started 

  • Admins: Admins can allow users in their organizations to skip passwords at sign-in using a passkey. By default, this setting is off, which means that users can’t skip passwords during sign-in, but can still create and use passkeys as a 2-Step Verification (2SV) method. To allow users to skip passwords, administrators can follow these simple steps in the Admin console.
Admins can turn on / off the ability to use passkeys to skip passwords in the Admin console under Security > Passwordless. 
If enabled by your admin, you can opt to skip password entry in your account settings.

Rollout pace

Availability 

  • Available to all Google Workspace customers and Cloud Identity customers 

Resources


Extending client-side encryption to chat messages in Google Meet

What’s changing 

If you’re using client-side encryption for Meet, in-meeting chat will now be supported. As with the audio and video content of your client-side encrypted meetings, all in-meeting chat messages will be encrypted and inaccessible by any third party, including Google. 

Meet already encrypts all of your data at rest and in transit between our facilities — client-side encryption gives users direct control of their encryption keys and the identity service that they choose to authenticate for those keys. For more information, see our original announcement.


Getting started


Rollout pace

  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on May 24, 2023
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on June 26, 2023

Availability

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers hosting client-side encrypted calls 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, The Teaching and Learning Upgrade, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 

Resources 


Monitor abuse related events in the Alert Center

What’s changing 

Admins will now receive alerts for abuse-related events in their organization. This includes events related to content that has been marked abusive or user access restrictions to apps. 


This update makes it easier for admins to stay on top of abuse within their accounts, and easily take necessary action such as suspending users or restricting access to certain services. 

Admins will be alerted via email of abuse-related events and can find more information in the Alert Center.



Getting started

  • Admins: 
  • End users: There is no end user action required. 

Rollout pace 


Availability 

  • Available to all Google Workspace customers

Resources

New Alert Center notifications for Apple push certificates

What’s changing 

The Apple Push Notification Service (APNS) certificate is a critical component for advanced mobile management for iOS devices. This certificate expires yearly and requires manual renewal. If you don't renew the certificate, your organization’s iOS devices will not be able to access Google Workspace applications after the certificate expires. To help you stay on top of the renewal period and take action in a timely manner, we will: 

Notify you via the Alert Center and email when: 
  • Your certificate is 30, 10, and 1 day from the date of expiration. 
  • Your certificate has expired. 








Getting started 

  • Admins: 
  • End users: There is no end user impact or action required.


Rollout pace 


Availability 

  • Google Workspace Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, The Teaching and Learning Upgrade, Education Fundamentals, Frontline, and Cloud Identity Premium customers 

Resources