Google Workspace – Empowering users and administrators to improve security and compliance

In our new series about Google Workspace security, we will discuss Google’s approach to security and compliance. As cloud computing pioneers, Google takes security very seriously and understands the concerns over enterprise cloud computing. Their approach comes in many parts. Last time we heard about how Google builds their products with security at their core. Today we will dive into how Google empowers users and administrators to improve security and compliance.

If you have been following this series, it should be very clear by now that Google builds security and compliance into their products. The previous post detailed the intensive security infrastructure that Google has. While all the tools are there, it’s up to the administrators and owners to decide if and how to use them. Let’s read on to find out more about the robust security settings Google offers their customers through Google Workspace.

Access and Authorization

Administrators can start by strengthening their users’ accounts with 2-step verification and security keys. 2-step verification allows administrators to mitigate the risk of compromised accounts and gives them the peace of mind that even if a user’s password is stolen, the attacker still needs the user’s second factor (a security key or phone) to gain access.

The next security offering related to access and authorization is single sign-on, or SSO. Google Workspace offers the ability to use your Google account to sign into different software or services. This is convenient because users don’t have to remember another password. Along with SSO, Google Workspace supports OAuth 2.0 and OpenID Connect, which allow customers to configure SSO for multiple cloud solutions. This lets users log into third-party services with their Google accounts.

In most companies, there is an information rights policy between the organization and its employees. Google Workspace helps you enforce such a policy by letting you control which users or groups can share, copy, print, or download content. Only certain users can alter these permissions.

Another important access feature in Google Workspace is restricted email delivery. For some organizations, such as schools, the administrators might want to restrict whom users can send email to. Google Workspace allows you to restrict email based on user or domain. If a user tries to send an email to an unauthorized domain, the email will bounce back with a message referencing the company policy that caused it to bounce. The same goes for an unauthorized domain emailing your users.

To take access and authorization one step further, Google has developed context-aware access, which determines a user's ability to access a service based on data like their device’s security state and the IP address. With Google’s BeyondCorp, users can access their systems and services from virtually any device, without a VPN.

Asset Protection

Google protects your email account against spam, phishing and malware using machine learning models that Google has built. One of the key aspects of this is the malware scanner, which processes over 300 billion attachments per week. The machine learning aspect is important because 63% of the attachments that they block change daily. Attachments that contain questionable data and are deemed threats get placed in the spam folder or are quarantined. Google continues to improve this service by briefly delaying the delivery of certain emails to analyze them. The detection models also integrate with Google Safe Browsing, to allow you to navigate the internet safely.

To deliver malware to your device, senders can sometimes forge the “from” address in an email. This is often referred to as “spoofing”. To prevent this, Google participates in the DMARC program, which allows domain administrators to tell email providers how to handle unauthenticated emails from their domain. Google Workspace administrators can publish a DMARC record alongside an SPF record and DKIM signing keys.
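As an added illustration of the mechanism described above (example code, not Google's implementation): a DMARC record is published as a DNS TXT record at `_dmarc.<domain>`, and a receiving mail server checks whether SPF or DKIM authenticated a domain that aligns with the From: header domain; if neither did, it applies the published policy. The organizational-domain logic is simplified to the last two DNS labels, which is an assumption made for brevity.

```python
"""Minimal DMARC policy evaluation (constructed example, not Google's code).

A DMARC TXT record at _dmarc.<domain> tells receivers what to do with mail
whose From: domain is authenticated by neither SPF nor DKIM. The SPF and
DKIM results are taken as inputs here; a real receiver computes them first.
"""

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tags with defaults."""
    tags = {"adkim": "r", "aspf": "r", "sp": None}   # relaxed alignment by default
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Assumption/simplification: the last two labels form the organizational
    # domain. Production code consults the Public Suffix List instead.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record_txt, from_domain, spf, dkim):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).

    Returns (dmarc_result, disposition) where disposition is the action the
    policy asks the receiver to take: 'none', 'quarantine' or 'reject'.
    """
    rec = parse_dmarc(record_txt)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], rec["aspf"])
    dkim_ok = any(r == "pass" and aligned(from_domain, d, rec["adkim"])
                  for r, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Mail from a subdomain uses sp= when published, otherwise p=.
    is_sub = from_domain.lower() != org_domain(from_domain)
    policy = rec["sp"] if is_sub and rec["sp"] else rec["p"]
    return "fail", policy
```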

If organizations empower their users to make the right decisions to protect data, it can improve the organization’s security posture. To support this, Gmail shows you a quick warning when you are about to send an email to someone outside of your company’s domain. If the recipient is in your contact list or you have emailed them before, Google’s context-awareness will recognize the email address and let the message go through without a warning. Thus, the context-awareness is constantly adjusting to provide the best security.

In addition to the above Gmail features, Google also provides a confidential mode with its email service. This lets users send confidential emails that recipients cannot forward, print, copy, or download (including attachments).

Data loss prevention (DLP) for Google Drive and Gmail is the icing on the cake of Google Workspace asset protection. This feature prevents sensitive information, such as credit card numbers, from leaking outside of the organization. Administrators can audit what kind of sensitive information their users are sending via Gmail. DLP uses predefined content detectors which come ready to use out of the box and can also be customized by administrators. You can learn more about Google’s DLP here.
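An added example, not Google's implementation, of what a content detector like the predefined credit card detector has to do to avoid flagging every 16-digit number: it pairs a pattern match with the Luhn checksum that real card numbers satisfy, then returns findings in the masked form an administrator's audit log would record. The block/audit actions and the sample message are constructed for this example.

```python
"""Constructed DLP-style detector for payment card numbers (not Google's code).

A bare regex would flag order numbers and other 16-digit IDs; the Luhn
mod-10 check removes most of those false positives.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

def find_card_numbers(text):
    """Return (matched_text, masked_number) for each Luhn-valid candidate."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]   # keep last 4 for the audit log
            findings.append((m.group(), masked))
    return findings

def apply_policy(text, action="block"):
    """Simulate a DLP rule: 'block' stops the message, 'audit' only records it.

    Returns (allowed, findings) so the caller can write the audit event.
    """
    findings = find_card_numbers(text)
    if findings and action == "block":
        return False, findings
    return True, findings

# Constructed sample message. 4111 1111 1111 1111 is a well-known Luhn-valid
# test number; the order number is 16 digits but fails the checksum.
SAMPLE = "Order 1234567890123456 shipped. Card used: 4111 1111 1111 1111, thanks."
```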

Data Recovery

Data recovery is an important feature for any organization; after all, nobody is perfect. Google kicks us off with the ability to restore a deleted user. Once an administrator decides to delete a user and performs the action, the administrator has 20 days to recover the user and their data from the trash. After the 20 days the user will no longer be available, even if the administrator contacts Google support.

With Gmail and Google Drive data, the administrator can restore emails or data up to 25 days after the user deleted them from their trash. After 25 days, the administrator cannot restore the data, even if they contact Google Support.

Administrators can also turn on Google Vault, which allows retention, export, holds, and search of the covered data in your geographic region.

Finally, as an administrator you can choose to store your data in a specific region, achieving residency according to the law in your area. Coverage includes Google Drive content, Gmail messages and attachments, Google Chat messages and attachments, as well as other core data.

Putting it all together

As you have probably figured out by now, the design of Google’s systems and services was largely driven by the protection of their customers’ data. In our past three posts, we have covered various aspects of Google Workspace’s data protection, including: Google’s Security and Privacy Focused Culture, Google Workspace - Technology with Security at its Core, and Empowering Users and Administrators to Improve Security and Compliance. If you have any questions about Google Workspace’s security and data protection, please feel free to reach out to us at any time.
