
What’s changing
We’re expanding the availability of AI Classification in Google Drive to Google Workspace for Education customers with the Gemini Education Premium add-on.

Even though data security is paramount in today’s digital world, organizations struggle to label their data at scale, rendering label-based data protections less useful. This problem is solved by AI classification, automatically applying labels to both new and existing files in Google Drive. 

Powered by privacy-preserving AI models that can be uniquely trained on specific customer needs, AI classification automatically identifies, classifies, and labels files in Google Drive. This helps organizations standardize data classification and achieve labeling consistency at scale. Labels can then be used to trigger rules on files that can and cannot be shared through data loss prevention (DLP) controls, lifecycle management policies, as well as audit and reporting use cases.


AI Classification in the Admin console

AI Classification in Google Docs






Getting started


Rollout pace

Availability
  • Available for Google Workspace for Education customers with the Gemini Education Premium add-on.
This feature is already available to customers with the Gemini Enterprise add-on, and via the AI Security add-on for select Google Workspace customers.

What’s changing
Admins can create classification labels for users to apply to files in Google Drive. These classification labels are useful for many common workplace scenarios, including records management, classification, structured finding, reporting, auditing, and more. 

To improve granularity in enabling & governing labels, we are replacing and improving the existing “Labels” setting within Apps > Google Workspace > Drive & Docs and adding label-level application toggles to the Label Manager tool. 

Classification labels can be applied to a Workspace application once it's selected during the setup process. A lock icon will be displayed in line with the application toggle when the label is referenced by a policy, such as a DLP rule. To remove all rules that reference a specific label, go to the Data protection section of the Admin console > Security > Access and data control. 

The active labels in your Workspace domain will continue to function and will be auto-enabled for Drive & Docs as a result of this update.
  Getting started 
Rollout pace
  • This feature is available now 
Availability 
Available for Google Workspace: 
  • Business Standard, Plus 
  • Enterprise Standard, Plus 
  • Essentials Starter, Enterprise Essentials, Enterprise Essentials Plus 
  • Education Standard, Plus 
  • Frontline Starter, Standard
Resources 

What’s changing
We’re continually investing in data protection capabilities for Google Forms. We’ve already enabled data loss prevention (DLP) for Google Drive policies that apply to files submitted in external Forms, including Forms from external organizations. To expand on this, today we’re announcing that DLP policies for form content in Google Forms are now generally available. 


With DLP, Forms with sensitive content can be blocked from being viewed or responded to by external individuals. Based on DLP rules configured by the admin, this feature checks form content, including questions, the form title and description, and the answer options provided in the form, and prevents sensitive content from being shared externally; it does not check form responses provided by end users that are submitted to external forms. 

DLP in Forms
This screenshot of a Google Form includes mentions of “Project X”. DLP rules are configured to detect Forms that mention “Project X”, the sensitive content in this form, and prevent them from being shared with responders outside the organization.


Additional details 
If you do not want DLP rules applied to users in your domain, you can exclude certain groups or organizational units from DLP checks. You can also exclude DLP rules for forms by using nested condition operators in DLP for Drive rules. To do so, add an ‘AND NOT’ conditional operator with a custom detector for “vnd\.google\-apps\.form” as a regex. In scenarios where you only want to apply DLP for forms, add a custom detector for “vnd\.google\-apps\.form” as a regex. Visit this Help Center to learn more about using Workspace DLP to prevent data loss. 
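To make the nested-condition mechanics concrete, here is an added example (written for this page, not Google's DLP engine or any Admin SDK call) that models a Drive DLP rule as a list of AND-ed conditions, where the “AND NOT” operator is a negated condition carrying the MIME-type regex quoted above. The class names, the `DriveFile` fields and the sample files are assumptions constructed for illustration; only the regex comes from the announcement.

```python
import re
from dataclasses import dataclass

# Added example: a constructed model of Drive DLP rule evaluation with nested
# conditions. It is not Google's DLP engine or an Admin SDK call; the class
# and field names are assumptions made for illustration.

# Regex quoted in the announcement for matching the Forms MIME type.
FORM_MIME_DETECTOR = r"vnd\.google\-apps\.form"

# Most restrictive action wins when several rules match.
ACTION_RANK = {"audit": 1, "warn": 2, "block": 3}


@dataclass
class DriveFile:
    name: str
    mime_type: str
    text: str             # extracted title, description, questions, answer options


@dataclass
class Condition:
    field: str            # attribute of DriveFile to inspect: "text" or "mime_type"
    pattern: str          # custom detector expressed as a regular expression
    negate: bool = False  # True models the "AND NOT" operator

    def holds(self, f: DriveFile) -> bool:
        hit = re.search(self.pattern, getattr(f, self.field)) is not None
        return (not hit) if self.negate else hit


@dataclass
class Rule:
    name: str
    conditions: list      # every condition must hold (AND)
    action: str           # "audit", "warn" or "block"

    def evaluate(self, f: DriveFile):
        """Return the rule's action if all conditions hold, else None."""
        return self.action if all(c.holds(f) for c in self.conditions) else None


def decide(rules, f: DriveFile) -> str:
    """Return the most restrictive action any rule requests, or 'allow'."""
    actions = [a for a in (r.evaluate(f) for r in rules) if a]
    return max(actions, key=ACTION_RANK.get) if actions else "allow"


# Rule 1: block external sharing of Drive files mentioning "Project X",
# but leave Forms alone via "AND NOT <MIME-type regex>".
PROJECT_X_EXCEPT_FORMS = Rule(
    "project-x-drive-only",
    [Condition("text", r"Project X"),
     Condition("mime_type", FORM_MIME_DETECTOR, negate=True)],
    "block",
)

# Rule 2: a forms-only rule, where the same detector is a positive condition.
PROJECT_X_FORMS_ONLY = Rule(
    "project-x-forms-only",
    [Condition("text", r"Project X"),
     Condition("mime_type", FORM_MIME_DETECTOR)],
    "warn",
)

# Constructed sample files (not real data).
SAMPLE_FILES = [
    DriveFile("Q3 plan", "application/vnd.google-apps.document", "Budget for Project X"),
    DriveFile("Survey", "application/vnd.google-apps.form", "Feedback on Project X rollout?"),
    DriveFile("Lunch menu", "application/vnd.google-apps.form", "Pizza or salad?"),
]


def decisions(rules, files=SAMPLE_FILES) -> dict:
    """Map each sample file name to the action the given rule set produces."""
    return {f.name: decide(rules, f) for f in files}


if __name__ == "__main__":
    for name, action in decisions([PROJECT_X_EXCEPT_FORMS, PROJECT_X_FORMS_ONLY]).items():
        print(f"{name}: {action}")
```

The point to check before deploying such a rule is the negation: with the MIME-type condition negated, the Form that mentions “Project X” falls through to `allow`, while the same text in a Doc is still blocked. Dropping the negation flips the rule into the forms-only variant described in the paragraph above.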


Getting started 
  • Admins: 
    • Data loss prevention rules scoped to Drive files defined for your domain will be applied automatically to Forms.
    • If you are not using DLP for Google Drive, you can create DLP rules at the domain, OU, or group level in the Admin console under Security > Data protection. You can apply block, warn or audit actions, consistent with DLP for Drive. If you apply the block action, users external to the domain will not be able to view or respond to forms with sensitive content. 
    • Visit the Help Center to learn more about turning data loss prevention in Google Forms on for your organization. 
  • End users: End users can respond as usual to forms that do not violate DLP rules. If a form violates Drive DLP rules for its domain, form editors may see warnings and form responders external to the domain may be blocked from viewing or responding to the form. 
Rollout pace 
Availability 
Available for Google Workspace: 
  • Enterprise Standard, Plus 
  • Enterprise Essentials Plus 
  • Education Fundamentals, Standard, Plus, the Teaching & Learning Upgrade 
  • Frontline Standard 
  • Cloud Identity Premium 
Resources 

What’s changing
In November 2023, we announced the ability to purchase and distribute iOS apps to user-enrolled devices through Apple’s Volume Purchase Program. Beginning today, we’re expanding this functionality to include device enrollment and company-owned iOS devices.




Who’s impacted
Admins and end users


Why you’d use it 
Admins can use the Volume Purchasing Program to efficiently curate a suite of work-related apps—both free and paid—for their team. This streamlined process not only simplifies the deployment of essential business apps but also ensures that employees have access to the right apps they need to be productive and efficient, all within the secure perimeter of our MDM platform. To further streamline the enrollment and app distribution process, we’re automatically installing mandatory apps during enrollment for company-owned devices. This latest update makes it easier for admins to deploy apps across various device types in their organization.


Additional details
Please note that Apple ID sign-in won't be needed in the company-owned iOS devices flow after configuring apps with VPP.


The automatic installation of mandatory apps during onboarding applies to all enrollment types, and devices that violate mandatory apps compliance will be immediately blocked until the required app(s) are installed. 


Getting started

Rollout pace

Availability
Available to Google Workspace
  • Business Plus
  • Enterprise Essentials and Enterprise Essentials Plus
  • Enterprise Standard and Plus
  • Education Standard and Plus, and the Endpoint Education Upgrade add-on
  • Frontline Starter and Standard
  • Cloud Identity Premium

What’s changing 
We know that compliance and data controls are paramount for our customers, both in understanding Google Workspace’s policies and configuring compliance-relevant features according to the needs of their business sector and geographical region. To help our customers navigate these complexities, we’ve centralized some of these relevant features and information into a single location in the admin console: Data.


Within this section, admins can:
  • Find a centralized hub containing all data and compliance-related features such as data regions, access transparency, and more.
    • Access Approvals, Access Management, Access Transparency, Client Side Encryption, and Data Regions can now be found under Data > Compliance. Please note that Access Transparency can still be found under Menu > Reporting.
    • Data Export, Data migration, and Google Takeout can now be found under Data > Data import & export.
  • Find a dedicated compliance node containing guides and resources to help them configure their settings within various regulations and standards such as IL4, CJIS, and FedRAMP High.
Data > Overview



Data > Compliance > Guides and Resources


Getting started
  • Admins: You can access the new Data node compliance center in the Admin console by navigating to Menu > Data. From here, you will find the Overview page, as well as the Compliance and Data Import & Export categories. 
  • End users: There is no end user impact or action required.
Rollout pace

Availability
  • Available to all Google Workspace customers
    Resources

    What’s changing 
    Access Management is now also generally available in the European Union — these controls allow customers to select the physical location from which Google support teams can access organizational data during support activities. Customers can now restrict support personnel to EU Google staff in EU locations. If necessary, non-EU Google staff may access data through virtual desktops that are located in EU locations.




    Who’s impacted
    Admins


    Why it’s important
    Google Workspace Assured Controls enables customers to meet strict regulatory information governance requirements. With Access Management, customers can limit the Google staff who can take support actions related to their data. Additionally, since Assured Controls is available on Google Workspace’s native platform, you don’t need to move to a separate GovCloud environment for access to these capabilities. This update gives our customers another way to configure how and where their data is accessed by Google staff.


    Getting started

    Rollout pace
    Availability
    • Assured controls are available as a paid add-on for Google Workspace Enterprise Plus. For more information, contact your Google account representative.

    What’s changing 
    We’re pleased to announce several new enhancements to Google Workspace data regions: 


    For the first time, admins will be able to specify not only the region (EU or US) where their data is stored, but also the region in which it is processed, with granular controls to allow administrators to easily refine the region and level of compliance needed as appropriate for their organizational groups. Workspace customers have the flexibility to select multiple geographies to suit their needs, versus being restricted to one region mandated by billing address.


    Also, based on customer feedback, we have re-architected our reporting dashboard to both deliver new functionality and simplify the experience for administrators. These include:
    • A simplified experience that focuses on the status of your data region's posture. 
    • Streamlined reporting for Google Workspace Enterprise Plus customers.
    • Advanced reporting for Assured Controls customers.


    Who’s impacted
    Admins


    Why it’s important

    Assign data processing to the United States or Europe
    Although customers are not required to use the sovereignty offerings within Workspace in order to comply with the GDPR, we make advanced data residency controls available so that customers can proactively leverage digital sovereignty best practices and keep pace with regulatory legislation. 


    Putting the emphasis on status
    We’ve heard from our customers that it’s critical to quickly determine whether their data is being stored in the proper location. Based on this feedback, we’ve simplified the dashboard to consolidate parameters like “application” and “data type”, which were not useful to customers, into a single status indicator.


    Also, admins can now access two new reporting cards: Versions and Policies. The Versions card will tell admins how many users have each edition of data regions, while the Policies card will tell you how many users have their storage and processing settings assigned to the US or Europe.




    It’s important to note that if you’re subject to partial domain licensing, you may see a mix of users spread across different editions. A user’s feature set may vary based on their assigned Workspace editions — we recommend using our Help Center to learn more about the difference between editions.


    Advanced reporting for Assured Controls customers
    For those Google Workspace customers using Assured Controls, you can leverage more advanced reporting which will help you determine that data is being both stored and processed properly. You can also drill down into this information on an app-by-app basis.

    Getting started
    Rollout pace
    Availability
    • Enterprise Data Regions are included with Enterprise Plus, Education Standard, Education Plus, and Enterprise Essentials Plus.
    • Fundamental Data Regions are included with Frontline Starter, Frontline Standard, Business Standard, Business Plus, Enterprise Standard, and Enterprise Essentials. Reporting is not included with fundamental data regions — you can purchase Enterprise data regions as a paid add-on with any of these editions. 
    • Assured Controls are available as a paid add-on for Google Workspace Enterprise Plus.

    What’s changing
    We’re expanding visitor sharing, a feature that provides secure, pincode-based collaboration over sensitive data with people outside your organization, to include client-side encrypted files. This allows users to securely collaborate with external partners on sensitive Google Drive, Docs, Sheets, and Slides files, while maintaining the confidentiality of the information with the granular control of encryption keys, identity verification and user permissions. 
    External users can now securely collaborate on client-side encrypted files


    Getting started 

    Rollout pace 

    Availability 
    Available for Google Workspace: 
    • Enterprise Plus 
    • Education Standard and Plus 
    Resources 

    What’s changing 
    Last year, we announced in beta the ability to view and edit client-side encrypted Excel files with Google Sheets. Starting today, we’re rolling it out in general availability for select customers.



    Additional details
    With this release:
    • You can only view and edit .xlsx Excel file types — additional Excel and tabular file types are not supported.
    • The maximum supported file size is 100MB.
    • The maximum number of cells that can be opened is 10 million.

    As we continue to improve Office editing in encrypted Google Sheets, you may encounter incompatibilities for certain features. Some features are not displayed and/or editable, but will be preserved in the document and viewable in Microsoft Office. Other features may be lost or altered in the latest version of the file when it is edited in Google Sheets. You will see a notification within the document if editing will cause any features to be lost or altered.


    Getting started

    Rollout pace

    Availability

    Available for Google Workspace:
    • Enterprise Plus
    • Education Standard and Plus

    Resources

    What’s changing 
    Using context-aware access, you now have the option to automatically block access to Google Workspace data from compromised Android and iOS devices. A device may be counted as compromised if certain unusual events are detected, including jailbreaking, bypassing of security controls, modification of restricted settings, and more.

    Creating a new rule to block compromised mobile devices


    Blocking message for compromised iOS and Android devices






    Getting started

    Rollout pace
    • Block access to Google Workspace data: available immediately for both Android and iOS.
    • Remediation message: available immediately for Android, available on May 9, 2024 for iOS. 

    Availability
    Available to Google Workspace
    • Enterprise Standard and Plus
    • Education Standard and Plus
    • Frontline Standard
    • Enterprise Essentials Plus
    • Cloud Identity Premium

    What’s changing

    We’re simplifying how users turn on 2-Step Verification (2SV), which will streamline the process, and make it easier for admins to enforce 2SV policies in their organizations.  

    Here are some of the important changes:

    • Users may add “second step methods” (such as Google Authenticator, or a hardware security key) before turning on 2SV. This is particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps). Previously, users had to enable 2SV with a phone number before being able to add Authenticator.

    • Users with hardware security keys will have two options to add them to their account on the “Passkeys and security keys” page:
      • “Use security key”: this registers a FIDO1 credential on the security key even if the key itself is FIDO2 capable.
      • “Create passkey” and follow the instructions to “use another device”: this registers a FIDO2 credential on the security key, and will require users to use the key’s PIN for local verification (this creates a passkey on the security key).
      • Note: users will continue to be asked for their password along with their passkey if the admin policy for “Allow users to skip passwords at sign-in by using passkeys” remains turned OFF (this is the default configuration).

    • If an enrolled 2SV user turns 2SV OFF from their account settings, their enrolled second steps (such as backup codes, Google Authenticator, or second factor phone) are not automatically removed from their account. Before this change, all second factors would be removed when the user turned 2SV off. Note: When an administrator turns off 2SV for a user from the Admin console or via the Admin SDK, the second factors will be removed as before, to ensure user off-boarding workflows remain unaffected.
    Getting started
    Rollout pace

    Availability
    • Available to all Google Workspace customers and users with personal Google accounts 

    Resources

    What’s changing 
    Launching first to beta, we’re introducing data loss prevention rules for Gmail. Data protection rules help admins and security experts build a stronger framework around sensitive data to prevent personal or proprietary information from ending up in the wrong hands. This functionality is already available in Google Chat and Google Drive, and in Gmail you’ll be able to create, implement, and investigate rules in the same manner. 


    Admins can create data protection rules to flag sensitive information from leaving your organization. These rules are applied to outgoing messages sent internally or externally and admins can choose whether all content (including attached files and images), the body of the email, email headers, or subject lines should be scanned. You can configure your rules to look for sensitive text strings, custom detectors, or select predefined detectors. If a message violates a rule, admins can choose to:

    • Block message — the sender will receive a notification about message delivery failure and more information about the policy they violated.
    • Quarantine message — the message will require review and approval by an admin before delivery. If the message is rejected by an admin, the user may receive a notification about it.
    • Audit only — the message is delivered, but it is captured in rule log events for further analysis. This is particularly advantageous because it allows admins to assess the impact of rules before introducing them to your end users.
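The paragraph and list above describe three independent choices an admin makes per rule: which parts of a message are scanned, which recipient audience the rule targets, and what happens on a match. The following added example (written for this page; it is not Google's DLP engine, and every class, field and sample value is an assumption) models those choices and shows how an Audit-only rule logs a match without stopping delivery while a Block rule on the same message wins.

```python
import re
from dataclasses import dataclass, field

# Added example: a constructed model of how a Gmail data protection rule
# chooses which parts of a message to scan, which recipient audience it
# applies to, and how Block, Quarantine and Audit only combine. It is not
# Google's DLP engine; every name and sample value here is an assumption.

INTERNAL_DOMAIN = "example.com"                      # constructed
ACTION_RANK = {"audit": 1, "quarantine": 2, "block": 3}


@dataclass
class Message:
    recipients: list
    headers: dict
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # name -> extracted text

    def recipient_kinds(self) -> set:
        return {"internal" if r.endswith("@" + INTERNAL_DOMAIN) else "external"
                for r in self.recipients}

    def parts(self, scope):
        """Yield (part label, text) for only the parts a rule is scoped to."""
        if "headers" in scope:
            for k, v in self.headers.items():
                yield f"header:{k}", v
        if "subject" in scope:
            yield "subject", self.subject
        if "body" in scope:
            yield "body", self.body
        if "attachments" in scope:
            for name, text in self.attachments.items():
                yield f"attachment:{name}", text


@dataclass
class Rule:
    name: str
    detector: str    # custom detector: a regex (a word list can be joined with |)
    scope: set       # subset of {"headers", "subject", "body", "attachments"}
    audience: str    # "internal", "external" or "both"
    action: str      # "block", "quarantine" or "audit"

    def first_match(self, msg: Message):
        """Return the label of the first scanned part that triggers the detector."""
        if self.audience != "both" and self.audience not in msg.recipient_kinds():
            return None
        for label, text in msg.parts(self.scope):
            if re.search(self.detector, text):
                return label
        return None


def scan(msg: Message, rules):
    """Return (delivery decision, rule log events). Audit only never stops delivery."""
    events = []
    for rule in rules:
        label = rule.first_match(msg)
        if label:
            events.append({"rule": rule.name, "matched_in": label, "action": rule.action})
    actions = [e["action"] for e in events]
    decision = max(actions, key=ACTION_RANK.get) if actions else "deliver"
    return ("deliver" if decision == "audit" else decision), events


# Constructed rules: a new codename rule staged in Audit only, and an
# established rule that blocks a constructed employee-ID format.
RULES = [
    Rule("audit-project-x", r"Project X", {"subject", "body", "attachments"}, "external", "audit"),
    Rule("block-employee-ids", r"\bEMP-\d{6}\b", {"body", "attachments"}, "external", "block"),
]

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    Message(["partner@partner.example"], {"X-Mailer": "demo"}, "Project X update",
            "Notes attached.", {"notes.txt": "EMP-123456 is on leave"}),
    Message(["colleague@example.com"], {}, "HR", "EMP-123456 is on leave"),
    Message(["partner@partner.example"], {}, "Project X timeline", "See you Monday."),
]


def triage(messages=SAMPLE_MESSAGES, rules=RULES) -> list:
    """Scan each sample message and return its (decision, events) pair."""
    return [scan(m, rules) for m in messages]


if __name__ == "__main__":
    for decision, events in triage():
        print(decision, events)
```

The second sample message carries the same employee ID but only to an internal recipient, so an external-audience rule never scans it; the third trips only the Audit-only rule, so it is delivered but leaves a log event for the Security Investigation Tool to pick up.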

    Data loss prevention for Gmail is available for select Google Workspace customers (see the “Availability” section below) — no additional sign-up is required to use the feature. 

    Create data protection policies for Gmail alongside Drive and Chat

    Build flexible conditions with selection of predefined and custom detectors of sensitive information

    Set up a rule with the Audit only action applied to messages sent outside the organization. The severity level for event logging is set to ‘Medium’ and alerting via the Alert Center is turned on 

    Detailed information about the event in the Alert Center

    Overview of DLP incidents in the Security Dashboard with further option to investigate audit logs in detail

    Who’s impacted
    Admins and end users



    Why it’s important

    In addition to detecting sensitive content, DLP in Gmail offers additional benefits such as:

    • Simplified deployment and data protection policies management with rules for Gmail, Drive and Google Chat unified into the same area and workflow.
    • Advanced detection policies with flexible conditions, wide selection of predefined detectors for global and regional information types, custom detectors (Regular Expressions and word lists), targeting on specific parts of a message (header, subject, body). 
    • Granular configuration of policies scope, defining sender audiences (at domain, OU, and group levels) and recipient audiences (internal, external, both).
    • Actions with various levels of restriction such as block delivery of message (Block), quarantine message for review (Quarantine), and log event for future audit (Audit only).
    • Tools for incident management and investigation such as the Alert Center, Security Dashboard and Security Investigation Tool.


    Additional details
    How does DLP in Gmail compare to Content Compliance rules?
    Content compliance in Gmail does offer similar functionality in that you can create rules to prevent messages that contain specific content from being sent. However, unlike DLP in Gmail, admins have no way to preview the impact of these rules before deploying them broadly.


    Further, content compliance offers a variety of features that are better suited for filtering content. For example, you can:
    • Set up a metadata match on a range of IP addresses, and quarantine messages from IP addresses outside of the range.
    • Route messages with content that matches specific text strings or patterns to the department best suited to process that information.

    Getting started
    • Admins: 
      • Data loss prevention rules can be configured at the domain, OU, or group level. DLP rules can be enabled in Gmail in the Admin console under Security > Access and data control > Data protection. Visit the Help Center to learn more about controlling sensitive data shared in Gmail.
        • Note that you can modify existing DLP rules for Drive and Chat to also apply to Gmail. 
      • DLP events can be reviewed in the Security Investigation Tool or Security > Alert Center, if alerts are configured in rules.


      • We recommend selecting “Audit only” when you’re setting up a rule. When selected, messages that match the conditions of a rule will be delivered with the detection being logged. This allows you to test new rules and monitor their performance, or to passively monitor the environment without interrupting email flow for your users.

      • Note on asynchronous and synchronous scanning: With DLP for Gmail, data protection rules are scanned asynchronously, which means that the message is blocked or quarantined after it leaves the sender’s mailbox and before being dispatched to the recipient. We’re working on the ability to scan data protection rules synchronously when a user hits “Send” in order to notify users about sensitive content before the message leaves their mailbox. 


      • Please share your feedback on this feature with us — this will help us continue to improve the experience as we move through beta and toward general availability. You can share your feedback by selecting the “Send feedback” button located in the bottom left corner of your screen of any data protection related page in the Admin console.


    • End users: When configured by your admins, you’ll be notified if your message contains information that violates a DLP rule.

    Rollout pace
    Availability
    Available to Google Workspace:
    • Enterprise Standard, Enterprise Plus
    • Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
    • Frontline Standard
    • Cloud Identity Premium customers

    What’s changing 
    You can now use client-side encryption as a condition for a data loss prevention (DLP) rule. As with other DLP rules, you’ll be able to configure: 
    • If users are warned before sharing externally. 
    • If users are blocked from sharing externally. 
    • Whether the ability to download, print, or copy the document is disabled for commenters and viewers. 
    • Whether these events should be sent to the Alert Center for further investigation. 

    Client-side encryption goes beyond the latest cryptographic standards used by Workspace by giving organizations authoritative control and privacy as the sole owner of private encryption keys and the identity provider of the encryption keys. Combining client-side encryption with DLP rules helps our admins build an even stronger framework around sensitive data and information.


    Getting started
    Rollout pace


    Availability
    Available for Google Workspace:
    • Enterprise Plus
    • Education Standard and Plus


    Resources

    What’s changing 
    We’re enhancing the experience for client-side encrypted Google Meet calls to include support for inviting external participants, including users without a Google account. Admins will need to turn on access for external participants and determine which identity provider the guest uses to join.




    Who’s impacted
    Admins and end users


    Why it’s important
    Meet already encrypts all of your data at rest and in transit between our facilities — client-side encryption gives users direct control of their encryption keys and the identity service that they choose to authenticate for those keys. Adding support for external participants means customers can collaborate with any of their stakeholders safe in the knowledge that only the meeting participants can decrypt the call media. This feature further extends the privacy and compliance capabilities of Google Meet and is the latest security enhancement, alongside encryption for in-meeting chat messages, co-host support, and the ability to join an encrypted meeting from a mobile device. For more information about client-side encryption for Google Meet, see our original announcement.


    Getting started
    • Admins: Admins will need to update their IdP/KACLS configurations to open up for external participants and determine which third-party Identity Providers they can use to join a client-side encrypted meeting. Visit the Help Center for more information on providing external access to client-side encrypted content.

    • End users: 
      • Organizing encrypted calls: To turn on client-side encryption for a meeting, go to a calendar event with Meet video conferencing, navigate to Settings (cog-wheel icon) > Security and select “Add encryption”.
        • Contact your administrator to learn about your organization's policies and which external identity services and guests have been configured to allow access. Visit the Help Center to learn more about inviting participants to client-side encrypted meetings.
        • Note that only directly invited participants can join client-side encrypted meetings.

      • Joining encrypted calls: External users will validate their identity using a method supported by the Identity Provider. Authentication methods vary between providers. Some common options could be to log in with an account from e.g. Google or Microsoft, or by receiving an email with a one-time password. Visit the Help Center to learn more about client-side encrypted meetings.
    Rollout pace

    Availability
    Available to Google Workspace:
    • Enterprise Plus
    • Education Standard and Plus

    This announcement was part of Google Cloud Next ‘24. Visit the Workspace Blog to learn more about the next wave of innovations in Workspace, including enhancements to Gemini for Google Workspace.


    What’s changing
    To protect our customers from malicious actors taking sensitive admin actions, we’re launching multi-party approvals where one admin must approve certain sensitive actions initiated by another. Multi-party approvals will be required for the following settings:
    • 2-Step verification
    • Account recovery
    • Advanced Protection 
    • Google session control
    • Login Challenges
    • Passwordless (beta)
    This feature is available for eligible Workspace customers with multiple super admin accounts — see the “Getting started” section below for more information.


    Who’s impacted
    Admins


    Why it’s important
    Multi-party approvals adds an extra layer of security for sensitive actions taken in the Admin console by ensuring no sensitive action happens in a silo and, most importantly, helps prevent unauthorized or accidental changes from being made. This added layer of approval helps ensure actions are being taken appropriately and not too broadly or too often. Additionally, this is more convenient for admins because the action is executed automatically after approval and the requester doesn’t need to take additional action. Multi-party approvals makes super admins aware of what changes are being attempted and gives them the opportunity to accept or reject these sensitive actions.


    Outlined below is an example of the feature in action; in this case there is an attempt to make a change to 2-step verification policies:

    When 2-step verification changes are attempted, admins will be required to submit the change to a super admin for approval.

    Super admins can review and take action on these requests in the Admin console by navigating to Security > Multi-party approval. Super admins will also receive email alerts when a 2-step verification change is requested or any other protected action is attempted.

    Admins can open a specific approval request to view more information including who is impacted by the change, what the configuration was before the change and what it will be after the change.
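The workflow above has three properties worth pinning down: a protected change never applies directly, the reviewer must be a super admin other than the requester, and an approved change is applied automatically with its before and after configuration recorded. The following added example (written for this page, not Google's implementation; the class names, the `OU=Sales` scope and the account addresses are constructed assumptions) models that separation-of-duties check for the settings the announcement lists.

```python
from dataclasses import dataclass
from itertools import count

# Added example: a constructed model of the multi-party approval workflow
# described above (an admin submits a protected change, a different super
# admin reviews it, and an approved change is applied automatically). It is
# not Google's implementation; class and field names are assumptions.

# Settings the announcement lists as requiring multi-party approval.
PROTECTED_SETTINGS = {
    "2-Step verification", "Account recovery", "Advanced Protection",
    "Google session control", "Login Challenges", "Passwordless (beta)",
}


@dataclass
class Admin:
    email: str
    super_admin: bool = False


@dataclass
class ChangeRequest:
    id: int
    setting: str
    scope: str        # who is impacted, e.g. an organizational unit
    requester: str
    before: dict      # configuration before the change
    after: dict       # configuration if the change is approved
    status: str = "pending"
    reviewer: str = ""


class AdminSettings:
    def __init__(self):
        self.values = {}          # (setting, scope) -> current configuration
        self.requests = {}
        self.alerts = []          # stand-in for the email alerts super admins receive
        self._ids = count(1)

    def current(self, setting, scope) -> dict:
        return self.values.get((setting, scope), {})

    def change(self, admin: Admin, setting: str, scope: str, new_value: dict):
        """Apply an ordinary setting at once; queue a protected one for approval."""
        if setting not in PROTECTED_SETTINGS:
            self.values[(setting, scope)] = new_value
            return None
        req = ChangeRequest(next(self._ids), setting, scope, admin.email,
                            self.current(setting, scope), new_value)
        self.requests[req.id] = req
        self.alerts.append(f"{admin.email} requested a {setting} change for {scope}")
        return req

    def review(self, admin: Admin, request_id: int, approve: bool) -> ChangeRequest:
        """Separation of duties: a different super admin must decide, exactly once."""
        req = self.requests[request_id]
        if req.status != "pending":
            raise ValueError(f"request {request_id} is already {req.status}")
        if not admin.super_admin:
            raise PermissionError("only super admins can review protected changes")
        if admin.email == req.requester:
            raise PermissionError("a requester cannot approve their own change")
        req.reviewer = admin.email
        if approve:
            req.status = "approved"
            self.values[(req.setting, req.scope)] = req.after   # applied automatically
        else:
            req.status = "rejected"
        return req


def demo():
    """Walk through the 2-Step verification example from the announcement."""
    store = AdminSettings()
    alice = Admin("alice@example.com", super_admin=True)   # constructed accounts
    carol = Admin("carol@example.com", super_admin=True)
    req = store.change(alice, "2-Step verification", "OU=Sales",
                       {"enforcement": "on", "methods": ["security key"]})
    store.review(carol, req.id, approve=True)
    return store, req


if __name__ == "__main__":
    store, req = demo()
    print(req.status, req.before, "->", req.after, "alerts:", store.alerts)
```

Keeping `before` on the request is what lets a reviewer see the configuration as it was and as it will be, which is the information the announcement says the request detail view exposes; the self-approval and super-admin checks are the two conditions that make the control multi-party rather than a confirmation prompt.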

    Getting started
    • Admins: 
      • This feature is available for eligible Workspace customers with two or more super admin accounts. Multi-party approvals are OFF by default and can be turned on in the Admin console by going to Security > Multi-party approval settings. Visit the Help Center to learn more about multi-party approvals for sensitive actions.


    Rollout pace

    Availability
    • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers


    This announcement was part of Google Cloud Next ‘24. Visit the Workspace Blog to learn more about the next wave of innovations in Workspace, including enhancements to Gemini for Google Workspace.



    What’s changing
    As we continue to expand our Gemini for Google Workspace offerings, we're excited to introduce the AI Security add-on for Google Workspace customers. 

    At launch, the AI Security add-on will give customers access to the AI Classification capability in Google Drive. AI Classification allows IT teams to automatically and continuously identify, classify, and label sensitive files across the organization. This capability is powered with privacy-preserving AI models that can be uniquely trained for the specific needs of your organization. Classified files can then be protected with existing data loss prevention (DLP) controls. 

    Who’s impacted
    Admins

    Why it matters
    Drive Labels enable Workspace Administrators to up-level their security posture by closely monitoring activity on labeled files, and using labels as a vehicle for data loss prevention and lifecycle management policies. The challenge with label-based policies is that they are only effective on files that are correctly identified and labeled. Further, labeling files places a considerable manual burden on Admins.

    This is where AI Classification can help. By training models on customer-identified examples of content that match their data classification definitions, AI Classification can evaluate files where text can be extracted to see if they should be labeled. This enables organizations to achieve label coverage at a scale and accuracy that is very difficult to accomplish through traditional means and manual Admin intervention. Once labeled, the organization's data can be protected by fine-grained security policies. 


    Availability
    The AI Security add-on is available for the following Google Workspace Editions:
    • Business Standard and Plus
    • Enterprise Standard and Plus
    • Enterprise Essentials and Essentials Plus
    • Frontline Starter and Standard
    • Google Workspace for Nonprofits 

    Resources