Google Workspace Getting Zero-Trust, Sovereignty, More Security Upgrades
Security shouldn’t be “something only the rich can afford,” per Google Cloud’s Jeanette Manfra.
![Google Workspace](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt46944a95b54f9d16/6523e9eab528be4a2e1527a3/Google-Workspace.jpg?width=700&auto=webp&quality=80&disable=upscale)
monticello/Shutterstock
Cyber threats show no sign of relenting, as stats from Check Point and IBM in the introduction to this article indicated.
And the threats don’t just come from social engineering attacks such as phishing; they also inadvertently arise from employees. Consider where a lot of people store their files: in Gmail and Google Drive. For security admins, this is a bit of a nightmare. Staff are keeping sensitive data in cloud-based applications, and they’re able to share that information with a single click.
With that in mind, a big part of the improvements to Google Workspace takes this common capability into account. We’ll get into that shortly. First up, find out how Google is now approaching zero-trust security in Workspace.
Zero-trust remains the gold standard for security. Google Workspace already contains data loss prevention and context-aware access. But within Google Drive, specifically, expect some AI-powered upgrades.
“We’re bringing the two [DLP and CAA] together, and adding an ability to improve how you classify, using AI capabilities,” said Jeanette Manfra, director of risk and compliance at Google Cloud. “What this does is automatically and continuously classifies and labels sensitive data, and then applies appropriate risk-based controls. No one else in the market can do this.”
Furthermore, Manfra said, “we’re helping organizations train their own AI models on what data is most sensitive to their organization.”
Overall, she added, users will have the tools to “raise the bar on their security policies.”
Here are the new capabilities and tools within certain parts of Google Workspace that channel partners, and IT and security teams need to know:
• Google AI that classifies and labels data in Google Drive. This makes sure information is shared with the right people and protected. Administrators may now enforce confidentiality preservation on files. From there, safeguards such as data loss prevention and context-aware access can be applied. This is available in preview.
• Context-aware DLP enforcement controls in Drive. Workspace admins can set criteria (think device location or security status) that users must meet before they can share content. Look for availability in preview later this year.
• Enhanced DLP controls extending to Gmail: Already available in Google Chat, Drive and Chrome, expect more DLP for Gmail in preview later this year. Google says its DLP approach helps security teams rein in how sensitive information is shared, inside and outside the organization.
Next, a look at digital sovereignty controls.
Google Workspace soon will go beyond data residency and into digital sovereignty with new controls, Google said.
Why does that matter?
Here’s what Andy Wen, director of product management for Google Workspace, had to say: “Well, clearly, if you’re an international company, you have … regulations to comply with. But even if you’re a U.S.-based company, you often have an international operation that may be impacted by these regulations. Or you might have users that are serving users in those countries. And all of these situations, and data transfer and data compliance regulations, are critical for you to address.”
In terms of Google Workspace, here’s what digital sovereignty will mean:
• Prevention of third-party access. Client-side encryption will allow users to add the data protection that keeps unwanted entities — including Google or foreign governments, per Google — from viewing information. This CSE soon will apply to the mobile app versions of Google Calendar and Gmail (it’s already available in Meet). “What this enables is our customers who are in the enterprise, in the public sector, can get the benefits of client-side encryption on the go instead of just at their desktops,” Wen said. Later this year, IT teams will be able to set CSE as the default for certain groups within the business. The same will go for guest access support in Meet, comments support in Docs, and when viewing, editing or converting Microsoft Excel files. All of that will launch in preview later this year.
• Ability to choose encryption key location. Client-side encryption customers will have the freedom to store their encryption keys with the vendor of their choice, in the country of their choice. Security providers working with Google Workspace on this capability include Thales, Stormshield and Flowcrypt.
• Ability to choose where to store, process data. Similar to the last bullet point, Google Workspace later this year will allow organizations to choose whether their data processes in the EU or the United States. (They already get to choose where to store their data at rest.) Customers also will be able to store a copy of their Workspace data in a country of their choice.
• Enforcement for regional support personnel access. Available in preview later this year, users will be able to limit access to EU-based support. They already have this choice for U.S.-based support.
Along the way, Google Workspace does seem to be pushing users toward client-side encryption.
What are the benefits of client-side encryption? Wen tackled that question during the Aug. 22 media briefing.
“It protects your data where regionalization can be inadequate,” Wen said. “Regulated organizations need to protect data with a sole technical control. And it’s technology like client-side encryption really solves that problem. We do it by issuing an additional set of encryption keys that only the customer controls.”
There’s more to client-side encryption, too. Wen explained it this way:
“This additional key encrypts the customer data, we call it from browser-to-browser so that Google can never actually see the original content. And one thing that’s really important to recognize as well is that it’s an excellent way to add protection from potentially stolen cloud authentication keys. This actually adds an additional key that protects your customer data, in case another key is compromised. So we believe this is not only a great control for sovereignty, but can be a helpful control for security as well.”
Keeping that in mind, we examine the new security controls Google Workspace soon will feature. First, though, we look at why that’s happening.
Phishing attacks remain among the most common entry points for data breaches, according to Google.
“It’s just shocking to me to see that phishing and other social engineering attacks remain one of the most common entry points,” said Wen, who has worked in the security space for more than 10 years. “I would never have imagined that this would be such a major issue and it continues to grow. In ’22, phishing attacks grew by 61%. And so as our adversaries get more advanced, Google Workspace is elevating our ability to defend against these kinds of attacks by preventing, detecting and responding to them.”
To that point, Google Workspace soon will have (or, in one case, already has) more ways for security experts to keep hackers from taking over accounts.
New security resources in Google Workspace include:
• Mandatory two-step verification. According to Google statistics, two-factor authentication results in a 50% drop in compromised accounts. So, as of later this year, Google Workspace will require administrators including channel partners and large enterprise customers to add two-step verification to their accounts.
• Required multiparty approvals for certain administrator actions. Google Workspace admins can require that another admin complete sensitive actions. This will provide an extra layer of defense against malicious changes, Google said. This will be available in preview later this year.
• More Gmail protections. In preview now, Google Workspace features the company’s AI for email filtering, forwarding and other actions.
• Ability to export logs to Chronicle. Admins may now, as part of the preview release, export Workspace logs into Chronicle. This will help with identifying anomalies and improving threat response times.
Security shouldn’t be a need only the rich can afford to meet. That’s why Google Workspace is getting a series of upgrades that, for the most part, won’t cost extra.
Google Workspace sees wide adoption across small and medium businesses, as well as enterprises. And as cyber threats keep growing – in pace, number and ability to damage – organizations need more protection. Check Point Software recently found that, in 2022, cybersecurity attacks grew 38%. IBM says each data breach cost organizations an average of $4.35 million.
It’s not right or fair that security has “become something only the rich can afford,” Jeanette Manfra, director of risk and compliance at Google Cloud, said during an Aug. 22 media briefing.
Google Workspace Updates
And Google appears to be addressing that injustice through its targeted Google Workspace updates that mostly come at no extra charge. There will be some exceptions for organizations with specific kinds of client-side encryption.
But for users of everyday Google apps including Gmail, Drive, Meet and Calendar, Google channel partners can look forward to helping customers shore up their protections even more via the new rollouts.
See the slideshow above focused on Google Workspace, looking at new controls for zero trust, digital sovereignty and threats.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Kelly Teal or connect with her on LinkedIn.