Google has announced enhancements to its Workspace productivity and collaboration suite that it claims will reduce security risks for distributed workforces. The company uses Google AI to improve data loss prevention (DLP) controls in Drive, implement new zero-trust controls, classify data in Drive, and automate the protection of sensitive information in Gmail.
New data sovereignty controls will enhance client-side encryption to give Workspace customers ownership of encryption keys, more options on where to store or process data, and the ability to limit access to support personnel in the European Union. On the admin side, Google will make two-step verification mandatory on select administrator accounts and require multiparty approval on sensitive administrator actions.
Google Workspace includes popular SaaS applications such as Drive, Gmail, Meet, Calendar, Docs, and Slides. Some of the enhancements announced today will apply to both the enterprise and consumer versions of those applications. All are either in the pilot stage or will be released in beta form by the end of the year.
Data loss prevention a key focus
What makes SaaS suites like Workspace attractive to organizations with distributed workforces also increases the risk of data theft or exposure. Workspace makes it easy to share data both within the enterprise and with external parties. Employees might inadvertently or intentionally make sensitive information available to unauthorized parties or leave it accessible to threat actors.
The first step to protecting sensitive information is to accurately identify and label it as such. Then controls must be placed around who has access to it and where it can reside. Available in preview, Workspace can now automatically classify and label data stored in Google Drive using Google AI. Workspace admins can then apply their own DLP or context-aware access (CAA) controls to help implement a zero-trust model. Google will help train customers’ own AI models.
“Context-Aware Access has helped us manage our risks by not making access a binary choice but allowing for more flexibility in access policies and allowing them to be applied to the right people, applications, and data,” Tim Ehrhart, domain lead, information security at Roche, said in a statement. “Since using CAA, we’ve been able to allow our users to use more of Google Workspace for a broader set of scenarios with more confidence in the safety of that work.”
Admins can also now set context-aware controls for information stored in Drive using criteria such as device location or security status. Information that does not meet the security criteria will be blocked from Drive. This feature will be available in preview later this year, as will enhanced DLP controls for Gmail.
Navigating the complexities of digital sovereignty rules
More than 100 countries now have digital sovereignty laws that mandate organizations to store or process data on their citizens within their boundaries. This creates challenges for security and IT teams, especially when using cloud-based applications like Workspace. Google announced its Sovereign Controls for Google Workspace in May 2022 with the promise to add enhancements through this year. Among the new capabilities announced today are client-side encryption features including:
- Client-side encryption support of mobile apps in Calendar, Gmail, and Meet (available now)
- The ability to set client-side encryption as the default for organizational units (in preview later this year)
- Guest access support in Meet (in preview later this year)
- Comments support in Docs (in preview later this year)
- The ability to view, edit, or convert Microsoft Excel files (in preview)
Enterprise Workspace customers can also now select where they store their encryption keys. Google can offer this capability with the help of global partners Thales, Stormshield, and Flowcrypt. The company claims this will simplify local regulatory compliance.
Later this year in preview, Workspace customers will be able to choose whether their data is processed in the EU or US. They can already choose where data is stored at rest. Customers also now have the option of storing a copy of Workspace data in a country of their choice.
Preventing identity-based attacks
AI or any other technology isn’t much help in denying access if a threat actor has obtained credentials through social engineering or other means. Compromised admin credentials are particularly dangerous. To address this, Google has provided new access controls.
Starting later this year in a phased approach, Google will require Workspace resellers and its largest enterprise customers to implement two-step verification on enterprise admin accounts. Also, Workspace admins will be able to require additional approval by another administrator to complete sensitive actions. This feature will be available in preview later this year.
AI-enhance threat detection
Artificial intelligence is particularly good at accurately spotting anomalies in large data sets. To that end, Google is using AI to help detect threats on a couple of levels. Available in preview now is a new AI-powered Gmail feature that scans for potentially malicious actions or mishandling of sensitive data. This feature is available to both enterprise customers and consumers.
Workspace customers who also use Google Cloud’s Chronicle security operations suite can now export logs “in just a few clicks” for threat analysis. “Hundreds of Workspace customers are already using Chronicle for modern threat detection, investigation and response,” Andy Wen, director of product for Workspace Security and Compliance, Google Cloud, tells CSO. “With this new integration, our customers can sync Workspace data to Chronicle with a few clicks and leverage out-of-the-box curated Workspace detections to respond to risks with greater speed and precision.” This integration is available now in preview. Google offers APIs and BigQuery exports to enable integrations with other SIEMs.