Enterprise security controls for Google Workspace with Gemini

Stephanie Chan
Security Product Marketing Manager
Adam Gavish
Senior Product Manager, Google Workspace
“Security was at the forefront of our enterprise’s most critical needs as we looked to implement a generative AI solution. During our search, we ran a platform ‘bake-off’ and found that Gemini met all our security needs. The solution inherits all our existing Workspace security settings to keep our data, prompts, and work within the tenant, giving us peace of mind to deploy generative AI across our enterprise safely.” - JK Krug, Vice President of Digital Employee Experience, Equifax
Generative AI has woven itself into the fabric of users’ daily lives, becoming an indispensable tool for productivity, innovation, and convenience. With its rapid adoption and growing importance, organizations are rightly concerned about potential data security and privacy risks. Evaluating generative AI’s infrastructure, data governance policies, and security controls to protect sensitive data is a must.
Google Workspace with Gemini is enterprise-ready. First, Gemini keeps customer data confidential and can support compliance with regulatory frameworks such as HIPAA and FedRAMP High. Second, Gemini is built with a layered defense against prompt injection, an emerging attack vector against AI systems. And third, Workspace comes with granular user access and data security controls, helping administrators safely and securely deploy AI tools, such as the Gemini app, Gemini in Workspace apps, and NotebookLM, across their organizations with confidence. Let’s take a closer look at these controls.
Protecting your data
Protecting sensitive data is paramount. Gemini integrates with existing data security measures in Workspace to help prevent unauthorized access and exfiltration.
Create and manage trust rules for Drive sharing: Trust rules in Drive help restrict Gemini's access by controlling how data is shared between internal and external users. Since Gemini can only retrieve data the user has access to, these rules can limit what Gemini is able to retrieve.
Understand Gemini’s data access with Drive inventory reporting: Admins can utilize Drive inventory reporting to gain a holistic view of how their data is classified, who can access it, and how it’s being used.
Apply IRM controls to restrict Gemini’s access to sensitive data: Data loss prevention (DLP) policies can apply information rights management (IRM) controls to sensitive files. When IRM is applied (e.g., preventing download, printing, or copying), Gemini does not retrieve those protected files to generate a response.
Apply client-side encryption to prevent Gemini’s access to sensitive data: For the highest level of data protection, client-side encryption (CSE) can be used. When CSE is enabled, the protected data is indecipherable to any unauthorized third party, including Google or any generative AI assistant such as Gemini, because the keys are held outside Google.


Understanding AI usage
Transparency and accountability are crucial for security. Workspace provides comprehensive logging and exporting capabilities for Gemini activity.
Review Gemini usage and data access in your organization: Admins are able to review Gemini usage and data access across their organization to understand Gemini adoption. These reports provide the overall usage level in the Gemini app and Gemini in Workspace, as well as adoption of Gemini on a per-app basis.
Query, investigate, and export Gemini access to files in Drive: Admins can retrieve Gemini audit logs through the Reports API; these logs record each instance in which Gemini accessed a Drive file to fulfill a user query. The same events are available in the security investigation tool, enabling admins to query, investigate, and export the Gemini access to Drive log data.
Use Google Vault to investigate conversations in the Gemini app: For eDiscovery purposes, administrators can leverage Vault to search and export relevant prompts and responses from the Gemini app.
Use the Data Export tool to export organizational data: Organizations retain full control over their data in Workspace. Administrators can export their Gemini app and NotebookLM data for archive or backup purposes using the Data Export tool. Admins are able to manage the duration for how long prompts and responses are saved in the Gemini app, enabling this content to be exported (this setting is not available for Gemini in Workspace apps, which does not save prompts or responses).
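The Reports API returns activity records as pages of items, each with an actor, a timestamp, and a list of events carrying typed parameters. The following is an added example, not code from the original post or from Google, that walks that response shape offline: it follows nextPageToken across pages, flattens the Gemini-to-Drive access events into one record each, aggregates which documents Gemini retrieved on behalf of each user, and flags accesses to watchlisted or externally shared documents. The item/actor/events/parameters layout is the documented activities.list response format; the sample data is constructed, and the event name `gemini_access`, the parameter names `doc_id`, `doc_title` and `visibility`, and the `shared_externally` marker are assumptions for illustration that should be checked against the Drive audit log documentation for your tenant.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample pages in the Reports API activities.list response shape
# (kind, items[], nextPageToken). Two pages simulate pagination. The event and
# parameter names below are ASSUMPTIONS for illustration, not documented values.
SAMPLE_PAGES = [
    {"kind": "admin#reports#activities", "nextPageToken": "page2", "items": [
        {"id": {"time": "2025-03-01T09:12:03.000Z", "applicationName": "drive"},
         "actor": {"email": "alice@example.com"},
         "events": [{"name": "gemini_access", "parameters": [
             {"name": "doc_id", "value": "doc-q3-board"},
             {"name": "doc_title", "value": "Q3 board deck"},
             {"name": "visibility", "value": "people_within_domain"}]}]},
        {"id": {"time": "2025-03-01T09:40:11.000Z", "applicationName": "drive"},
         "actor": {"email": "alice@example.com"},
         "events": [{"name": "view", "parameters": [          # ordinary user view, not Gemini
             {"name": "doc_id", "value": "doc-lunch-menu"}]}]},
    ]},
    {"kind": "admin#reports#activities", "items": [
        {"id": {"time": "2025-03-01T10:05:47.000Z", "applicationName": "drive"},
         "actor": {"email": "bob@example.com"},
         "events": [{"name": "gemini_access", "parameters": [
             {"name": "doc_id", "value": "doc-payroll"},
             {"name": "doc_title", "value": "Payroll 2025"},
             {"name": "visibility", "value": "shared_externally"}]}]},
        {"id": {"time": "2025-03-01T10:06:02.000Z", "applicationName": "drive"},
         "actor": {"email": "bob@example.com"},
         "events": [{"name": "gemini_access", "parameters": [
             {"name": "doc_id", "value": "doc-q3-board"},
             {"name": "doc_title", "value": "Q3 board deck"},
             {"name": "visibility", "value": "people_within_domain"}]}]},
    ]},
]

GEMINI_EVENT = "gemini_access"  # assumed event name for "Gemini accessed a Drive file"


def param_value(p):
    """Reports API parameters carry exactly one typed value field."""
    for key in ("value", "intValue", "boolValue", "multiValue", "multiIntValue"):
        if key in p:
            return p[key]
    return None


def fetch_all_pages(list_page):
    """Follow nextPageToken until exhausted. list_page(token) returns one response dict.
    With google-api-python-client this would be:
      lambda t: service.activities().list(userKey="all", applicationName="drive",
                                          pageToken=t).execute()
    """
    token, items = None, []
    while True:
        page = list_page(token)
        items.extend(page.get("items", []))
        token = page.get("nextPageToken")
        if not token:
            return items


def gemini_file_accesses(items):
    """Flatten activity items into one record per Gemini file-access event."""
    records = []
    for item in items:
        actor = item.get("actor", {}).get("email", "<unknown>")
        when = datetime.strptime(item["id"]["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        when = when.replace(tzinfo=timezone.utc)  # Reports API timestamps are UTC
        for ev in item.get("events", []):
            if ev.get("name") != GEMINI_EVENT:
                continue
            params = {p["name"]: param_value(p) for p in ev.get("parameters", [])}
            records.append({"time": when, "actor": actor,
                            "doc_id": params.get("doc_id"),
                            "doc_title": params.get("doc_title"),
                            "visibility": params.get("visibility")})
    return records


def access_by_actor(records):
    """Which documents did Gemini retrieve on behalf of each user?"""
    out = defaultdict(set)
    for r in records:
        out[r["actor"]].add(r["doc_id"])
    return {actor: sorted(docs) for actor, docs in out.items()}


def flag(records, watchlist, external_marker="shared_externally"):
    """Records worth an analyst's attention: Gemini pulled a watchlisted document,
    or a document whose sharing state is external (marker value is an assumption)."""
    return [r for r in records
            if r["doc_id"] in watchlist or r["visibility"] == external_marker]


if __name__ == "__main__":
    pages = iter(SAMPLE_PAGES)
    items = fetch_all_pages(lambda token: next(pages))
    recs = gemini_file_accesses(items)
    for actor, docs in access_by_actor(recs).items():
        print(actor, docs)
    for r in flag(recs, {"doc-payroll"}):
        print("FLAG", r["time"].isoformat(), r["actor"], r["doc_id"], r["visibility"])
```

In practice the same records can be pulled from the security investigation tool, but scripting the Reports API lets you join Gemini access events with Drive sharing state or DLP labels on a schedule and alert on the combinations your trust rules and IRM policies were supposed to prevent.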


Deploying AI with flexibility
Workspace offers granular controls to manage user access, allowing administrators to define who can use these AI capabilities.
Manage Gemini for your organization: Admins can enable or disable Gemini features across Workspace applications like Gmail, Google Drive, and Google Docs. This allows for precise access control based on users, groups, or organizational units.
Manage access to the Gemini app: Admins have the flexibility to grant or restrict user access to the standalone Gemini app based on specific users, groups, or organizational units.
Turn Workspace apps in Gemini on or off: Admins can control whether users can utilize the Workspace extension within the Gemini app, which enables the Gemini app to leverage Workspace data.
Turn NotebookLM on or off: Similar to Gemini, admins can manage user access to NotebookLM and NotebookLM Plus across various users, groups, or organizational units.


Securing access points
Beyond user-level access, organizations can implement device-specific policies to further secure Gemini usage.
Control access to apps based on user and device context: Administrators can assign context-aware access (CAA) policies that limit access to the Gemini app and NotebookLM to compliant devices, based on factors such as user identity, device security status, IP address, and geographical location.
Apply endpoint DLP policies to the Gemini app: Chrome Enterprise Premium enables data loss prevention (DLP) policies that extend to the Chrome browser, including the Gemini app and NotebookLM. This allows for more granular control over actions such as copy and paste, printing, and uploading or downloading sensitive data in the Chrome browser. It also offers personally identifiable information (PII) masking and screenshot protection, with all relevant activities logged for audit.


“We became the first major financial institution in Canada to empower all of our team members with Google AI in Workspace. In the pilot program, we saw that Google AI offered significant time savings and productivity gains for team members, allowing them to automate routine tasks, access information quickly, and collaborate more effectively, all while ensuring data is secure and trustworthy. Today, we’re confident this technology will help all of our team members succeed in their roles, while delivering even more exceptional experiences to our more than 820,000 clients.” - John Tarnowski, Chief Client Experience and Technology Officer, ATB Financial
By implementing these robust security controls, organizations can confidently embrace the productivity benefits of Gemini in Workspace while helping to maintain a strong security posture and ensuring data protection.
To learn more, explore the following resources:
White paper: Gemini for Google Workspace privacy, security, and compliance white paper
Help center article: Generative AI in Google Workspace Privacy Hub
Adoption guide: Getting the most from generative AI in your organization
Customer story: Equifax embraces secure generative AI with Gemini
Customer story: Fullstory drives growth while securing data with Gemini
Customer story: ATB Financial Empowers Employees with Google AI