Announcing the general availability of Google Workspace's Assured Controls, the future of digital sovereignty
Ganesh Chilakapati
Director of Product Management, Google Cloud
Google Workspace Newsletter
Keep up with the evolving future of work and collaboration with insights, trends, and product news.
SIGN UPThere are two core elements to achieving digital sovereignty: being able to control where your data is stored and processed, and ensuring that only authorized parties can access that data. With Google Workspace, organizations can address both without requiring separate cloud instances or custom software. Our cloud-only architecture and secure-by-design infrastructure can reduce security risks by eliminating dependence on data storage on user devices, desktop client apps, and on-premises servers. With sovereign capabilities, such as Access Management, Access Approvals and client side-encryption (CSE), organizations get extra layers of protection to help prevent vendor or government access to their Gmail and Workspace data.
As of today, the full suite of sovereign capabilities within Assured Controls Plus for Workspace is generally available and will begin to roll out to EU and US customers. This means that customers can select the region (EU or US) where their data should be processed and stored, with granular controls to allow administrators to easily refine the region and level of compliance appropriate to their organizational groups. Workspace customers have the flexibility to select multiple geographies to suit their needs, versus being restricted to one region mandated by billing address. It's digital sovereignty made simple, so you can focus on your business, rather than on securing your data.
Achieving digital sovereignty in the EU
We offer EU customers advanced data residency controls if they want to stay ahead of evolving regulations and ensure their data is processed in region. These controls are in part why Workspace earned the Dutch government's stamp of approval following a rigorous Data Transfer Impact Assessment (DTIA) and Data Protection Impact Assessments (DPIAs), giving our customers greater confidence that their data remains private and secure against evolving threats.
Global aerospace leader Airbus uses regionalized data processing and storage to keep pace with sovereignty regulations and help prevent their intellectual property from being exposed to foreign governments and cloud providers, while mitigating disruption to Airbus’ end users.
Regionalized data processing is central to Airbus’ compliance strategy. When data isn’t regionalized or is handled by other technology providers, it’s a risk for Europe, it’s a risk for the nation, and it’s a risk for Airbus. It’s a risk that we can’t afford. So, we have migrated approximately 270,000 users to regionalized data processing while maintaining the same functionality Workspace has always offered, with no reported impact to end-users, so we are able to be more productive and innovative. We control our most sensitive data with encryption keys owned by Airbus, which is only possible with Client-side encryption in Google Workspace
Sebastien Aubineau, IM Digital Workplace and Collaboration Product Leader at Airbus
Randstad, the world’s leading talent company, works with over 600,000 talent on a daily basis to connect specialized talent with professional opportunities across 39 markets. Randstad has implemented robust data controls such as Data Regions to help keep personal data secure and comply with data residency regulations.
Implementing Data Regions has been a transformational step in evolving our strategy for personal data processing in the EU. We conducted an extensive analysis of in-region data processing and it was a smooth process, mitigating the need for costly and complex third-party integrations. In addition, we haven't experienced any cases of malfunction or lagging; it’s another day at the office without any hiccups
Roman Spantgar, Product Owner Global Collaboration at Randstad
Comprehensive control of your data
Many organizations consider secure localized data archiving and backup to be vital to their operations’ survivability. It allows them to compliantly store business critical assets, sensitive financials, or confidential customer support data. Workspace customers can now use Local Data Storage to maintain their data in a Google Cloud Storage Bucket in any country of their choice, giving them greater control over data storage location, access, and encryption. Customers tell us that the straightforward and intuitive setup of Local Data Storage and the ability to continuously export data from Google Workspace provide peace of mind. Customers now have robust data backups stored in the geographic location of their choice.
Enhanced layers of sovereign controls
In addition to controlling where specific customer data is processed and stored, customers can now select the physical location from which Google support teams can access organizational data during support activities through Access Management - now generally available in the EU. This helps mitigate the risk of data transfers that customers otherwise grapple with when using legacy “follow the sun” support models.
Furthermore, Access Approvals enable customers to enforce customizable rules that require Google support staff to seek fine-grained approvals before any access to customer data is performed.
For companies that require additional layers of protection to safeguard highly sensitive data, client-side encryption offers a state-of-the-art level of confidentiality. Client-side encryption takes Workspace’s default encryption capabilities to the next level by ensuring that customers have sole control over their encryption keys—and thus complete control over all access to their data. It gives customers higher confidence that any third party, including Google and foreign governments, cannot access their confidential data. We continue enhancing client-side encryption to make sure that your sensitive data stays resilient even against potential “Harvest Now, Decrypt Later” quantum computing attacks. Together with our CSE partners, including Thales and Fortanix, we recently introduced experimental support for post-quantum cryptography (PQC), an industry-first among enterprise productivity and collaboration suites.
Next steps
Unlike competing solutions, Workspace can provide organizations with the confidence that their sensitive data will be protected in a constantly evolving threat landscape and comply with data transfer guidelines to satisfy industry and local regulatory requirements. We are committed to equipping organizations with the right tools to achieve the digital sovereignty posture they need, starting with a foundation of security and extending to the suite of advanced sovereign controls. All of these capabilities are now generally available to Workspace customers with Enterprise Plus licenses and the Assured Controls and Assured Controls Plus add-ons. For more information, you can watch our Cloud Next ‘24 breakout session, or contact us.