Google Workspace security whitepaper

How Google Workspace protects your data

Operational security

Security at Google isn’t an afterthought or subject of occasional initiatives, it is an integral part of our operations.

Vulnerability management

Google’s vulnerability management process actively scans for security threats using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration efforts, quality assurance processes, software security reviews, and external audits. Once a vulnerability requiring remediation has been identified, the vulnerability team logs it, prioritizes it according to severity, and assigns it to an owner. The team tracks each issue and follows up frequently until they can verify that it has been remediated.

Google also maintains relationships and communicates frequently with members of the security research community to track reported issues in Google services and open-source tools. More information about reporting security issues can be found at Google Application Security.

Malware prevention

An effective malware attack can lead to account compromise, data theft, and possibly additional access to a network. Google takes these threats to its networks and its customers very seriously and uses a variety of methods to prevent, detect and eradicate malware.

Malware sites or email attachments install malicious software on users' machines to steal private information, perform identity theft, or attack other computers. When people visit these sites, software that takes over their computer is downloaded without their knowledge. Google's malware strategy begins with infection prevention by using manual and automated scanners to scour Google's search index for websites that may be vehicles for malware or phishing. In addition, one of our key protections is our attachment malware scanner that processes more than 300 billion attachments each week to block harmful content. 63% percent of the malicious documents we block differ from day to day. To stay ahead of this constantly evolving threat, we recently added a new generation of document scanners that rely on deep learning to improve our detection capabilities.

More than four billion devices are protected by Google's Safe Browsing technology every day. Every day Safe Browsing discovers thousands of new unsafe sites, many of which are legitimate websites that have been compromised. When we detect unsafe sites, we show warnings on Google Search and in web browsers.

In addition to our Safe Browsing solution, Google operates VirusTotal, an online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. Its mission is to help in improving the antivirus and security industry and make the Internet a safer place through the development of free tools and services.

Google makes use of multiple antivirus engines in Gmail, Drive, servers and workstations to help identify malware that may be missed by antivirus signatures.


Google’s security monitoring program is focused on information gathered from internal network traffic, employee actions on systems, and outside knowledge of vulnerabilities. Internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate botnet connections, at many points across our global network, using a combination of open-source and commercial tools for traffic capture and parsing.

We supplement this network analysis even further through a proprietary correlation system built on Google technology, and by examining system logs to identify unusual behavior, like attempted access of customer data. Google security engineers place standing search alerts on public data repositories to look for security incidents that might affect the company’s infrastructure, and actively review inbound security reports and monitor public mailing lists, blog posts, and wikis. Automated network analysis helps determine potential unknown threats and escalates them to Google security staff, a process that is supplemented by automated analysis of system logs.

Incident management

Incident response is a key aspect of Google’s overall security and privacy program. We have a rigorous process for managing data incidents. This process specifies actions, escalations, mitigation, resolution, and notification of any potential incidents impacting the confidentiality, integrity, or availability of customer data.

Google's incident response program is managed by teams of expert incident responders across many specialized functions to ensure each response is well-tailored to the challenges presented by each incident.

Subject-matter experts from these teams are engaged in a variety of ways. For example, incident commanders assess the nature of the incident and coordinate incident response, which includes completing the triage assessment of the incident, adjusting its severity if required, and activating the required incident response team with appropriate operational/technical leads who review the facts and identify key areas that require investigation. As part of the resolution process, the digital forensics team detects ongoing attacks and performs forensic investigations. Product engineers work to limit the impact on customers and provide solutions to fix the affected product(s). The legal team works with members of the appropriate security and privacy team to implement Google’s strategy on evidence collection, engages with law enforcement and government regulators, and advises on legal issues and requirements. Support personnel manage notifications to customers and respond to customer inquiries and requests for additional information and assistance.

Following the successful remediation and resolution of a data incident, the incident response team evaluates the lessons learned from the incident. When the incident raises critical issues, the incident commander may initiate a post-mortem analysis. During this process, the incident response team reviews the cause(s) of the incident and Google’s response and identifies key areas for improvement. In some cases, this may require discussions with different product, engineering, and operations teams and product enhancement work. If follow-up work is required, the incident response team develops an action plan to complete that work and assigns project managers to spearhead the long-term effort. The incident is closed after the remediation efforts conclude.