Google Workspace security whitepaper

How Google Workspace protects your data

Access and Authentication

2-step verification and security keys

Customers can strengthen account security by using 2-step verification and security keys. [4] These can help mitigate risks such as the misconfiguration of employee access controls or attackers taking advantage of compromised accounts. [5] With the Advanced Protection Program for enterprise, we can enforce a curated set of strong account security policies for enrolled users. These include requiring security keys, blocking access to untrusted apps, and enhanced scanning for email threats.

Single sign-on (SAML 2.0)

Google Workspace offers customers a single sign-on (SSO) service that lets users access multiple services using the same sign-in page and authentication credentials. It is based on SAML 2.0, an XML standard that allows secure web domains to exchange user authentication and authorization data. For additional security, SSO accepts public keys and certificates generated with either the RSA or DSA algorithm. Customer organizations can use the SSO service to integrate single sign-on for Google Workspace into their LDAP or other SSO system.

OAuth 2.0 and OpenID Connect

Google Workspace supports OAuth 2.0 and OpenID Connect, open protocols for authentication and authorization that allow customers to configure one single sign-on (SSO) service for multiple cloud solutions. Users can log on to third-party applications through Google Workspace, and vice versa, without re-entering their credentials or sharing sensitive password information.

Information Rights Management (IRM)

Most organizations also have internal policies which dictate the handling of sensitive data. To help Google Workspace administrators maintain control over sensitive data, we offer information rights management in Google Drive. Administrators and users can use the access permissions in Google Drive to protect sensitive content by preventing the re-sharing, downloading, printing or copying of the file or changing of the permissions.

Restricted email delivery

By default, users with Gmail accounts at your domain can send mail to and receive mail from any email address. In some cases, administrators may want to restrict the email addresses users can exchange mail with. For example, a school might want to allow its students to exchange mail with the faculty and other students, but not with people outside the school.

Using the restrict delivery setting allows administrators to specify the addresses and domains where users can send or receive email messages. When administrators add a restricted delivery setting, users can only communicate with authorized parties. Users who attempt to send mail to a domain not listed will see a message that specifies the policy prohibiting mail to that address, and confirms that the mail is unsent. Likewise, users receive only authenticated messages from listed domains. Messages sent from unlisted domains—or messages from listed domains that can’t be verified using DKIM or SPF records—are returned to the sender with a message about the policy.
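The decision logic described above can be sketched as follows. This is an added example, not Google's implementation: it assumes the receiving mail server records SPF and DKIM results in an `Authentication-Results` header, that a pass must cover the domain in the From header, and the domain names, the `TRUSTED_AUTHSERV` value and the sample messages are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ALLOWED = {"school.example"}            # constructed allowlist of domains
TRUSTED_AUTHSERV = "mx.school.example"  # assumed id of our own receiving MTA

def domain_of(addr_spec):
    """Lower-cased domain of 'user@domain' (or of a bare domain)."""
    return addr_spec.rpartition("@")[2].strip().lower()

def outbound_allowed(recipient):
    """Sending is permitted only to listed domains."""
    return domain_of(parseaddr(recipient)[1]) in ALLOWED

def authenticated_domains(msg):
    """Domains with an SPF or DKIM pass recorded by our own MTA."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(value.split()).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # header not written by our MTA: never trust it
        for result in results.split(";"):
            ok = re.search(r"\b(?:spf|dkim)=pass\b", result)
            dom = re.search(r"\b(?:smtp\.mailfrom|header\.d)=(\S+)", result)
            if ok and dom:
                passed.add(domain_of(dom.group(1)))
    return passed

def inbound_decision(raw):
    """Deliver only mail from a listed domain that SPF or DKIM verified."""
    msg = message_from_string(raw)
    sender = domain_of(parseaddr(msg.get("From", ""))[1])
    if sender not in ALLOWED:
        return "return to sender: domain not listed"
    if sender not in authenticated_domains(msg):
        return "return to sender: listed domain not verified"
    return "deliver"

# Constructed sample messages (not real traffic).
VERIFIED = ("Authentication-Results: mx.school.example;\n"
            " spf=pass smtp.mailfrom=teacher@school.example;\n"
            " dkim=pass header.d=school.example\n"
            "From: Teacher <teacher@school.example>\n\nhello\n")
UNVERIFIED = ("Authentication-Results: relay.other.example; spf=pass"
              " smtp.mailfrom=teacher@school.example\n"
              "Authentication-Results: mx.school.example; spf=fail"
              " smtp.mailfrom=x@bulk.example; dkim=none\n"
              "From: teacher@school.example\n\nhello\n")
UNLISTED = ("Authentication-Results: mx.school.example; spf=pass"
            " smtp.mailfrom=friend@other.example\n"
            "From: friend@other.example\n\nhello\n")
```

The second sample shows why only the header written by the organization's own server is read: a pass claimed by any other host is ignored, so a listed From address alone is not enough for delivery.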

App access based on user context

To make user access easier while still protecting the security of data, Google has developed context-aware access. [6] This provides granular controls for Google Workspace apps, based on a user’s identity and the context of the request (such as device security status or IP address). Based on the BeyondCorp security model developed by Google, users can access web applications and infrastructure resources from virtually any device, anywhere, without using remote-access VPN gateways, while administrators can establish controls over the device. You can also still set access policies, such as 2-Step Verification, for all members of an organizational unit or group.
