Google Workspace security whitepaper

How Google Workspace protects your data

Google’s security and privacy focused culture

Google has created a vibrant and inclusive security and privacy focused culture for all employees. The influence of this culture is apparent during the hiring process, employee onboarding, as part of ongoing training and in company-wide events to raise awareness.

Employee background checks

Before someone joins our staff, Google verifies their education and previous employment, and performs internal and external reference checks. Where local labor law or statutory regulations permit, Google may also conduct identity, criminal, and credit checks and confirm immigration status, depending on the position.

Security training for all employees

All Google employees undergo security training as part of the orientation process, and throughout their Google careers. During orientation, new employees also agree to our Code of Conduct, which highlights our commitment to keeping customer information safe and secure.

Depending on their role, employees participate in additional training on specific aspects of security. For example, the information security team instructs new engineers on topics like secure coding practices, product design and automated vulnerability testing tools. Engineers also attend technical presentations on security-related topics and receive a security newsletter that covers new threats, attack patterns, mitigation techniques and more.

Secure environment

Google’s zero-trust approach enforces critical access controls based on information about a device, its state, its associated user, and their context. This approach considers both internal and external networks to be inherently untrusted, which creates our concept of borderless compliance where we dynamically assert and enforce levels of access at the application layer. This enables Google’s security and compliance teams to be as secure and effective during an emergency as they would be at any other time.

COVID-19 has changed not only the way we work but also where we work from, creating the need for new solutions that nonetheless continue to meet industry compliance requirements. By leveraging zero trust you can offer your employees and extended workforce a secure and scalable solution for telework that is not dependent on VPN or location requirements.

Internal security and privacy events

Security and privacy is an ever-evolving area, and Google recognizes that dedicated employee engagement is a key means of raising awareness. It’s with this in mind that Google hosts regular internal conferences, open to all employees, to raise awareness and drive innovation in security and data privacy, and hosts regular “Tech Talks” that often focus on security and privacy topics. A prime example is “Privacy Week,” during which Google hosts events across our global offices to raise awareness of all facets of privacy, from software development and data handling, to policy enforcement.

Our dedicated security team

Google employs a dedicated team of full-time security and privacy professionals as part of our software engineering and operations division. This team includes some of the world’s foremost experts in information, application and network security. Tasked with maintaining our defense systems, developing security review processes, building security infrastructure and implementing the company’s security policies, the team actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures and software security reviews.

Within Google, members of the information security team provide a range of critical services. They review security plans for all networks, systems and services; provide project-specific consulting services to Google’s product and engineering teams; monitor for suspicious activity on Google’s networks; address information security threats; perform routine security evaluations and audits; and engage outside experts to conduct regular security assessments. On top of that, Google specifically built a full-time team, known as Project Zero, that aims to prevent targeted attacks by reporting bugs to software vendors and filing them in an external database.

It doesn’t end there. The security team also takes part in research and outreach activities to protect the wider community of Internet users, beyond just those who choose Google solutions. In addition, the security team publishes security research papers, which are made publicly available, and organizes and participates in open-source projects and academic conferences.

Our privacy teams

Google’s Privacy teams are an integral part of Google product launches. Privacy has built a set of automated monitoring tools to help ensure that services that process your personal information operate as designed and in accordance with our data protection commitments. Design documentation and code audits are also reviewed to ensure that privacy requirements are followed.

Cross-functional teams help release products that reflect strong privacy standards, including transparent collection of user data and meaningful privacy configuration options for users and administrators, while continuing to be good stewards of any information stored on our platform. After products launch, Google’s compliance and privacy programs oversee automated processes that audit data traffic to verify appropriate data usage. Google also conducts research providing thought leadership on privacy best practices for our emerging technologies.

Internal audit and compliance specialists

Data protection regulations place significant emphasis on enterprises knowing how their data is being processed, who has access to data, and how security incidents will be managed. We have dedicated teams of engineers and compliance experts who support our customers in navigating their regulatory compliance and risk management obligations. Our approach includes collaborating with customers to understand and address their specific regulatory needs. As new auditing standards are created, the team determines what controls, processes and systems are needed to meet them, while facilitating and supporting independent audits and assessments by third parties. Under certain circumstances we also allow customers to conduct audits to validate Google’s security and compliance controls.

Collaboration with the security research community

Google has long enjoyed a close relationship with the security research community, and we greatly value their help identifying vulnerabilities in Google Workspace and other Google products. Our Vulnerability Reward Program was developed to honor all the external contributions that help us keep our users safe. The Program encourages researchers to report design and implementation issues that affect the confidentiality or integrity of user data or put customer data at risk. Rewards can reach tens of thousands of dollars.

Due to our collaboration with the research community, in 2019 we paid out over $6.5 million in rewards, doubling the most we had previously paid in a single year. We publicly thanked these individuals and listed them as contributors to our products and services.