Google Workspace security whitepaper

How Google Workspace protects your data

Empowering users and administrators to improve security and compliance

Google builds security into its structure, technology, operations and approach to customer data. Our robust security infrastructure and systems become the default for each and every Google Workspace customer. Beyond these levels, users are actively empowered to enhance and customize their individual security settings to meet their business needs through dashboards and account security wizards.

Google Workspace also offers administrators full control to configure infrastructure, applications, and system integrations in a single dashboard via our Admin Console—regardless of the size of the organization—simplifying administration and configuration. Consider the deployment of DKIM (a phishing prevention feature) in an on-premise email system. Traditionally, administrators would need to patch and configure every server separately, with any misconfiguration causing a service outage. Using our Admin Console, however, DKIM can be configured in minutes across thousands, or hundreds of thousands, of accounts with peace of mind and no outage or maintenance window required.

That’s just one example. Administrators have many powerful tools at their disposal, including authentication features like 2-step verification and single sign-on, and email security policies like secure transport (TLS) enforcement, which can be configured to meet the security and system integration requirements of any organization.

Access and Authentication

2-step verification and security keys

Customers can strengthen account security by using 2-step verification and security keys.[3] These can help mitigate risks such as the misconfiguration of employee access controls or attackers taking advantage of compromised accounts.[4] With the Advanced Protection Program for enterprise, we can enforce a curated set of strong account security policies for enrolled users. These include requiring security keys, blocking access to untrusted apps, and enhanced scanning for email threats.

Single sign-on (SAML 2.0)

Google Workspace offers customers a single sign-on (SSO) service that lets users access multiple services using the same sign-in page and authentication credentials. It is based on SAML 2.0, an XML standard that allows secure web domains to exchange user authentication and authorization data. For additional security, SSO accepts public keys and certificates generated with either the RSA or DSA algorithm. Customer organizations can use the SSO service to integrate single sign-on for Google Workspace into their LDAP or other SSO system.

OAuth 2.0 and OpenID Connect

Google Workspace supports OAuth 2.0 and OpenID Connect, an open protocol for authentication and authorization that allows customers to configure one single sign-on service (SSO) for multiple cloud solutions. Users can log on to third-party applications through Google Workspace—and vice versa—without re-entering their credentials or sharing sensitive password information.

Information Rights Management (IRM)

Most organizations also have internal policies which dictate the handling of sensitive data. To help Google Workspace administrators maintain control over sensitive data, we offer information rights management in Google Drive. Administrators and users can use the access permissions in Google Drive to protect sensitive content by preventing the re-sharing, downloading, printing or copying of the file or changing of the permissions.

Restricted email delivery

By default, users with Gmail accounts at your domain can send mail to and receive mail from any email address. In some cases, administrators may want to restrict the email addresses users can exchange mail with. For example, a school might want to allow its students to exchange mail with the faculty and other students, but not with people outside the school.

Using the restrict delivery setting allows administrators to specify the addresses and domains where users can send or receive email messages. When administrators add a restrict delivery setting, users can only communicate with authorized parties. Users who attempt to send mail to a domain not listed will see a message that specifies the policy prohibiting mail to that address, and confirms that the mail is unsent. Likewise, users receive only authenticated messages from listed domains. Messages sent from unlisted domains—or messages from listed domains that can’t be verified using DKIM or SPF records—are returned to the sender with a message about the policy.

App access based on user context

To facilitate easier user access, while at the same time protecting the security of data, Google has developed context-aware access.[5] This provides granular controls for Google Workspace apps, based on a user’s identity and context of the request (such as device security status or IP address). Based on the BeyondCorp security model developed by Google, users can access web applications and infrastructure resources from virtually any device, anywhere, without utilising remote-access VPN gateways while administrators can establish controls over the device. You can also still set access policies, such as 2-Step Verification, for all members of an organizational unit or group.

Asset Protection

Email spam, phishing and malware protection

Gmail protects your incoming mail against spam, phishing attempts, and malware. Our existing machine learning models are highly effective at doing this, and in conjunction with our other protections, they help block more than 99.9% of threats from reaching Gmail inboxes. One of our key protections is our malware scanner that processes more than 300 billion attachments each week to block harmful content.[6] 63 percent of the malicious documents we block differ from day to day.[7] In addition, Gmail can scan or run attachments in a virtual environment called Security Sandbox. Attachments identified as threats can be placed in users' Spam folders or quarantined.

We’re continuing to improve spam detection accuracy with early phishing detection, a dedicated machine learning model that selectively delays messages (less than 0.05 percent of messages on average) to perform rigorous phishing analysis and further protect user data from compromise.

Our detection models integrate with Google Safe Browsing machine learning technologies for finding and flagging phishy and suspicious URLs. These new models combine a variety of techniques, such as reputation and similarity analysis on URLs, allowing us to generate new URL click-time warnings for phishing and malware links. As we find new patterns, our models get better with time, and adapt more quickly than manual systems ever could.

Email spoofing prevention

Spammers can sometimes forge the “From” address on an email message so that it appears to come from a reputable organization’s domain. To help prevent this email spoofing, Google participates in the DMARC program, which lets domain owners tell email providers how to handle unauthenticated messages from their domain. Google Workspace customers can implement DMARC by creating a DMARC record within their admin settings and implementing an SPF record and DKIM keys on all outbound mail streams.
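The SPF and DMARC records described above can be linted before they are published. The following is an added example, not code from the whitepaper or from Google; the records are constructed samples for example.com, the function names are hypothetical, and it assumes outbound mail is sent through Google's servers, which are authorized with `include:_spf.google.com`.

```python
# Added example: lint SPF and DMARC TXT records for a domain that sends through Google Workspace.
# All records below are constructed samples for example.com, not real DNS data.

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return a list of findings for one DMARC TXT record (_dmarc.<domain>)."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["not a DMARC record: must start with v=DMARC1"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append("pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not collected")
    return findings

def audit_spf(record, required_include="_spf.google.com"):
    """Return findings for one SPF TXT record on the sending domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings = []
    if "include:" + required_include not in [t.lower() for t in terms]:
        findings.append("Google mail servers not authorized (include:%s)" % required_include)
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; unlisted senders get a neutral result")
    elif all_terms[-1][0] in "+?" or all_terms[-1].lower() == "all":
        findings.append("'%s' lets any host pass or stay neutral" % all_terms[-1])
    return findings

WEAK_DMARC = "v=DMARC1; p=none"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.google.com +all"
STRICT_SPF = "v=spf1 include:_spf.google.com ~all"

if __name__ == "__main__":
    for name, rec, check in [("DMARC", WEAK_DMARC, audit_dmarc), ("DMARC", STRICT_DMARC, audit_dmarc),
                             ("SPF", WEAK_SPF, audit_spf), ("SPF", STRICT_SPF, audit_spf)]:
        print(name, repr(rec), "->", check(rec) or "ok")
```

A `p=none` record is a reasonable starting point while aggregate reports are reviewed, but it does not stop spoofed mail until the policy is raised to `quarantine` or `reject`.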

Warnings for employees to prevent data loss

When employees are empowered to make the right decisions to protect data, it can improve an enterprise’s security posture. To help with this, Gmail displays unintended external reply warnings to users to help prevent data loss. If you try to respond to someone outside of your company domain, you’ll receive a quick warning to make sure you intended to send that email. And because Gmail has contextual intelligence, it knows if the recipient is an existing contact or someone you interact with regularly, to avoid displaying warnings unnecessarily.

Hosted S/MIME to provide enhanced security

With Google’s hosted S/MIME solution, once an incoming encrypted email with S/MIME is received, it is stored using Google's encryption. This means that all normal processing of the email can happen, including extensive protections for spam, phishing and malware, as well as admin services (such as vault retention, auditing and email routing rules) and high-value end user features such as mail categorization, advanced search and Smart Reply. For the vast majority of emails, this is the safest solution, giving the benefit of strong authentication and encryption in transit without losing the safety and features of Google's processing.

Gmail confidential mode

Gmail users can help protect sensitive information from unauthorized access using Gmail confidential mode. Recipients of messages in confidential mode don't have the option to forward, copy, print, or download messages, including attachments. Users can set a message expiration date, revoke message access at any time, and require an SMS verification code to access messages.

Data Loss Prevention (DLP) for Gmail and Drive

Data loss prevention (DLP)[8] adds another layer of protection designed to prevent sensitive or private information such as payment card numbers, national identification numbers, or protected health information from leaking outside of an organization. DLP enables customers to audit how sensitive data is flowing in their enterprise or turn on warning or blocking actions, to prevent users from sending confidential data. To enable this, DLP provides predefined content detectors, including detection of global and regional identifiers, medical information and credentials. Customers can also define their own custom detectors to meet their enterprise needs. For attachments and image-based documents, DLP uses Google’s optical character recognition to increase detection coverage and quality. DLP can also be used to prevent users from sharing sensitive content in Google Drive or shared drive with people outside of your organization. In addition, customers can automate IRM controls and classification of Drive files using advanced DLP rules.

Configuring Google Workspace security settings

Security and alert management

With multiple security and privacy controls in place, organizations need a centralized location where they can prevent, detect, and remediate threats. The Google Workspace security center[9] provides advanced security information and analytics, and added visibility and control into security issues affecting your domain.[10] It brings together security analytics, actionable insights and best practice recommendations from Google to empower you to protect your organization, data and users.

As an administrator, you can use the security dashboard to see an overview of different security center reports. The security health page provides visibility into your Admin console settings to help you better understand and manage security risks. Furthermore, you can use the security investigation tool to identify, triage, and take action on security and privacy issues in your domain. Administrators can automate actions in the investigation tool by creating activity rules to detect and remediate such issues more quickly and efficiently. For example, you can set up a rule to send email notifications to certain administrators if Drive documents are shared outside the company.

The alert center for Google Workspace provides all Google Workspace customers with alerts and actionable security insights about activity in your domain to help protect your organization from the latest security threats, including phishing, malware, suspicious account, and suspicious device activity. You can also use the alert center API to export alerts into your existing ticketing or SIEM platforms.

Trusted domains for drive sharing

Administrators can control how users in their organization share Google Drive files and folders. For example, they can choose whether users can share files with people outside of their organization or whether sharing is restricted to only trusted domains.[11] Optional alerts can be established to remind users to check that files aren't confidential before they are shared outside of the organization.

Video meetings safety

Google Meet takes advantage of the same secure-by-design infrastructure, built-in protection, and global network that Google uses to secure your information and safeguard your privacy. Our array of default-on anti-abuse measures, which include anti-hijacking measures for both web meetings and telephony dial-ins, keeps your meetings safe.

For users on Chrome, Firefox, Safari and new Edge, we don't require or ask for any plugins or software to be installed; Meet works entirely in the browser. This limits the attack surface for Meet and the need to push out frequent security patches on end-user machines. On mobile, we recommend that you install the Google Meet app from the Apple App Store or the Google Play Store.

We support multiple 2-Step Verification (2SV) options for Meet that are both secure and convenient: hardware and phone-based security keys, as well as Google prompt. Meet users can enroll their account in Google’s Advanced Protection Program (APP). APP provides our strongest protections available against phishing and account hijacking and is specifically designed for the highest-risk accounts, and we’ve yet to see people successfully phished if they participate in APP, even if they are repeatedly targeted.

Endpoint management

The protection of information on mobile and desktop devices can be a key concern for customers. Google Workspace customers can use endpoint management[12] to help protect corporate data on users’ personal devices and on an organization’s company-owned devices. By enrolling the devices for management, users get secure access to Google Workspace services and organizations can set policies to keep devices and data safe through device encryption and screen lock or password enforcement. Furthermore, if a device is lost or stolen, corporate accounts can be remotely wiped from mobile devices and users can be remotely signed out from desktop devices. IT admins can also manage and configure Windows 10 devices through the Admin console, and users can use existing Google Workspace account credentials to log in to Windows 10 devices and access apps and services with single sign-on (SSO). Reports enable customers to monitor policy compliance and get information about users and devices.

Reporting analytics

Google Workspace audit logs

Enterprises storing data in the Cloud seek visibility into data access and account activity. Google Workspace audit logs help security teams maintain audit trails in Google Workspace and view detailed information about Admin activity, data access, and system events. Google Workspace admins can use the Admin Console to access these logs and can customize and export logs as required.

Security reports

Google Workspace administrators have access to security reports that provide vital information on their organization’s exposure to data compromise. They can quickly discover which particular users pose security risks by not taking advantage of 2-step verification, installing external apps, or sharing documents indiscriminately. Administrators can also choose to receive alerts when suspicious login activity occurs, indicating a possible security threat.

Insights using BigQuery

Google Workspace admins can export audit logs and other information to BigQuery. With BigQuery, Google’s enterprise data warehouse for large-scale data analytics, customers can analyze Google Workspace logs using sophisticated, high-performing custom queries, and leverage third-party tools for deeper analysis.

Data Recovery

Restore a recently deleted user

An administrator can restore a deleted user account for up to twenty days after the date of deletion. After twenty days, the Admin console permanently deletes the user account, and it can’t be restored, even if you contact Google technical support. Please note that only customer administrators can delete accounts.

Restore a user’s Drive or Gmail data

An administrator can restore a user’s Drive or Gmail data for up to 25 days after the data is removed from the user’s trash, subject to any retention policies set in Vault. After 25 days, the data cannot be restored, even if you contact technical support. Google will delete all customer-deleted data from its systems as soon as reasonably practicable and within a maximum period of 180 days.

Retention and eDiscovery

An administrator can turn on Google Vault to retain, hold, search, and export data in support of your organization’s retention and eDiscovery needs. Vault supports such data as Gmail messages, files in Google Drive, and recordings in Google Meet, among others.

Data Residency

As an administrator, you can choose to store your covered data in a specific geographic location (the United States or Europe) by using a data region policy. Data region policies cover the primary data-at-rest (including backups) for these Google Workspace Core Services. Covered data includes Drive file content, Google Chat messages and attachments, Gmail mail subjects and messages, as well as other Core Services data.