Google Workspace security whitepaper
How Google Workspace protects your data
Empowering users and administrators to improve security and compliance
Google builds security into its structure, technology, operations and approach to customer data. Our robust security infrastructure and systems become the default for each and every Google Workspace customer. Beyond these levels, users are actively empowered to enhance and customize their individual security settings to meet their business needs through dashboards and account security wizards.
Google Workspace also offers administrators full control to configure infrastructure, applications, and system integrations in a single dashboard via our Admin Console—regardless of the size of the organization—simplifying administration and configuration. Consider the deployment of DKIM (a phishing prevention feature) in an on-premise email system. Traditionally, administrators would need to patch and configure every server separately, with any misconfiguration causing a service outage. Using our Admin Console, however, DKIM can be configured in minutes across thousands, or hundreds of thousands, of accounts with peace of mind and no outage or maintenance window required.
That’s just one example. Administrators have many powerful tools at their disposal, including authentication features like 2-step verification and single sign-on, and email security policies like secure transport (TLS) enforcement, which can be configured to meet the security and system integration requirements of any organization.
Access and Authentication
2-step verification and security keys
Customers can strengthen account security by using
Single sign-on (SAML 2.0)
Google Workspace offers customers a
OAuth 2.0 and OpenID Connect
Google Workspace supports
Information Rights Management (IRM)
Most organizations also have internal policies which dictate the handling of sensitive data. To help Google Workspace administrators maintain control over sensitive data, we offer information rights management in Google Drive. Administrators and users can use the access permissions in Google Drive to protect sensitive content by preventing the re-sharing, downloading, printing or copying of the file or changing of the permissions.
Restricted email delivery
By default, users with Gmail accounts at your domain can send mail to and receive mail from any email address. In some cases, administrators may want to restrict the email addresses users can exchange mail with. For example, a school might want to allow its students to exchange mail with the faculty and other students, but not with people outside the school.
Using the
App access based on user context
To facilitate easier user access, while at the same time protecting the security of data, Google has developed
Asset Protection
Email spam, phishing and malware protection
Gmail protects your incoming mail against spam, phishing attempts, and malware. Our existing
We’re continuing to improve spam detection accuracy with
Our detection models integrate with
Email spoofing prevention
Spammers can sometimes forge the “From” address on an email message so that it appears to come from a reputable organization’s domain. To help prevent this email spoofing, Google participates in the DMARC program, which lets domain owners tell email providers how to handle unauthenticated messages from their domain. Google Workspace customers can implement DMARC by creating a DMARC record within their admin settings and implementing an SPF record and DKIM keys on all outbound mail streams.
Warnings for employees to prevent data loss
When employees are empowered to make the right decisions to protect data, it can improve an enterprise’s security posture. To help with this, Gmail displays
Hosted S/MIME to provide enhanced security
With Google’s hosted S/MIME solution, once an incoming encrypted email with S/MIME is received, it is stored using
Gmail confidential mode
Gmail users can help protect sensitive information from unauthorized access using Gmail confidential mode. Recipients of messages in confidential mode don't have the option to forward, copy, print, or download messages, including attachments. Users can set a message expiration date, revoke message access at any time, and require an SMS verification code to access messages.
Configuring Google Workspace security settings
Security and alert management
With multiple security and privacy controls in place, organizations need a centralized location where they can prevent, detect, and remediate threats. The
As an administrator, you can use the security dashboard to see an overview of different
The
Video meetings safety
Google Meet takes advantage of the same secure-by-design infrastructure, built-in protection, and global network that Google uses to secure your information and safeguard your privacy. Our array of default-on anti-abuse measures that include anti-hijacking measures for both web meetings and telephony dial-ins, keep your meetings safe.
For users on Chrome, Firefox, Safari and new Edge we don't require or ask for any plugins or software to be installed, Meet works entirely in the
We support multiple 2 Step Verification (2SV) options for Meet that are both secure and convenient - hardware and phone-based security keys, as well as Google prompt. Meet users can enroll their account in Google’s Advanced Protection Program (APP).
Endpoint management
The protection of information on mobile and desktop devices can be a key concern for customers. Google Workspace customers can use
Reporting analytics
Google Workspace audit logs
Enterprises storing data in the Cloud seek visibility into data access and account activity.
Security reports
Google Workspace administrators have access to
Insights using BigQuery
Google Workspace admins can export audit logs and other information to
Data Recovery
Restore a recently deleted user
An administrator can
Restore a user’s Drive or Gmail data
An administrator can
Retention and eDiscovery
An administrator can turn on
Data Residency
As an administrator, you can choose to store your covered data in a specific geographic location (the United States or Europe) by using a
-
4 Further information about deploying 2-step verification can be found on
our support page . -
5 See security best practices guidance on our
security checklists page . -
6 Integrated with Cloud Identity. Using context-aware access capabilities to protect access to Google Workspace apps requires a Cloud Identity Premium or Google Workspace Enterprise license.
-
7 As of February 2020.
-
8 As of February 2020.
-
9 Included with Google Workspace Enterprise edition and Google Workspace Enterprise for Education.
-
10 You must be an administrator with a Google Workspace Enterprise, Google Workspace for Education Plus, Drive Enterprise, or Cloud Identity Premium Edition license to access the security center. With Drive Enterprise or Cloud Identity Premium Edition, you receive a subset of security center reports on the security dashboard.
-
11 Included as standard with Google Workspace.