Google Workspace security whitepaper

Customers can strengthen account security by using 2-step verification and security keys.⁴ These can help mitigate risks such as the misconfiguration of employee access controls or attackers taking advantage of compromised accounts.⁵ With the Advanced Protection Program for enterprise, we can enforce a curated set of strong account security policies for enrolled users. These include requiring security keys, blocking access to untrusted apps, and enhanced scanning for email threats.

Google Workspace offers customers a single sign-on (SSO) service that lets users access multiple services using the same sign-in page and authentication credentials. It is based on SAML 2.0, an XML standard that allows secure web domains to exchange user authentication and authorization data. For additional security, SSO accepts public keys and certificates generated with either the RSA or DSA algorithm. Customer organizations can use the SSO service to integrate single sign-on for Google Workspace into their LDAP or other SSO system.

Google Workspace supports OAuth 2.0 and OpenID Connect, an open protocol for authentication and authorization that allows customers to configure one single sign-on service (SSO) for multiple cloud solutions. Users can log on to third-party applications through Google Workspace—and vice versa—without re-entering their credentials or sharing sensitive password information.

Most organizations also have internal policies which dictate the handling of sensitive data. To help Google Workspace administrators maintain control over sensitive data, we offer information rights management in Google Drive. Administrators and users can use the access permissions in Google Drive to protect sensitive content by preventing the re-sharing, downloading, printing or copying of the file or changing of the permissions.

By default, users with Gmail accounts at your domain can send mail to and receive mail from any email address. In some cases, administrators may want to restrict the email addresses users can exchange mail with. For example, a school might want to allow its students to exchange mail with the faculty and other students, but not with people outside the school.

Using the restrict delivery setting allows administrators to specify the addresses and domains where users can send or receive email messages. When administrators add a restricted delivery setting, users can only communicate with authorized parties. Users who attempt to send mail to a domain not listed will see a message that specifies the policy prohibiting mail to that address, and confirms that the mail is unsent. Likewise, users receive only authenticated messages from listed domains. Messages sent from unlisted domains—or messages from listed domains that can’t be verified using DKIM or SPF records—are returned to the sender with a message about the policy.

To facilitate easier user access, while at the same time protecting the security of data, Google has developed context-aware access.⁶ This provides granular controls for Google Workspace apps, based on a user’s identity and context of the request (such as device security status or IP address). Based on the BeyondCorp security model developed by Google, users can access web applications and infrastructure resources from virtually any device, anywhere, without utilising remote-access VPN gateways while administrators can establish controls over the device. You can also still set access policies, such as 2-Step Verification, for all members of an organizational unit or group.

Gmail protects your incoming mail against spam, phishing attempts, and malware. Our existing machine learning models are highly effective at doing this, and in conjunction with our other protections, they help block more than 99.9% of threats from reaching Gmail inboxes. One of our key protections is our malware scanner that processes more than 300 billion attachments each week to block harmful content.⁷ 63% percent of the malicious documents we block differ from day to day.⁸ In addition, Gmail can scan or run attachments in a virtual environment called Security Sandbox. Attachments identified as threats can be placed in users' Spam folders or quarantined.

We’re continuing to improve spam detection accuracy with early phishing detection, a dedicated machine learning model that selectively delays messages (less than 0.05 percent of messages on average) to perform rigorous phishing analysis and further protect user data from compromise.

Our detection models integrate with Google Safe Browsing machine learning technologies for finding and flagging suspicious URLs. These new models combine a variety of techniques, such as reputation and similarity analysis on URLs, allowing us to generate new URL click-time warnings for phishing and malware links. As we find new patterns, our models get better with time, and adapt more quickly than manual systems ever could.

Spammers can sometimes forge the “From” address on an email message so that it appears to come from a reputable organization’s domain. To help prevent this email spoofing, Google participates in the DMARC program, which lets domain owners tell email providers how to handle unauthenticated messages from their domain. Google Workspace customers can implement DMARC by creating a DMARC record within their admin settings and implementing an SPF record and DKIM keys on all outbound mail streams.

When employees are empowered to make the right decisions to protect data, it can improve an enterprise’s security posture. To help with this, Gmail displays unintended external reply warnings to users to help prevent data loss. If you try to respond to someone outside of your company domain, you’ll receive a quick warning to make sure you intended to send that email. And because Gmail has contextual intelligence, it knows if the recipient is an existing contact or someone you interact with regularly, to avoid displaying warnings unnecessarily.

With Google’s hosted S/MIME solution, once an incoming encrypted email with S/MIME is received, it is stored using Google's encryption. This means that all normal processing of the email can happen, including extensive protections for spam, phishing and malware, as well as admin services (such as vault retention, auditing and email routing rules) and high-value end user features such as mail categorization, advanced search and Smart Reply. For the vast majority of emails, this is the safest solution, giving the benefit of strong authentication and encryption in transit without losing the safety and features of Google's processing.

Gmail users can help protect sensitive information from unauthorized access using Gmail confidential mode. Recipients of messages in confidential mode don't have the option to forward, copy, print, or download messages, including attachments. Users can set a message expiration date, revoke message access at any time, and require an SMS verification code to access messages.

With multiple security and privacy controls in place, organizations need a centralized location where they can prevent, detect, and remediate threats. The Google Workspace security center⁹ provides advanced security information and analytics, and added visibility and control into security issues affecting your domain.¹⁰ It brings together security analytics, actionable insights and best practice recommendations from Google to empower you to protect your organization, data and users.

As an administrator, you can use the security dashboard to see an overview of different security center reports. The security health page provides visibility into your Admin console settings to help you better understand and manage security risks. Furthermore, you can use the security investigation tool to identify, triage, and take action on security and privacy issues in your domain. Administrators can automate actions in the investigation tool by creating activity rules to detect and remediate such issues more quickly and efficiently. For example, you can set up a rule to send email notifications to certain administrators if Drive documents are shared outside the company.

The alert center for Google Workspace provides all Google Workspace customers with alerts and actionable security insights about activity in your domain to help protect your organization from the latest security threats, including phishing, malware, suspicious account, and suspicious device activity. You can also use the alert center API to export alerts into your existing ticketing or SIEM platforms.

Google Meet takes advantage of the same secure-by-design infrastructure, built-in protection, and global network that Google uses to secure your information and safeguard your privacy. Our array of default-on anti-abuse measures that include anti-hijacking measures for both web meetings and telephony dial-ins, keep your meetings safe.

For users on Chrome, Firefox, Safari and new Edge we don't require or ask for any plugins or software to be installed, Meet works entirely in the browser. This limits the attack surface for Meet and the need to push out frequent security patches on end-user machines. On mobile, we recommend that you install the Google Meet app from Apple App Store or the Google Play Store.

We support multiple 2 Step Verification (2SV) options for Meet that are both secure and convenient - hardware and phone-based security keys, as well as Google prompt. Meet users can enroll their account in Google’s Advanced Protection Program (APP). APP provides our strongest protections available against phishing and account hijacking and is specifically designed for the highest-risk accounts, and we’ve yet to see people successfully phished if they participate in APP, even if they are repeatedly targeted. For more information, check out this page.

The protection of information on mobile and desktop devices can be a key concern for customers. Google Workspace customers can use endpoint management¹¹ to help protect corporate data on users’ personal devices and on an organization’s company-owned devices. By enrolling the devices for management, users get secure access to Google Workspace services and organizations can set policies to keep devices and data safe through device encryption and screen lock or password enforcement. Furthermore, if a device is lost or stolen, corporate accounts can be remotely wiped from mobile devices and users can be remotely signed out from desktop devices. IT admins can also manage and configure Windows 10 devices through the Admin console, and users can use existing Google Workspace account credentials to login to Windows 10 devices and access apps and services with single sign-on (SSO). Reports enable customers to monitor policy compliance and get information about users and devices. You can obtain further information on endpoint management here.

Enterprises storing data in the Cloud seek visibility into data access and account activity. Google Workspace audit logs help security teams maintain audit trails in Google Workspace and view detailed information about Admin activity, data access, and system events. Google Workspace admins can use the Admin Console to access these logs and can customize and export logs as required.

Google Workspace administrators have access to security reports that provide vital information on their organization’s exposure to data compromise. They can quickly discover which particular users pose security risks by not taking advantage of 2-step verification, installing external apps, or sharing documents indiscriminately. Administrators can also choose to receive alerts when suspicious login activity occurs, indicating a possible security threat.

Google Workspace admins can export audit logs and other information to BigQuery. With BigQuery, Google’s enterprise data warehouse for large-scale data analytics, customers can analyze Google Workspace logs using sophisticated, high-performing custom queries, and leverage third-party tools for deeper analysis.

An administrator can restore a deleted user account for up to twenty days after the date of deletion. After twenty days, the Admin console permanently deletes the user account, and it can’t be restored, even if you contact Google technical support. Please note that only customer administrators can delete accounts.

An administrator can restore a user’s Drive or Gmail data for up to 25 days after the data is removed from the user’s trash, subject to any retention policies set in Vault. After 25 days, the data cannot be restored, even if you contact technical support. Google will delete all customer-deleted data from its systems as soon as reasonably practicable and within a maximum period of 180 days.

An administrator can turn on Google Vault to retain, hold, search, and export data in support of your organization’s retention and eDiscovery needs. Vault supports such data as Gmail messages, files in Google Drive, and recordings in Google Meet, among others.

As an administrator, you can choose to store your covered data in a specific geographic location (the United States or Europe) by using a data region policy. Data region policies cover the primary data-at-rest (including backups) for these Google Workspace Core Services. Covered data includes Drive file content, Google Chat messages and attachments, Gmail mail subjects and messages, as well as other Core Services data.

• 4 Further information about deploying 2-step verification can be found on our support page.

• 5 See security best practices guidance on our security checklists page.

• 6 Integrated with Cloud Identity. Using context-aware access capabilities to protect access to Google Workspace apps requires a Cloud Identity Premium or Google Workspace Enterprise license.

• 7 As of February 2020.

• 8 As of February 2020.

• 9 Included with Google Workspace Enterprise edition and Google Workspace Enterprise for Education.

• 10 You must be an administrator with a Google Workspace Enterprise, Google Workspace for Education Plus, Drive Enterprise, or Cloud Identity Premium Edition license to access the security center. With Drive Enterprise or Cloud Identity Premium Edition, you receive a subset of security center reports on the security dashboard.

• 11 Included as standard with Google Workspace.