Google Cloud Security and Compliance

How Google protects your data

Empowering Users and Administrators to Improve Security and Compliance

Google Workspace also offers administrators full control to configure infrastructure, applications and system integrations in a single dashboard via our Admin console — regardless of the size of the organization.

Google builds security into its structure, technology, operations and approach to customer data. Our robust security infrastructure and systems become the default for each and every Google Workspace customer. But beyond these levels, users are actively empowered to enhance and customize their individual security settings to meet their business needs through dashboards and account security wizards. Google Workspace also offers administrators full control to configure infrastructure, applications and system integrations in a single dashboard via our Admin console -regardless of the size of the organization. This approach simplifies administration and configuration. Consider deployment of DKIM (a phishing prevention feature) in an on-premise email system. Administrators would need to patch and configure every server separately, and any misconfiguration would cause a service outage. Using our Admin console, DKIM is configured in minutes across thousands or hundreds of thousands of accounts with peace of mind and no outage or maintenance window required. Administrators have many powerful tools at their disposal, such as authentication features like 2-step verification and single sign-on, and email security policies like secure transport (TLS) enforcement, which can be configured by organizations to meet security and system integration requirements. Below are some key features that can help customize Google Workspace for your security and compliance needs:

User authentication/authorization features

2-step verification

2-step verification adds an extra layer of security to Google Workspace accounts by requiring users to enter a verification code in addition to their username and password when they sign in. This can greatly reduce the risk of unauthorized access if a user’s password is compromised.Verification codes are delivered on a one-time basis to a user’s Android,BlackBerry, iPhone, or other mobile phone. Administrators can choose to turn on 2-step verification for their domain at any time.

Security Key

Security Key is an enhancement for 2-step verification. Google, working with the FIDO Alliance standards organization, developed the Security Key — an actual physical key used to access your Google Account. It sends an encrypted signature rather than a code, and helps ensure that your login cannot be phished. Google Cloud admins will be able to easily deploy, monitor and manage the Security Key at scale with new controls in the Admin console with no additional software to install. IT admins will see where and when employees last used their keys with usage tracking and reports. If Security Keys are lost, admins can easily revoke access to those keys and provide backup codes so employees can still sign-in and get work done.

Single sign-on (SAML 2.0)

Google Workspace offers customers a single sign-on (SSO) service that lets users access multiple services using the same sign-in page and authentication credentials. It is based on SAML 2.0, an XML standard that allows secure web domains to exchange user authentication and authorization data. For additional security, SSO accepts public keys and certificates generated with either the RSA or DSA algorithm. Customer organizations can use the SSO service to integrate single sign-on for Google Workspace into their LDAP or other SSO system.

OAuth 2.0 and OpenID Connect

Google Workspace supports OAuth 2.0 and OpenID Connect, an open protocol for authentication and authorization. This allows customers to configure one single sign-on service (SSO) for multiple cloud solutions. Users can log on to third-party applications through Google Workspace—and vice versa—without re-entering their credentials or sharing sensitive password information.

Data management features

Information Rights Management (IRM)

With Information Rights Management (“IRM”) you can disable downloading, printing and copying from the advanced sharing menu — perfect for when the file you’re sharing is only meant for a few select people. This new option is available for any file stored in Google Drive, including documents, spreadsheets and presentations created in Google Docs.

Drive audit log

The Drive audit log lists every time your domain’s users view, create, update, delete or share Drive content. This includes content you create in Google Docs, Sheets, Slides and other Google Apps, as well as content created elsewhere that you upload to Drive, such as PDFs and Word files.

Drive content compliance / alerting

Google Workspace has an additional feature that allows Administrators to keep track of when specific actions are taken in Drive and can set up custom Drive alerts. So if you want to know when a file containing the word “confidential” in the title is shared outside the company, now you’ll know. And there are more events coming to Drive audit, including download, print and preview alerts.

Trusted domains for Drive sharing

Google Workspace and Education administrators will allow for domain whitelisting. End users can share to those trusted domains, but can’t share to other external domains. Great for partnerships, subsidiaries or other arrangements where certain domains are trusted and users are allowed to share to them.

Email Security features

Secure transport (TLS) enforcement

Google Workspace administrators can require that email to or from specific domains or email addresses be encrypted with Transport Layer Security (TLS). For instance, a customer organization may choose to transmit all messages to its outside legal counsel via a secure connection. If TLS is not available at a specified domain, inbound mail will be rejected and outbound mail will not be transmitted.

Google Workspace administrators can require that email to or from specific domains or email addresses be encrypted with Transport Layer Security (TLS).

Phishing prevention

Spammers can sometimes forge the “From” address on an email message so that it appears to come from a reputable organization’s domain. Known as phishing, this practice is often an attempt to collect sensitive data. To help prevent phishing, Google participates in the DMARC program, which lets domain owners tell email providers how to handle unauthenticated messages from their domain. Google Workspace customers can implement DMARC by creating a DMARC record within their admin settings and implementing an SPF record and DKIM keys on all outbound mail streams.

Data Loss Prevention (DLP) for Gmail

Gmail data loss prevention (DLP) lets you scan your organization’s inbound and outbound email traffic for content, such as credit card or Social Security numbers, and set up policy-based actions when this content is detected. Available actions include sending the message to quarantine, rejecting the message, or modifying the message. If you configure a DLP policy using predefined detectors, the email subject, message body, and attachments are automatically scanned. You can create more sophisticated content compliance policies by combining one or more predefined detectors with keywords or regular expressions to construct compound detection criteria. Sensitive information does not reside exclusively in text documents, but also in scanned copies and images as well. With the new OCR enhancement, DLP policies can now analyze common image types, and extract text for policy evaluation. Admins have the option to enable OCR in the Admin console at the organizational-unit (OU) level for both the Content compliance and Objectionable content rules. Additional information is available in our DLP Whitepaper.

Email content compliance

Administrators can choose to scan Google Workspace email messages for predefined sets of words, phrases, text patterns or numerical patterns. They can create rules that either reject matching emails before they reach their intended recipients or deliver them with modifications. Customers have used this setting to monitor sensitive or restricted data, such as credit card information, internal project code names, URLs, telephone numbers, employee identification numbers, and social security numbers.

Objectionable content

The objectionable content setting enables administrators to specify what action to perform for messages based on custom word lists. With objectionable content policies, administrators choose whether messages containing certain words (such as obscenities) are rejected or delivered with modifications; for example, to notify others when the content of a message matches the rules that you set. Administrators can also configure this setting to reject outbound emails that may contain sensitive company information; for example, by setting up an outbound filter for the word confidential.

Restricted email delivery

By default, users with Gmail accounts at your domain can send mail to and receive mail from any email address. However, in some cases, administrators may want to restrict the email addresses your users can exchange mail with. For example, a school might want to allow its students to exchange mail with the faculty and other students, but not with people outside of the school. Use the Restrict delivery setting to allow the sending or receiving of email messages only from addresses or domains that administrators specify. When administrators add a Restrict delivery setting, users cannot communicate with anyone, except those authorized. Users who attempt to send mail to a domain not listed will see a message that specifies a policy prohibiting mail to that address, confirming that the mail is unsent. Users receive only authenticated messages from listed domains. Messages sent from unlisted domains-or messages from listed domains that can’t be verified using DKIM or SPF records -are returned to the sender with a message about the policy.

eDiscovery features

eDiscovery allows organizations to stay prepared in case of lawsuits and other legal matters. Google Vault is the eDiscovery solution for Google Workspace that lets customers retain, archive, search and export their business Gmail. Administrators can also search and export files stored in Google Drive.

Email retention policy

Retention rules control how long certain messages in your domain are retained before they are removed from user mailboxes and expunged from all Google systems. Google Workspace allows you to set a default retention rule for your entire domain. For more advanced implementations, Google Vault allows administrators to create custom retention rules to retain specific content. This advanced configuration allows administrators to specify the number of days to retain messages, whether to delete them permanently after their retention periods, whether to retain messages with specific labels, and whether to let users manage email deletion themselves.

Google Vault allows administrators to place legal holds on users to preserve all their emails and on-the-record chats indefinitely in order to meet legal or other retention obligations. You can place legal holds on all content in a user’s account, or target specific content based on dates and terms. If a user deletes messages that are on hold, the messages are removed from the user’s view, but they are not deleted from Google servers until the hold is removed.


Google Vault allows administrators to search Gmail and Drive accounts by user account, organizational unit, date or keyword. Search results include email, on-the-record chats, Google file types and non-Google file types such as PDF, DOCX and JPG.

Evidence export

Google Vault allows administrators to have the ability to export specific email, on-the-record chats and files to standard formats for additional processing and review in a manner that supports legal matters while respecting chain of custody guidelines.

Support for third-party email platforms

The comprehensive mail storage setting ensures that a copy of all sent or received mail in your domain—including mail sent or received by non-Gmail mailboxes—is stored in the associated users’ Gmail mailboxes. For organizations that reroute mail to non-Gmail mail servers, this setting also ensures storage of mail in Gmail mailboxes for archiving and eDiscovery purposes.

Administrators can enforce policies over mobile devices in their organization, encrypt data on devices, and perform actions like remotely wiping or locking lost or stolen devices.

Securing endpoints

Mobile device management (MDM)

Mobile device management in Google Workspace eliminates the need for on-premises device or third-party management solutions. Administrators can enforce policies over mobile devices in their organization, encrypt data on devices, and perform actions like remotely wiping or locking lost or stolen devices. This type of control helps ensure the security of business data, even if employees choose to work on their personal phones and tablets. Mobile device management in Google Workspace works with Android, iOS, Windows Phone, and smartphones and tablets using Microsoft Exchange ActiveSync, such as BlackBerry 10.

Policy-based Chrome browser security

All of the tools and features in Google Workspace are best supported by Google Chrome. Administrators can apply security and usage policies across Windows, OSX, Linux, iOS, and Android. Chrome’s standard security features include Safe Browsing, sandboxing, and managed updates that protect users from malicious sites, viruses, malware, and phishing attacks. There are also measures in place to prevent cross-site scripting, which attackers can use to steal private data. Google Workspace administrators can deploy Chrome across their organization and customize it to meet their needs. Over 280 policies help administrators control how employees use Chrome across devices. For example, administrators can enable automatic updates to get the latest security fixes, block or allow specific apps, and configure support for legacy browsers.

Chrome device management

The Google Workspace Admin Console applies policy to Chrome devices such as Chromebooks, Chromeboxes, and Chromebox for meetings, which are fast, secure, and cost-effective computers that run Chrome as an operating system. Administrators can easily manage security and other settings for their organization’s Chrome devices from a single place. They can configure Chrome features for their users, set up access to VPNs and WiFi networks, pre-install apps and extensions, restrict sign-in to certain users, and more.

Data Recovery

Restore a recently deleted user

An administrator can restore a deleted user account for up to five days after date of deletion. After five days, the Admin console permanently deletes the user account, and it can’t be restored, even if you contact Google technical support. Please note that only customer Administrators can delete accounts.

An administrator can restore a user’s Drive or Gmail data for up to 25 days after date of deletion.

Restore a user’s Drive or Gmail data

An administrator can restore a user’s Drive or Gmail data for up to 25 days after the data is removed from the user’s trash. Google will delete all Customer-deleted data from its systems as soon as reasonably practicable and within a maximum period of 180 days.

Security reports

Google Workspace administrators have access to security reports that provide vital information on their organization’s exposure to data compromise. They can quickly discover which particular users pose security risks by eschewing 2-step verification, installing external apps, or sharing documents indiscriminately. Administrators can also choose to receive alerts when suspicious login activity occurs, indicating a possible security threat.

This whitepaper applies to the following Google Workspace products:

Google Workspace, G Suite for Education, G Suite for Government, Google Workspace for Nonprofit, Drive, and G Suite Business

Download full whitepaper (PDF).