What features does Google Cloud have to provide security for cloud applications?

enhanced_encryption

Perfect forward secrecy

Google is the first major cloud provider to enable perfect forward secrecy, which encrypts content as it moves between our servers and those of other companies. With perfect forward secrecy private keys for a connection are ephemeral, which in turn prevents retroactive decryption of HTTPS sessions by an adversary or even the server operator. Many industry peers have followed suit or committed to adoption in the future.

stacked_email

100% email encryption

Every single email message you send or receive – 100% of them – is encrypted while moving between Google’s data centers. This ensures that your messages are safe not only when they move between your devices and Gmail’s servers, but also as they move internally within Google. We were also the first to let users know when their email was sent insecurely across providers with the introduction of our TLS indicator.

vpn_key

Strengthening encryption

To protect against cryptanalytic advances, in 2013 Google doubled its RSA encryption key length to 2048 bits and started changing them every few weeks, raising the bar for the rest of the industry.

The security key protects you and your Google Workspace users from phishing attacks.

Strong authentication

2-step verification greatly reduces the risk of unauthorised access by asking users for additional proof of identity when signing in. Our security key enforcement offers another layer of security for user accounts by requiring a physical key. The key sends an encrypted signature and works only with the sites that it’s supposed to, helping to guard against phishing. Google Workspace administrators can easily deploy, monitor and manage the security keys at scale from within the administration console – without installing additional software.

Suspicious login monitoring

We use our robust machine learning capabilities to help detect suspicious logins. When we discover a suspicious login, we notify administrators so that they can work to ensure that the accounts are secured.

Centralised cloud access management

With support for single sign-on (SSO), Google Workspace enables unified access to other enterprise cloud applications. Our identity and access management (IAM) service lets administrators manage all user credentials and cloud applications access in one place.

email

Enhanced email security

Google Workspace allows administrators to set customised rules requiring email messages to be signed and encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME). These rules can be configured to enforce S/MIME when specific content is detected in email messages.

Context-aware access

Based on the zero-trust security model and Google’s BeyondCorp implementation, context-aware access enables you to provide secure access for your users while maintaining their productivity. It enforces granular controls and uses a single platform for both your cloud and on-premises applications and infrastructure resources. With context-aware access, you can enforce granular access controls on Google Workspace apps, based on a user’s identity and context of the request.

security

Advanced Protection programme

Google’s Advanced Protection programme is our strongest protection for users at risk of targeted online attacks. With the Advanced Protection programme for enterprise, we’ll enforce a curated set of strong account security policies for enrolled users. These include requiring security keys, blocking access to untrusted apps, and enhanced scanning for email threats.

Data loss prevention

Google Workspace administrators can set up a Data Loss Prevention (DLP) policy to protect sensitive information within Gmail and Drive. We provide a library of predefined content detectors to make setup easy. Once the DLP policy is in place, for example, Gmail can automatically check all outgoing emails for sensitive information and automatically take action to prevent data leakage: either quarantine the email for review, tell users to modify the information or block the email from being sent and notify the sender. With easy-to-configure rules and optical character recognition (OCR) of content stored in images, DLP for Drive makes it easy for administrators to audit files containing sensitive content and configure rules that warn and prevent users from sharing confidential information externally. Learn more in our DLP white paper.

report

Spam detection

Machine learning has helped Gmail achieve 99.9% accuracy in spam detection and block sneaky spam and phishing messages – the kind that could actually pass for wanted emails. Less than 0.1% of emails in the average Gmail inbox is spam, and incorrect filtering of mail to the spam folder is even less likely (less than 0.05%).

Malware detection

To help prevent malware, Google automatically scans every attachment for viruses across multiple engines prior to a user downloading it. Gmail even checks for viruses in attachments queued for dispatch. This helps to protect everyone who uses Gmail and prevents the spread of viruses. Attachments in certain formats, such as .ADE, .ADP, .BAT, .CHM, .CMD, .COM, .CPL, .EXE, .HTA, .INS, .ISP, .JAR, .JS, .JSE, .LIB, .LNK, .MDE, .MSC, .MSI, .MSP, .MST, .NSH .PIF, .SCR, .SCT, .SHB, .SYS, .VB, .VBE, .VBS, .VXD, .WSC, .WSF and .WSH, are automatically blocked – even when they’re included as part of a compressed file.

Phishing prevention

Google Workspace uses machine learning extensively to protect users against phishing attacks. Our learning models perform similarity analyses between previously classified phishing sites and new, unrecognised URLs. As we find new patterns, we adapt more quickly than manual systems ever could. Google Workspace also allows administrators to enforce the use of security keys, making it impossible to use credentials compromised in phishing attacks.

DMARC

Brand phishing defence

To help prevent abuse of your brand in phishing attacks, Google Workspace follows the DMARC standard, which empowers domain owners to decide how Gmail and other participating email providers handle unauthenticated emails coming from your domain. By defining a policy, you can help protect both users and your organisation's reputation.

apps_policy

Integrated endpoint management

Google Workspace's fully integrated endpoint management offers continuous system monitoring and alerts you to suspicious device activity. Administrators can enforce endpoint policies, encrypt data on devices, lock lost or stolen mobile devices and remotely wipe devices.

security

Security Centre

The security centre for Google Workspace provides a single, comprehensive view into the security posture of your Google Workspace deployment. It brings together security analytics, best-practice recommendations and integrated remediation that empower you to protect your organisation’s data, devices and users.

playlist_add_check

Third-party application access controls

As part of our authentication controls, administrators get visibility and control of third-party applications leveraging OAuth for authentication and corporate data access. OAuth access can be disabled at a granular level and vetted third-party apps can be whitelisted.

https

Information rights management

To help administrators maintain control over sensitive data, we offer information rights management (IRM) in Drive. Administrators and users can disable downloading, printing and copying of files from the advanced sharing menu, and also set expiry dates on file access.

warning

Alert Centre

The Alert Centre for Google Workspace is a new way for admins to view essential notifications, alerts and actions across Google Workspace. Insights around these potential alerts can help administrators assess their organisation's exposure to security issues. Integrated remediation with the security centre offers a streamlined way to resolve these issues.

language

Data regions

Many organisations leverage the power of our distributed data centres to maximise critical benefits, such as minimal latency and robust geo-redundancy. However, for organisations with stringent control requirements, data regions for Google Workspace lets you choose where certain covered data should be stored at rest – either in the US, across Europe or distributed globally.

ISO/IEC 27001

ISO/IEC 27001 is one of the most widely recognised and accepted independent security standards. Google has earned ISO/IEC 27001 certification for the systems, technology, processes and data centres that run Google Workspace. View our ISO/IEC 27001 certificate.

ISO/IEC 27017

ISO/IEC 27017 is an international standard of practice for information security controls based on ISO/IEC 27002 specifically for cloud services. Our compliance with the international standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council (a member of the International Accreditation Forum, or IAF). View our ISO/IEC 27017 certificate.

ISO/IEC 27018

Google Workspace's compliance with ISO/IEC 27018:2014 affirms our commitment to international privacy and data protection standards. ISO/IEC 27018 guidelines include not using your data for advertising, ensuring that your data in Google Workspace services remains yours, providing you with tools to delete and export your data, protecting your information from third-party requests and being transparent about where your data is stored. View our ISO/IEC 27018 certificate.

SOC 2/3

The American Institute of Certified Public Accountants (AICPA) SOC (Service Organisation Controls) 2 and SOC 3 audit framework relies on its trust principles and criteria for security, availability, processing integrity and confidentiality. Google has both SOC 2 and SOC 3 reports. Download our SOC 3 report.

FedRAMP

Google Workspace products are compliant with the requirements of the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is the cloud security standard of the US government. Google Workspace is authorised for use by federal agencies for data it has classified at a "moderate" impact level, which may include PII and Controlled Unclassified Information. Google Workspace has been assessed as adequate for use with "OFFICIAL" (including "OFFICIAL SENSITIVE") information in accordance with the UK Security Principles. For details on product and services compliance, visit the FedRAMP Google Services page.

PCI DSS

Google Workspace customers who need to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance can set up a data loss prevention (DLP) policy that prevents emails containing payment card information from being sent from Google Workspace. For Drive, Vault can be configured to run audits and make sure that no cardholder data is stored.

FISC compliance

FISC (Center for Financial Industry Information Systems) is a public interest incorporated foundation tasked with conducting research related to technology, utilisation, control and threat/defence related to financial information systems in Japan. One of the key documents created by the organisation is the "FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions", which describes controls related to facilities, operations and Technical Infrastructure. Google has developed a guide to help customers understand how Google's control environment aligns with the FISC guidelines. Most of the controls outlined in our guide are part of our third-party audited compliance programs, including ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018 certifications. View our response to the FISC controls. For further information, please contact sales.

Esquema Nacional de Seguridad (ENS) – Spain

The Esquema Nacional de Seguridad (ENS) accreditation scheme for Spain has been developed by La Entidad Nacional de Acreditación (ENAC) in close collaboration with the Ministry of Finance and Public Administration and the National Cryptologic Centre (CCN). The ENS was established as part of Royal Decree 3/2010 (amended by Decree 951/2015) and serves to establish principles and requirements for the adequate protection of information for Spanish public sector entities. Google Cloud (GCP and Google Workspace) has met the requirements to comply with ENS at the ‘High’ level.

HIPAA

Google Workspace supports customers' compliance with the US Health Insurance Portability and Accountability Act (HIPAA), which governs the safeguarding, use and disclosure of protected health information (PHI). Customers who are subject to HIPAA and wish to use Google Workspace for PHI processing or storage can sign a business associate amendment with Google. View more details about HIPAA compliance with Google Workspace.

EU standard contractual clauses

Google Workspace meets data protection recommendations from the Article 29 Working Party and maintains adherence to EU standard contractual clauses with our Data Processing Amendment, sub-processor disclosure and EU standard contractual clauses. Google also maintains compliance with Privacy Shield and allows for data portability, wherein administrators can export data in standard formats without any additional charge.

General Data Protection Regulation

At Google Workspace, we champion initiatives that prioritise and improve the security and privacy of user data. We’ve made updates to our Data Processing Amendment to ensure that Google Workspace customers can confidently use our services now that the GDPR is in effect. We’ve also implemented stringent policies, processes and controls through our Data Processing Amendment and standard contractual clauses. In those agreements we commit to comply with the obligations applicable to us under the GDPR with respect to the processing that we do on behalf of our customers, and we have worked closely with European data protection authorities to meet their expectations. Learn more.

US FERPA

Millions of students rely on G Suite for Education. G Suite for Education services comply with the US Family Educational Rights and Privacy Act (FERPA). Our commitment to this compliance is included in our agreements.

COPPA

Protecting children online is important to us. We contractually require G Suite for Education schools to obtain the parental consent that the US Children's Online Privacy Protection Act of 1998 (COPPA) requires, and our services can be used in compliance with COPPA.

South Africa's POPI Act

Google provides product capabilities and contractual commitments to facilitate customer compliance with South Africa's Protection of Personal Information (POPI) Act. Customers who are subject to POPI can define how their data is stored, processed and protected by signing a Data Processing Amendment.

Data retention and eDiscovery

Vault allows you to retain, search and export your organisation’s data from select Google Workspace apps. Vault is entirely web-based, so there's no need to install or maintain extra software.

import_export

Export evidence

Vault allows you to export select Google Workspace apps data to standard formats for additional processing and review – all in a manner that supports legal standards while respecting chain of custody guidelines.

unsubscribe

Content compliance

Google Workspace's monitoring tools allow administrators to scan email messages for alphanumeric patterns and objectionable content. Administrators can create rules to either reject matching emails before they reach their intended recipients or deliver them with modifications.

list

Easy monitoring

Easy interactive reports help you assess your organisation's exposure to security issues at a domain and user level. Extensibility with a collection of application programming interfaces (APIs) enable you to build custom security tools for your own environment. With insight into how users are sharing data, which third-party apps are installed and whether appropriate security measures such as 2-step verification are in place, you can improve your security posture.

error

Audit tracking

Google Workspace allows administrators to track user actions and set up custom alerts within Google Workspace. This tracking spans the Admin Console, Gmail, Drive, Calendar, Groups, mobile and third-party application authorisation. For example, if a marked file is downloaded or if a file containing the word "confidential" is shared outside the organisation, administrators can be notified.

Insights using BigQuery

With BigQuery, Google's enterprise data warehouse for large-scale data analytics, you can analyse Gmail logs using sophisticated, high-performing custom queries and leverage third-party tools for deeper analysis.