Official Google Cloud Blog: Security

Google for Work security: Announcing Data Loss Prevention to wrap up 2015

Wednesday, December 9, 2015

Check out the DLP whitepaper for more information including the full list of predefined content creators, and learn how to get started. Gmail DLP is the first step in a long-term investment to bring rule-based security across Google Apps. We’re working on bringing DLP to Google Drive early next year, along with other rule based security systems.

As we round out the year, let’s take a look at what we did in 2015 to enhance the security, privacy and control you have over your information.

To verify the good work we do on privacy, we were one of the first cloud providers to invite an independent auditor to show that our privacy practices for Google Apps for Work and Google Apps for Education comply with the latest ISO/IEC 27018:2014 privacy standards. These confirm for example, that we don’t use customer data for advertising.
To make security easier for all, we've expanded our security toolset:

We introduced Security Keys to make two-step verification more convenient and provide better protection against phishing. For admins, we released Google Apps identity services, which allows secure single sign on access with SAML and OIDC support and we delivered device (MDM) and app (MAM) Mobile Management across Google Apps.
We launched Postmaster tools to help Gmail users better handle large volumes of mail and report spam.
For Google Cloud developers, the Cloud Security Scanner allows you to easily scan your application for common vulnerabilities (such as cross-site scripting (XSS) and mixed content).
For those who want the power and flexibility of public cloud computing and want to bring their own encryption keys, we announced Customer-Supplied Encryption Keys for Google Cloud Platform.
To give more transparency on how email security, even beyond Gmail, is changing over the years we published the Safer Email report.

We introduced new sharing features, alerts and audit events to Google Drive for Google Apps Unlimited customers. For example, administrators can now create custom alerts and disable the downloading, printing or copying of files with Information Rights Management (IRM). New sharing settings give employees better control within their organization unit and now admins can let them reset their own passwords.
Google Groups audit settings allow better tracking of Groups memberships. For all, the launch of google.com/privacy gives better control over personal data and Android for Work makes it easier to keep personal and work data separate on employee devices.

Companies are moving to the Cloud for all kinds of reasons, but Security and Trust remain critical and predominant differentiators between providers. That’s why millions of businesses trust Google to do the daily heavy lifting in security ─ preventing, testing, monitoring, upgrading and patching, while working towards the future. Because Google was born in the cloud, we’ve built security from the ground up across our entire technology stack, from the data centers to the servers to the services and features we provide across all of your devices. No other Cloud provider can claim this degree of security investment at every single layer.

While 2015 was a great year, there’s a lot more in store for 2016. To learn more about how our technology is evolving, please join us at the Enigma conference in San Francisco on January 25th to discuss electronic crime, security and privacy ideas that matter.

Posted by Suzanne Frey, Director, Security, Trust, and Privacy, Google Apps

Every company has data that it must keep secure — whether that data is about confidential innovations, strategic plans or sensitive HR issues — keeping all of your data safe from inadvertent or purposeful leaks needs to be simple, quick and reliable. Google for Work already helps admins manage information security with tools such as encryption, sharing controls, mobile device management and two-factor authentication. However, sometimes user actions compromise the best of all of these controls; for example, a user might hit “Reply all” when meaning to send a private message with sensitive content.

Starting today, if you’re a Google Apps Unlimited customer, Data Loss Prevention (DLP) for Gmail will add another layer of protection to prevent sensitive information from being revealed to those who shouldn’t have it.

How Gmail DLP works

Organizations may have a policy that the Sales department shouldn’t share customer credit card information with vendors. And to keep information safe, admins can easily set up a DLP policy by selecting “Credit Card Numbers” from a library of predefined content detectors. Gmail DLP will automatically check all outgoing emails from the Sales department and take action based on what the admin has specified: either quarantine the email for review, tell users to modify the information or block the email from being sent and notify the sender. These checks don’t just apply to email text, but also to content inside common attachment types ― such as documents, presentations and spreadsheets. And admins can also create custom rules with keywords and regular expressions.

To verify the good work we do on privacy, we were one of the first cloud providers to invite an independent auditor to show that our privacy practices for Google Apps for Work and Google Apps for Education comply with the latest ISO/IEC 27018:2014 privacy standards. These confirm for example, that we don’t use customer data for advertising.
To make security easier for all, we've expanded our security toolset:

We introduced Security Keys to make two-step verification more convenient and provide better protection against phishing. For admins, we released Google Apps identity services, which allows secure single sign on access with SAML and OIDC support and we delivered device (MDM) and app (MAM) Mobile Management across Google Apps.
We launched Postmaster tools to help Gmail users better handle large volumes of mail and report spam.
For Google Cloud developers, the Cloud Security Scanner allows you to easily scan your application for common vulnerabilities (such as cross-site scripting (XSS) and mixed content).
For those who want the power and flexibility of public cloud computing and want to bring their own encryption keys, we announced Customer-Supplied Encryption Keys for Google Cloud Platform.
To give more transparency on how email security, even beyond Gmail, is changing over the years we published the Safer Email report.

We introduced new sharing features, alerts and audit events to Google Drive for Google Apps Unlimited customers. For example, administrators can now create custom alerts and disable the downloading, printing or copying of files with Information Rights Management (IRM). New sharing settings give employees better control within their organization unit and now admins can let them reset their own passwords.
Google Groups audit settings allow better tracking of Groups memberships. For all, the launch of google.com/privacy gives better control over personal data and Android for Work makes it easier to keep personal and work data separate on employee devices.

The Key for working smarter, faster and more securely

Tuesday, April 21, 2015

Admins can order Security Keys from online retailers or directly from a manufacturer. Multiple models are available and prices start at $6 per key. You can have a smaller model permanently in the USB slot, so it’s available at your fingertips or carry a larger removable model on your keychain or in your wallet. We hope you also take advantage of what the Security Key can do to help protect your organization. Learn more.

Posted by Eran Feigenbaum, Director of Security, Google for Work

It’s easier than ever to share ideas across the world. But as technology keeps advancing to connect us, so do the techniques of those with bad intentions. The number of records breached in 2014 was staggering; weak usernames and passwords remain the leading cause. The introduction of 2-Step Verification added a layer of security for your Google Account, but we knew more could be done.

That’s why Google, working with the FIDO Alliance standards organization, developed the Security Key — an actual physical key used to access your Google Account. It sends an encrypted signature rather than a code, and ensures that your login cannot be phished. And using this key saves you time — when you need to verify your Google Account on a Chrome browser, the key’s light will flash. Just tap it and the signature sends automatically. In fact, when we rolled the Security Key out to Googlers last year, they loved that it was so much faster than when they had to enter a code.

New Google Apps controls to manage Security Keys

Businesses like Yelp and Woolworths started piloting the Security Key at work and have been looking for ways to scale adoption. Cameron Roberts, Google Apps SME at Woolworths Limited told us, “We have a large workforce and it’s imperative that all of our accounts are secure. The Security Keys are a great step forward, as they are very practical and more secure.” Ryan de Temple, IT Engineer for Security at Yelp said, “As we roll Security Keys out to our users, we realized the importance of a management toolset to audit and revoke keys, as well as reports on key enrollment activity.”

In the coming weeks, Google Drive for Work admins will be able to easily deploy, monitor and manage the Security Key at scale with new controls in the Admin console with no additional software to install. IT admins will see where and when employees last used their keys with usage tracking and reports. If Security Keys are lost, admins can easily revoke access to those keys and provide backup codes so employees can still sign-in and get work done

Our commitment to protecting your Google Apps information

Thursday, April 9, 2015

Posted by Marc Crandall, Head of Global Compliance, Google for Work

Editor's note: Our guest blogger this week is Marc Crandall, Head of Global Compliance at Google for Work. A lawyer and long time Googler, Marc focuses on regulatory matters involving privacy and security.

We regularly hear from our customers that assessing data protection compliance in various countries around the world can be challenging. Protecting the privacy and security of our customers’ information is a top priority, and we take compliance very seriously. That’s why we've been working hard to make things a bit easier for you.

We recently launched a new legal and compliance section of the Google Admin console where Google Apps administrators can find pointers to useful information, such as security and privacy certifications, third-party audits and data center and subprocessor information. This will be helpful to everyone, from those who manage their own domain to legal, security and privacy compliance specialists.

Another important resource for Google Apps for Work customers is our data processing amendment, which we’ve offered to customers since 2012. Customers that use our products for Work and for Education are often subject to data protection and compliance regulations. To help address this, in addition to our commercial agreements, we offer a data processing amendment that describes Google’s specific data protection commitments for your Google Apps information.

If you operate in a regulated industry, having Google’s data protection obligations in writing helps demonstrate to regulators that we take significant and concrete steps to protect your information. For customers subject to laws implementing the European Union’s Data Protection Directive, our data processing amendment also contractually binds us to remain enrolled in the U.S Department of Commerce Safe Harbor Program. And we indicate that Google Apps customers may opt-in to model contract clauses with Google.

While the data processing amendment does not affect the functionality of Google Apps, we believe customers with regulatory compliance considerations will find the amendment useful. You can access the data processing amendment from within the Admin console.

Millions of organizations use Google for Work today — they come from all sectors and more than half of our customers operate outside of the United States. You rely on Google to provide strong data protection capabilities, in compliance to your specific needs. With these tools in place, we hope to make it easier for you and third parties to verify that. For more information, visit our Google for Work and Google for Education trust site.

Data security in 2014: Make it more difficult for others to attack and easier for you to protect

Thursday, December 18, 2014

Posted by Eran Feigenbaum, Director of Security, Google for Work

We know you want to be assured that your digital information is safe and available when you need it. The series of incidents that riddled 2014 showed why it is important to stay ahead of those ill-intentioned people targeting online information. We have taken clear steps to make our products more difficult to attack, and to make it easier for you to protect your data. Innovative security technology is necessary today, and making it easy to use is equally important.

At Google, we take security very seriously and it's built into everything we do, from protecting our datacenters and your devices, to our partnership with the security community to stop bad actors on the web.

This year we raised the bar even higher. We created new security teams, our engineers discovered and helped fix vulnerabilities like Heartbleed and Poodle, and we took a series of concrete steps that will increase the security of our customers’ information:

In addition to these announcements, we offer strong contractual commitments to protect our customers’ information. We do not show advertisements or scan customer information for advertising in Google Apps for Work, Education, Government or Non-Profit, and we do not use data for any other purpose than to manage and deliver our services. These commitments are regularly verified by independent auditors, and this summer we published their detailed findings in our SOC3 security audit report. We also help our customers comply with their regulatory obligations, and we renewed and extended our ISO 27001 certification and certified our Cloud Platform to the PCI standard. We were excited to participate in the development of the new ISO 27018 privacy standard for cloud computing, and look forward to opportunities to engage in similar efforts in the future.

Next year, the bad guys will keep all of us on our toes as we expect the number of threats and their sophistication to increase. We will keep raising the bar — for example we have been working to improve passwords with the new Smart Lock for Android feature, and developing identification technology that makes typing-in complex Captchas obsolete. As we enter 2015, you can expect our continued investment in security and a guarantee that we will continue to find ways to make it simple for people to use our services in a secure and transparent manner.

New security tools to help improve online security

Monday, November 24, 2014

We are also launching the security wizard for Google for Work accounts. The security wizard guides users through steps they can take to turn on or adjust security features, like providing contact info for account recovery (if the domain security policy allows it), or reviewing recent account activity and account permissions. Plus, it only takes minutes for users to update their settings. This tool prioritizes all administrator settings for security features that end users are permitted to turn on. Access the wizard at g.co/accountcheckup.

Security in the cloud is a shared responsibility and keeping your company information secure is at the core of what we do everyday. By making users more aware of their security settings and the activity on their devices, we can work together to stay a step ahead of any bad guys.

Posted by Eran Feigenbaum, Director of Security Google for Work

As an IT manager, we realize you spend a lot of time managing devices, applications and security settings for everyone at your organization. To make your job a bit easier, today we’re announcing new security tools to help Google Apps users take more control of their security online.

A new Devices and Activity dashboard gives your users additional insight over the devices accessing their Google account. The page shows a comprehensive view of all devices that have been active on an account in the last 28 days, or are currently signed in. And in case any suspicious activity is noticed, there’s a setting to immediately take steps to secure an account and change a password.

Increasing security and productivity for iOS devices

Wednesday, September 10, 2014

Manage Google Apps: Set a policy that prompts employees to enroll their device when they log into Google Apps such as Google Drive and Gmail.
Configure WiFi networks: Distribute WiFi passwords and certificates to employees so they can easily connect to trusted networks.
Support for existing policies: Manage password requirements, data encryption and camera policies, as well as actions like remotely wiping a device, activation approvals and blocking devices.

iOS Sync will be available for Google Apps for Work, Google Apps for Education and Google Apps for Government beginning next week. Administrators should go to the Admin console to enable these new functions.

Work from anywhere, safely on your favorite device while keeping your work information secure with Google’s mobile management tools.

Posted by Clayton Jones, Product Manager, Google for Work

Marvel and DC Comics, Star Wars and Star Trek, Emacs and VI—we all have our favorites. And then there’s iOS and Android, each with dedicated fans. Regardless of which you prefer, there’s no reason your device of choice should get in the way of your work.

Alongside our Android device management solution, we’re introducing iOS Sync for Google Apps giving you and your company the increased security needed to protect your files, emails, documents and more on your favorite iOS phone or tablet. iOS Sync is integrated right into the Gmail and Google Drive apps for iOS, so you don’t have to take any action to download an additional app. And iOS Sync will support iOS 7, 8 and, of course, the new iPhone 6 and 6 Plus.

As part of iOS Sync, you’ll get the following additional security measures:

Manage Google Apps: Set a policy that prompts employees to enroll their device when they log into Google Apps such as Google Drive and Gmail.
Configure WiFi networks: Distribute WiFi passwords and certificates to employees so they can easily connect to trusted networks.
Support for existing policies: Manage password requirements, data encryption and camera policies, as well as actions like remotely wiping a device, activation approvals and blocking devices.

Google's cloud is secure. But you don't have to take our word for it.

Wednesday, August 27, 2014

Posted by Eran Feigenbaum, Director of Security, Google Apps

No matter how you slice it, mobile and cloud are essential for future business growth and productivity. This is driving increases in security spending as organizations wrestle with threats and regulatory compliance — according to Gartner, the computer security industry will reach $71 billion this year, which is a 7.9 percent increase over 2013.

To help organizations spend their money wisely, it’s essential that cloud companies are transparent about their security capabilities. Since we see transparency as a crucial way to earn and maintain our customers’ confidence, we ask independent auditors to examine the controls in our systems and operations on a regular basis. The audits are rigorous, and customers can use these reports to make sure Google meets their compliance and data protection needs.

We’re proud to announce we have received an updated ISO 27001 certificate and SOC 2 and SOC 3 Type II audit report, which are the most widely recognized, internationally accepted independent security compliance reports. These audits refresh our coverage for Google Apps for Business and Education, as well Google Cloud Platform, and we’ve expanded the scope to include Google+ and Hangouts. To make it easier for everyone to verify our security, we’re now publishing our updated ISO 27001 certificate and new SOC3 audit report for the first time, on our Google Enterprise security page.

Keeping your data safe is at the core of what we do. That’s why we hire the world’s foremost experts in security—the team is now comprised of over 450 full-time engineers—to keep customers’ data secure from imminent and evolving threats. These certifications, along with our existing offerings of FISMA for Google Apps for Government, support for FERPA and COPPA compliance in Google Apps for Education, model contract clauses for Google Apps customers who operate within Europe, and HIPAA business associate agreements for organizations with protected health information, help assure our customers and their regulators that we’re committed to keeping their data and that of their users secure, private and compliant.

Advanced security for Google Drive for Work

Wednesday, July 23, 2014

Posted by Chuck Coulson, Head of Google Apps and Drive Technology Partnerships

Last month we announced Google Drive for Work, which includes advanced Drive auditing to give organizations control, security and visibility into how files are shared. This new security feature helps companies and IT managers protect confidential information and gain insights into how their employees work.

Drive audit helps IT admins view activity on documents, such as uploading and downloading files, renaming files, editing and commenting, and sharing with others. Filters make it easy to sort and find details like IP address, date range, document title and owner’s email address. To make advanced auditing reports easier to manage, admins can set up alerts for important events like files being shared outside the organization.

To help organizations derive even more value from Drive for Work, we’ve been working with partners to give you even more capabilities through the Drive Audit API:

Backupify protects your Google Apps data through secure, automatic, daily backup allowing IT users to easily search and restore ﬁles with advanced administrative features, safeguarding your business from data loss caused by user errors, malicious deletions, hackers, and app errors. (website, blog post)
BetterCloud, through their flagship cloud management and security tool, FlashPanel, has enhanced their offering through the Audit API to provide additional controls and insight. (website, blog post)
CloudLock, who provides a pure-cloud Data Loss Prevention (DLP) solution for SaaS applications, has released a new version of CloudLock for Google Drive, leveraging the new Google Drive audit APIs, to enable large organizations to extend their enterprise security controls to the cloud. (website, blog post)
SkyHigh for Google Drive delivers Data Loss Prevention (DLP), mobile-to-cloud support, application auditing, data discovery, and anomaly detection without changing the Google Drive experience users love. (website, blog post)

And this is only the beginning. We invite developers and customers alike to get started with the Audit API to provide additional advanced security solutions for Google Drive. Learn more by visiting developers.google.com.

Google is committed to enabling organizations to be successful by leveraging a large community of ISVs. One of the areas we constantly invest in is our APIs, that allow customers and ISVs to extend the functionality of the Google Apps platform. If you’d like to join our ISV community, check out developers.google.com. For a list of ISVs supporting Google Apps, please visit the Google Apps Marketplace.

New Google Apps Mobile Management features for Android amp up productivity and security

Wednesday, May 21, 2014

Bring your own device (BYOD) is no longer just a trend — it’s how business gets done. With thousands of mobile applications to choose from and an increasing number of websites optimized for mobile, today’s employees can work whenever and wherever they choose. It also means IT organizations now have the dual challenge of both helping employees be more productive and protecting corporate data.

We're adding new features to Google Apps Mobile Management for Android to help your organization meet these challenges head on:

Inactive account wipe: Set policies that will wipe an inactive account from a device if it has not been synced for a predetermined number of days, so a lost device that wasn’t reported or the old device left in a drawer does not cause a security risk.
Support for EAP-based WiFi Networks: Configure settings and distribute certificate authority (CA) based certs for EAP networks.
Compromised device detection: Set policies that will detect signals for common forms of a compromised device, such as “rooting” or installing a custom "ROM", and block that device.
Additional reporting fields: Access new reporting fields via the API and Admin console to better understand the devices that are in use and troubleshoot issues. Additional fields include: Serial number, IMEI, MEID, WiFi MAC address, baseband version, kernel version, build number, mobile operator/carrier, language settings, and account ownership/management.

To learn more about these mobile device management features visit our Help Center. You can also visit the Google Admin console at admin.google.com to enable this service to help you rest assured that your corporate data stays safe.

Posted by Clayton Jones, Product Manager, Google Enterprise

Inactive account wipe: Set policies that will wipe an inactive account from a device if it has not been synced for a predetermined number of days, so a lost device that wasn’t reported or the old device left in a drawer does not cause a security risk.
Support for EAP-based WiFi Networks: Configure settings and distribute certificate authority (CA) based certs for EAP networks.
Compromised device detection: Set policies that will detect signals for common forms of a compromised device, such as “rooting” or installing a custom "ROM", and block that device.
Additional reporting fields: Access new reporting fields via the API and Admin console to better understand the devices that are in use and troubleshoot issues. Additional fields include: Serial number, IMEI, MEID, WiFi MAC address, baseband version, kernel version, build number, mobile operator/carrier, language settings, and account ownership/management.

Protecting Google Apps customers and their businesses

Friday, May 16, 2014

Posted by Amit Singh, President of Google Enterprise

Millions of businesses trust Google to keep their data safe—a responsibility we take very seriously. We focus on protecting our customers’ data from all unauthorized access, whether from common phishing, sophisticated hacking, or state-sponsored intrusions. That’s why this spring we implemented new, mandatory HTTPS connections to secure user access to Gmail and protect email messages as they move to Gmail servers.

Our commitment to your security doesn’t stop there, which is why we’ve recently added even more business-friendly features for our Google Apps Business, Government and Education customers:

Mail routing, delivery controls and SMTP relay service—Control the flow of information to and from your company with policy-based routing to ensure that company messages are filtered, even if they are sent from third-party or other non-Gmail sources.
Attachment compliance—Protect your business by blocking or rerouting messages based on what is attached to emails, providing controls over what content is sent and received.
TLS Encryption of message content—Prevent eavesdropping and message spoofing through secure encryption and delivery.

In addition to these increased security measures, as we recently announced, we’ve now turned off ads in Google Apps services. This means administrators no longer have the option or ability to turn on ads in these services. We’ve also permanently removed all ads scanning in Gmail for Google Apps, which means Google does not collect or use data in Google Apps services for advertising purposes.

Customers who have chosen to show AdSense ads on their Google Sites will still be able to display those existing ads on their websites. However, it will no longer be possible to edit or add new AdSense ads to new or existing sites.

All this is part of our commitment to providing the best security to ensure your data is protected, while strengthening the features our Google Apps customers care about the most.

Protecting Students with Google Apps for Education

Wednesday, April 30, 2014

Posted by Bram Bout, Director, Google for Education

Today more than 30 million students, teachers and administrators globally rely on Google Apps for Education. Earning and keeping their trust drives our business forward. We know that trust is earned through protecting their privacy and providing the best security measures.

This is why, from day one, we turned off ads by default in Apps for Education services. Last year, we removed ads from Google Search for signed-in K-12 users altogether. So, if you’re a student logging in to your Apps for Education account at school or at home, when you navigate to Google.com, you will not see ads.

Of course, good privacy requires strong security. We have more than 400 full-time engineers — the world’s foremost experts in security — working to protect your information. We always use an encrypted HTTPS connection when you check or send email in Gmail, which means no one can listen in on your messages as they go back and forth between your laptop, phone or tablet and Gmail’s servers — even if you’re using public WiFi.

Today, we’re taking additional steps to enhance the educational experience for Apps for Education customers:

Users who have chosen to show AdSense ads on their Google Sites will still have the ability to display those existing ads on their websites. However, it will no longer be possible to edit or add new AdSense ads to existing sites or to new pages.

We’re also making similar changes for all our Google Apps customers, including Business, Government and for legacy users of the free version, and we’ll provide an update when the rollout is complete.

On Thursday, May 1 at 9:00 am PT, we’ll be hosting a Hangout on Air on our Google for Education G+ page with myself; Jonathan Rochelle, Director of Product Management for Docs and Drive and Hank Thiele, Chief Technology Officer for District 207 in Park Ridge, IL who uses Google Apps. We'll be discussing these changes and answering your questions. We look forward to hearing from you.

For more information about student privacy in Google Apps for Education, please visit our website.

Staying at the forefront of email security and reliability: HTTPS-only and 99.978% availability

Thursday, March 20, 2014

Posted by Nicolas Lidzborski, Gmail Security Engineering Lead

(Cross-posted on the Official Google Blog and Gmail Blog)

Editor's note: The updates below apply to both consumers and Google Apps users.

Your email is important to you, and making sure it stays safe and always available is important to us. As you go about your day reading, writing, and checking messages, there are tons of security measures running behind the scenes to keep your email safe, secure, and there whenever you need it.

Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you're using public WiFi or logging in from your computer, phone or tablet.

In addition, every single email message you send or receive—100% of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers—something we made a top priority after last summer’s revelations.

Of course, being able to access your email is just as important as keeping it safe and secure. In 2013, Gmail was available 99.978% of the time, which averages to less than two hours of disruption for a user for the entire year. Our engineering experts look after Google's services 24x7 and if a problem ever arises, they're on the case immediately. We keep you informed by posting updates on the Apps Status Dashboard until the issue is fixed, and we always conduct a full analysis on the problem to prevent it from happening again.

Our commitment to the security and reliability of your email is absolute, and we’re constantly working on ways to improve. You can learn about additional ways to keep yourself safe online, like creating strong passwords and enabling 2-step verification, by visiting the Security Center: https://www.google.com/help/security.

Keeping you safe in 2013

Thursday, December 19, 2013

Posted by Eran Feigenbaum, Director of Security, Google Enterprise

Most businesses these days rely on technology to get their work done. And anyone who’s responsible for that technology — or even anyone who just follows the news — knows that 2013 was a big year for internet security. Of course, security has been a top priority for Google for over a decade. Millions of businesses trust Google to keep their data safe every day -- a responsibility we take very seriously. We focus on protecting our customers’ data from all unauthorized access, whether from common phishing, sophisticated hacking, or state-sponsored intrusions.

Google employs hundreds of full-time world-class security engineers. We were the first to offer important security tools, like free two-step verification, encrypted connections between your browser and our servers, and a handful of other security innovations. As a company, Google uses the same products and services that we offer to our customers. We run on the same infrastructure, in the same data centers.

Before businesses slow down for the holidays, we wanted to highlight a few of the many investments we’ve made and features we’ve launched in 2013 to help keep our customers — and everyone on the web — safe. Of course, there’ll be much more to come next year.

Offering new security tools for Google Apps administrators:

In addition to protecting our customers, Google also makes it easier for customers to protect themselves. For domain administrators, having visibility into and control over how their users’ accounts are working is a big help.

Suspicious login alerts: A new feature in the Google Apps Admin Console allows administrators to receive email alerts when our systems detect suspicious or unusual login activity in their users’ accounts. This helps admins stay informed of what’s happening in their domain — to a degree not possible with most email systems — and, when necessary, take swift corrective action.
Android device management: Organizations can manage smartphones and tablets - including Android and iOS - right from the Google Apps Admin console. The Android device management features include the ability to selectively wipe Google Apps account data without wiping a user’s entire device and require the latest version of the Device Policy app to ensure security policies are enforced across all devices.
Account recovery: A new account recovery process for super administrators helps keep their accounts more secure by allowing each super admin to specify their own recovery email address and telephone number. And the new mobile Admin app lets administrators quickly accomplish the most critical tasks (like suspending users or resetting passwords) wherever they are, using an Android phone or tablet.

Verifying our practices through third-party certifications and regulatory compliance:

When it comes to security and helping our customers comply with specific industry regulations, you don’t just need to take our word for it. Many of our security practices have been reviewed and verified by third-parties in the form of audits.

FISMA: The Federal Information Systems Management Act includes a rigorous evaluation of the security processes and data protections, and is required by U.S. federal government customers. Google Apps was the first cloud productivity suite to receive FISMA back in 2010, and we renewed our certification again this year.
ISO 27001: ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. After earning ISO 27001 for Google Apps in 2012, we renewed our certification again this year for Google Apps and received the certification for Google Cloud Platform.
SOC2, SSAE 16 & ISAE 3402: Companies use the SOC2, SSAE 16 Type II audit, and its international counterpart ISAE 3402 Type II audit, to document and verify the data protections in place for their services. We’ve successfully completed these audits for Google Apps every year since 2008 (when the audits were known by their previous incarnation, SAS 70) and we did so again this year for Google Apps and Google Cloud Platform.
HIPAA: This year, we started offering Business Associate Agreements (BAAs) to help our customers who need to comply with the Health Insurance Portability and Accountability Act (HIPAA) while using Google App.

Improving security for everyone on the web:

Our work doesn’t end with providing security for Google products or even Google customers. To keep ahead of the bad guys, we work with researchers and others in the broader security community to make sure the the web is safe for everyone.

Whether it’s creating easy-to-use tools to help organizations manage their information or keeping customer data safe from prying eyes, we’re constantly investing to ensure that Google earns and keeps your trust. Here’s to a happy, healthy, and (most of all) safe 2014.

More BYOD management features for Android devices

Thursday, June 27, 2013

Posted by Heman Khanna, Software Engineer, Google Apps for Business

More than ever, people are bringing their own mobile phones and tablets to work. This "bring your own device" (BYOD) trend appeals to companies that want their employees to be productive on the go, with devices they enjoy using. As an admin, your role in a BYOD environment is to make sure users keep their mobile devices secure.

Comprehensive mobile device management is included with Google Apps for Business, Government and Education. Organizations large and small can manage smartphones and tablets - including Android and iOS - right from the Google Apps Admin console, with no need for special hardware or software.

Today we’re adding new Android device management features based on top requests from our customers.

Selective wipe - Remove Google Apps account data without wiping a user’s entire device.
SD card wipe - During a full device wipe, wipe SD cards in addition to the internal memory.
Device Policy app - Ensure that security policies are enforced across all devices by requiring the latest version of the Device Policy app.
Wi-Fi configuration - Enter wi-fi settings in the Admin console once -- and they'll be automatically pushed out to all managed Android devices.

Android users can stay connected on the go with mobile apps like Gmail, Drive and Hangouts. Admins can manage their domain with the new mobile Admin app. And admins can let employees bring their own devices to work while keeping those devices secure and saving their employees time with Google Apps device management.

To learn more about these mobile device management features, visit our Help Center or start managing devices right away by visiting your Admin console at admin.google.com.

Safer Internet Day: How we help you stay secure online

Monday, February 4, 2013

For example, we encrypt the Gmail and Google Search traffic between your computer and Google -- this protects your Google activity from being snooped on by others. We also make this protection, known as session-wide SSL encryption, the default when you’re signed into Google Drive. Because outdated software makes your computer more vulnerable to security problems, we built the Chrome browser to auto-update to the latest version every time you start it. It gives you up-to-date security protection without making you do any extra work.

Even if you don’t use Google, we work hard to make the web safer for you. Every day we identify more than 10,000 unsafe websites — and we inform users and other web companies what we’ve found. We show warnings on up to 14 million Google Search results and 300,000 downloads, telling our users that there might be something suspicious going on behind a particular website or link. We share that data with other online companies so they can warn their users.

We know staying safe online is important to you — and it is important to us too. That's why we've had independent third parties perform inspections and audits for the data protections in Google Apps.

Please take some time today to make your passwords stronger and turn on 2-step verification to protect your Google Account. Talk with friends and family about Internet safety. And visit our new Good to Know site to find more tips and resources to help you stay safe online.

Posted by Alma Whitten, Director of Privacy, Product and Engineering(Cross-posted on the Official Google Blog.)Editor's note: Staying safe on the internet means being smart whenever you're online -- at home, at work and on your mobile device. The tips shared below are intended to help you protect yourself and your family. For more information about what Google does to protect our enterprise customers' data, check out our trust series on this blog and our security white paper. launchedGood to Know

perform inspections and auditsturn on 2-step verification

Google Apps Vault goes global

Tuesday, June 26, 2012

Posted by Jack Halprin, Head of eDiscovery, Googlelaunched"Google Apps Vault offers compelling capabilities and value for businesses around the world in preparing for litigation, investigation, and managing day-to-day business. Vault integrates seamlessly across the evolving Google platform while integrating with business and industries of all sizes. This is a key component in our forward thinking strategy to drive down costs and provide enhanced client service."

- Eric Hunter - Director of Knowledge, Innovation & Technology Strategies at Bradford & Barthel, LLPGoogle Apps Vault

Two new security features for Google Apps

Tuesday, June 19, 2012

Posted by Rishi Dhand, Product Manager, Google AppsSince we launched 2-step verification, we’ve seen millions of users enable it and thousands more do so every day. 2-step verification requires two means of identification to sign in to a Google Apps account: something you know (a password) and something you have (a verification code from your mobile phone). Even if someone has stolen your password, they'll need more than that to access your account. This additional layer of security greatly reduces the chance of unauthorized access via account hijacking or other means. Starting today, domain administrators can require the users in their domain to use 2-step verification. This new feature will help Google Apps customers accelerate their deployment of 2-step verification.

For businesses that use Microsoft Active Directory® (AD), we’ve added new capabilities to synchronize and manage passwords. Businesses can manage password policies (e.g. password strength, reset intervals, etc.) using AD and then synchronize from AD to Google Apps when passwords are changed. Passwords are transmitted hashed and encrypted during synchronization.

Learn how to configure this new 2-step verification policy in the Google Apps help center. Download the Google Apps Password Sync for Active Directory (GAPS), and learn how to configure it in the help center.

Google Apps receives ISO 27001 certification

Monday, May 28, 2012

In the early days of the cloud, security concerns were often at the top of business minds as they considered moving to Google Apps. More recently, though, security has become a major reason businesses are moving to the cloud. The reason for this shift is that businesses are beginning to realize that companies like Google can invest in security at a scale that's difficult for many businesses to achieve on their own. This investment has produced an infrastructure and a set of services with robust data protections for our customers.

Today we are proud to announce that Google Apps for Business has earned ISO 27001 certification. ISO 27001 is one of the most widely recognized, internationally accepted independent security standards and we have earned it for the systems, technology, processes and data centers serving Google Apps for Business. Our compliance with the ISO standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council, a member of the International Accreditation Forum (IAF). Certificates issued by Ernst & Young CertifyPoint are recognized as valid certificates in all countries with an IAF member.

“As a multi-billion dollar, global provider of packaging and packaging solutions, MWV understands the value of international standards. Many of our own processes are ISO certified. So, I am thrilled that Google Apps, our core communications platform, is also now ISO certified with its recent ISO 27001 certification. This certification validates what I already knew, through due diligence, about Google Apps - that the technology, process and infrastructure offers good security and protection for the data that I store in Google Apps. I think it's important, find it assuring and am very pleased that Google Apps will be audited and certified to this Information Security Management System ISO standard on an ongoing basis”

- Chet Loveland, CISO and Global Compliance Officer, MWV

This new certification, along with our existing SSAE 16 / ISAE 3402 audits and FISMA certification for Google Apps for Government, help assure our customers that Google is committed to ongoing development and maintenance of a robust Information Security Management System (ISMS) that an independent, third-party auditor will regularly audit and certify. For more information on the security audits and certifications for Google Apps, please review our certification 1-pager.

Posted by Eran Feigenbaum, Director of Security, Google Enterprise

Google Appsdata protectionsISO 27001 certification“As a multi-billion dollar, global provider of packaging and packaging solutions, MWV understands the value of international standards. Many of our own processes are ISO certified. So, I am thrilled that Google Apps, our core communications platform, is also now ISO certified with its recent ISO 27001 certification. This certification validates what I already knew, through due diligence, about Google Apps - that the technology, process and infrastructure offers good security and protection for the data that I store in Google Apps. I think it's important, find it assuring and am very pleased that Google Apps will be audited and certified to this Information Security Management System ISO standard on an ongoing basis”

- Chet Loveland, CISO and Global Compliance Officer, MWVSSAE 16 / ISAE 3402FISMA certificationcertification 1-pager

Keeping our environmental management and workplace safety standards high

Thursday, January 19, 2012

Posted by Joe Kava, Senior Director, data center construction and operations(Cross-posted from the Official Google Blog and the Google Green Blog.)ISO 14001OHSAS 18001environmentally responsible choice

The Dalles, Ore.

Council Bluffs, Iowa

Mayes County, Okla.

Lenoir, N.C.

Monck’s Corner, S.C.

Douglas County, Ga.

Adding business class management features to Gmail

Tuesday, January 17, 2012

Posted by Adam Dawes, Gmail Product Manager

Last year, we started integrating Postini’s business-class email security and management capabilities into Gmail and today we’re excited to be rolling out the latest round of integrated features. Google Apps administrators can now take advantage of improved email compliance footers, approved/blocked sender lists and file attachment policies. These capabilities help our customers address compliance requirements and effectively manage email traffic. Previously, Google Apps customers used Google Message Security, powered by Postini, to provide these capabilities.

With this new release, we’ve improved these features and designed them specifically to meet the needs of our Apps customers. Admins will manage the features natively in the Google Apps control panel (localized in 28 languages), leverage our granular policy framework to customize settings for different types of users, and join multiple rules together to address very targeted use cases.

These new features are available globally for Google Apps for Business, Google Apps for Government and Google Apps for Education editions.

Dominie Liang, IT Director at New Media Group in Hong Kong, was able to use the new features to quickly address his company’s compliance requirements:

"Our legal team wanted us to add a compliance note to all of our outbound email. Thanks to Google's new email feature set, we could easily add the rich text format disclaimer with Chinese characters to the email footer, and solved the issue within a minute."

George Krieger, Technical Services Manager, Mazda Raceway Laguna Seca, adds:

"The new message footers in Gmail have made it easy for us to standardize our email signatures and more effectively promote our race schedules. And I love the ability to delegate control of these to our Media department so they can change them when they want without having to call me. This is a major improvement for us."

With the addition of these features to Gmail, there is no longer a need to use Google Message Security (GMS) with Google Apps so we will no longer offer GMS to Google Apps customers. We’ll work with those customers currently using GMS to migrate their settings to these new features. For more information on these features and how customers can migrate to them please refer to this Google Apps Help Center article and the Transition Guide.

Official Blog