As companies move to the cloud, keeping data secure is always front of mind. While Google is quick to point out that it has never had an exploit in Google Workspace, it doesn’t mean it isn’t working to continually stay ahead of security issues.
Today, the company announced a number of security-related enhancements to Google Workspace products including GMail and Drive, some of which will take advantage of AI to automate certain tasks. It’s important to understand that these tools are still in development or various stages of testing, but Google plans to add these updates later this year and in early 2024.
For starters, Google wants to enhance its zero trust model, a concept the company helped develop. Google defines zero trust as, “a cloud security model designed to secure modern organizations by removing implicit trust and enforcing strict identity authentication and authorization. Under zero trust, every user, device, and component is considered untrusted at all times, regardless of whether they are inside or outside of an organization’s network.”
As part of that approach, Jeanette Manfra, senior director of global risk and compliance at Google, says the company is announcing a couple of new capabilities that combine the idea of zero trust with the notion of data loss prevention (DLP). “We’re bringing the two together, and adding an ability to improve how you classify using AI capabilities within Drive. And so what this does is it automatically and continuously classifies and labels sensitive data, and then applies appropriate risk-based controls,” Manfra said at a press event this week.
In addition she said that they are adding enhanced DLP controls to Gmail to enable administrators to prevent users from inadvertently attaching sensitive data, especially when it shows up especially in unexpected places. “So say a customer inadvertently sends sensitive data in a customer support email. This allows a Gmail customer to take the controls and sort of raise the bar on their security policies,” she said. For instance, admins could disable download or prevent copy and paste on those documents.
Another big area of focus with these new tools is being sensitive to location and what can be shared, so Google is also adding some context-aware controls in Drive so that admins can set criteria such as a device location that must be met in order for users to share sensitive data.
Andy Wen, director of Product Management for Google Workspace, says that the company is also putting AI to work to help admins peruse log data for data breaches and behavioral anomalies, and to look for suspicious actions in Gmail that could indicate a hacker has gained access to the account.
Data sovereignty in particular is a big problem for companies, who need to ensure that certain information remains within their control. As part of that, the company currently offers client-side encryption on the desktop, but it plans to add it to mobile versions of Gmail, Calendar and Meet and other Workspace tools.
Weir says that central to this is that customers control the encryption keys, meaning that Google can’t see this data, and if law enforcement were to ask, there would be no way for Google to share this information.
“Keep in mind that the key benefit of client-side encryption is it protects your data where regionalization can be inadequate,” he said. “We do it by issuing an additional set of encryption keys that only the customer controls. This additional key encrypts the customer data – we call it from browser to browser – so that Google can never actually see the original content,” he said.
While the company has let customers choose a data residency location when the data is rest in the past, it will now add the capability to choose where to process that data. For starters, that will only include the EU or the United States.
These and other new features are in development and will be released in the coming months. Google was fuzzy on the pricing details, but it will probably depend on the type of account you have, and the particular feature, whether they are included or you have to pay extra.