Google has announced several new security tools for G Suite admins and users, as well as a new 2FA option: one-time security codes based on security keys.
Email security enhancements
The security sandbox and advanced phishing and malware protection options are for G Suite administrators to switch on via the Admin console.
The former will allow Gmail to detect the presence of previously unknown malware in attachments by virtually “executing” them in a secure sandbox environment, and analyzing the side effects on the operating system to determine malicious behavior.
“This is done in a matter of minutes prior to the delivery of the email, and provides users with an extra layer of security,” Google explained. “If turned on, users may notice a delay of a few minutes in the delivery of affected mail due to scanning time.”
(The feature is available only for G Suite Enterprise and G Suite Enterprise for Education customers for now.)
The latter allows admins to:
- Direct emails that match phishing and malware controls to a new or existing quarantine.
- Pinpoint emails with unusual attachment types and either warn the user to be extra careful, send them directly to the spam folder, or send them to quarantine.
- Apply the same options to inbound emails spoofing the organization’s domain.
As noted before, Gmail users can choose to send “confidential” emails: emails that have an expiration date, that require a passcode to be viewed, and that can’t be forwarded, copied, downloaded or printed.
This should reduce the risk of confidential information being accidentally shared with the wrong people, but it does not prevent recipients from taking a screenshot of the message or a photo of it.
Last month, Google announced that, if no action is taken beforehand, Gmail confidential mode will be turned on by default when the time comes for a wider introduction of the feature (i.e. now). Admins can, of course, turn the feature off.
If they choose to keep it on, users can take advantage of the “confidential email” option by clicking the “lock and clock” icon at the bottom of the window of a newly started email.
One-time security codes
And, finally, Google has decided to tweak its 2-factor authentication/verification offerings by providing a one-time use code option for situations where security keys won’t work.
“Security keys often don’t work with Internet Explorer and Safari, iOS apps, remote desktops, and legacy applications that don’t support FIDO protocols. With this launch, users can now generate a security code with their security key, which can then be used to authenticate their login attempt where the security key itself won’t work,” the company noted.
“For example, a user may need to access a web application that federates their Google identity, but only works on Internet Explorer 11. While the browser can’t communicate with a security key directly, the user can open a Chrome browser and generate a security code, which can then be entered in Internet Explorer to gain access to the application.”
The option must be enabled by the organization’s G Suite admin, and certain users will get it by default. (Check out how to use it here.)
Google warns admins to carefully evaluate if their organization needs security codes before enabling this new policy.
“Using security keys without security codes helps to provide maximum protection against phishing. However, if your organization has important workflows where security keys can’t be used directly, enabling security codes for those situations may help improve your security posture overall.”