Google has introduced new security options for G Suite customers, including Advanced Protection for enterprise users and access control for apps accessing G Suite data.
Advanced Protection for high-risk users
The Advanced Protection option had been in beta since August 2019, and is now generally available to all G Suite editions and on by default.
It allows admins to enforce a specific set of high-security policies for the employees in their organization who are most at risk of targeted attacks by highly motivated professional or government-backed groups – employees such as IT admins, executives, and employees in regulated or high-risk verticals such as finance or government.
The high-security policies include:
- Authentication with security keys
- G Suite account data access restrictions for untrusted third-party apps
- Enhanced email scanning for threats
- A stricter account recovery process
- Download protections from Google Safe Browsing for certain file types (when signed into Google Chrome with the same identity).
By default, all users will be able to enroll in the Advanced Protection program, and it’s up to admins to turn off the option for specific users.
More information is available here.
App access control
“G Suite has a robust developer ecosystem, with thousands of apps available via the G Suite Marketplace and directly to customers, and a rich API framework enabling customers to develop custom apps. Not all apps, however, will conform to every enterprise customer’s security policy, so our customers and partners value controls to manage third-party apps accessing G Suite data,” Google explained.
The new app access control feature is aimed at reducing the risk of data loss by limiting access to G Suite APIs only to third-party apps admins trust.
App access control will allow admins to identify apps being used and see which have been verified to access restricted OAuth2 scopes, understand which apps are being used and get support information about them, and manage what data each app can access and which users are empowered to use it.
This feature will be on by default for all G Suite domains.
New Google Cloud services and features
Google has also announced the imminent introduction, or the beta or alpha roll-out, of several other security services, namely:
- External Key Manager, which will provide customers with the option of storing and managing encryption keys outside of Google Cloud (in a third-party key management system)
- Key Access Justifications, which will allow customers to automatically approve or deny Google the ability to decrypt their data based on the detailed justification provided
- Packet Mirroring service for collecting and inspecting network traffic for Compute Engine and GKE (Google Kubernetes Engine)
- Event Threat Detection for detecting threats targeting customers’ cloud resources using logs.
External Key Manager and Key Access Justifications are especially aimed at meeting regulatory compliance for European organizations.
More information about those services is available here.