Google Workspace: New account security, DLP capabilities announced

New capabilities in Google Workspace will help enterprises improve account and data security, by making unauthorized takeover of admin and user accounts and exfiltration of sensitive data more difficult.

Some of these options are already available in preview and others will by the end of the year.

Google Workspace account security enhancements

Google Workspace (formerly G Suite), is a cloud-based suite of productivity and collaboration tools and services. It has a number of features available only to business and enterprise audiences, such as advanced settings, administrative tools, work insights, data retention and eDiscovery, and more.

In this latest announcement, the Google Workspace team said that:

• 2-Step verification (2SV) will soon be mandatory for enterprise administrators of Google’s largest enterprise customers and resellers
• Workspace administrators will be able to require that sensitive actions (e.g., changing 2SV settings for a user) must be approved by two administrators
• Google’s AI-powered defenses will provide automated protection for sensitive actions in Gmail such as setting email filtering or forwarding (actions that are often exploited by attackers to delete/intercept email)
• Workspace administrators will be able to easily export Workspace logs into Chronicle (Alphabet’s cybersecurity subsidiary that offers cloud-based analytics of enterprise security-related data)

A multi-party approval request in Google Workspace Admin console (Source: Google)

To increase account security, Google recently also started supporting passkeys for Google Workspace accounts.

New DLP and digital sovereignty controls

New capabilities that enhance enterprise data loss prevention (DLP) have also been outlined, and they will allow security teams more control over the sharing of sensitive information via Gmail, and who can share sensitive content in Drive (e.g., depending on security status).

Administrators will also be able to use Google AI “to automatically and continuously classify and label data in Google Drive to help ensure data is appropriately shared and protected from exfiltration.”

Finally, a new way to keep enterprise data safe from third-parties will be made available, and it involves client-side encryption and storing encryption keys with trusted providers.

Organizations will also be able to choose whether their data is processed in the EU or the US, to store a copy of their Workspace data in a country of their choice, and to make sure that only specific regional support personnel can access it.