7 security improvements in G Suite

1. New alert management and collaboration features in the alert center beta

What’s changing 

We’re launching a beta for the alert center for G Suite which will enhance the existing alert center and make it easier for admins to manage and collaborate on alerts. Specifically, the beta will mean you’ll be able to:

• Set status, assignee, and severity of alerts: Add key information to help your team take ownership of, assess, and collaborate as you work through security investigations. 
• Use a more powerful search: Find alerts more easily by searching for alerts that contain a specific email address. 
• See related alerts: The alert detail view will show other alerts related to the same actor or user to help discover possible related security incidents. \
• See alert change history: See the history of metadata or content updates to that alert. This includes when status, assignee, or severities have changed.

How to get started 

• Admins: Find out more and sign up for the alert center beta here. 
• End users: No action needed. 

Helpful links 

• Help Center: About the alert center 
• Sign up page for alert center beta 
• Google Cloud Blog: Increasing trust in Google Cloud: visibility, control and automation

2. Increase email security with the security sandbox for Gmail beta

What’s changing 

Security sandbox for Gmail (beta) detects the presence of previously unknown malware in attachments by virtually “executing” them in a private, secure sandbox environment, and analyzing the side effects on the operating system to determine malicious behavior.

Email attachments are detonated within a sandbox in the exact same way as they would if an actual user had clicked on it. This is done in a matter of minutes prior to the delivery of the email, and provides users with an extra layer of security. Security sandbox has been developed with a focus to provide coverage against malware propagated through malicious embedded scripts and zero day threats. The security sandbox for Gmail beta will provide:

• Granular admin controls for rules to trigger pre-delivery deep scanning and quarantine behavior for potentially malicious emails 
• Reporting through the G Suite security center 

How to get started 

• Admins: Find and turn on the beta security sandbox feature at Admin console > Menu > Apps > G Suite > Gmail > Advanced settings. Use our Help Center to find more information on how to detect harmful attachments. 
• End users: No action needed 

Additional details 

Granular admin controls 
If desired, admins will be able to set up custom rules to control which messages are tested in the security sandbox. If custom rules are not applied, all messages with attachments sent to the OU will be checked in the sandbox. Rules can be customized for each organizational unit (OU). Admins can also decide what to do with messages that have malware. Malware detected by Security Sandbox is put in the spam folder by default. You can quarantine malware attachments detected by Security Sandbox instead. Create a content compliance rule using the spam metadata attribute.

Availability 

Rollout details 

• Rapid Release domains: Full rollout (1-3 days for feature visibility) starting on April 10, 2019 
• Scheduled Release domains: Full rollout (1-3 days for feature visibility) starting on April 10, 2019 

G Suite editions 

• Available to G Suite Enterprise and G Suite Enterprise for Education 
• Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits 

On/off by default? 
This feature will be OFF by default and can be customized at an OU level.

3. Advanced phishing and malware protection for Gmail beta

We’re launching a beta program to provide admins with even more controls for advanced anti-phishing and malware protections via the advanced safety settings in Gmail. These build on the advanced protections we announced in 2018. Admins who are part of the beta will have new controls to:

• Place emails into a quarantine – Route emails that match phishing and malware controls to a new or existing quarantine. This will be available for new and existing controls. 
• Protect against anomalous attachment types in emails – Identify emails with unusual attachment types and choose to automatically display a warning banner, send them to spam, or quarantine the messages. 
• Protect your Google Groups from inbound emails spoofing your domain – Identify unauthenticated emails potentially spoofing your domain and choose to automatically display a warning banner, send them to spam, or quarantine the messages. 

In addition to the new controls, we’ll also update the interface to make it easier to see what settings you have applied and understand what actions you’re taking as a result of each control.

How to get started 

• Admins: Find and turn on the beta features at Admin console > Menu > Apps > G Suite > Gmail > Safety. You’ll find new options to turn on anomalous attachment and groups spoofing protections, and see the quarantine option available for all controls. Use our Help Center to learn more about how to enhance phishing and malware protection. 
• End users: No action needed 

Additional details 

Place emails into a quarantine 

All the advanced safety settings for Gmail now let you quarantine emails more easily. Choose to move any email that meets certain criteria to a pre-existing quarantine, or create a new quarantine for such messages. Use our Help Center to find out more about email quarantines.

Protect against anomalous attachment types in emails 

Less common file types as email attachments are often used to spread malware. However, different domains might have legitimate uses for uncommon file types. Therefore we’re giving admins more control over how to handle emails with these files attached.

What is identified as an anomalous attachment will be automatically customized for each domain. An intelligent algorithm determines which file types your domain commonly receives and will model the detection based on that. For example, a specific file type may be commonly used on Domain A, but not on Domain B. If both domains had the “Anomalous Attachment” setting enabled, an email with this file type attached would be flagged for Domain B, but not Domain A.

You can see which file types are filtered for your domain by going to the security center’s suspicious attachments chart, filtering by “Anomalous Attachments” and then looking at “Attachment Extensions” (available to G Suite Enterprise and Enterprise for Education domains only).

Admins will be able to:

• Turn the uncommon attachment type detection on or off. 
• If turned on, choose whether to keep relevant emails in the user’s inbox with a warning banner displayed, send emails to spam automatically, or move emails to quarantine. 
• While we expect the anomalous attachment customization described above to work well, if needed admins can whitelist specific uncommon file types they don’t want identified. 

Protect your Groups from inbound emails spoofing your domain

External senders can spoof emails to appear as if they come from your domain, using the same protocols that enable many legitimate systems to send email. This setting extends your options to control potential spoofing emails by preventing spoofed messages from posting to Google Groups on your domain. Use our Help Center to find out more about spoofing. Admins in the beta will be able to:

• Turn the Groups spoofing protection on or off. 
• If turned on, choose whether to keep relevant emails in the user’s inbox with a warning banner displayed, send emails to spam automatically, or move emails to quarantine (if available). 
• Choose whether to apply the settings only to Private Groups (groups with specifically limited membership or intended for organization members only) or All Groups (Private Groups + ones without restricted membership) 

Availability 

Rollout details 

• Rapid Release domains: Full rollout (1-3 days for feature visibility) starting on April 10, 2019 
• Scheduled Release domains: Full rollout (1-3 days for feature visibility) starting on April 10, 2019 

G Suite editions
Controls are available to all G Suite editions. Chart to view affected emails available is part of the security center and so is available to G Suite Enterprise edition only.

On/off by default?
This feature will be OFF by default.

4. Use an Android phone as a security key for 2-Step Verification

What’s changing

We’re adding an option to use your Android phone’s built-in security key for multi-factor authentication in G Suite. All phones running Android 7.0+ (Nougat) have a built-in key which can be activated. This means your users can use existing phones as a primary 2-Step Verification method to protect against phishing. Using a phone as a security key is currently offered in beta.

Why you’d use it 

2-Step Verification greatly improves the security of your account by adding another layer to your account security and making it more resistant to phishing attacks. By adding the additional option of using your Android phone’s built-in security key, we’re expanding access to phishing-resistant 2-Step Verification method in a convenient form – your phone. This can make it faster for you to implement 2-Step Verification in your organization while keeping user training and overall costs to a minimum. 

Previously, in order to protect your users against password phishing, the only option was to use a security key fob. With this beta, their mobile phone can be that security key.

How to get started 

• Admins: See how to enforce the use of security keys in your organization. 
• End users: See how to activate the security key on your phone. 

Additional details 

• Available to G Suite, Cloud Identity, GCP customers, and personal Google Accounts. 
• Available on phones running Android 7.0+ (Nougat) with Google Play Services. 
• Compatible with Bluetooth-enabled Chrome OS, macOS X, or Windows 10 devices with a Chrome browser. 

Helpful links 

• Help Center (Admin): Enforce the use of security keys to help prevent phishing 
• Help Center (End Users): Use your Android phone’s built-in security key
• Google Cloud Blog: Increasing trust in Google Cloud: visibility, control and automation 

Availability 

Rollout details

• Rapid Release domains: Full rollout (1-3 days for feature visibility) starting on April 10, 2019. 
• Scheduled Release domains: Full rollout (1-3 days for feature visibility) starting on April 10, 2019. 

G Suite editions 

• Available to all G Suite editions in beta. 

On/off by default? 

• If 2-Step Verification or Security Key Enforcement is turned on for an organization, Android phone will be available as an option for security keys by default.

5. Dynamically control G Suite access with context-aware access beta

What’s changing 

We’re launching a beta program that enables G Suite admins to dynamically control access to G Suite apps based on a user’s identity and the context of their request (device security status, IP address, etc.). Members of the beta will be able to:

• Set up different access levels based on a user’s identity and context of the request., 
• Use granular controls for different organizational units (OU) 
• Control access to several G Suite apps by setting different policies for the different access level profiles that have been set up 

Why you’d use it 

Currently G Suite admins can turn access to apps and services on or off for specific OUs or groups of users. This beta will provide more dynamic controls, so you can take into account contextual signals, such as device security status or IP address, to control access to those apps and services. Examples of access controls that can be set up through the context-aware access beta include:

• Only users from corporate-owned device and a corporate IP address can access Google Drive. 
• Only a “High Trust” group can access Google Drive when not on a corporate IP address. 
• Only users from an encrypted device with a screen lock enabled can access Gmail. 

How to get started 

• Admins: This is an opt-in beta. Admins can opt-in by changing their security settings Admin console> Security> Context-Aware Access
• End users: No action needed

Additional details 

In the beta, context-aware access will only be configurable for Gmail, Calendar, Drive, Docs, Sheets, Slides, Forms, Sites, and Keep. You’ll be able to use the following contextual signals to control access:

• IP Subnet (specific IPv4 or IPv6 address) 
• Device policies as reported through the Endpoint Verification extension, including whether a device password is active, device encryption status, minimum OS versions, and company-owned devices. 

You can apply policies by OU or to the whole domain, and all admin activity is logged in audit logs in the Admin console > Reports > Admin view.

Availability 

G Suite editions 

• Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium 
• Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free.

Stay up to date with G Suite launches

• Get G Suite product update alerts by email
• See the G Suite launch release calendar
• Subscribe to the RSS feed of these updates

6. Increase trust in cloud data security with Access Transparency

What’s changing 

We’re making Access Transparency for G Suite generally available. Access Transparency enables you to get more visibility into actions taken by Google staff related to your data. You can view the reason for each access, including references to specific support tickets where relevant, which may help you support your audit requirements.

Access Transparency is available to G Suite Enterprise and G Suite Enterprise for Education customers only.

How to get started 

• Admins: Admins with the Reports privilege can go to Admin Console > Reports > Access Transparency. Use our Help Center to learn more about Access Transparency. 
• End users: No action required 

Additional details 

Access Transparency will allow admins to:

• View the reason for data access, including references to specific support tickets where relevant. 
• Verify why Google staff is accessing your data, such as fixing a fault or attending to your requests. 
• View and download logs to help you support your regulatory audits or data archival needs, showing extensive information such as accessor location, access justification, and the action taken on a specific resource. 

Helpful links 

• Help Center: About Access Transparency 
• Google Cloud Blog: Increasing trust in Google Cloud: visibility, control and automation 

G Suite editions 

• Available to G Suite Enterprise and G Suite Enterprise for Education edition only. 
• Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits 

On/off by default?

This feature will be ON by default.

7. New email alerts and location for easier alert center management

What’s changing

We’re making some improvements to the alert center for G Suite. Specifically we’re:

• Moving the location of alert management for predefined admin alerts in the Admin console to the system defined rules section.
• Adding optional email notifications for more alerts.

We hope that this will help you identify and take action to resolve potential issues affecting your domain. To get the most out of the alert center, you could also sign up for our recently announced beta, which will help you collaborate and track the status of alerts within your domain, as well as triage faster with insights from related alerts.

How to get started

• Admins: 
  • To see predefined admin alerts, go to Admin console > Security > Alert center > Settings (gear icon), or directly access the new System defined rules section. 
  • Use our Help Center to find out how to set up and configure administrator email alerts.
• End users: No action needed.

Additional details

Moving alert management location

• The alert management controls for predefined alerts could previously be found at Admin console > Reporting > Alerts. They will now be at Admin console > Security > Alert center > Settings (gear icon). 
• These predefined admin alerts include: 
  • User granted Admin privilege 
  • New user added 
  • Email settings changed 
  • And other administrator email alerts
• There will be no change to any settings (whether email alerts are on or off, or the email subscriber list for any alerts) or the content of the alerts. We’re just moving where you should go to manage them. There will also be no change to the location of custom alerts. For the moment, they will still be at Admin console > Reporting > Alerts. 

Email notification options for more alerts 

• We’re adding an option to get email notifications for several existing alerts that previously didn’t have the option to receive emails. 
• These alerts include: 
  • Domain data export initiated 
  • Phishing message detected post-delivery 
  • Spike in user-reported spam, and others 
• For each alert, you can choose whether to turn them on or off, and to specify which email address the alerts should go to. 
• The email alerts will be on by default. To change or turn off email alerts, they can be adjusted at Admin console > Security > Alert center (gear icon), or directly access the new System defined rules section.

Helpful links 

• Help Center: About the Alert Center 
• Help Center: Turn Alert Center alerts on or off 
• Help Center: Configure Alert Center email configurations 
• Admin console: Access System defined rules section 
• Sign up page for Alert Center beta 

G Suite editions 
Available to all G Suite editions.

On/off by default?
These features will be ON by default.