
Deep dive into Google Workspace security: How to make safe and smart collaboration a reality

Despite how central it is to business success, security can often be seen as a detractor to productivity - with 37% of enterprise IT leaders and knowledge workers saying security and regulatory policies are the biggest challenge to an effective employee digital experience. With Google Workspace, you can provide your organization with a safer, more secure, and compliant way to work - without compromising on productivity and efficiency. Done right, security can feel invisible to employees and effortless to IT, giving everyone more time and attention for higher value work. Join this session for a deep dive into Google Workspace security features, including live demos, Q&A, and best practices covering foundational security principles, advanced security options, and encrypted communication features. By the end of this session, you'll be equipped with practical insights and expert knowledge to harness Google Workspace's full potential - ensuring your team works confidently and collaboratively in a safe digital environment. Join, learn, and engage with the Google Workspace Community: https://goo.gle/gws-community

Google Workspace

Streamed 5 months ago

Hello everyone, thank you for joining us today for our session on Google Workspace security. My name is Lauren and I'm the content manager for the Google Cloud community, and I'm thrilled to be here today with Kevin, solution engineer and our Google Workspace expert, who will be taking us through the content today and answering your questions. So with that, questions are encouraged, so please feel free to add them into the YouTube chat box and we'll be sure to get to them either in the chat or near the
end of the presentation, and for any questions that we don't get to, we encourage you to ask those into the Workspace Q&A forums in the Google Workspace community, and you can find a link to that in the YouTube description. All right, with that I will hand it over to you, Kevin, to jump right into our content today.

Great, thanks Lauren. Hey everybody, my name is Kevin. Like Lauren said, I'm kind of a product specialist on Google Workspace, so I'll be taking us through a deep dive into the security side of the product. And mostly what you're going to see here is a couple of slides about a particular feature; I'll explain what that is, we'll jump into a demo, kind of show around what the admin side of it looks like. For some of them we'll show what the end user will experience, but this is mostly geared towards admins who are in control of the admin console: what they can configure, when they would use it. So with that being said, we can just go ahead and get started.

So just to recap, um, Google Workspace is kind of this one and all platform for a flexible, innovative and secure work environment, and we're kind of going to take a look into that third one as a deep dive. So we're looking at the red piece down at the bottom: how do we do data leak protection, how do we do zero trust, how do we do context aware and risk management. That's generally what we're going to tackle here, and we'll start with data protection. So what we're talking about here is a couple of numbers: we block on average over 15 billion types
of spam messages from reaching our users on Gmail, itself blocks over 99.9 percent of phishing, malware and spam-related messages, um, and so just kind of some numbers here to throw out before we actually jump in.

Okay, so feature number one that we're going to talk about, we call it DLP. It stands for data loss prevention, and the scenario here is to help the admins, the users, prevent accidental or, um, purposeful data leakage. And the idea with this is if you try to share content outside of your organization that contains sensitive information, whether it's sensitive to the company or it's sensitive according to some other standard, a credit card number, a social security number, we provide those controls so that you can prevent that from actually happening, and we'll take a look at that demo in just a sec. So with this we can enforce actions such as warn the user that a particular item contains sensitive info before they share it out, allow it but log it, or block that incident from happening. And you can do this with a couple of different ways: we can use word lists, regular expressions, or we could even use our own templates that Google provides to prevent users having to configure those themselves. To add on to that, we are also able to leverage Drive labels to kind of increase that security posture, and so the idea with this being you can go into a document, mark that document as sensitive, top secret, internal only, and have that trigger the protection of whether a document should be shared out or
should not be allowed to be shared out. And so where can we target this? With DLP and Google Workspace we're able to target any document within Google Drive, Gmail, Google Chat messages, and then Chrome. We'll talk about Chrome, uh, because it's kind of a special scenario, but anything that lives within Drive, whether it's a PDF, an Excel document, a native Google document, uh, we can prevent that type of information from being shared through those mediums, including Chat and Gmail as well.

Last feature that we're going to talk about before we start one piece of the demo is what we call trust rules. And so the scenario with this is: previously, when we talked about DLP, this was generally meant for, hey, there is sensitive information in this particular document, we don't want that to be shared because it's sensitive. What trust rules allows you to do is tackle the concept of sharing as a whole, and the reason why admins would want to do this is if you're working cross-functionally with vendors or contractors, a subset of your users might need to collaborate with that third party, but nobody else should be able to share documents between each other, for the same risk of data leakage, sensitive information being shared out. And so trust rules tackles that piece of it. Uh, it controls who can share and who can receive with which other entities, whether they're internal or external, and we'll take a look at that in just a second as well. Uh, but generally the idea for this one is if you work with different
organizations, some orgs should be able to collaborate, others there's no reason for them to, so from a security perspective we want to prevent that from happening.

All right, so with that being said, let's actually take a look at some of the demo pieces, and we'll go in order: we'll start with DLP, we'll take a look at what that looks like, and then we'll switch over to trust rules. Okay, so you're now seeing my admin console. So as an admin I want to configure a policy to prevent sensitive information from being shared externally, and so what I'm going to do is from the security page I will head into Access and data control, Data protection, and I'm going to manage a rule. So in order to actually trigger this I need to have content to look through, so what specifically should be blocked. I have a couple of options here: I could use a regular expression, or I could use a word list if I already know specifically what content to protect, for example reference to a specific internal project or a specific word, a phrase, an email address. I can set that information here, or I could leverage the templates as I mentioned earlier, and that's what we're going to do here. So I'm going to create a rule, and the scenario that I want is prevent any financial information from being shared externally. And financial information could include credit card numbers, it could include Social Security numbers, any other types of PII that could generally be found in the finance industry. So I'm going to select that as my template, because Google will provide all of the content types that will match it, and so that takes the onus away from me as the admin having to write all these different policies myself. So I'm going to select that, and then I have to figure out where should this target, who should be affected by this policy. Some of these, maybe some of our users do need to be able to share this information for valid reasons, but not everybody else, so we have the granularity to tackle specific OUs or specific groups
from this rule. And here's where we can select, um, where, what's the scope of these different policies. As I mentioned, everything in Google Drive is covered, whether it's a native document or not, same thing with Google Chat, and then Chrome is a bit of a special case that we'll look at a little bit later, but just know we can do this at the Chrome level, it just requires an add-on as well. So let's tackle that example: let's do Google Drive and Google Chat, nobody should be able to send out this information through either of these mediums. So we'll hit continue, and here's what we can select: all of our different types of data, and this is coming from Google's template system. So we have things like credit card numbers, we have bank account numbers, domains, email addresses, a bunch of stuff that we can use here that we can play around and mix and match from either our own content or templates. So let's hit continue here, and now we're taken to the actions page. So what happens if I actually want, um, or what
should happen if something happens to this data: if somebody tries to share it out, what should be the action, the result? And we have a couple of options here for Google Chat. So if I send a message to somebody that contains this information, I can block that message, I can warn the user and let them know that this contains sensitive information and you must say yes, I'm okay with that, send it anyway, or I can choose to keep it in audit only, just for monitoring reasons, as well as scoping where we should
monitor this activity. And we can choose to, now in beta, provide a custom message telling the user exactly why this message was not able to be sent or why they receive that warning, and you can optionally include a link to maybe your internal policies on how to safely communicate data, or something external. With Google Drive we have a couple of different options: we can block whole the external sharing, we could warn, but we could also disable the ability to download, print and copy that file, so even if we do share that document, we don't want people to make copies of it and put them into their own local devices. And we could also apply Drive labels so that we could automatically classify these documents as internal, NDA only, restricted. Flexibility here is kind of a key, and we can choose to allow the user to make changes to this if we need to. And then of course the last piece is out how do we actually get this information as admins, as security teams: we can set alerting policies here for who should be alerted based on this criteria.

Now as a user I have this example credit card data. It's just mock data, there's nothing real here, but it will trigger these different policies. And so what I as a user can see is on the top right hand corner I have this warning symbol that tells me that this particular document contains sensitive content, so visually I know that something else is happening here. And if I try to share this out, and I try to share this with an external domain, so this is somebody outside of my company, could be a Gmail, it could be somebody else, and if I try to send that out, we're going to contain the error message that this is blocked because it contains restricted content and therefore we cannot share that, and that's just all based on the policy that I set previously.

Let's go back over here. So the next thing we're going to talk about is the Drive sharing, the trust rules as we call them. So for that we're going to go into the rules page of the admin console and we can create a new trust rule. And so with this you can have policies that say, for example, if you are in engineering you can share to engineering, but you should not be able to share documents to the marketing team, for example. There's no reason, at least in this scenario, why those two teams should be able to provide documents to each other. So we can say engineering to marketing, then we can specify the scope, so I could include my engineering team so that only they are affected by this policy, and I can toggle whether this should affect on the receiving side or the sharing side, so if I share a file to somebody or if somebody tries to share that to me, what should happen. So I'm going to tackle sharing files first, and then I'll add my condition, and here's where I can target exactly who is going to be in scope for whether I should block this or not. And the options are kind of plentiful here: I can target a specific user, so if for some reason I have a need to block your user from sharing any documents, I
can choose that here. I can tackle this by the organizational units, so in our example this would be marketing, but I could also use Google Groups, and the really neat thing here is you could also leverage external organizations. So going back to the earlier example of if you're working with a third party, a vendor, we want to pick out just those people that we're working with, rather than the entire company, to be able to have this permission. Same thing with domains, and even anybody with a Google account, so preventing, for example, Gmail sharing specifically. Hit continue, and the actions are pretty straightforward here: we could either allow that sharing to happen, we could allow it with a warning, or we could block that from happening. And so if I'm a user and I'm working on my engineering design document internally, which has internal only information, I should not be able to share that document to people in marketing or anybody with a Google account; that should only remain available to the engineering team as a whole. We'll talk about the reporting, the visibility, all that kind of stuff in just a second, um, but from a feature perspective this is what an admin would look to create and what the end user would experience. So with that we're going to switch back over to the presentation, talk about a couple more features, and then we'll switch back to a demo.

Okay, so here's what we're going to spend a couple of minutes here. Google Workspace provides the Security Center, and this is kind of a three-piece tool, if you will. The security health on the far left hand side, that is a way that Google is going to check your policies, what your admin has configured, against Google's best practices and optionally provide recommendations for what you could do to increase that posture. And so this will check, for example, do you have X enabled in the Gmail settings, have you enabled two-factor authentication, should you, here's the reason why, provide you that recommendation as well as a checkbox if you've done so. Tool in the middle of the security dashboards, this is for the admins who want to get a holistic view of what security looks like at the domain level. So for example, how many emails are coming in that are bouncing back, or how many are being encrypted, how many are going to spam, how many files have been shared externally, scenarios like that where you have a question and it just makes the most sense to visually see it with numbers so you can then track it down later. And in order to actually track it down later, you leverage the investigation tool, and so this is kind of that discovery tool that's available for admins so they can look through specific data logs, Gmail, Drive, Google Voice, user action, so on and so forth, and they can look for specific attributes that they're interested in: was an email deleted, was something forwarded, was something downloaded, did a user fail a login. Those types of scenarios is where you can use the investigation tool to kind of understand. So these three tools make up
the Security Center, and this is where admins tend to spend a lot of time to understand what security is looking like in their environment, as well as being able to create some policies around it. So let's take a look at it. We're going to share the demo environment again, and this time we're going to go into admin, security, Security Center, and we're looking at these three tools here. Security health is the easiest to kind of explain: it just compares a bunch of the policies that you may or may not
have enabled, the status of them, as well as recommendations for why you might want to do or do not make these available, as well as a support article where you can learn how to actually implement that particular thing. And if you do, we provide this checkbox that tells you that you've enabled this thing, you're good to go, this is secure, we can move on. And you can see a couple of examples here: some are disabled so that we can provide recommendations, some of them are enabled and they have that
green check box, but this tells me as an admin where could security be lacking, what can I improve, where are the potential threat vectors. One sec while I drink some water.

Okay, so now we're seeing the dashboard. So this is the second feature from the slide deck. This, like I said, is more for admins to provide holistic overall security view of their environment. So here we can see, for example, how many messages were encrypted with TLS. In this case we have some specific numbers that we can back that up, and if we need to we can view that report to drill deeper into who, where, when, what was that message. A couple of other examples here are where are the incoming messages going to: are they being sent over to the, uh, spam, are they being sent over somewhere else, what's happening here. Suspicious attachments is a regular, uh, commonly used one, and then one that I forgot to explain here is this one, external file sharing. So this will help answer the question of how many documents are out there in the world, who
has access to this document, what can they see, what permissions do they have, how do we get that visibility. This is a dashboard that shows you overall what that looks like.

Okay, and now we're going to look at the investigation tool. This is generally the most powerful tool that you have access to as an admin, because you could do plenty of different things with it, including some stuff that should require an extra bit of justification, so we'll examine what that looks like. But this is really your
super powered search across everything security, everything logs in your admin console. So if you have a question of, hey, I know that this email in particular was sent but it should not have been sent out, people received it that should never have gotten it, so how do we take that information back, how do we delete that email without informing everybody that this happened? So as an admin I can look through a different data source, in this case Gmail, and I can add some conditions about what I'm particularly searching for. In my case I know that that email contained this particular subject and it was sent to this user. I'm going to hit search, we'll wait for those results to come back, and now what I have is a clear understanding of that email. So I can pull it up and I can see the ID, the headers, who it was sent to, where it came from, when it was delivered, a whole bunch of information that I might need for this. And optionally I can choose to employ some of these policies that say if we're going to do something particularly sensitive, we should be able to provide justification for why we're doing it, so from a logging perspective we can see that information here. And here I have the original message, so if they contained an image, for example, I can recover that if I need to, download it for further analysis, see the entire thread. But I could also take actions on this email: so if I need to delete the email, I can do that without having the user do it themselves. I can bulk delete these emails from the inbox, or restore them if they had previously been deleted and it's been past the 30 days for an admin to recover, I can use this to do that, as well as being able to take some administrative action to send something elsewhere: put it as phishing, put it as spam, send it to quarantine, or if it was already there, put it into the inbox, and I can do this in bulk with a bunch of different emails.

So another scenario that's useful here is to find those documents that are externally shared and figure out who has
access to it. So I can look at any documents that are shared externally that are owned by this particular user, and maybe the document type, we just care about Google Docs for this case. So I'm going to hit search here, so we'll give it just a second, and this will search for the past six months of information, so 180 days give or take from when something happened, you will be able to find that information in here. So here's a couple of those documents, and I could here choose an action again to audit the file permissions and understand exactly who has access to that document, whether it's a Gmail user, some different company, anybody with a link. I can figure that out and revoke the permissions if I need to, I can remove the users as well, disable the ability for this file to be downloaded, change the owner, as well as do a couple of other things. And so this is really kind of a powerful tool, there's a lot of different stuff. These actions will be different based on what logs you're querying through, so
for users, for example, this could be a scenario where you find all the users who failed their login three times and maybe you choose to reset their password from here. Another thing that this lets you do is actually build custom dashboards, so if the dashboards that are pre-integrated by Google don't meet your needs, or you have additional ones that are particular for your environment, you can create your own custom chart based on the investigation that you craft in here, provide a description, provide
a title, and now you have yourself a dashboard in here to monitor and take action if you need to.

Now the last thing that's worth calling out here is the activity rules. So this actually lets you do a little bit of automation, a little bit of preemptive measures, so I can choose to say every time that this happens, I need you to do this other thing in here. So an example could be if you find that somebody deleted a particular email that contained some type of keyword, maybe something from HR, and somebody deleted that, I want you to automatically restore that message. We shouldn't have to worry about that use case, we want those messages to be just put right back into the inbox. Or the opposite: if you have something that triggers some policies within your company and it finds its way, the email does, into one of your employees, delete that email automatically, as well as the alerting and the severity for this. So a lot of stuff that we can do in here. This is all being recorded, so it should be useful
if you want to go back and see the different options in here. Won't spend too much more time in here, let me go back to the slide deck here. Just did that demo.

Okay, so these next two things are more for compliance reasons. There's a couple of questions that came in about how do we do compliance, how do we ensure that you meet things like GDPR, etc. These are two of the ways that we do that. I'll start with data regions. The idea with this is some companies have needs to store their data elsewhere, some of them have to be able to control that this particular group of users, their data has to live in Europe for GDPR, this other group of people, their data has to live in the US, this third group, maybe we don't care where it is. So we have that ability to kind of fine tune where that data resides.

Now going back over here, this is more for the highly regulated industries who have a need to encrypt their own documents in a way that they can manage the encryption mechanisms: they are in control of the encryption keys as well as the identity service to make everything actually work together. And so that feature, client-side encryption, it actually takes the encrypting mechanism away from Google and puts it in the hands of the customer, so they can host the encryption keys wherever they choose, they can control exactly who has access to it, for regulated industries usually is the case, and they can either do it themselves or they could do it with a third party, partners such as the ones listed in that third
bullet point there. But the idea with this is we need to be able to collaborate in Google Docs, in Gmail, still have meetings, still have calendar, but we need to be in charge of the controlling mechanism that encrypts and decrypts that information.

And security sandbox: the problem here is with attachments. Attachments are a good threat vector to kind of deploy malicious scripts, zero day exploits, other types of embedded threats into something you can just double click, and a PDF for example. And so what
the security sandbox does is it essentially provides a virtual environment, if you will, virtual machine, where you take that document and you could double click it, essentially, to figure out what it's doing: what calls is it making, what processes is it spinning up, analyzing it if it contains any of these potential threat vectors. And then as an admin you can choose to put that into spam and disable the users from actually downloading it or clicking on that link or anything that could result in them actually triggering that vector. And so you can use this in conjunction with the DLP features that we talked about earlier, so if an email comes in to your C-suite, for example, and it contains specific keywords and an attachment, you might choose to deploy the security sandbox for that attachment for those users instead of for every attachment for everybody. So you have that granularity to kind of fine tune when should you use this, when should you not.

All right, access control and BeyondCorp
Enterprise. So access control is really more about how do we ensure that the people that need access to something are meeting the correct requirements for it, and so it's going to speak to BeyondCorp, which is an add-on product under Google Workspace. But the way that this used to be done was through a VPN, so a user would set their computer, click on their VPN, enter their credentials, and at that point once they're connected to the network they see all of their resources, they can click, they can log
in, etc. But with this new way of working, now that we have this hybrid work, a lot of people are remote, some people have company devices and then their own device the next day, some people are traveling, and they all need access to these same services, the VPN solution starts to kind of show some security gaps there as well as some control gaps. And so the way that we tackle this with Google and with Google Workspace is with a couple of different components. One of these is Titan keys for added
verification, it's a two-step authentication, and we'll talk about how that relates to what we're just talking about here, but context-aware access is kind of the important one here. The idea with this is whereas a VPN is about network-based access, if you're in the network you're trusted, if you're outside you're a threat, this takes that and kind of decouples it so that each application provides its own mechanism for when you should have access, when should you not. So each application dictates the
controls for that user, and so we do this based off of what we know about the user, what do we know about their device, what do we know about what other potential services are reporting about that user or that device, and then we put that information together to either grant or block access to that service. So I'll give you an example here. We're going to find this under Security, Access and data control, Context-Aware Access, so just give me a second to log back in and we'll be back in just a sec.

All right, so access levels, this is where I actually define what is the policy. So you can see a couple of examples in here: you're a Chrome user, you can select a policy that says for this particular application, maybe whatever is considered a corporate resource, an internal resource, that must be accessed from Google Chrome; for other applications maybe we don't really care about if you're accessing it from Chrome or Edge or Safari or anything else. So we'll create an access level here, access to Gmail, and
we can have a couple of options here. If I want to do a basic rule, I can choose based on the IP, so if I only want people to be working on this if they're in the office, and we know what the office's network looks like, we can choose that, as well as the location, so if we only want access for a particular application if you're in the US, we can select that in here. If you don't have any users in some other country, you can just block any access coming from that country. And device and device OS level: there was a question that came in about how do we ensure that users aren't using their personal devices to access corporate resource. This would be an approach to that, so if your device is admin approved or if it's company owned, maybe then we'll allow access, but if it's not, so if it does not meet either of these attributes, we're going to reject that, and so a user is not going to be able to get access to those resources until they meet these policies. And you can of course combine these with others
as well. So that was basic. You could also do advanced, so if these needs are a little bit too basic, as the name implies, for your needs, you can choose to use advanced and actually create your own policies in a pseudo scripting language. So for example, you could have requirements that say if you're going to get into a particular application you must have two-factor authentication and that second factor has to be a hardware key. If you're going to do it from a company device, maybe it's two-factor but it could be a passcode, it could be something else, a text message, but if it's coming from a, uh, personal device, that has to be a hardware key. So you can write these types of policies for your needs. It's again at the application level, and even at the user group and OU level, because they're going to have different needs: contractors might have different needs and different information about the device and different apps that they need access to than your full-time employees, marketing is going to work on different applications than engineering, so we should be able to, uh, trigger each of these depending on that app and where that user lives. So for example, if I want marketing to use Calendar, I want them to only use that with Google Chrome and they have to be on a company device, so I can assign those two policies there, and if they don't meet them I can choose to block, and I can also choose to block the application itself, so not just the web access but also the mobile app if they have it on their phone, as well as APIs. Go ahead and cancel out here.

Alrighty, so we're almost done. Uh, the last thing that we're gonna have to touch on here is, I'm sorry I can't demo this to you, I don't have a separate device in here, but you can do this for first party applications as well as third party applications. So if you have SAML applications, things like Salesforce or Slack or Asana or any of these other types of applications, you can apply those same policies here, it's not just Google's native tools. And now to
kind of hit the point home, we just talked about secure access. The idea and the lead up to BeyondCorp is we want to be able to protect your corporate data while users work securely and effectively on the web from anywhere with any device. It doesn't matter if it's a company owned device, a bring your own device scenario, if they're in the office one day, at home the next, all those different pieces that move. As long as we are able to evaluate the user itself and their device at the time of access, that's when we should apply these policies, instead of assuming that just because you connected fine yesterday you should be able to connect again today for the same application.

And so that leads us into what we call BeyondCorp. This is kind of that next step of zero trust. Briefly, what this is is Google's implementation of the zero trust architecture, the trust nothing, verify everything type of model, and you already saw some of that functionality leading up to this with context-aware access. So this is something that's built on Chrome, so there is no kind of extra agent that has to be run on every computer, on every device, on every endpoint. This is all coming straight through Chrome as that agent that is going to allow or block or apply policy, and so obviously this requires no extra overhead from managing applications and software, and the users don't have to worry about making sure that they're turning on that particular tool every single day and that they log out at the end of the day, making
sure that it's up to date etc this is just the same way that they can access any applications through the web now you're doing it with the protection and backing of Chrome and BeyondCorp so what does it actually do like what does it actually do from a practical perspective it ensures zero trust to not just Google's applications and Google workspace applications which is what we just saw with context-aware access BeyondCorp lets you take this to the next level and protect the applications that
live for example on the web or sorry on the cloud or on-prem even so applications that normally are outside of the scope of Google workspace if you have something running on GCP our cloud or AWS or Azure or something else or even if you have something running on-prem locally in some servers somewhere BeyondCorp can help secure access to all those different applications so you can still administer and secure that properly so you could apply those same policies and say if you're gonna if you want
to get access to that web application that's hosted on whatever cloud you must be in the US with two-factor on a company device otherwise you're going to have to meet these other requirements or maybe just block access completely the next thing that's going to do and this is where we can circle back to the Chrome piece that we saw earlier at the beginning of this presentation in DLP BeyondCorp is what allows you to extend those protections to anything at the Chrome level so we'll take a look at
that in just a sec but with standard vanilla Google workspace you can protect workspace applications Drive Gmail chat but you have sensitive information that lives elsewhere in other resources in your CRM tool in your HR tool for example that is information that still needs to be protected and we don't want in some scenarios users downloading that into their own personal device or uploading something from their device over to those services for maybe compliance reasons or even just general security
and so what BeyondCorp allows you to do is actually kind of extend that protection and apply the same policies to anything happening on the browser so let me show you a quick example uh but we'll finish it up here third thing that it does is malware and phishing protection because we're using Chrome as the entry point Chrome provides that safe browsing API that lets you do content analysis prevent um particularly malicious files from making their way in or out to a user's device or your corporate
systems and then it provides you that visibility and those insights to identify who are the high risk users where is data transfer happening where are these leaks so provides you those logs and that visibility as well as the ability to kind of put that into a SIEM Chronicle for example so you can evaluate this with a whole bunch of other logs and you start to build yourself a better narrative of security for your entire organization so let me switch over here we're going to go back to data
protection and just a sec Security Access Control Data protection manage rules so similar scenario this time we don't want any health information maybe we're a healthcare company and we need to protect any information from making their way into a system where it should not live or making its way out of a system to again where it should not be so in my case I'm going to apply this to everybody in the policy everybody has to be affected by this and with BeyondCorp this allows me to target Chrome
for this information so I can see that in addition to protecting my workspace applications I can protect any file that is being uploaded into Google Chrome any file that's being downloaded if we are copying and pasting for example or if we're printing a document or even if we're visiting URLs that are considered you know um either dangerous suspicious or even if you as an admin have a need to disallow sensitive information in social media websites gambling websites any of those types of scenarios
all we need to do is just toggle these in here choose what type of content we want to scan so maybe in my case I'll scope this down a little bit I care about file upload file download I can click on content here and I can analyze the file size the file type so maybe a particular category right so text applications images multimedia so on and so forth I can target specific MIME types if I know what those are so these could be JSON credentials PDFs scripts so on and so forth a bunch of information
that you have access to here but you could target exactly what you need to make sure that it doesn't make its way out or up into those resources or out of them so let me choose an example here we're going to block this in here and then in Chrome we can just block that file outright from being uploaded or we could allow with a warning or even just audit if we need to and then if I'm an admin after I've set up these policies I want to understand what the visibility looks like has this triggered
any policies what domains what applications which users I can leverage the dashboards and BeyondCorp will provide these new information around my threat vectors on Chrome the high risk users the ones that are uploading and downloading the ones that are clicking around copying information what domains are the most risky all this type of data protection summaries I can view these and in my case thankfully I don't have anything to show but this is generally where you're going to collect those logs
and understand what is happening outside of just Google workspace what's happening with those other applications that people are getting to through the web let me go back in here I think we're almost done with slides uh it looks like we're doing good on time we are all right so it looks like we have about eight or so minutes um to kind of talk about some stuff every one of these of course could be their own hour-long session if not more DLP security investigation tool in particular has a lot
of things that you can do activity rules and automations a bunch of stuff that we can generally tackle but really the purpose here is to kind of provide that exposure what it would look like what can it do when would you use this or that as well as some of the extensions of where else you can go with this in particular with BeyondCorp with those security keys to manage access instead of relying on for example a VPN or no control at all and so of course the theme of the topic is security these are
different ways in which different companies will choose to secure that environment for different reasons maybe some of them work in highly regulated industries or they themselves are a government entity everybody stands to benefit something out of these different types of controls if not all of them so we have about uh five or so minutes six or so minutes or so Lauren I guess I'll hand it over to you do we want to talk about resources answer some questions yes thank you so much for that presentation
uh information and the demos and thank you everyone for sticking with us here and for all of your questions so we will actually take it through to the hour and go through briefly just a few additional resources and then jump into your your questions so um hang tight and we'll be sure to get through those so first uh just a few resources for you at the top is that workspace community so if there are any questions we're not able to get to today that is where you can ask them and also search
for answers um because it may already exist and be answered there um you can also stay up to date on future events like this one there and the link is in the YouTube description that second link is uh our Google workspace security white paper so you can check that out and get more information about what we covered today thirdly is the feedback form for this event which we'll drop into the chat box in just a moment but it'll just take 30 seconds to a minute and we'd love to hear your feedback
on this session and any ideas or topics you have for future sessions and then lastly are just highlighting a few of those that are coming up focused on workspace um particularly with some product updates next week and diving more into security with Microsoft AD and Azure Active Directory on the 28th and then lastly diving into Apps Script on October 6th all right well moving along we'll jump right into your Q&A so we did receive a few pre-submitted questions which we believe will cover some that
you have as well but then we'll jump right into the the chat so let's let's dive in our first question is uh around data encryption so what encryption standards does Google workspace adhere to yeah good question so this is the advanced encryption standard so AES 256 um we'll use 21 and 128 bit and above this and more information about how specifically do we encrypt it at rest in transit where the processes happening what locations who can access this is all information that is covered in our security
white paper so that is easily accessible online Lauren pointed it out just a slide ago that's something you can go in and read for yourself exactly how we handle encryption but in standard is AES 256. great thank you and just drop that link into the chat as well so you can have quick access to it okay so around compliance and regulations how does Google workspace help organizations meet industry specific compliance requirements like GDPR and HIPAA are there tools or features to assist with
compliance reporting yeah uh thanks for the question so with all things generally regulated Google is not the arbiter if you will so Google's not the authority on whether you as a company are compliant it tends to be a shared responsibility where as the company as a software provider we will ensure that we meet XYZ requirements and we provide we provide those reports but as you saw in the presentation here we provide the tools so that you have access to the right tooling to ensure that you are
meeting those requirements according to whatever your auditors are looking for so for example DLP is a tool that we provide as a way to prevent external sharing now you as the as the company can choose to use that and provide justification that you will have some controls around this and you can show those features to those auditors so we provide the tooling we provide our compliance status and we provide some in the case of HIPAA we provide an implementation guide about some of the watch points
some of the things that you should or should not configure or disable but it's generally a shared responsibility so the answer is we do provide the tools we provide the features but we don't provide the the check box if you will we do have service partners that can help with that though great makes sense okay I do want to make sure we get to your live questions so we can come back to any of the pre-submitted ones if we have time uh but let's dive in so uh can I use trust rules to prohibit users
in a particular organizational unit in our org from being able to discover files that are shared and searchable to the rest of the org yeah so trust rules are generally about the concept of sharing and receiving files so the action of me clicking share on a file putting your name or anybody from that OU and trying to send it that's what trust rules is going to allow or disallow it's not so much about the searchability of those documents makes sense okay our next question is what if I have set
up multiple domains and I am sharing with our domain shared in Google workspace why is it still triggering for internal sharing and how to avoid not to apply on internal sharing uh so Muhammad I think this might be talking about uh trust rules I'm not entirely too sure uh this is going to depend on a couple of different things when you say multiple domains is it a secondary domain an alias domain inside of the same workspace tenant or if they're different instances that exist uh in which case we
might consider some of those as internal some of them are external but a good way that you can start is actually using the investigation tool to search for the rules themselves and see what events triggered it that'll hopefully get a little bit of a better perspective of why could it be happening but generally this is something that we would want to investigate at a deeper level unfortunately makes sense and yep if you have any additional context too you can add that into the chat or into the community
so we did get a couple of questions around uh you know which features are available for which SKUs so um you know Kevin if you have any additional context on that including any of the features that you shared today and at the same time I'm going to drop a link to our support article about comparing the different workspace editions so you can have that on hand yep so the environment that I was using was Enterprise Plus which is the highest tier of Google workspace so a lot of the features
that you saw in there are only available on that SKU client-side encryption is one of them the Gmail logs themselves in the investigation tool and a couple of others but things like DLP things like the security center things like context-aware access those are available generally um on any Enterprise SKU and some of them are available on business but uh the holistic picture of everything that you saw today is available in Enterprise Plus and that breakdown that Lauren will send will tell you exactly
which features are in one versus the other great thank you yep and that resource is in the chat now okay from Stephen it seems entries are only logged in the drive log events data source if an event has been logged against a specific document ID what if we are outside the six month retention window Drive API yeah so this is a good point the investigation tool is meant for it searches across logs generally meaning something had to have happened to a file to a user to an app and then that generates
that log which is valid for six months we are talking internally and we're trying to do some work around being able to search and query through static data such as broad searches broad information that doesn't require a particular event but it's not something that we have uh finalized yet so Drive API would be that resource that you would need for that type of information now one thing that I forgot to mention is this only the investigations tool only keeps logs for six months but you do have
the option to export all of these logs into BigQuery for example which is our kind of data warehouse and so that will retain document logs for as long as you need them for and then you can use SQL or SQL like queries to build a lot of those investigations on that side of the house if you need them for longer great how to deal when we need to share a file with a partner with edit permission and we don't want the file to be downloaded yeah so part of this is going to be a combination of this file
um label type so with DLP for example you can say doesn't I don't really care about the content itself but if it has this particular label I want you to allow it but don't let people download that file so DLP is probably the answer that you're looking for here you can just target any type of content or not really much content at all you can use the label and you can do it that way you could also set up some additional policies around just drive sharing in general so you are ensuring that only
the right people are getting that file and they're not taking action beyond that it's great from Chris you mentioned a rule to only allow access if using the Chrome browser I couldn't find docs on this is it possible and I believe that's the context-aware yeah so I can actually show you that really quickly here so we're going to go in here into Access Control context-aware access and this is something you're gonna have to write as part of the advanced um access control so this here but I've written
that policy here and we'll wait for that just a sec to load okay so here's an example of that policy we can say that the device Chrome has to be at least this version so that's an example of how you would write that particular policy so that if you're coming from anywhere that's not that device with that configuration you will be rejected and so in general you're going to find a lot of this information in the access context manager documentation so this is where we can talk about every different
attribute that you can target so here's where Chrome is for example you can choose to see if it's managed unmanaged uh if this particular policy is enabled or not but a lot of information you'll find it in the access context manager documentation great thank you okay we'll move on is the BigQuery integration also only available for Enterprise Plus um if you know off offhand we can answer it here or we can also look back into the the documentation that we shared for clarification I believe you
don't need Enterprise Plus um and actually yes that is correct so you can do exports to BigQuery and Frontline and Enterprise Standard and Enterprise Plus as well as a couple of our education SKUs so it's not an Enterprise Plus feature thank you since a lot of critical updates have come out on Chrome browser what's the best way to ensure everyone's browser is updated automatically yeah so Google actually provides a for free um the CBCM the Chrome browser Cloud management which is a an add-on that
you can get in the admin console it's free like I mentioned you can assign that to every user and that allows you to actually manage the browser itself so you can set what policies are enabled on it what extensions can be allowed um how to manage updates to ensure that it's forced update or users can toggle it on their own so Chrome browser Cloud management is the tool that you're looking for to manage all things Chrome as an admin great can we control the Google drive to be open from a specific
IP but not to be opened from mobile or other IPs you can yes so that would be a part of the context-aware access policy so again I will quickly share this over here so Access Control context-aware access you will create your policy first so if you have a specific IP subnet so an internal IP so I am not too worried about sharing this but um you set your policies or your ranges with CIDR notation and then what you can do is you can go into Google Drive assign it and then toggle that particular
IP policy that you just created and so anybody coming in from that IP they're valid they can get in there if you're outside of that range you will be blocked got it and thank you for your question around where can we get a synopsis of this session so the recording will be available as soon as we end today and you can watch it from the same YouTube link that you're using right now um but we'll also be planning on doing a recap summary uh in the Google workspace Community itself so that we can pull
away the the key takeaways from here so stay tuned there and we'll be sure to do that um and then we did just see a follow-up um from Jeff regarding the um BigQuery access and you know I'll I'll mention if if you have any additional context to Kevin if you you can reach out to your account rep to get additional contacts or information and also uh contact support if needed but uh any troubleshooting tips Kevin I know we have a limited information but any advice you might have yeah so generally
what happens is BigQuery is managed on the Google Cloud platform side so all the access controls there's a lot of controls there that could be conflicting from the workspace side of it though um all we really need to verify here is under reports BigQuery export you have to enable it first and you have to provide that particular ID for wherever BigQuery is and then a data set within it and that's really the only controls that are available that you need to worry about in workspace if there's access
controls that could be part of um IAP or sorry IAM on the GCP side which would be unfortunately outside of the scope of workspace but it is something that we can definitely help with uh it's generally more of getting in contact with the rep for your account and we can take a look great thank you okay I think we have time just for a couple more so here's one is there is a new integration announced with Okta and Chrome managed browser will I be able to have a separate uh context-aware access policies
for each Okta application I believe the answer to this one is yes I'm not too aware of what Okta's integrations could be doing but with workspace and with BeyondCorp you can target applications that are SAML and even cloud-based so if those applications are SAML applications and Okta is being used as the identity provider for example um I don't foresee any issues with applying those policies to them got it okay I think we'll just take two more is it possible to create a rule if an email goes
to quarantine and it's from a specific recipient and gets and if it's from a specific recipient gets automatically allowed yes so this would be part of the activity rules which those are an Enterprise Plus feature for Gmail so you can create an investigation in there to target where did that email go spam phishing etc and then you target that specific user the activity rule the action that would be set there is to put that message into the inbox great all right last one and thank you again all
as a final reminder if you do have any questions that we weren't able to get to uh please drop them into the community and our team will be monitoring them and your peers are able to help you out as well what if I have set up multiple domains oh we actually already asked this one um sorry about that I think we have one more from this person there we go DLP rules if we set up for external sharing on drive or email it will trigger for if we are sharing the document or email internally between the
domains we configured in Google workspace how to fix this yeah so DLP is meant for if the content itself is sensitive and is trying to leave the organization that's when DLP is is a valid use case if that data is going to be leaving the organization for internal sharing whether something should be allowed should not be allowed that's generally when we leverage uh trust rules as a concept and that's generally because the needs are different and it's not really sensitive information in the sense
of its company information but it's should not be shared externally that's a different type of sensitive than between teams and I believe there's a question around earlier or I guess a point about recent updates with Chrome uh so kind of sideways related Google workspace is constantly releasing new features every week sometimes every day so the Google workspace updates blog is one of those resources that's valuable to keep track of that's where we post everything that's changed who's affected what
versions is it available on what does it do how to use it so the workspace update blogs as well as the Chrome releases update blog are valuable tools to kind of have in your tool belt for keeping up to date with everything we're doing great point I'm going to drop a link to the workspace updates blog as well amazing thank you so much Kevin thank you everyone for joining us uh we will be keeping an eye in the community for your future questions um if you do have a moment we'd love to hear your
feedback um or any ideas or topics that you suggest for future sessions um with that Kevin any final thoughts or recommendations before we close out today uh no other than the resources that we've provided if you have anything about could we potentially use this how do we get the conversation going around potential upgrades or seeing what we have access to that's something that the sales specialists for your account are happy to get that conversation going so please reach out to them for these
types fantastic thank you everyone and we hope to see you next time

Comments

@richardjay3571

thanks very much for information... much appreciated

@Hyperion-Prime

content is great but you should consider uploading in 1080 instead of 720

@goddes236

❤❤❤️❤️👍

@4OnlineJob.Com______VisitNow17

I appreciate the time and effort you invest in your videos. You're making a difference!