Google introduces 11 new security features for Workspace (some AI-powered)

Google announces a large set of cybersecurity improvements to its Workspace offerings. Some may even be for you and your company.
Written by David Gewirtz, Senior Contributing Editor
mollypix/Getty Images

Google Workspace, your most secure choice in productivity suites, will be getting even more secure. That's the message driving Google's announcement today of 11 new features and capabilities for its Workspace service. 

Citing a 38% year-over-year rise in cybersecurity attacks in 2023, coupled with an average cost per data breach of $4.3M, Google revealed a variety of new security enhancements, some now in preview, others coming later in the year. 

Also: Ransomware attacks broke records in July, mainly driven by this one group

It's unclear which Workspace plans will gain these new features. Google did mention that some are intended for their biggest customers, but whether the rest of these filter down to SMB services is unclear at this time. 

And with that, let's run down the full list of new capabilities:

Zero-trust and DLP 

The idea behind zero trust is that security extends beyond the first password login. Never trust. Always verify. For example, if someone manages to break into your network, they're still blocked from getting to internal resources on the network.

DLP, aka data loss prevention, refers to services that prevent the theft of data from a network.

Also: The best VPN services right now: Expert tested and reviewed

In that context, Google is introducing new zero trust controls and DLP capabilities for Workspace.

AI-powered classification and labeling for Google Drive: As in Gmail, labels can be applied to documents in Google Drive. With this new feature, some labels will be applied automatically, based on conditions specified by admins. Automatic labeling sets up the documents for further controls within Workplace. This feature is now available in preview.

Context-aware DLP controls in Drive: Some to-do list managers can be set to deliver pop-up notifications for specific to-do items at specific locations. For example, if you have a to-do item to get rockfish while at the grocery store, as soon as you walk into the store, the notification fires. The new context-aware controls for Drive work like that. Admins can set different levels of security based on context. These might include device location, device type, security status, user role, and more. This feature will be available for preview later this year.

Extended DLP controls in Gmail: While Google was unclear about exactly what controls these might be, they are intended to prevent the sharing of sensitive information. Perhaps these will include controls for forwarding messages, or reading messages in certain contexts. (For example, some messages can only be read at work.) That's speculation on my part, though, since Google hasn't elaborated at all on this capability. This will be available for preview later this year.

New digital sovereignty controls

Digital sovereignty describes the idea of geographic location for data governance. For example, does your data live on servers in the US or in Europe? Where do the keys live? This is important when it comes to data security laws, and the laws of various governments about what can be shared or subpoenaed by entities outside the original corporate owner.

Also: Check your SSDs: What to know about the SanDisk/Western Digital data loss disaster

Google says it's going beyond data residency with digital sovereignty controls. Here are the four capabilities they're introducing.

Client-side encryption enhancements: Client-side encryption (CSE) is exactly what it says: encryption on the local device before it goes to the server. The idea is that if the data is locked down before reaching the network, it's secured. Google is introducing a wide range of CSE enhancements, including support for mobile apps like Calendar, Gmail, and Meet, setting CSE defaults based on organizational units, and more. Because this is a laundry list of enhancements, some are available now, while others will show up over time.

Specify the location of encryption keys: New partnerships with Thales, Stormshield, and FlowCrypt enable Workspace customers to choose which country's servers house their encryption (and decryption) keys.

Choose where your data is processed: Currently, Google supports your ability to choose where your data is stored -- in the EU or US -- when it's just being stored. Now, Google says you'll also be able to choose where your data is processed (that is, where the CPUs that chunk your data live). This is expected to be previewed later this year.

Choose which region supplies Google support techs: Admins can currently specify that Google customer support access be limited only to US-based personnel. Later this year, Google will preview a feature that allows customers to limit Google customer support access to technicians based in the EU instead. 

Cyberthreat prevention

Google is introducing a series of capabilities designed to get out in front of cyber threats. 

Mandatory 2-step verification: Here's a fascinating stat from Google's blog: Two-step verification results in a 50% decrease in accounts being compromised. That's a huge upside benefit for a relatively simple security tactic. In this set of announcements, Google has stated that "select administrator accounts" of resellers and large enterprise customers will be required to add two-step verification to their accounts. Look for that to begin later this year.

Multi-party approval for sensitive administrative actions: 

Google has realized that it's probably not good to put unchecked, godlike powers in the hands of any single system administrator. As such, Google, later this year, will be adding the requirement that a second admin approve certain sensitive actions. This not only protects against mistakes, but against actions by a single compromised admin.

Also: This AI-generated crypto invoice scam almost got me, and I'm a security pro

Protecting sensitive actions in Gmail: Although Google is very reticent about providing details at this time, the company has stated that it's beginning to preview the use of AI-powered defenses to block sensitive actions such as email filtering or forwarding. (Whether that will prevent George in accounting from being able to send "I'm hungry, I'm going to lunch" to the entire company for the fifth time this month remains to be seen.)

Exporting logs to Chronicle in a few clicks: Chronicle is Google's security operations suite. Google is making it easier to send Workspace logs to Chronicle for more in-depth analysis. The feature is available to preview now.

Some Google security stats

Google also provided some statistics to showcase the benefits of its services:

That last stat is interesting. While the report does show a 50% savings, it's a 50% savings compared to the worst-ranked alternative solutions. There are other solutions with similar insurance cost estimates to Google's.

Also: The other shoe finally dropped on my Google Enterprise cloud storage plan

And there you are: Eleven new features from Google, available sometime this year or next. They'll be available to enterprise customers, and possibly smaller business customers. Better security is in the offing, and it will get here when it gets here, but it will get here.

You can follow my day-to-day project updates on social media. Be sure to subscribe to my weekly update newsletter on Substack, and follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

Editorial standards