Security & Trust

Protecting your data is our top priority

Google Workspace security: Empowering users and administrators to improve security and compliance

Table Of Contents

  1. Secure by Design

  2. Product Security Innovation

  3. Cloud Identity Premium

  4. Compliance, eDiscovery, and Analytics

  5. Transparency

Secure By Design

Cutting-edge cloud security

Top-notch data center security

Security and data protection are central to the design of Google’s data centers. Our physical security model includes safeguards like custom electronic access cards, perimeter fencing, and metal detectors. We also use cutting-edge tools like biometrics and laser-based intrusion detection to make physical breaches a “Mission: Impossible” scenario for would-be attackers.

Staying ahead of the security curve

Security has always been a top priority for Google. Here are a few ways we’ve set the bar higher:

Perfect forward secrecy

Google is the first major cloud provider to enable perfect forward secrecy, which encrypts content as it moves between our servers and those of other companies. With perfect forward secrecy, private keys for a connection are ephemeral, which in turn prevents retroactive decryption of HTTPS sessions by an adversary or even the server operator. Many industry peers have followed suit or committed to adoption in the future.

100% email encryption

Every single email message you send or receive is encrypted while moving between Google’s data centers. This ensures that your messages are safe not only when they move between your devices and Gmail’s servers, but also as they move internally within Google. We were also the first to let users know when their email was sent insecurely across providers, with the introduction of our TLS indicator.

Product Security Innovation

Strong Authentication

2-Step Verification greatly reduces the risk of unauthorized access by asking users for additional proof of identity when signing in. Our security key enforcement offers another layer of security for user accounts by requiring a physical key. The key sends an encrypted signature and works only with the sites that it’s supposed to, helping to guard against phishing. Google Workspace administrators can easily deploy, monitor, and manage the security keys at scale from within the administrator console, without installing additional software.

Centralized Cloud Access Management

With support for single sign-on (SSO), Google enables unified access to other enterprise cloud applications. Our identity and access management (IAM) service lets administrators manage all user credentials and cloud-application access in one place.

Suspicious Login Monitoring

We use our robust machine learning capabilities to help detect suspicious logins. When we discover a suspicious login, we notify administrators so they can work to ensure the accounts are secured.

Enhanced Email Security

Google allows administrators to set customized rules requiring email messages to be signed and encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME). These rules can be configured to enforce S/MIME when specific content is detected in email messages.

Cloud Identity Premium

Connect LDAP-Based apps & services

Enable authentication, authorization, and group/user lookups for legacy apps (which require LDAP over SSL) using Cloud Identity. There is no need to create a separate user directory; existing users in Cloud Identity can authenticate to LDAP apps. This supports traditional apps and IT infrastructure hosted on-premises and in the cloud (IaaS). No end-user change management is required; only application configuration is needed.

Password Vaulted apps

To make it easy for admins to enable single sign-on for thousands of additional apps that don’t support modern authentication standards like SAML and OIDC, password vaulting lets admins:

  • Manage credentials in a single space,

  • Securely enable access to shared credentials,

  • Manage access to app credentials based on group membership, and

  • Log and access reports on usage of the credentials within their organization

Web and Mobile apps (Manage SAML)


Security Assertion Markup Language, or SAML, is a standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications.

SAML 2.0 is the modern version of SAML

Data loss prevention

Google administrators can set up a data loss prevention (DLP) policy to protect sensitive information within Gmail and Drive. We provide a library of predefined content detectors to make setup easy. Once the DLP policy is in place, for example, Gmail can automatically check all outgoing email for sensitive information and automatically take action to prevent data leakage: either quarantine the email for review, tell users to modify the information, or block the email from being sent and notify the sender. With easy-to-configure rules and optical character recognition (OCR) of content stored in images, DLP for Drive makes it easy for administrators to audit files containing sensitive content and configure rules that warn and prevent users from sharing confidential information externally. Learn more in our DLP Whitepaper.

Spam Detection

Machine learning has helped Gmail achieve 99.9% accuracy in spam detection and block sneaky spam and phishing messages—the kind that could actually pass for wanted email. Less than 0.1% of email in the average Gmail inbox is spam, and incorrect filtering of mail to the spam folder is even less likely (less than 0.05%).

Phishing Prevention

Google uses machine learning extensively to protect users against phishing attacks. Our learning models perform similarity analysis between previously classified phishing sites and new, unrecognized URLs. As we find new patterns, we adapt more quickly than manual systems ever could. Google also allows administrators to enforce the use of security keys, making it impossible to use credentials compromised in phishing attacks.

DMARC

To help prevent abuse of your brand in phishing attacks, Google follows the DMARC standard, which empowers domain owners to decide how Gmail and other participating email providers handle unauthenticated emails coming from your domain. By defining a policy, you can help protect users and your organization’s reputation.
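The DMARC mechanism described above rests on two pieces: a policy record the domain owner publishes in DNS, and the receiver's decision once SPF and DKIM results are known. The following is an added illustration written for this page, not Google's code; it parses a constructed `_dmarc.example.com` record, applies the defaults the standard leaves implicit (sp inherits p, alignment defaults to relaxed), and returns the disposition for a few constructed messages. The organizational-domain helper is a deliberate simplification that a real receiver would replace with a Public Suffix List lookup.

```python
"""Parse a DMARC policy record and work out the disposition a receiving
mail server should apply to a message that fails authentication.
Added illustration, not Google's code; the record and message details
below are constructed."""

# Constructed record, as it would be published in the TXT record at _dmarc.example.com
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; pct=100; "
                 "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r")

VALID_DISPOSITIONS = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs and apply the defaults
    the record leaves implicit (sp inherits p; alignment defaults to relaxed)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, and p= is mandatory
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_DISPOSITIONS:
        raise ValueError("missing or invalid p= tag")
    if tags.get("sp", tags["p"]) not in VALID_DISPOSITIONS:
        raise ValueError("invalid sp= tag")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment. Simplification: the
    last two labels; a real receiver consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match with the From: domain;
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(policy: dict, from_domain: str, spf_pass_domain: str = None,
             dkim_pass_domain: str = None, is_subdomain: bool = False) -> str:
    """Return 'pass' when an aligned SPF or DKIM pass exists, otherwise the
    disposition the domain owner requested (p= for the domain, sp= for
    subdomains). spf_pass_domain / dkim_pass_domain are the domains that
    passed SPF / DKIM, or None when that check did not pass."""
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["sp"] if is_subdomain else policy["p"]


if __name__ == "__main__":
    policy = parse_dmarc(SAMPLE_RECORD)
    print(policy)
    # Constructed cases: a bulk mailer that passes SPF for mail.example.com ...
    print(evaluate(policy, "example.com", spf_pass_domain="mail.example.com"))
    # ... a message with no passing authentication at all ...
    print(evaluate(policy, "example.com"))
    # ... and an unauthenticated message claiming to come from a subdomain.
    print(evaluate(policy, "news.example.com", is_subdomain=True))
```

Note the asymmetry the record creates: with `adkim=s`, a DKIM signature from `mail.example.com` does not align with a `From:` of `example.com`, while the relaxed `aspf=r` lets an SPF pass for the same host count. Monitoring the aggregate reports sent to the `rua=` address is how an administrator finds legitimate senders tripped up by this before moving from `p=none` to `p=reject`.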

Integrated device management

Google’s fully integrated mobile device management (MDM) offers continuous system monitoring and alerts you to suspicious device activity. Administrators can enforce mobile policies, encrypt data on devices, lock lost or stolen mobile devices, and remotely wipe devices.

Third-party application access controls

As part of our authentication controls, administrators get visibility and control into third-party applications leveraging OAuth for authentication and corporate data access. OAuth access can be disabled at a granular level, and vetted third-party apps can be whitelisted.

Information rights management

To help administrators maintain control over sensitive data, we offer information rights management (IRM) in Drive. Administrators and users can disable downloading, printing, and copying of files from the advanced sharing menu, as well as set expiration dates on file access.

Compliance, eDiscovery, and Analytics

Data retention & eDiscovery

Google Vault lets you retain, archive, search, and export your organization’s email for your eDiscovery and compliance needs. Vault is entirely web-based, so there’s no need to install or maintain extra software. With Vault, you can search your Gmail, Drive, and Groups data, set custom retention policies, place user accounts (and related data) on litigation hold, export point-in-time Drive files, and manage related searches.

Audit Tracking

Google allows administrators to track user actions and set up custom alerts within Google. This tracking spans the Admin Console, Gmail, Drive, Calendar, Groups, mobile, and third-party application authorization. For example, if a marked file is downloaded or if a file containing the word “Confidential” is shared outside the organization, administrators can be notified.

Easy Monitoring

Easy interactive reports help you assess your organization’s exposure to security issues at a domain and user level. Extensibility through a collection of application programming interfaces (APIs) enables you to build custom security tools for your own environment. With insight into how users are sharing data, which third-party apps are installed, and whether appropriate security measures such as 2-Step Verification are in place, you can improve your security posture.

Content Compliance

Google monitoring tools allow administrators to scan email messages for alphanumeric patterns and objectionable content. Administrators can create rules to either reject matching emails before they reach their intended recipients or deliver them with modifications.
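The DLP rules described earlier for Gmail (quarantine for review, ask the user to modify, or block and notify) and the content-compliance rules in this section are the same mechanism seen from two angles: predefined detectors matched against an outgoing message, with an administrator rule deciding the disposition. The following is an added illustration written for this page, not Google's DLP or content-compliance implementation. It assumes two constructed detectors (a Luhn-checked card number and a "Confidential" marker), three constructed rules, and an organization domain of `example.com`; the messages it scans are constructed as well.

```python
"""Outbound-mail content scanner: predefined detectors applied under
administrator rules that block, quarantine or modify a matching message.
Added illustration, not Google's DLP or content-compliance implementation;
detectors, rules and messages are constructed."""
import re
from dataclasses import dataclass

# 13 to 16 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs (order numbers, tracking
    ids) are not reported as card numbers."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d *= 2
            if d > 9:
                d -= 9
        total += d
        double = not double
    return total % 10 == 0


def find_cards(text: str) -> list:
    return [m.group() for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group()))]


def find_confidential(text: str) -> list:
    return re.findall(r"\bconfidential\b", text, flags=re.IGNORECASE)


# Predefined detectors an administrator can reference from a rule
DETECTORS = {"credit_card": find_cards, "confidential_marker": find_confidential}
# When several rules fire, the most severe action wins
SEVERITY = {"deliver": 0, "modify": 1, "quarantine": 2, "block": 3}


@dataclass
class Rule:
    name: str
    detector: str                # key into DETECTORS
    action: str                  # "modify", "quarantine" or "block"
    external_only: bool = False  # fire only when a recipient is outside the org


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


def has_external_recipient(msg: Message, org_domain: str) -> bool:
    return any(not r.lower().endswith("@" + org_domain) for r in msg.recipients)


def scan(msg: Message, rules: list, org_domain: str = "example.com"):
    """Apply every rule to the original message text; return (action, findings,
    body) where findings lists (rule name, hit count) and body has the hits of
    'modify' rules redacted."""
    original = msg.subject + "\n" + msg.body
    action, findings, body = "deliver", [], msg.body
    for rule in rules:
        if rule.external_only and not has_external_recipient(msg, org_domain):
            continue
        hits = DETECTORS[rule.detector](original)
        if not hits:
            continue
        findings.append((rule.name, len(hits)))
        if rule.action == "modify":
            for hit in hits:
                body = body.replace(hit, "[REDACTED]")
        if SEVERITY[rule.action] > SEVERITY[action]:
            action = rule.action
    return action, findings, body


# Constructed policy: redact card numbers anywhere, hold externally bound card
# numbers for review, and block "Confidential" content leaving the organization.
RULES = [
    Rule("redact-cards", "credit_card", "modify"),
    Rule("cards-external", "credit_card", "quarantine", external_only=True),
    Rule("confidential-external", "confidential_marker", "block", external_only=True),
]

if __name__ == "__main__":
    msg = Message("alice@example.com", ["vendor@partner.test"], "Refund",
                  "Please refund card 4111 1111 1111 1111, exp 12/29")
    print(scan(msg, RULES))
```

The Luhn check is what keeps the card detector from firing on every 16-digit string; the `external_only` flag is the analogue of the "shared outside the organization" condition, so the same detector can redact internally but quarantine or block when the recipient is outside the domain.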

Insights using BigQuery

With BigQuery, Google’s enterprise data warehouse for large-scale data analytics, you can analyze Gmail logs using sophisticated, high-performing custom queries, and leverage third-party tools for deeper analysis.

Transparency

No ads ever

Google does not collect, scan, or use your data in Google services for advertising purposes, and we do not display ads in Gmail. We use your data to provide Google services, and for system support, such as spam filtering, virus detection, spell-checking, capacity planning, traffic routing, and the ability to search for emails and files within an individual account.

Your apps are always accessible

You own your data

The data that companies, schools, and government agencies put into Google services does not belong to Google. Whether it’s corporate intellectual property, personal information, or a homework assignment, Google does not own that data, and Google does not sell that data to third parties.

Context-Aware Access

Using Context-Aware Access, you can create granular access control policies to apps based on attributes such as user identity, location, device security status, and IP address.

Context-Aware Access gives you control over which apps a user can access based on their context, such as whether their device complies with your IT policy.
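To make the policy model above concrete: an access level is a set of conditions on the sign-in context (country, device compliance, device encryption, source IP range), an app is bound to one or more levels for a group of users, and the sign-in is allowed only when every bound level is satisfied. The following is an added illustration written for this page, not Google's implementation; the access levels, the app bindings, the group names and the sign-in contexts are constructed, the IP ranges are documentation ranges, and treating an app with no binding as accessible is an assumption made for the example.

```python
"""Evaluate context-aware access policies against a sign-in context.
Added illustration, not Google's implementation; levels, bindings and
contexts are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Context:
    """Attributes known about one sign-in attempt."""
    user: str
    groups: frozenset
    country: str
    device_compliant: bool   # device meets the IT policy (screen lock, OS version, ...)
    device_encrypted: bool
    ip: str


@dataclass
class AccessLevel:
    name: str
    allowed_countries: Optional[frozenset] = None  # None = any country
    require_compliant_device: bool = False
    require_encryption: bool = False
    ip_ranges: tuple = ()                          # CIDR strings; empty = any address

    def check(self, ctx: Context) -> Optional[str]:
        """Return None when satisfied, otherwise a short reason for the failure."""
        if self.allowed_countries is not None and ctx.country not in self.allowed_countries:
            return f"{self.name}: country {ctx.country} not allowed"
        if self.require_compliant_device and not ctx.device_compliant:
            return f"{self.name}: device not compliant"
        if self.require_encryption and not ctx.device_encrypted:
            return f"{self.name}: device not encrypted"
        if self.ip_ranges:
            addr = ipaddress.ip_address(ctx.ip)
            if not any(addr in ipaddress.ip_network(r) for r in self.ip_ranges):
                return f"{self.name}: {ctx.ip} outside permitted ranges"
        return None


# Constructed access levels (IP ranges are documentation ranges)
LEVELS = {
    "corp_network": AccessLevel("corp_network", ip_ranges=("203.0.113.0/24", "2001:db8::/32")),
    "managed_device": AccessLevel("managed_device", require_compliant_device=True,
                                  require_encryption=True),
    "home_countries": AccessLevel("home_countries", allowed_countries=frozenset({"US", "DE"})),
}

# Constructed policy: app -> list of (group, required access levels).
# "*" applies to everyone; a user matched by several bindings must satisfy the
# union of their levels. Assumption for this example: an app with no binding
# stays accessible.
POLICY = {
    "drive": [("*", ["managed_device"]), ("finance", ["corp_network"])],
    "admin-console": [("*", ["managed_device", "corp_network", "home_countries"])],
}


def decide(app: str, ctx: Context):
    """Return (allowed, reasons); allowed is False when any required level fails."""
    required = []
    for group, level_names in POLICY.get(app, []):
        if group == "*" or group in ctx.groups:
            for name in level_names:
                if name not in required:
                    required.append(name)
    reasons = [r for r in (LEVELS[n].check(ctx) for n in required) if r is not None]
    return (not reasons), reasons


if __name__ == "__main__":
    alice = Context("alice@example.com", frozenset({"finance"}), "US", True, True, "198.51.100.5")
    # Finance users need the corporate network for Drive; this sign-in is from elsewhere
    print(decide("drive", alice))
```

Returning the list of failing levels rather than a bare boolean is what makes such a policy operable: the reason string is what an administrator sees in the audit trail when a user reports being locked out.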


Data Residency

As an administrator, you can store your covered data in a specific geographic location by using a data region policy. Your geographic location options are the United States or Europe. Users who don't have a supported edition aren't covered by data region policies—even if you apply a data region policy to their organizational unit.