Skip to main content

Security-at-scale: 10 new security and management controls



With so many people working remotely, it's imperative that the tools we use to stay productive are secure. Already this year we have worked to strengthen security for our customers and help make threat defense more effective. 

Today, we’re sharing new advancements that provide robust controls, enable automation, and simplify managing security-at-scale with both G Suite and Google Cloud Platform. 

Enabling extensibility through APIs

First, let’s take a look at enabling extensibility with APIs with the general availability of both Cloud Identity groups API and service account API access for Cloud Identity customers. We recognize that some Google Cloud customers rely heavily on groups but are not G Suite administrators. We are now enabling programmatic access to manage groups without requiring admin roles with Cloud Identity groups API. With this feature, we’ve expanded access to non-admin service accounts and users as group owners and managers.  

Further, you can programmatically manage groups using service accounts without needing to grant domain-wide delegation or use admin impersonation with service account API access. Hand-in-hand with this feature is service accounts as members, in general availability, which natively supports service accounts in groups without changing group settings, and indicates if a member is a service account. These features also allow for more accurate visibility into actions taken by service accounts; now, audit logs will show the service account as the actor as opposed to an impersonated user via domain-wide delegation. 

“Before API access without domain wide delegation, we required many Group Admin accounts to manage the capability. We are now able to limit access to only those who absolutely need it, helping us to strengthen our security posture.” - Woolworths 

Next, we’re adding to G Suite’s Vault API with the general availability of Count API. This API enables you to see the number of messages, files, or other data items that match a search query. Since this functionality can help you estimate the size of an export, Count API helps you ensure a successful export by reducing the likelihood of export errors due to size.

Saving time and effort with group membership automation

We’re helping Cloud Identity customers save time and effort with new automation in group membership. Complete automation of group membership is possible with dynamic groups, now in beta. By simply utilizing the appropriate user attributes in a membership query, you can create groups whose membership is automatically kept up-to-date.

group membership automation.gif

We’re also introducing membership expiration for Cloud Identity in beta, which allows you to set a time-based expiration on group membership to automatically revoke group membership once the specified time period has passed. This can be especially useful to allow engineers to debug in production for a limited time, or grant temporary contractors or vendors time-based access to resources, for example.

Adding controls to enhance security

We want our customers to feel empowered with all of the controls they need to customize security according to their organization’s needs. Here are some ways that we’re giving you even greater control to meet your security objectives when managing groups. 

With security groups for Cloud Identity, now in beta, you can add security labels to groups to differentiate between groups used for access control and those only used for email or other communication. This labeling helps you ensure that security groups cannot contain any groups from outside of your organization or email-only groups.  

Next, to give you more control in managing groups, we launched the beta of groups in GCP console in May. With this feature, we’ve simplified creating groups, adding users, and assigning permission. You can try it here.


groups in GCP console.gif

Use visibility and insights to strategically prioritize your security efforts

Having visibility into the access and data within your organization is a critical step in protecting it. Taking that a step further, having insights to act upon helps you strategically prioritize your security efforts.

First, let’s talk about the visibility you’ll gain with indirect membership visibility & hierarchy APIs, now in beta for Cloud Identity. To help you easily visualize group membership, this feature allows you to view all direct and indirect members of a groupview all direct and indirect memberships of a user, and find paths from a user to a group. In addition, with a new check API, you can identify if an account is a member of a given group or not. You’ll get all of the information you need to create visualization of complex group structures and hierarchies. Having this kind of membership visibility can help you make decisions about who to add to or remove from your groups.

Next, we’re helping you take visibility to the next level with actionable insights that help you keep your organization’s data safe. We’re happy to announce that we are rolling out the general availability of data protection insights in the next couple weeks to help you identify the top sensitive data types for your organization. Beyond just being able to see what sensitive data your organization is dealing with, we’re helping you prioritize and focus your data protection efforts. Data protection insights will be available to G Suite Business customers, in addition to the G Suite Enterprise customers.

data protection insights GA.png

With these tools, we are giving organizations the ability to manage security-at-scale more effectively and securely, while saving time and effort. To help you navigate the latest thinking in cloud security, explore the latest installment of our Google Cloud Security Talks, on-demand now.







Comments

Popular posts from this blog

People are going wild for a handy new shortcut that will change the way you use Google Docs

- Google has introduced new URLs that can open up blank Google Docs with the click of a button.
- To try it out, simply point your browser to doc.new or other Google URLs.
- Here's an incomplete list of these new URLs, along with a way to take the shortcut to the next level.
Last month, Google rolled out a new time-saving shortcut for anyone who spends a lot of time in Google Docs.
To open a new, blank document — or spreadsheet, or presentation — all you have to do is go to one of Google's handy new URLs.
So if you want to start a new document, you just have to type "doc.new" into your browser.








Set start times and import reminders in Tasks

Here comes one of the most awaited features. Tasks is one of the goals to follow what you have to do in G Suite. These new updates will help ensure the majority of your to-dos are in Tasks, and guarantee that you can monitor the due dates related with them. Moreover, importing reminders to Tasks can support your users if your association is at present changing from Inbox to Gmail.
Set a date and time for your tasks and receive notifications - You’ll find a place to add date & time. Create repeating tasks - Also you can make an event recur.

Import reminders into Tasks
This import tool will pull your reminders (from Inbox/Gmail, Calendar, or the Assistant) into Tasks.When importing reminders into Tasks, we’ll copy over the title, date, time and recurrence of the reminder. Please note, reminders with locations associated will not be imported. Additionally, this is a one-time import and not a constant sync.
- When you open Tasks on the web or your mobile app, you’ll see a prompt to cop…

Use Vault for Gmail Confidential Messages and Jamboard Files

Google vault will be supporting two new formats in the future, Gmail confidential mode emails & Jamboard files stored in Google Drive.
Google Vault gives you a chance to retain, hold, search, and export data to support your organization’s retention and eDiscovery needs. This dispatch includes support for new information types with the goal that you can thoroughly oversee your association's information.
What happens when individuals in your association sends confidential messages? Vault can hold, retain, search, and export all confidential mode messages sent by users in your association. Messages are constantly accessible to Vault, notwithstanding when the sender sets a termination date or denies access to private messages.
Here’s an example of what admin@ink-42.com will see in Vault when they search for sam@ink-42.com and preview this email sent by lisa@ink-42.com.
But It’ll not work vise versa. Admins can hold, retain, search and export message headers and subjects of external c…