Skip to main content

Security-at-scale: 10 new security and management controls

With so many people working remotely, it's imperative that the tools we use to stay productive are secure. Already this year we have worked to strengthen security for our customers and help make threat defense more effective. 

Today, we’re sharing new advancements that provide robust controls, enable automation, and simplify managing security-at-scale with both G Suite and Google Cloud Platform. 

Enabling extensibility through APIs

First, let’s take a look at enabling extensibility with APIs with the general availability of both Cloud Identity groups API and service account API access for Cloud Identity customers. We recognize that some Google Cloud customers rely heavily on groups but are not G Suite administrators. We are now enabling programmatic access to manage groups without requiring admin roles with Cloud Identity groups API. With this feature, we’ve expanded access to non-admin service accounts and users as group owners and managers.  

Further, you can programmatically manage groups using service accounts without needing to grant domain-wide delegation or use admin impersonation with service account API access. Hand-in-hand with this feature is service accounts as members, in general availability, which natively supports service accounts in groups without changing group settings, and indicates if a member is a service account. These features also allow for more accurate visibility into actions taken by service accounts; now, audit logs will show the service account as the actor as opposed to an impersonated user via domain-wide delegation. 

“Before API access without domain wide delegation, we required many Group Admin accounts to manage the capability. We are now able to limit access to only those who absolutely need it, helping us to strengthen our security posture.” - Woolworths 

Next, we’re adding to G Suite’s Vault API with the general availability of Count API. This API enables you to see the number of messages, files, or other data items that match a search query. Since this functionality can help you estimate the size of an export, Count API helps you ensure a successful export by reducing the likelihood of export errors due to size.

Saving time and effort with group membership automation

We’re helping Cloud Identity customers save time and effort with new automation in group membership. Complete automation of group membership is possible with dynamic groups, now in beta. By simply utilizing the appropriate user attributes in a membership query, you can create groups whose membership is automatically kept up-to-date.

group membership automation.gif

We’re also introducing membership expiration for Cloud Identity in beta, which allows you to set a time-based expiration on group membership to automatically revoke group membership once the specified time period has passed. This can be especially useful to allow engineers to debug in production for a limited time, or grant temporary contractors or vendors time-based access to resources, for example.

Adding controls to enhance security

We want our customers to feel empowered with all of the controls they need to customize security according to their organization’s needs. Here are some ways that we’re giving you even greater control to meet your security objectives when managing groups. 

With security groups for Cloud Identity, now in beta, you can add security labels to groups to differentiate between groups used for access control and those only used for email or other communication. This labeling helps you ensure that security groups cannot contain any groups from outside of your organization or email-only groups.  

Next, to give you more control in managing groups, we launched the beta of groups in GCP console in May. With this feature, we’ve simplified creating groups, adding users, and assigning permission. You can try it here.

groups in GCP console.gif

Use visibility and insights to strategically prioritize your security efforts

Having visibility into the access and data within your organization is a critical step in protecting it. Taking that a step further, having insights to act upon helps you strategically prioritize your security efforts.

First, let’s talk about the visibility you’ll gain with indirect membership visibility & hierarchy APIs, now in beta for Cloud Identity. To help you easily visualize group membership, this feature allows you to view all direct and indirect members of a groupview all direct and indirect memberships of a user, and find paths from a user to a group. In addition, with a new check API, you can identify if an account is a member of a given group or not. You’ll get all of the information you need to create visualization of complex group structures and hierarchies. Having this kind of membership visibility can help you make decisions about who to add to or remove from your groups.

Next, we’re helping you take visibility to the next level with actionable insights that help you keep your organization’s data safe. We’re happy to announce that we are rolling out the general availability of data protection insights in the next couple weeks to help you identify the top sensitive data types for your organization. Beyond just being able to see what sensitive data your organization is dealing with, we’re helping you prioritize and focus your data protection efforts. Data protection insights will be available to G Suite Business customers, in addition to the G Suite Enterprise customers.

data protection insights GA.png

With these tools, we are giving organizations the ability to manage security-at-scale more effectively and securely, while saving time and effort. To help you navigate the latest thinking in cloud security, explore the latest installment of our Google Cloud Security Talks, on-demand now.


Popular posts from this blog

Use Vault for Gmail Confidential Messages and Jamboard Files

Google vault will be supporting two new formats in the future, Gmail confidential mode emails & Jamboard files stored in Google Drive. Google Vault gives you a chance to retain, hold, search, and export data to support your organization’s retention and eDiscovery needs. This dispatch includes support for new information types with the goal that you can thoroughly oversee your association's information. What happens when individuals in your association sends confidential messages? Vault can hold, retain, search, and export all confidential mode messages sent by users in your association. Messages are constantly accessible to Vault, notwithstanding when the sender sets a termination date or denies access to private messages. Here’s an example of what will see in Vault when they search for and preview this email sent by . But It’ll not work vise versa. Admins can hold, retain, search and export message headers and s

Zoom’s Work Transformation Summit on Jan. 19: Fresh Approaches for Moving Forward

These past two years have undoubtedly reshaped work. More specifically, these past two years — shuffling between remote, in-person, and hybrid work scenarios — reshaped what employees expect out of their jobs, how they want to work, and what the office means to them.  Organizations are challenged with making big decisions to meet those expectations, and those decisions will dramatically alter how they hire, manage their facilities, buy technology, and maintain productivity. Simply adjusting policies and retooling previous work models won’t do. It takes a comprehensive reimagining. To help organizations navigate this next phase of work, Zoom is hosting our  Work Transformation Summit  on Jan. 19, a free, half-day virtual event designed to provide you and your organization with meaningful strategies, creative approaches, and innovative solutions for redefining work.  Summit attendees will have the opportunity to hear from peers and industry experts on the importance of embracing technolo

Access well-known educational technology tools straight from Google Classroom.

  We're making it simpler for instructors to use popular EdTech products that are most effective for their class right in Google Classroom with a new seamless integration of single sign-on, assigning, and grading. With the help of this feature, teachers can find, assign, and grade interesting content for their classes, and both teachers and students can access their EdTech tools without needing to navigate to other websites or apps or go through a cumbersome login process that requires remembering numerous usernames and passwords. This offers a more simplified experience when using technology to affect learning, in addition to saving instructors and students time. We partnered with 15+ EdTech companies to build custom add-ons, including Kahoot!, Pear Deck, IXL, and Nearpod.  Admins :  In order for educators to use add-ons, district administrators must provide access to them. For further information on how to install the add-ons functionality and specific add-ons for a domain, OU, o