From creating team mailing lists to processing support tickets to hosting internal discussions, many organizations use Google Groups to connect and collaborate in the workplace. But as with any communication tool, it’s important that your settings deliver the right balance between sharing and security.

By default, Google Groups are set to private; there have been a small number of instances, however, where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings. That’s why it’s important to understand how you can tailor the privacy configurations of Google Groups to align with your organization’s policies. Details of how to do this are part of our comprehensive security best practices for G Suite, which we’ve discussed in previous blog posts.

Default protections against accidental misconfigurations
To help prevent data from being accidentally shared, by default Google Groups’ sharing settings are set to best protect privacy:

• Viewing groups: By default, no one outside your domain can view or search groups in your domain.
• Posting to groups: By default, no one outside your domain can post to your groups.
• Joining groups: By default, no one outside your domain can become a group member.
• Creating groups: By default, only those within your domain can create groups.

G Suite admins can adjust each of these default settings individually. They can review and update the sharing permissions for their domains from the Admin console, while end users can review and update Google Groups permissions in group settings. Admins can also manage groups using the Directory API, and group settings can be managed using the Groups Settings API.

Viewing groups: configuring settings at the domain level
Admins can control who can view groups at the domain level, under “access to groups.” There are two options:

• Private, the default setting, means no one outside of your domain can access your groups, and your users and domain admins do not have the ability to create public groups.
• Public on the Internet means users can create public groups, and individuals outside your domain can access content discussed in these groups.

You should carefully consider whether to change the access to groups from Private to Public on the Internet. If you give your users the ability to create public groups, you can always change the domain-level setting back to private. This will prevent anyone outside of your domain from accessing any of your groups, including any groups previously set to public by your users.

Viewing groups: configuring the default view for new groups
Even if you turn on the ability to create public groups, all new groups will be private by default and users will need to proactively change individual group settings to make them public. As an admin, you can change this default setting so that view access for new groups is limited to all members of your domain or a subset of group members.


We recommend you choose the setting that makes the most sense based on how your organization uses Google Groups. Remember, this is the default setting for new groups—group owners can still change settings at the group level (although if admins set “access to groups” to private, users won’t be able to allow anyone on the internet to view the group).

Posting to groups: configuring who can contact group members
By default, external users cannot post to groups. In some instances, however, you may want external individuals to be able to contact a group—for example, when handling incoming sales or support requests. This can be done without making the ability to view topics in a group public.

As an admin, you can allow posts from outside your domain to specific groups within the settings for that individual group (by selecting “Public” under Post). This setting applies regardless of whether group topics are set to public or private.


As an admin, you can also give group owners the ability to authorize external posts via the Admin console setting under “Member & email access.”


Joining groups: configuring group membership
By default, only users in the group’s domain can be group members. Admins, however, can add external members directly to groups, and they can also enable group owners to add external members—for example, if they need to communicate with a vendor organization. Admins can also to add external members regardless of the status of the setting.


Creating groups: configuring who can create new groups
As an admin, you can also decide who can create groups within your organization. By default, anyone in your domain can create groups.


If you allow users in your domain create public Google Groups and give anyone in your domain the ability to create groups, you’re trusting your users to manage their settings and use these groups appropriately. It’s worth carefully considering whether this configuration makes the most sense for your organization.

For more information on securing your Google Groups, visit our Help Center. You may also want to review our security best practices across G Suite.

More Information
Help Center: Google Groups security


Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

(Cross-posted from The Keyword)

Security doesn’t have to be complicated. With G Suite, admins can manage and help protect their users with minimal effort because we've designed our tools to be intuitive—like Vault, which helps with eDiscovery and audit needs, and data loss prevention, which helps ensure that your “‘aha”’ moments stay yours. Here are some key security controls that you can deploy with just a few clicks to get more fine-grained control of your organization's security.

1. Enable Hangouts out-of-domain warnings
If your business allows employees to chat with external users on Hangouts, turn on a setting that will show warnings to your users if anyone outside of your domain tries to join a Hangout, and split existing group chats so external users can’t see previous internal conversations. This substantially reduces the risk of data leaks or falling prey to social engineering attacks. (Admin console > Apps > G Suite > Google Hangouts > Chat settings > Sharing options)


2. Disable email forwarding
Exercising this option will disable the automatic email forwarding feature for users, which in turn helps reduce the risk of data exfiltration in the event a user’s credentials are compromised. (Admin console > Apps > G Suite > Gmail > Advanced settings)



3. Enable early phishing detection
Enabling this option adds further checks on potentially suspicious emails prior to delivery. Early phishing detection utilizes a dedicated machine learning model that selectively delays messages to perform rigorous phishing analysis. Less than 0.05 percent of messages on average get delayed by a few minutes, so your users will still get their information fast. (Admin console > Apps > G Suite > Gmail > Advanced settings)


4. Examine OAuth-based access to third-party apps
OAuth apps whitelisting helps keep company data safe by letting you specifically select which third-party apps are allowed to access users’ G Suite data. Once an app is part of a whitelist, users can choose to grant authorized access to their G Suite apps data. This helps to prevent malicious apps from tricking people into accidentally granting access to corporate data. (Admin console > Security > G Suite API Permissions)


5. Check that unintended external reply warning for Gmail is turned on
Gmail can display unintended external reply warnings to users to help prevent data loss. You can enable this option to ensure that if your users try to respond to someone outside of your company domain, they’ll receive a quick warning to make sure they intended to send that email. Because Gmail has contextual intelligence, it knows if the recipient is an existing contact or someone your users interact with regularly, so it only displays relevant warnings. This option is on by default. (Admin console > Apps > G Suite > Gmail > Advanced settings)


6. Restrict external calendar
To reduce the incidence of data leaks, make sure that Google Calendar details aren’t shared outside your domain. Limiting sharing to “free” or “busy” information protects you from social engineering attacks that depend on gleaning information from meeting titles and attendees. (Admin console > Apps > G Suite > Calendar > Sharing settings)

7. Limit access to Google Groups
By setting default Google group access to private, you can limit external access to information channels that may contain confidential business information, like upcoming projects. (Admin console > Apps > G Suite > Groups for Business > Sharing settings)


8. Set Google+ access restrictions
Make the default sharing setting for Google+ restricted and disable discoverability of Google+ profiles outside your domain. Both of these actions can help you control access to critical business information. (Admin console > Apps > G Suite > Google+ > Advanced settings)





Every company has their own unique set of business requirements that need to work in rhythm with their security requirements. By evaluating and implementing some of these suggested security controls, you can make a marked difference in your company’s security posture—with just a few clicks. See this post for other security tips.


Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

Google Vault helps your organization meet its legal needs, by allowing you to manage your employees' G Suite data for eDiscovery and compliance purposes. Today, we’re launching additional, crucial functionality in Vault, including full support for Drive, newly launched Team Drives, and Google Groups.

Set retention policies for Google Drive, including Team Drives
Starting now, not only can G Suite admins search and export employee Drive files, they can also set retention policies to manage the lifecycle of files in My Drive and the just-launched Team Drives, regardless of whether they’re Google or non-Google files (as long as they’re owned by users in your domain).

Like with mail, the default rule will apply to all users in your domain. You can set an indefinite retention policy (such that files are never expunged), or you can choose to have files expunged at the end of a specific time period. This default rule can be applied to all files or only to files that have been deleted by users.

You can also set custom retention rules for specific organizational units (OUs) or for Team Drives. Like with mail, custom rules override the default rule and, if multiple custom rules apply to a file, the longest rule wins. Custom rules can be applied to all files or only to files that have been deleted by users.

Unlike with mail, you cannot target custom Drive retention rules with specific terms.


Place legal holds on Google Drive files
In addition to setting retention policies, you can now place legal holds on your employees' Google Drive and Team Drives files, whether they are Google files or non-Google files (as long as they are owned by users in your domain). Doing so will preserve all files that are owned by or shared with the user on hold, regardless of whether that user deletes those files. If a user on hold deletes a file, it will appear as deleted for him or her—but it will be available in Vault until the hold is removed. Remember that holds always take precedence over retention rules.

Note that both the retention policy and legal holds features are not yet available for Apps Script.

Export point-in-time Google Drive files
Vault now also allows you to export revisions of your employees’ Drive and Team Drive files from a specific point in time (this applies to Google Docs, Sheets, Slides, and Drawings files). This can be done by simply specifying the desired Version Date in the search form.

Note that this feature is not yet available for Google Forms, Apps Script, or any non-Google document types.


Use Vault for Google Groups
Finally, Vault now works with Groups, meaning you can search, export, and set retention policies and place legal holds on your employees’ Groups content. Groups can be used for email lists, forums, and shared or collaborative inboxes, and now you can apply the same retention and eDiscovery programs that you use in Gmail for content stored in Groups archives.


To learn more about how Vault's support for Drive, Team Drives, and Groups can help your organization meet its legal obligations and archiving needs, check out the Vault Help Center.

Launch Details
Release track:
Launching to both Rapid release and Scheduled release

Editions:
Available to G Suite Business, Enterprise, and Education editions, as well as G Suite Basic users with add-on Vault licenses

Rollout pace:
Gradual rollout (potentially longer than 3 days for feature visibility)

Impact:
Admins only

Action:
Admin action suggested/FYI

More Information
Help Center: Google Vault
Help Center: Supported data types


Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

One common request we’ve heard from customers is for an integrated search experience for the content you care about, regardless of what app you’re in. Beginning this week, we’ll be rolling out an integrated search experience in Gmail, Google Calendar, Groups, and Drive on the web for G Suite Basic and G Suite Business customers to make finding the content you care about easier.

This new search experience uses Google’s latest technologies to make searching for content more intelligent than ever. The search results you’ll see will change depending on what you’re trying to accomplish and also which services are enabled for your domain. Typically, search results in the top portion will be the same type as the application you’re using, and below, you’ll see related documents, contacts, calendar events, or emails that are most relevant to what you’re searching for.


Please note: At this time, the integrated search experience will be rolled out only to G Suite Basic and G Suite Business customers (formerly called Google Apps for Work and Google Apps Unlimited).


Launch Details
Release track:
Launching to both Rapid release and Scheduled release

Rollout pace:
Gradual rollout (More than 3 days for feature visibility)

Impact:
All end users on G Suite Basic and G Suite Business

Action:
Change management suggested/FYI

No new features have launched this week.

The following features are intended for release to these domains on July 17th:
- Groups: The new Groups interface will become the default for all users attempting to access Google Groups for Business. Users will have the option to opt out of this change for a limited period of time.

Release track:
Scheduled*

Editions included:
Google Apps, Google Apps for Business, Government and Education

For more information:
http://support.google.com/groups/bin/answer.py?hl=en&answer=2463719

*Scheduled Release track: Domains with ‘Scheduled Release’ option enabled in the administrator control panel. Learn more.

whatsnew.googleapps.com
Get these product update alerts by email
Subscribe to the RSS feed of these updates