Posted by Suzanne Frey, Director, Security, Trust, and Privacy, Google Apps

Every company has data that it must keep secure — whether that data is about confidential innovations, strategic plans or sensitive HR issues — keeping all of your data safe from inadvertent or purposeful leaks needs to be simple, quick and reliable. Google for Work already helps admins manage information security with tools such as encryption, sharing controls, mobile device management and two-factor authentication. However, sometimes user actions compromise the best of all of these controls; for example, a user might hit “Reply all” when meaning to send a private message with sensitive content.

Starting today, if you’re a Google Apps Unlimited customer, Data Loss Prevention (DLP) for Gmail will add another layer of protection to prevent sensitive information from being revealed to those who shouldn’t have it.

How Gmail DLP works Organizations may have a policy that the Sales department shouldn’t share customer credit card information with vendors. And to keep information safe, admins can easily set up a DLP policy by selecting “Credit Card Numbers” from a library of predefined content detectors. Gmail DLP will automatically check all outgoing emails from the Sales department and take action based on what the admin has specified: either quarantine the email for review, tell users to modify the information or block the email from being sent and notify the sender. These checks don’t just apply to email text, but also to content inside common attachment types ― such as documents, presentations and spreadsheets. And admins can also create custom rules with keywords and regular expressions.

Check out the DLP whitepaper for more information including the full list of predefined content creators, and learn how to get started. Gmail DLP is the first step in a long-term investment to bring rule-based security across Google Apps. We’re working on bringing DLP to Google Drive early next year, along with other rule based security systems.

As we round out the year, let’s take a look at what we did in 2015 to enhance the security, privacy and control you have over your information.

• To verify the good work we do on privacy, we were one of the first cloud providers to invite an independent auditor to show that our privacy practices for Google Apps for Work and Google Apps for Education comply with the latest ISO/IEC 27018:2014 privacy standards. These confirm for example, that we don’t use customer data for advertising.
• To make security easier for all, we've expanded our security toolset:
• We introduced Security Keys to make two-step verification more convenient and provide better protection against phishing. For admins, we released Google Apps identity services, which allows secure single sign on access with SAML and OIDC support and we delivered device (MDM) and app (MAM) Mobile Management across Google Apps.
• We launched Postmaster tools to help Gmail users better handle large volumes of mail and report spam.
• For Google Cloud developers, the Cloud Security Scanner allows you to easily scan your application for common vulnerabilities (such as cross-site scripting (XSS) and mixed content).
• For those who want the power and flexibility of public cloud computing and want to bring their own encryption keys, we announced Customer-Supplied Encryption Keys for Google Cloud Platform.
• To give more transparency on how email security, even beyond Gmail, is changing over the years we published the Safer Email report.
• We introduced new sharing features, alerts and audit events to Google Drive for Google Apps Unlimited customers. For example, administrators can now create custom alerts and disable the downloading, printing or copying of files with Information Rights Management (IRM). New sharing settings give employees better control within their organization unit and now admins can let them reset their own passwords.
• Google Groups audit settings allow better tracking of Groups memberships. For all, the launch of google.com/privacy gives better control over personal data and Android for Work makes it easier to keep personal and work data separate on employee devices.

Companies are moving to the Cloud for all kinds of reasons, but Security and Trust remain critical and predominant differentiators between providers. That’s why millions of businesses trust Google to do the daily heavy lifting in security ─ preventing, testing, monitoring, upgrading and patching, while working towards the future. Because Google was born in the cloud, we’ve built security from the ground up across our entire technology stack, from the data centers to the servers to the services and features we provide across all of your devices. No other Cloud provider can claim this degree of security investment at every single layer.

While 2015 was a great year, there’s a lot more in store for 2016. To learn more about how our technology is evolving, please join us at the Enigma conference in San Francisco on January 25th to discuss electronic crime, security and privacy ideas that matter.

Posted by Eran Feigenbaum, Director of Security, Google Apps

No matter how you slice it, mobile and cloud are essential for future business growth and productivity. This is driving increases in security spending as organizations wrestle with threats and regulatory compliance — according to Gartner, the computer security industry will reach $71 billion this year, which is a 7.9 percent increase over 2013.

To help organizations spend their money wisely, it’s essential that cloud companies are transparent about their security capabilities. Since we see transparency as a crucial way to earn and maintain our customers’ confidence, we ask independent auditors to examine the controls in our systems and operations on a regular basis. The audits are rigorous, and customers can use these reports to make sure Google meets their compliance and data protection needs.

We’re proud to announce we have received an updated ISO 27001 certificate and SOC 2 and SOC 3 Type II audit report, which are the most widely recognized, internationally accepted independent security compliance reports. These audits refresh our coverage for Google Apps for Business and Education, as well Google Cloud Platform, and we’ve expanded the scope to include Google+ and Hangouts. To make it easier for everyone to verify our security, we’re now publishing our updated ISO 27001 certificate and new SOC3 audit report for the first time, on our Google Enterprise security page.

Keeping your data safe is at the core of what we do. That’s why we hire the world’s foremost experts in security—the team is now comprised of over 450 full-time engineers—to keep customers’ data secure from imminent and evolving threats. These certifications, along with our existing offerings of FISMA for Google Apps for Government, support for FERPA and COPPA compliance in Google Apps for Education, model contract clauses for Google Apps customers who operate within Europe, and HIPAA business associate agreements for organizations with protected health information, help assure our customers and their regulators that we’re committed to keeping their data and that of their users secure, private and compliant.

Posted by Chuck Coulson, Head of Google Apps and Drive Technology Partnerships

Last month we announced Google Drive for Work, which includes advanced Drive auditing to give organizations control, security and visibility into how files are shared. This new security feature helps companies and IT managers protect confidential information and gain insights into how their employees work.

Drive audit helps IT admins view activity on documents, such as uploading and downloading files, renaming files, editing and commenting, and sharing with others. Filters make it easy to sort and find details like IP address, date range, document title and owner’s email address. To make advanced auditing reports easier to manage, admins can set up alerts for important events like files being shared outside the organization.

To help organizations derive even more value from Drive for Work, we’ve been working with partners to give you even more capabilities through the Drive Audit API:

• Backupify protects your Google Apps data through secure, automatic, daily backup allowing IT users to easily search and restore files with advanced administrative features, safeguarding your business from data loss caused by user errors, malicious deletions, hackers, and app errors. (website, blog post)
• BetterCloud, through their flagship cloud management and security tool, FlashPanel, has enhanced their offering through the Audit API to provide additional controls and insight. (website, blog post)
• CloudLock, who provides a pure-cloud Data Loss Prevention (DLP) solution for SaaS applications, has released a new version of CloudLock for Google Drive, leveraging the new Google Drive audit APIs, to enable large organizations to extend their enterprise security controls to the cloud. (website, blog post)
• SkyHigh for Google Drive delivers Data Loss Prevention (DLP), mobile-to-cloud support, application auditing, data discovery, and anomaly detection without changing the Google Drive experience users love. (website, blog post)

And this is only the beginning. We invite developers and customers alike to get started with the Audit API to provide additional advanced security solutions for Google Drive. Learn more by visiting developers.google.com.

Google is committed to enabling organizations to be successful by leveraging a large community of ISVs. One of the areas we constantly invest in is our APIs, that allow customers and ISVs to extend the functionality of the Google Apps platform. If you’d like to join our ISV community, check out developers.google.com. For a list of ISVs supporting Google Apps, please visit the Google Apps Marketplace.

Posted by Amit Singh, President of Google Enterprise

Millions of businesses trust Google to keep their data safe—a responsibility we take very seriously. We focus on protecting our customers’ data from all unauthorized access, whether from common phishing, sophisticated hacking, or state-sponsored intrusions. That’s why this spring we implemented new, mandatory HTTPS connections to secure user access to Gmail and protect email messages as they move to Gmail servers.

Our commitment to your security doesn’t stop there, which is why we’ve recently added even more business-friendly features for our Google Apps Business, Government and Education customers:

• Mail routing, delivery controls and SMTP relay service—Control the flow of information to and from your company with policy-based routing to ensure that company messages are filtered, even if they are sent from third-party or other non-Gmail sources.
• Attachment compliance—Protect your business by blocking or rerouting messages based on what is attached to emails, providing controls over what content is sent and received.
• TLS Encryption of message content—Prevent eavesdropping and message spoofing through secure encryption and delivery.

In addition to these increased security measures, as we recently announced, we’ve now turned off ads in Google Apps services. This means administrators no longer have the option or ability to turn on ads in these services. We’ve also permanently removed all ads scanning in Gmail for Google Apps, which means Google does not collect or use data in Google Apps services for advertising purposes.

Customers who have chosen to show AdSense ads on their Google Sites will still be able to display those existing ads on their websites. However, it will no longer be possible to edit or add new AdSense ads to new or existing sites.

All this is part of our commitment to providing the best security to ensure your data is protected, while strengthening the features our Google Apps customers care about the most.

Posted by Bram Bout, Director, Google for Education

Today more than 30 million students, teachers and administrators globally rely on Google Apps for Education. Earning and keeping their trust drives our business forward. We know that trust is earned through protecting their privacy and providing the best security measures.

This is why, from day one, we turned off ads by default in Apps for Education services. Last year, we removed ads from Google Search for signed-in K-12 users altogether. So, if you’re a student logging in to your Apps for Education account at school or at home, when you navigate to Google.com, you will not see ads.

Of course, good privacy requires strong security. We have more than 400 full-time engineers — the world’s foremost experts in security — working to protect your information. We always use an encrypted HTTPS connection when you check or send email in Gmail, which means no one can listen in on your messages as they go back and forth between your laptop, phone or tablet and Gmail’s servers — even if you’re using public WiFi.

Today, we’re taking additional steps to enhance the educational experience for Apps for Education customers:

• We’ve permanently removed the “enable/disable” toggle for ads in the Apps for Education Administrator console. This means ads in Apps for Education services are turned off and administrators no longer have the option or ability to turn ads in these services on.
• We’ve permanently removed all ads scanning in Gmail for Apps for Education, which means Google cannot collect or use student data in Apps for Education services for advertising purposes.

Users who have chosen to show AdSense ads on their Google Sites will still have the ability to display those existing ads on their websites. However, it will no longer be possible to edit or add new AdSense ads to existing sites or to new pages.

We’re also making similar changes for all our Google Apps customers, including Business, Government and for legacy users of the free version, and we’ll provide an update when the rollout is complete.

On Thursday, May 1 at 9:00 am PT, we’ll be hosting a Hangout on Air on our Google for Education G+ page with myself; Jonathan Rochelle, Director of Product Management for Docs and Drive and Hank Thiele, Chief Technology Officer for District 207 in Park Ridge, IL who uses Google Apps. We'll be discussing these changes and answering your questions. We look forward to hearing from you.

For more information about student privacy in Google Apps for Education, please visit our website.

Posted by Eran Feigenbaum, Director of Security, Google Apps

Last week, I spoke at a panel with a few peers at RSA, a leading security conference. Microsoft CISO Bret Arsenault, Verizon risk expert Wade Baker, security guru Bruce Schneier and I joined together onstage for a session entitled (and begging the question) “Is the Cloud Really More Secure than On-Premise?” It gave us the opportunity to wholeheartedly agree that the cloud can be as safe as — or in many cases, safer than — storing data on-premise. We even contemplated hosting our data in a rival’s cloud.

It may not surprise you that we believe this — the cloud is what we do. Yet, it was great to hear the panel agree that computing should be outsourced to experts whose job is to provide the best possible security. Leading cloud providers have the size to invest more in security, the speed to react faster to threats and they can work harder to stay ahead of the bad guys.

Millions of businesses have placed their trust in the cloud over recent years, and we take this responsibility seriously. Google’s business customers now include over half of the Fortune 500 and FTSE indexes, three quarters of the DAX, and more than 30 million students, teachers and other education staff.

Looking towards the future, we’ll see even more organizations embrace the cloud — because, as many of our customers have testified, the cloud is often more useful and more secure than existing on-premise solutions. And as they do, you can expect us to evolve our protections and drive security innovations to continue to keep our customers safe.

Posted by Eran Feigenbaum, Director of Security, Google Enterprise

Most businesses these days rely on technology to get their work done. And anyone who’s responsible for that technology — or even anyone who just follows the news — knows that 2013 was a big year for internet security. Of course, security has been a top priority for Google for over a decade. Millions of businesses trust Google to keep their data safe every day -- a responsibility we take very seriously. We focus on protecting our customers’ data from all unauthorized access, whether from common phishing, sophisticated hacking, or state-sponsored intrusions.

Google employs hundreds of full-time world-class security engineers. We were the first to offer important security tools, like free two-step verification, encrypted connections between your browser and our servers, and a handful of other security innovations. As a company, Google uses the same products and services that we offer to our customers. We run on the same infrastructure, in the same data centers.

Before businesses slow down for the holidays, we wanted to highlight a few of the many investments we’ve made and features we’ve launched in 2013 to help keep our customers — and everyone on the web — safe. Of course, there’ll be much more to come next year.

Offering new security tools for Google Apps administrators:

In addition to protecting our customers, Google also makes it easier for customers to protect themselves. For domain administrators, having visibility into and control over how their users’ accounts are working is a big help.

• Suspicious login alerts: A new feature in the Google Apps Admin Console allows administrators to receive email alerts when our systems detect suspicious or unusual login activity in their users’ accounts. This helps admins stay informed of what’s happening in their domain — to a degree not possible with most email systems — and, when necessary, take swift corrective action.
• Android device management: Organizations can manage smartphones and tablets - including Android and iOS - right from the Google Apps Admin console. The Android device management features include the ability to selectively wipe Google Apps account data without wiping a user’s entire device and require the latest version of the Device Policy app to ensure security policies are enforced across all devices.
• Account recovery: A new account recovery process for super administrators helps keep their accounts more secure by allowing each super admin to specify their own recovery email address and telephone number. And the new mobile Admin app lets administrators quickly accomplish the most critical tasks (like suspending users or resetting passwords) wherever they are, using an Android phone or tablet.

Verifying our practices through third-party certifications and regulatory compliance:

When it comes to security and helping our customers comply with specific industry regulations, you don’t just need to take our word for it. Many of our security practices have been reviewed and verified by third-parties in the form of audits.

• FISMA: The Federal Information Systems Management Act includes a rigorous evaluation of the security processes and data protections, and is required by U.S. federal government customers. Google Apps was the first cloud productivity suite to receive FISMA back in 2010, and we renewed our certification again this year.
• ISO 27001: ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. After earning ISO 27001 for Google Apps in 2012, we renewed our certification again this year for Google Apps and received the certification for Google Cloud Platform.
• SOC2, SSAE 16 & ISAE 3402: Companies use the SOC2, SSAE 16 Type II audit, and its international counterpart ISAE 3402 Type II audit, to document and verify the data protections in place for their services. We’ve successfully completed these audits for Google Apps every year since 2008 (when the audits were known by their previous incarnation, SAS 70) and we did so again this year for Google Apps and Google Cloud Platform.
• HIPAA: This year, we started offering Business Associate Agreements (BAAs) to help our customers who need to comply with the Health Insurance Portability and Accountability Act (HIPAA) while using Google App.

Improving security for everyone on the web:

Our work doesn’t end with providing security for Google products or even Google customers. To keep ahead of the bad guys, we work with researchers and others in the broader security community to make sure the the web is safe for everyone.

• Updated SSL certificates: To keep users safe, we utilize encryption on almost all connections made to Google, but this encryption needs to be updated at times to make it even stronger. This year, we upgraded all of our SSL certificates to 2048-bit RSA, which will help the industry move away from weaker, 1024-bit keys next year.
• Vulnerability rewards: Since introducing our vulnerability rewards programs in 2010, we’ve rewarded (and fixed!) more than 2,000 security bug reports, paid out more than $2 million in rewards, and been recognized for setting leading standards for response time. And to convey our commitment to security and thank researchers for their important work, this year we increased the maximum award from $1000 to $5000.
• Easier recovery for hacked websites: As a site owner, discovering your site is hacked with spam or malware is stressful, and trying to clean it up under a time constraint can be very challenging. We’ve been working to make recovery even easier and streamline the cleaning process — we notify webmasters when the software they’re running on their site is out of date, and we’ve set up a dedicated help portal for hacked sites with detailed articles and videos explaining each step of the process to recovery. This year, we released additional security tools so webmasters can find information about security issues on their site in one place and pinpoint problems faster with detailed code snippets.

Whether it’s creating easy-to-use tools to help organizations manage their information or keeping customer data safe from prying eyes, we’re constantly investing to ensure that Google earns and keeps your trust. Here’s to a happy, healthy, and (most of all) safe 2014.