Google Workspace Security Policies: A Detailed Explanation and FAQs
Publication Date: 2024.05.08
Content
- Google Workspace Industry-Leading Security Measures
- The Quality of Google Security Measures
- The Core of Google’s Security Measures
- FAQ about Google Workspace Security Measures
- Regular Security Audits by Third-Party Organizations
- Contact To Understand More Google Workspace Security Questions
- Reference
Google Workspace Industry-Leading Security Measures
Google Workspace is cloud-based collaboration software adopted by 5 million organizations worldwide, from sole proprietors to MNCs. Renowned overseas organizations such as Air Asia’s Big Rewards, Lalamove, and Zalora implement Google Workspace. Its diverse functions and highly acclaimed security measures are among the features that make it outstanding compared to other cloud-based collaboration software.
The Quality of Google Security Measures
Third-party organizations regularly monitor Google to ensure its security is comprehensive and reliable. The following points show how Google maintains its security measures to protect users’ information:
➤1. Cultivating a Security-First Culture at Google
All Google employees receive security training throughout their career path. Google has created a security and privacy culture that raises employees’ awareness. To drive innovation in security and data privacy, Google often organizes internal conferences on security and privacy, open to all employees.
Google’s code of conduct also highlights its commitment to keeping users’ information safe; when developing new products, security is the priority after functionality.
➤2. High-Level Data Center Security
Google’s data centers feature 6 layers of security, from before the entrance to the exits. The data centers are monitored 24 hours a day, 365 days a year.
➤3. Resilient Infrastructure at Google
All components of the platform are designed to be highly redundant. Even if one component malfunctions, it won’t affect the others’ connections or cause a knock-on effect.
Google’s data centers are distributed across different countries to minimize the risk of natural disasters causing hardware, software, or network connectivity failures. If anything happens, data will be shifted automatically from one facility to another. Google’s Infrastructure Security Design documentation covers this in more detail.
➤4. Data Encryption
Google uses Transport Layer Security (TLS) for email routing, allowing all the servers to communicate in an encrypted manner. With TLS enabled by default, the transmission is encrypted, which prevents confidential information from leaking.
➤5. Monitored by a Professional Team
Every dedicated team at Google includes security and privacy professionals. Their primary role is to build, implement, and review the protection and privacy of new products. They are also tasked with maintaining the defense system and developing the organization’s security policies. The team also researches how to protect the broader community of internet users.
Furthermore, Google’s operational security includes vulnerability management, malware prevention, monitoring, and incident management to identify and stop potential attackers, keeping all users’ information safe under its umbrella.
The Core of Google’s Security Measures
Google Workspace has the same strict security measures as Google. Let us show you how Google applies its security measures to Google Workspace.
➤1. The Authentication (Two-Step Verification and Security Keys)
Setting up two-step verification and security keys strengthens account security. These features help minimize the risk of accounts being hacked or of errors caused by employees. Google also offers an advanced protection program for organizations, which applies a curated set of strong account security policies to ensure that every user’s account is protected.
➤2. Security Alert Management
As an administrator, you can use the security dashboard to track and trace suspicious access. The security center provides advanced security information and analytics to strengthen the organization’s protection. If any network phishing, malware, suspicious account, or abnormal device activity is detected, it triggers the alert system and sends a notification to the admin at the same time.
➤3. Encryption Data Protection
With Google’s hosted S/MIME solution, once an incoming email encrypted with S/MIME is received, it is stored using Google’s encryption. This provides strong authentication and encryption in transit without losing protection while the message is being processed. Take the bank statement that your bank emails you every month: even if someone else hacks into your email, they can’t obtain the account information without the encryption key.
Beyond that, Google also provides Data Loss Prevention (DLP) as an additional layer of protection designed to prevent sensitive or private information, such as IC numbers, passwords, or bank information, from leaking outside of an organization. Administrators can enable this feature to prevent their users from sending confidential data, and the same goes for Google Drive: administrators can control how users share Google Drive files and folders by restricting sharing to trusted domains or by disallowing external sharing. The resulting alert helps remind users to check whether they are sharing confidential files.
➤4. 99.9% Spam Filtering
Using Google’s machine learning models, Gmail has built a powerful spam filtering mechanism that can block over 99.9% of junk mail, phishing attempts, and malicious attacks, making it ideal for business email usage. Gmail places those potential threats in users’ spam folders after scanning the attachment in a security sandbox (a virtual environment for testing).
➤5. Virus/Malware Prevention
Google uses multiple antivirus engines in Gmail, Drive, servers, and workstations to help identify malware that antivirus signatures may miss. Google proactively scans websites in its search engines, manually and automatically, to identify sites that may be spreading malware or phishing attacks to prevent infection.
Google processes more than 300 billion attachments weekly to block harmful content and does its best to protect its users. To handle these constantly evolving threats, Google has developed new scanners with learning capabilities so that detection stays up to date.
FAQ about Google Workspace Security Measures
Here are some frequently asked questions and answers regarding the security of Google Workspace.
➤Is there a risk of data loss?
Data created within Google Workspace is backed up and distributed across Google’s data centers around the world. If there is a natural disaster or regional power shortage, data will be shifted automatically from one facility to another, which minimises the risk of data loss. With the 6 layers of security protecting the data, the chance of thieves successfully breaking into Google data centers to steal data is extremely low.
➤Is there a risk of data leakage?
Data leakage is the biggest concern that needs attention for now. Google minimizes the risk by developing and implementing various security measures, such as two-step account verification, alerts for suspicious logins, malware prevention, etc.
The Enterprise and higher editions have more powerful Data Loss Prevention (DLP) security capabilities. DLP allows monitoring of internal data flows and can trigger warnings or blocking settings to prevent users from sending confidential data.
➤Where is the data stored?
Google Workspace has data centers worldwide, with the Asia centers located in Japan, Singapore, and Taiwan. By selecting a Google Workspace data region, you can choose to store data in data centers in the US or Europe, or distribute it globally. Google Workspace offers two data region policy management options: the Base Data Region and the Enterprise Data Region. The applicable data region policy is different based on the region that was selected.
Enterprise Plus includes the Enterprise Data Region, while Frontline, Business Standard/Plus, and Enterprise Standard/Essentials include the Base Data Region.
➤Will Google misuse my data?
This is one of the main reasons why certain organizations refuse to adopt cloud solutions. To prevent any misuse, Google and its internal employees, contractors, suppliers, etc. who access the data are bound by strict confidentiality agreements.
Although all the data is organized and stored with Google, that doesn’t mean ownership of the data belongs to Google. Google has no right to sell the data or allow others to gather information for advertising purposes; thus there is no advertising in Google Workspace.
➤Will service be unavailable during maintenance?
Data in Google Workspace is backed up and distributed across Google’s servers and data centers worldwide. If one of the servers or data centers fails, data will be shifted automatically from one facility to another, so the service won’t be affected during maintenance periods.
➤Can data leakage be prevented if a computer or USB is lost?
As long as you store all your data in cloud storage, if the device you use is lost, just inform your administrator or sign in with another device to sign out remotely from the lost device. The risk of data leakage is much lower than when data is stored on hardware.
Regular Security Audits by Third-Party Organizations
Third-party organizations regularly monitor Google to ensure its security is comprehensive and reliable. By continuously undergoing audits by third-party organizations, Google can maintain its security, privacy, and compliance standards. Below are some of the standards and programs under which Google is audited by third parties.
➤ISO/IEC 27001 (Information Technology – Security Techniques – Information Security Management Systems – Requirements)
ISO/IEC 27001 is the international standard for information security management, helping organizations establish an information security management system that balances confidentiality, integrity, and availability. Google has obtained ISO/IEC 27001 certification for the systems, technologies, processes, and data centers required to operate Google Workspace.
➤ISO/IEC 27017 (Cloud Services Information Security Management)
ISO/IEC 27017 is a code of practice for information security controls for cloud services based on ISO/IEC 27002. Google’s compliance with international standards is accredited by the Dutch Accreditation Council (a member of the International Accreditation Forum) and Ernst & Young CertifyPoint, certified by the ISO.
➤ISO/IEC 27018 (Cloud Services Privacy Information Management)
ISO/IEC 27018 is an international standard focusing on protecting Personally Identifiable Information (PII) for public cloud service providers. Key points in ISO/IEC 27018 include not using customer data for advertising, ensuring customer ownership of data generated from Google Workspace services, providing data deletion and export tools, protecting customer information from third-party disclosure requests, and ensuring customers know where their data is stored.
➤SOC 2/SOC 3
SOC stands for Service Organization Controls, an auditing standard for service organizations developed by the American Institute of CPAs (AICPA). It focuses on Trust Services principles of security, availability, processing integrity, confidentiality, and privacy. Google has obtained SOC 2 and SOC 3 reports, with the SOC 3 report publicly available for download.
➤FedRAMP (Federal Risk and Authorization Management Program)
FedRAMP is a U.S. federal program that provides a standardized way to assess and authorize the security of cloud services for use by government agencies. Google Workspace complies with FedRAMP requirements, allowing its use with moderately sensitive government data. It also meets UK government security principles for handling confidential information.
➤PCI DSS (Payment Card Industry Data Security Standard)
The PCI DSS, administered by the Payment Card Industry Security Standards Council, establishes security requirements for organizations processing payment card data.
For Google Workspace users, Data Loss Prevention (DLP) policies can be configured to prevent emails containing payment information from being sent via Workspace. Google Vault allows auditing of Google Drive content to ensure no cardholder data is stored.
Contact TS Cloud To Understand More Google Workspace Security Questions
The article above covered the security measures of Google and Google Workspace, summarized from Google’s whitepapers. If you have any further inquiries regarding Google Workspace security, feel free to contact us; our Google Workspace Specialists are here for you!
Reference
- https://static.googleusercontent.com/media/workspace.google.co.jp/ja/jp/files/google-apps-security-and-compliance-whitepaper.pdf
- https://workspace.google.co.jp/intl/ja/security/?secure-by-design_activeEl=data-centers
- https://workspace.google.co.jp/intl/ja/customers/
- https://support.google.com/a/answer/9378686?hl=ja&ref_topic=9376233
- https://support.google.com/a/answer/7630496?hl=ja
- https://www.google.com/about/datacenters/locations/?_ga=2.243335501.990048692.1622852086-2066775523.1610663154
- https://support.google.com/a/answer/2520500?hl=ja&ref_topic=2683828
- https://support.google.com/a/answer/9223653?visit_id=638016668546074148-123459478&rd=1
- https://policies.google.com/privacy?hl=ja#infosecurity