At a Google Cloud press event on Tuesday, the company announced Google Cloud’s rollout over the course of this year of new AI-powered data security tools bringing zero-trust features to Workspace, Drive, Gmail and data sovereignty. The enhancements to Google Drive, Gmail, the company’s security tools for IT and security center teams and more are designed to help global companies keep their data under lock and encrypted key and security operators outrun advancing threats.
Google Cloud’s enhancements align with CISA’s zero-trust model
The event was kicked off by Jeanette Manfra, senior director of global risk and compliance for Google Cloud and former assistant director for the Cybersecurity and Infrastructure Security Agency. Noting last year’s 38% increase in cyberattacks and an average $4.35 million cost to organizations due to data breaches, she said Google’s ambition behind many of its security innovations is to align capabilities with CISA’s Zero Trust Maturity Model.
“At Google, zero-trust is much more than a buzzword — it’s a core part of our organization,” said Manfra. “I’m a big fan of what CISA is trying to do. We are mapping our capabilities against that, including adding ways to improve how users classify and label data — specifically, using AI in Google Drive to do so automatically.”
SEE: At Black Hat, experts discuss the virtues of AI as a cybersecurity weapon (TechRepublic)
With zero-trust in mind, Google enhances data loss prevention and access
Google said the roster of improvements is designed to enhance security teams’ control over data loss prevention and context-aware access, capabilities that give security operations granular control of who and what digitally enters and leaves an organization. The improvements will also help organizations accelerate their zero-trust adoption and meet standards articulated in CISA’s Zero-Trust Maturity Model and other industry frameworks, according to the company.
Google AI for Google Drive
The focus of the new enhancements across Google Drive includes a slew of zero-trust aligned, AI-powered enhancements to its cloud-native architecture, according to Google, which said AI will drive automated data labeling and classification to defend against exfiltration attempts by threat actors.
In essence, administrators can use customizable confidentiality-preserving AI models to automatically classify and label new and existing files in Google Drive. Administrators can then apply granular data protection controls such as data loss prevention and context-aware access, which allow control over who can access an application depending on such factors as user location, IP address or their device (Figure A).
Tim Ehrhart, domain lead, information security at pharma company Roche extolled the virtues of context-aware access, saying the granular controls CAA allows helped the company shift away from VPNs and office network connections. “Context-aware access has helped us manage our risks by not making access a binary choice, but allowing for more flexibility in access policies and allowing them to be applied to the right people, applications and data,” he said in a statement.
This new AI application for Google Drive is now available in preview.
Enforcing DLP controls in Google Drive
Google is also incorporating data loss prevention into Workspace, a feature that the company said will include the ability for admins to put guardrails around how someone shares data by enabling settings based on criteria such as device location and user security status. A user would only be able to share sensitive content on Google Drive if they met specific requirements. Google said the new capability provides more granular controls to help prevent unintended data loss (Figure B).
Enhanced Data Loss Prevention for Workspace will be available later this year in preview.
Extending enhanced DLP controls to Gmail
Google said it will also extend data loss prevention to Gmail, letting administrators regulate data osmosis in and out of an organization based on the sensitivity of emails. This feature, already in Google Chat, Drive and Chrome, will be added to Gmail initially in preview later this year.
Google’s new sovereignty controls in Workspace
Google is also adding controls to Workspace that can provide a step change in attestable digital sovereignty with secure-by-default infrastructure, technical data access controls and industry certifications all in a single cloud instance.
Andy Wen, Google Cloud’s director of product for Workspace security and compliance, explained that the company’s digital sovereignty controls are enabling a nuanced approach to how organizations control the use of data they own, and how they tailor these priorities to meet such regulatory frameworks as the European General Data Protection Regulation, or GDPR. He said new sovereignty controls improve upon such tactics as data residency, when it comes to how an organization controls the movement of its information across borders.
SEE: On GDPR’s fifth birthday, experts lauded its successes (TechRepublic)
“By itself, data residency in a given country does not prevent unintended data transfer due to things like law enforcement requests,” Wen said. He added that if an organization is using on-premise solutions to prevent data transfer, it may inadvertently transfer data in, say, email notifications because of aspects of email content such as subject lines. “Customers implementing data transfer limitations might not realize this is happening and therefore are countermanding sovereignty.”
Google adds keys to data encryption
Among the announcements Google Cloud made at the press event was a new client-side encryption program that lets administrators thwart third-party access to sensitive data. The third parties include foreign governments and Google.
The involvement of security firms Thales, Stormshield and FlowCrypt speaks to the program’s focus on issues around securing transnational data flow from the peering eyes of threat actors, government entities and others. Google said CSE customers will be able to securely store their encryption keys with trusted partners in the country of their choice in order to make the local regulatory compliance process easier.
In June 2023, Google launched an open beta feature that allows individuals and organizations to log in to Workspace with public and private encrypted passkeys. This feature enhances identity access management for users.
Other encryption-focused enhancements Google Cloud said it is installing include the following.
- Support for mobile apps in Google Calendar, Gmail and Meet. This is generally available.
- The ability to set CSE as default for select organizational units. This will be available in preview later this year.
- Guest-access support in Meet. This will be available in preview later this year.
- Comments support in Docs. This will be available in preview later this year.
- The ability for users to view, edit or convert Microsoft Excel files. This is available in preview.
“We started work on client-side encryption in 2021; today, we’re launching an expansion of coverage to our mobile apps for Gmail, Calendar and Meet so that our enterprise and public sector customers can get the benefit of CSE on-the-go instead of just their desktops,” said Wen. “It protects data by encrypting it browser to browser, so even Google doesn’t see the content. We think this is not only a great control for sovereignty but a helpful control for security.”
SEE: Google Cloud study sees risks in proliferating credentials (TechRepublic)
Adding AI to Google Cloud SOC support
Google Cloud spokespeople said the company will incorporate new and sometimes mandatory identity access management protocols into its Workspace tools for IT and security operations.
- Google this year will phase in two-step verification for reseller administrator accounts and make 2SV mandatory for its biggest enterprise customers.
- The company will, later this year, require multi-party approval for sensitive administrator actions such as changing a user’s 2SV settings.
- AI-powered automated email filtering or forwarding to screen for potential phishing content. This is available in preview.
- The ability for Workspace administrators to export Workspace logs into Google’s Chronicle SIEM, using AI to identify anomalies and help improve their response time to threats. This is available in preview.
“Most security administrators are overwhelmed with alerts,” said Wen, adding that the ability to move Workspace logs into Chronicle reduces the workload on security teams. “There are lots of scenarios that our Chronicle investigation tool can help identify. It can even detect insider threats, where a trusted insider has downloaded data and is potentially looking for data leaks. This type of detection is particularly handy amid ongoing resource constraints in the security industry.”