Google Gives Enterprises Control of Workspace Encryption Keys

Google is readying a new set of security protections for enterprises that use its Workspace suite of tools, including the ability for organizations to enable client-side encryption of their data and have direct control of the keys.

Once the feature rolls out, when users create a new document, spreadsheet, or other file in Google Workspace, they can choose to create it as an encrypted file. To enable the feature, which will be coming out in beta form in the next few weeks, customers will need to choose one of four key-management companies that Google has partnered with: Thales, Virtru, Flowcrypt, or Futurex.

“With Client-side encryption, customer data is indecipherable to Google, while users can continue to take advantage of Google’s native web-based collaboration, access content on mobile devices, and share encrypted files externally. When combined with our other encryption capabilities, customers can add new levels of data protection for their Google Workspace data,” Karthik Lakshminarayanan and Erika Trautman of Google said in a post.

“Client-side encryption is especially beneficial for organizations that store sensitive or regulated data, like intellectual property, healthcare records, or financial data.”

The feature is set up so that the key-management service, and not Google, controls the encryption key and access to it. Google will also be publishing an API in the near future that will allow enterprises to build their own internal key-management services if they’d rather not trust that to a third party.

In addition to the client-side encryption, Google is also adding a feature that allows administrators to create granular rules for sharing files internally. The feature enables the creation of policies for file-sharing among specific groups inside an organization that take into account the way that business units and partners work together.

“With these new rules in place, admins can enforce restrictions that limit internal and external sharing. Specific rules can even be set for organizational units and groups, allowing a more granular approach than enforcing blanket policies on every user,” Lakshminarayanan and Trautman said.

Google is also adding enhanced malware and phishing protection for Workspace users, a feature that allows for the detection and quarantine of malicious or otherwise unwanted files created internally. It’s an analog to the protections that Google provides customers against malware from external sources.

“If abusive content is found, the relevant file is flagged and made visible only to admins and the file’s owner. This prevents sharing and reduces the number of users potentially impacted by the abusive content,” Lakshminarayanan and Trautman said.

The beta rollout for the new features will start in the next few weeks.