Google security: Raising the bar

Google was born in the cloud and we run on the cloud, so it's no surprise that our infrastructure is even more secure than most traditional solutions. With Google Apps for Work, you can harness all the benefits of the strong security we rely on every day. The combination of a robust, world-scale infrastructure, over 550 security professionals, and our drive to constantly innovate enables Google to stay ahead of the curve in security and to offer the safest data protection environment for your organization.

Secure infrastructure

At Google data centers, security and data protection aren't afterthoughts — they're central to our design. Our physical security model includes standard safeguards like custom electronic access cards, perimeter fencing, and metal detectors. But we also use cutting-edge tools like biometrics and laser-based intrusion detection — making physical breaches a "mission impossible" scenario for would-be attackers.

Google uses custom-built servers and network equipment that we design ourselves. Unlike most commercially available hardware, Google servers don’t have unnecessary components that can introduce vulnerabilities. This standardized environment is continually monitored for binary modifications. If a modification deviates from the standard Google server image, the system is automatically returned to its official state.

Google’s vast network of data centers is connected by our own network, consisting of our own fiber, public fiber, and undersea cables. This allows us to deliver highly available, low-latency services across the globe.

Core customer data handled in the Google Apps for Work suite is encrypted while at rest. Data in transit is also encrypted: as your information travels over the Internet to or from Google’s servers or moves within Google from one datacenter to another, it is protected.

Google's collaborative security culture

At Google, all employees are required to be security-savvy. From hiring and onboarding to training and events, we continually raise awareness and encourage vigilance. Google employs more than 550 full-time security and privacy professionals. Our team includes some of the world’s foremost experts in information, application, and network security.

To supplement the expertise of our employees, we have long enjoyed a close relationship with the security research community. Researchers regularly help identify vulnerabilities in Google Apps and other Google products. Our Vulnerability Reward Program encourages researchers to report design and implementation issues that may put customer data at risk, and we offer substantial rewards for these contributions. We publicly thank these individuals and list them as contributors to our products and services.

Our security team also takes part in research and outreach activities to protect the wider community of Internet users, beyond just those who choose Google solutions. For example, our Project Zero team of security analysts finds zero-day exploits, not just in Google products but in all software used by our users.

To help Google remain secure, we have incorporated security into our software development process. This can range from security professionals analyzing proposed architectures to reviewing code for security vulnerabilities, to understand the different attack models for a new product or feature. However, this starts with security education and ingraining security into our culture and everything we do.

Transparency and control

We’re committed to providing customers with the information they need about our systems and processes — whether that's a real-time performance overview; the results of a data handling audit; or the location of our data centers. It’s your data, so we make sure you have control over it. You can delete it or export your data and take it with you at any time.

We regularly publish Transparency Reports detailing how governments and other parties can affect your security and privacy online. We think you deserve to know; we have a long track record of keeping you informed and standing up for your rights.

Product security highlights

Google Apps for Work offers administrators extensive control over system configuration and application settings—all integrated in a single dashboard that includes many easy-to-use security features. This section summarizes several of these features; for details, see the Google for Work Security and Compliance Whitepaper.

Data Loss Prevention (DLP)

Google for Work administrators can set up a DLP policy to protect sensitive information. A library of predefined content detectors is provided to make setup easy. Once the DLP policy is in place, Gmail will automatically check all outgoing email and take action: either quarantine the email for review, tell users to modify the information, or block the email from being sent and notify the sender. These checks apply not only to email text, but also to content within common attachment types. Learn more in our DLP whitepaper.

2-step verification and Security Key

2-step verification greatly reduces the risk of unauthorized access by asking users for additional proof of identity when signing in. The Security Key feature offers another layer of security for user accounts, by requiring a physical key. The key sends an encrypted signature rather than a code, helping to guard against phishing. Google for Work administrators can easily deploy, monitor, and manage the Security Key at scale from within the Admin console — with no additional software to install.

Google Apps identity services (IDaaS)

With the Google Apps for Work single sign-on service (SSO), customers can use one set of credentials to access multiple apps. Google products support SAML 2.0 (Security Assertion Markup Language) for more than 15 popular Software as a service (SaaS) identity providers. Users can discover and connect with more than 1,000 SAML 2.0 and OpenID Connect (OIDC) apps through the Google Apps Marketplace.

Information Rights Management (IRM)

To help admins maintain control over sensitive data, we offer Information Rights Management in Google Drive. Administrators and users can disable downloading, printing, and copying from the advanced sharing menu.

Data Retention and eDiscovery

The Google Apps Vault lets you retain, archive, search, and export your organization's email for your eDiscovery and compliance needs. Vault is entirely web-based, so there's no need to install or maintain any software. With Vault, you can search your domain's email data; set custom retention policies; place user accounts (and related data) on litigation hold to preserve email data; and manage related searches.

Mobile device management (MDM)

The Google Apps for Work Admin console helps you manage your users' Android, iOS, Windows, and Blackberry devices. With MDM, you can enforce device policies throughout your organization and perform other security-related actions, such as remote wiping.

Suspicious login monitoring

Google uses its robust machine learning capabilities to help detect suspicious logins. When we discover a suspicious login, we notify admins so they can work to ensure the accounts are secured.

Spam filters and Malware Detection

Google has one of the best spam filters available. We use machine learning to detect and block even the most advanced types of spam. Less than 0.1% of email in the average Gmail inbox is spam, and incorrect filtering of mail to the spam folder is even less likely (under 0.05%).

To help prevent malware, Google automatically scans every attachment for viruses prior to a user downloading it. Gmail even checks for viruses in attachments that are being sent. This helps to protect everyone who uses Gmail, and prevents the spread of viruses.

No advertising in Google Apps for Work

There is no advertising in the Google Apps core services. We have no plans to change this. Google does not collect, scan, or use data from Google Apps core services for advertising purposes.

For information about our policies for our free consumer products (not Google Apps for Work), be sure to check our Privacy and Terms pages.

Data access and restrictions

Only a small number of Google employees have access to customer data. Access rights and levels are based on employee job function and role; we use the concepts of least privilege and need-to-know to match access privileges to defined responsibilities. Google employee access to customer data is monitored and audited by our dedicated security, privacy, and internal audit teams.

Law enforcement data requests

Google may receive direct requests from governments and courts around the world for customer data. The customer, as the data owner, is primarily responsible for responding to law enforcement data requests. Respecting the privacy and security of the data you store with Google remains our priority as we comply with these legal requests. Detailed information about data requests and Google’s response to them is available in our Transparency Report. It is Google’s policy to notify customers about requests for their data, unless specifically prohibited by law or court order.

Customer administrator roles

While they are managing servers, software or patches, customers can assign a variety of internal administrative roles and privileges to manage their users. This role-based access control in Google Apps protects privacy by allowing individual team members to manage certain services or perform specific administrative functions without gaining access to all settings and data.

EU Data Protection

Google for Work has a broad customer base in Europe. Google provides product capabilities and contractual commitments to enable and facilitate our customers’ compliance with EU Data Protection requirements, and follows the recommendations provided by the Article 29 Working Party (an independent European advisory body focused on data protection).

Model contract clauses

The European Commission has approved a set of model contract clauses as a means to ensure adequate safeguards for the transfer of personal data to processors established outside the European Economic Area. The Article 29 Working Party has provided further guidance on how to meet European data protection requirements when engaging with cloud computing providers, in the form of additional model contract clauses. Google provides EU Model Contract Clauses that reflect the requirements and guidance provided by these European data protection bodies.

Data Processing Amendment

To help Google Apps for Work customers address data protection and compliance regulations, we offer a Data Processing Amendment that describes our specific data protection commitments for your Google Apps information. You can access the data processing amendment from the Admin console.

  • Author
    Julien Blanchez - Google for Work Security & Privacy
