Google has announced enhancements to its Workspace productivity and collaboration suite that it claims will reduce security risks for distributed workforces. The company uses Google AI to improve data loss prevention (DLP) controls in Drive, implement new zero-trust controls, classify data in Drive, and automate the protection of sensitive information in Gmail.

New data sovereignty controls will enhance client-side encryption to give Workspace customers ownership of encryption keys, more options on where to store or process data, and the ability to limit access to support personnel in the European Union. On the admin side, Google will make two-step verification mandatory on select administrator accounts and require multiparty approval on sensitive administrator actions.

Google Workspace includes popular SaaS applications such as Drive, Gmail, Meet, Calendar, Docs, and Slides. Some of the enhancements announced today will apply to both the enterprise and consumer versions of those applications. All are either in the pilot stage or will be released in beta form by the end of the year.

Data loss prevention a key focus

What makes SaaS suites like Workspace attractive to organizations with distributed workforces also increases the risk of data theft or exposure. Workspace makes it easy to share data both within the enterprise and with external parties. Employees might inadvertently or intentionally make sensitive information available to unauthorized parties or leave it accessible to threat actors.

The first step to protecting sensitive information is to accurately identify and label it as such. Then controls must be placed around who has access to it and where it can reside. Available in preview, Workspace can now automatically classify and label data stored in Google Drive using Google AI. Workspace admins can then apply their own DLP or context-aware access (CAA) controls to help implement a zero-trust model.
Google will help train customers’ own AI models.

“Context-Aware Access has helped us manage our risks by not making access a binary choice but allowing for more flexibility in access policies and allowing them to be applied to the right people, applications, and data,” Tim Ehrhart, domain lead, information security at Roche, said in a statement. “Since using CAA, we've been able to allow our users to use more of Google Workspace for a broader set of scenarios with more confidence in the safety of that work.”

Admins can also now set context-aware controls for information stored in Drive using criteria such as device location or security status. Information that does not meet the security criteria will be blocked from Drive. This feature will be available in preview later this year, as will enhanced DLP controls for Gmail.

Navigating the complexities of digital sovereignty rules

More than 100 countries now have digital sovereignty laws that mandate organizations to store or process data on their citizens within their boundaries. This creates challenges for security and IT teams, especially when using cloud-based applications like Workspace. Google announced its Sovereign Controls for Google Workspace in May 2022 with the promise to add enhancements through this year. Among the new capabilities announced today are client-side encryption features including:

Enterprise Workspace customers can also now select where they store their encryption keys. Google can offer this capability with the help of global partners Thales, Stormshield, and Flowcrypt. The company claims this will simplify local regulatory compliance.

Later this year in preview, Workspace customers will be able to choose whether their data is processed in the EU or US. They can already choose where data is stored at rest.
Customers also now have the option of storing a copy of Workspace data in a country of their choice.

Preventing identity-based attacks

AI or any other technology isn’t much help in denying access if a threat actor has obtained credentials through social engineering or other means. Compromised admin credentials are particularly dangerous. To address this, Google has provided new access controls.

Starting later this year in a phased approach, Google will require Workspace resellers and its largest enterprise customers to implement two-step verification on enterprise admin accounts. Also, Workspace admins will be able to require additional approval by another administrator to complete sensitive actions. This feature will be available in preview later this year.

AI-enhanced threat detection

Artificial intelligence is particularly good at accurately spotting anomalies in large data sets. To that end, Google is using AI to help detect threats on a couple of levels. Available in preview now is a new AI-powered Gmail feature that scans for potentially malicious actions or mishandling of sensitive data. This feature is available to both enterprise customers and consumers.

Workspace customers who also use Google Cloud’s Chronicle security operations suite can now export logs “in just a few clicks” for threat analysis. “Hundreds of Workspace customers are already using Chronicle for modern threat detection, investigation and response,” Andy Wen, director of product for Workspace Security and Compliance, Google Cloud, tells CSO. “With this new integration, our customers can sync Workspace data to Chronicle with a few clicks and leverage out-of-the-box curated Workspace detections to respond to risks with greater speed and precision.” This integration is available now in preview. Google offers APIs and BigQuery exports to enable integrations with other SIEMs.