Google security: Raising the bar
Google was born in the cloud and we run on the cloud, so it's no surprise that our infrastructure is even more secure than most traditional solutions. With G Suite, you can harness all the benefits of the strong security we rely on every day. The robustness of our world-scale infrastructure, along with over 650 security professionals, and our drive to innovate, enables Google to stay ahead of the curve in security and offer the safest data protection environment for your organization.
At Google data centers, security and data protection aren't afterthoughts — they're central to our design. Our physical security model includes standard safeguards like custom electronic access cards, perimeter fencing, and metal detectors. But we also use cutting-edge tools like biometrics and laser-based intrusion detection — making physical breaches a "mission impossible" scenario for would-be attackers.
Google uses custom-built servers and network equipment that we design ourselves. Unlike most commercially available hardware, Google servers don’t have unnecessary components that can introduce vulnerabilities. This standardized environment is continually monitored for binary modifications. If a modification deviates from the standard Google server image, the system is automatically returned to its official state.
Google’s vast network of data centers is connected by our own network, consisting of our own fiber, public fiber, and undersea cables. This allows us to deliver highly available, low-latency services across the globe.
Core customer data handled in G Suite is encrypted while at rest. Data in transit is also encrypted so that your information is protected as it travels over the Internet to or from Google’s servers or moves within Google from one data center to another.
Google's collaborative security culture
At Google, all employees are required to think "security-first." From hiring and onboarding to required training and events, we continually raise awareness and encourage vigilance. Google employs more than 650 full-time security and privacy professionals. Our team includes some of the world’s foremost experts in information, application, and network security.
To supplement the expertise of our employees, we have long enjoyed a close relationship with the security research community. Researchers regularly help identify vulnerabilities in G Suite and other Google products. Our Vulnerability Reward Program encourages researchers to report design and implementation issues that may put customer data at risk, and we offer substantial rewards for these contributions. We publicly thank these individuals and list them as contributors to our products and services.
Our security team also takes part in research and outreach activities to protect the wider community of Internet users, beyond just those who choose Google solutions. For example, our Project Zero team of security analysts finds zero-day exploits, not just in Google products but in all software used by our users.
To ensure Google remains secure, we incorporate security into our entire software development process. This can range from security professionals analyzing proposed architectures, to reviewing code for security vulnerabilities in order to understand the different attack models for a new product or feature.
Transparency and control
We’re committed to providing customers with the information they need about our systems and processes — whether that's a real-time performance overview; the results of a data handling audit; or the location of our data centers. It’s your data; we ensure you have control over it. You can delete your data or export it at any time.
We regularly publish Transparency Reports detailing how governments and other parties can affect your security and privacy online. We think you deserve to know, and we have a long track record of keeping you informed and standing up for your rights.
Product security highlights
G Suite offers administrators extensive control over system configuration and application settings—all integrated into a dashboard that includes many easy-to-use security features. This section summarizes several of these features; for details, see the G Suite Security and Compliance Whitepaper.
Data Loss Prevention (DLP)
G Suite administrators can set up a DLP policy to protect sensitive information. A library of predefined content detectors is provided to make setup easy. Once the DLP policy is in place, for example, Gmail can automatically check all outgoing email and take action: either quarantine the email for review, tell users to modify the information, or block the email from being sent and notify the sender. These checks apply not only to text, but also to content within common attachment types. Learn more in our DLP whitepaper.
2-step verification and Security Key
2-step verification greatly reduces the risk of unauthorized access by asking users for additional proof of identity when signing in. Our Security Key feature offers another layer of security for user accounts, by requiring a physical key. The key sends an encrypted signature rather than a code, helping to guard against phishing. G Suite administrators can easily deploy, monitor, and manage the Security Key at scale from within the Admin console — with no additional software to install.
G Suite identity services (IDaaS)
With the G Suite single sign-on service (SSO), customers can use one set of credentials to access multiple apps. Google products support SAML 2.0 (Security Assertion Markup Language) for more than 15 popular software as a service (SaaS) identity providers. Users can discover and connect with more than 1,000 SAML 2.0 and OpenID Connect (OIDC) apps through the G Suite Marketplace.
Information Rights Management (IRM)
To help admins maintain control over sensitive data, we offer Information Rights Management in Google Drive. Administrators and users can disable downloading, printing, and copying from the advanced sharing menu.
Data Retention and eDiscovery
Google Vault lets you retain, archive, search, and export your organization's email for your eDiscovery and compliance needs. Vault is entirely web-based, so there's no need to install or maintain extra software. With Vault, you can search your domain's email data; set custom retention policies; place user accounts (and related data) on litigation hold to preserve email data; and manage related searches.
Mobile Device Management (MDM)
The G Suite Admin console helps you manage your users' Android, iOS, Windows, and Blackberry devices. With MDM, you can enforce device policies throughout your organization and perform other security-related actions, such as remote wiping.
Suspicious login monitoring
Google uses its robust machine learning capabilities to help detect suspicious logins. When we discover a suspicious login, we notify admins so they can work to ensure the accounts are secured.
Spam filters and malware detection
Google has one of the best spam filters available. We use machine learning to detect and block even the most advanced types of spam. Less than 0.1% of email in the average Gmail inbox is spam, and incorrect filtering of mail to the spam folder is even less likely (under 0.05%).
To help prevent malware, Google automatically scans every attachment for viruses prior to a user downloading it. Gmail even checks for viruses in attachments queued for dispatch. This helps to protect everyone who uses Gmail, and prevents the spread of viruses.
No advertising in G Suite
There is no advertising in G Suite Services, period. Google does not collect, scan, or use data from the core services for advertising purposes.
For information about our policies for our free consumer products (not G Suite), be sure to check our Privacy and Terms pages.
Data access and restrictions
Only a small number of Google employees have access to customer data, and those who do are subject to comprehensive monitoring and logging. Access rights and levels are based on employee job function and role; we use the concepts of least privilege and need-to-know to match access privileges to defined responsibilities.
Law enforcement data requests
Google may receive direct requests from governments and courts around the world for customer data. The customer, as the data owner, is primarily responsible for responding to law enforcement data requests. Respecting the privacy and security of the data you store with Google remains our priority as we comply with these legal requests. Detailed information about data requests and Google’s response to them is available in our Transparency Report. It is Google’s policy to notify customers about requests for their data, unless specifically prohibited by law or court order.
Customer administrator roles
Customers can assign a variety of internal administrative roles and privileges to manage their users. This role-based access control in G Suite protects privacy by allowing individual team members to manage certain services or perform specific administrative functions without gaining access to all settings and data.
EU Data Protection
G Suite has a broad customer base in Europe. Google provides product capabilities and contractual commitments to enable and facilitate our customers’ compliance with EU Data Protection requirements, and follows the recommendations provided by the Article 29 Working Party (an independent European advisory body focused on data protection).
Model contract clauses
The European Commission has approved a set of model contract clauses as a means to ensure adequate safeguards for the transfer of personal data to processors established outside the European Economic Area. The Article 29 Working Party has provided further guidance on how to meet European data protection requirements when engaging with cloud computing providers, in the form of additional model contract clauses. Google provides EU Model Contract Clauses that reflect the requirements and guidance provided by these European data protection bodies.
Data Processing Amendment
To help G Suite customers address data protection and compliance regulations, we offer a Data Processing Amendment that describes our specific data protection commitments for your G Suite information. You can access the data processing amendment from the Admin console.
Julien Blanchez - Google Cloud Security & Privacy