Google Cloud whitepaper
November 2019
Trusting your
data with G Suite
2
Table of contents
1. Introduction 3
2. Managing your data lifecycle on G Suite 4
2.1 Data protection
2.2 Data deletion
2.3Dataexpoanddownload
2.4 Data governance
2.5 Data residency
2.6 Incident detection & response
3. Managing Google’s access to your data 10
3.1 Data access controls
3.2 Data access transparency
3.3 Google employee access authorization
3.4Whathappensifwegetalawfulrequestfromagovernmentfordata?
4. Security and compliance standards 13
4.1Independentvericationofourcontrolframework
4.2Compliancesuppoforcustomers
Conclusion 14
The information contained herein is intended to outline general product direction and should not be relied upon in making purchasing decisions nor shall it be used
to trade in the securities of Alphabet Inc. The content is for informational purposes only and may not be incorporated into any contract. The information presented
is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Any references to the development, release, and timing of any
features or functionality described for these services remains at Google’s sole discretion. Product capabilities, timeframes and features are subject to change and
should not be viewed as Google commitments.
3
1. Introduction
At Google Cloud we’ve set a high bar for what it means to host,
serve, and protect customer data. Security and data protection are
at the core of how we design and build our products. We start from
the fundamental premise that Google Cloud customers own their
data and control how it is used. The data that a customer stores
and manages in G Suite is only used to provide that customer with G
Suite services. These services are provided in accordance with the
customer’s contract¹ and for no other purpose - not for advertising,
not for anything else. Our Google Cloud Trust Principles² summarize
our commitment to securing and protecting the privacy of data
stored by customers in Google Cloud.
This whitepaper provides details about how we protect customer
data throughout its lifecycle as well as how we provide customers
with transparency and control over their data in G Suite. G Suite
offers built-in data protection at scale, by default, designed to
protect your business from intrusions, theft, and attacks. Customer
data in G Suite is encrypted at rest³ by default and, depending on
the connection, Google applies default protections to customer
data in transit. In addition to continuous security monitoring for
external threats, we explain the robust controls and auditing in place
to protect against insider access to customer data. These include
providing customers with near real-time logs of Google administrator
access data, where available. If you'd like to learn more about how
G Suite Terms.
G Suite products regularly undergo independent, third-party audits
our controls and commitments. An overview of our key compliance
with their compliance journey, is also provided in this paper.
¹ Including additional instructions provided by the customer in accordance with the
contract, for example, instructions provided to Google through the Admin console.
² Page 3, Privacy
³ Page 3, How Google Uses Encryption to Protect Your Data
Page 3, How Google Uses Encryption to
Protect Your Data
Page 3, G Suite (Online) Agreement
4
2. Managing your data
lifecycle on G Suite
This section describes the data lifecycle in G Suite through the lens of security and privacy, including
G Suite features that can help reduce common risks.
2.1 Data protection
Using G Suite services involves transferring data between your computer (typically via your browser) or mobile
device, Google’s servers and, sometimes, other users. Google enables encryption in transit by default between
your device and our data centers, and uses Transport Layer Security (TLS) protocol to encrypt requests before
transmission outside Google. This helps prevent third parties from exploiting vulnerabilities in internet
connections to access sensitive data.
encrypted
at rest without the customer having to take any action. For further information on encryption, please see our
G Suite Encryption whitepaper.
Customers can control access to data and services on G Suite to help ensure that data is protected in accordance
Role-based access controls enable customers to appoint users as
administrators, granting the user the ability to access and perform certain tasks in the G Suite Admin console. You
can make a user a super administrator who can perform all tasks in the Admin console. Or you can assign a role
that limits which tasks the administrator can perform, for example, by allowing them only to create groups, manage
service settings, or reset a user's password.
Customers can strengthen account security by using 2-step verification and security keys. These can help mitigate
accounts. With the Advanced Protection Program for enterprise, we can enforce a curated set of strong account
security policies for enrolled users. These include requiring security keys, blocking access to untrusted apps, and
enhanced scanning for email threats.
Page 4, How Google Uses Encryption to Protect Your Data
Page 4, How Google Uses Encryption to Protect Your Data
Page 4, Assign administrator roles to a user
on our
support page.
Page 4, See security best practices guidance on our security
checklists page.
5
To facilitate easier user access, while at the same time protecting the security of data, Google has
developed context-aware access.¹¹ This provides granular controls for G Suite apps, based on a
user’s identity and context of the request (such as device security status or IP address). Based on
the BeyondCorp¹² security model developed by Google, users can access web applications and
infrastructure resources from virtually any device, anywhere, without utilising remote-access VPN
gateways while administrators can establish controls over the device.
The protection of information on mobile and desktop devices can be a key concern for customers. G
Suite customers can use endpoint management¹³ to help protect corporate data on users’ personal
devices and on an organization’s company-owned devices. By enrolling the devices for management,
users get secure access to G Suite services and organizations can set policies to keep devices and
data safe through device encryption and screen lock or password enforcement. Furthermore, if a device
is lost or stolen, corporate accounts can be remotely wiped from mobile devices and users can be
remotely signed out from desktop devices. Reports enable customers to monitor policy compliance and
get information about users and devices. You can obtain further information on endpoint management
here.
¹¹
Using context-aware access capabilities to protect access to G Suite
apps requires a Cloud Identity Premium or G Suite Enterprise license.
¹² Page 5, BeyondCorp
¹³
Page 5, Manage devices for your organization
6
2.2 Data deletion
Customers may also seek control over the deletion of data. The safe deletion of data is important to
customers to protect them from the risk of accidental data loss. At the same time, when customers
instruct deletion of data, it is equally important that this data is completely deleted from servers after a
period of time.
When you delete data in G Suite, we immediately start the process of removing it from the product and
our systems unless it is subject to a Google Vault retention policy per the customer’s instructions.
First, we aim to immediately remove it from view. We then begin a process designed to safely and
completely delete the data from our storage systems. Each Google storage system from which data
gets deleted has its own detailed process for safe and complete deletion. This might involve repeated
backup storage as another layer of protection to help recover from potential disasters. Data can remain
on these systems for up to 6 months.
2.3Dataexpoand
download
Customers may want to export and download
their data securely from our services.
We provide portability and migration
commitments are included in our data
processing agreement.
The data export tool available in your G
Suite Admin console enables you to export all
supported data for each active user in your
organization. We also provide the ability for
your users to directly download their data on
an individual level.
6, Note that administrators can restore data that was
on our support page.
6, G Suite Data Processing Amendment
Page 6, Export your organization's data
Customers cannot partially export certain types of data, and cannot
export data for a subset of users
Page 6, Download your data
7
2.4 Data governance
Enterprises operating in certain countries and/or regulated industries, such as Healthcare and Financial Services,
may be required to meet certain compliance obligations, including HIPAA, PCI DSS, GDPR, etc. By using security
compliance. Section 4.2 of this paper provides an overview of the compliance support that we offer to customers.
Most organizations also have internal policies which dictate the handling of sensitive data. To help G Suite
administrators maintain control over sensitive data, we offer information rights management in Google
Drive. Administrators and users can use the access permissions in Google Drive to protect sensitive content
Administrators can control
trusted domains.²¹
they are shared outside of the organization.
Many organizations are required to preserve data for certain periods of time and to delete sensitive data after a
time period. Google Vault,²² the retention solution for G Suite customers, can be used to set retention rules that
remove affected data.²³ Customers can create as many custom rules as their organization needs. Learn more
about how Vault manages retention.
Page 7, Set Drive users' sharing permissions
²¹ Certain features, such as restricting sharing to only
whitelisted domains, are only available with G Suite Enterprise,
Enterprise for Education, Drive Enterprise, Business, Education,
²²
Drive Enterprise and G Suite Enterprise for Education editions only.
²³ Refer to section 2.2 Data Deletion for further information about Google’s
deletion process.
Page 7, How retention works
8
Data loss prevention (DLP) adds another layer of protection designed to prevent sensitive or private information
on warning or blocking actions, to prevent users from either accidentally or maliciously sending condential data.
their enterprise needs. For attachments and image-based documents, DLP uses Google’s leading optical character
recognition to increase detection coverage and quality. Learn more here about Gmail DLP. DLP can also be used
to prevent users from sharing sensitive content in Google Drive or shared drive with people outside of your
organization.
Enterprises storing data in the Cloud seek visibility into data access and account activity. G Suite audit logs help
security teams maintain audit trails in G Suite and view detailed information about Admin activity, data access, and
system events. G Suite users can use the Admin Console to access these logs and can customize and export logs
as required.
Customers may wish to allow their users access to third party apps or may even wish to develop their own custom
apps. G Suite has a robust developer ecosystem, with thousands of apps available via G Suite Marketplace and
directly to customers, and a rich API framework enabling users to develop custom apps. However, not all third-party
apps will conform to every customer’s security policy. With app access control, enterprises can see which third-
party apps users have approved to access their G Suite data and can reduce this risk by limiting access to trusted
apps. We also help enterprises manage risk with app verification, which ensures that apps accessing Gmail data
meet security and privacy standards.³¹
Available to G Suite Enterprise, Drive Enterprise and G
Suite Enterprise for Education customers only.
Page 8, Understand audit logs
Available for all G Suite customers
³¹ Page 8,
Further information for developers is provided in our OAuth API Verification FAQ.
9
2.5 Data residency
Google’s globally distributed data centers³² reduce latency for multinational organizations and protect their data
with geo redundancy. Some organizations, however, have requirements around where their data is stored, and we’re
committed to meeting their needs.
Data regions³³ for G Suite provides control over the geographical location for storage of email messages,
documents, and other G Suite content. Customers can choose between the United States, Europe or global
this support page for more information on
this feature.
2.6 Incident detection & response
With multiple security and privacy controls in place, organizations need a centralized location where they can
prevent, detect, and remediate threats. The G Suite security center provides advanced security information and
analytics, and added visibility and control into security issues affecting your domain. It brings together security
analytics, actionable insights and best practice recommendations from Google to empower you to protect your
organization, data and users.
As an administrator, you can use the security dashboard to see an overview of different security center reports.
The security health page provides visibility into your Admin console settings to help you better understand and
manage security risks. Furthermore, you can use the security investigation tool to identify, triage, and take action
on security and privacy issues in your domain. Administrators can automate actions in the investigation tool by
creating activity rules
In addition, the alert center for G Suite provides all G Suite customers with alerts and actionable security insights
about activity in your domain to help protect your organization from the latest security threats including phishing,
malware, suspicious account, and suspicious device activity. You can also use the alert center API to export alerts
into your existing ticketing or SIEM platforms.
availability of customer data. You can learn more about how Google detects and manages our own incidents in our
Data incident response process whitepaper.
³² Page 9, Discover our data center locations
³³ Page 9, Data regions
Page 9, Refer to this guidance for a list of
data and services covered by Data Regions.
Page 9, Choose a geographic location for
your data
Suite Enterprise edition.
You must be an administrator with a G Suite Enterprise, G
Suite Enterprise for Education, Drive Enterprise, or Cloud Identity
Premium Edition license to access the security center. With Drive
Enterprise or Cloud Identity Premium Edition, you receive a subset
of security center reports on the security dashboard.
Page 9, About the security dashboard
Page 9, Get started with the security health page
Page 9, About the security investigation tool
Page 9, Create activity rules
with the investigation tool
Page 9, Alert Centre
Page 9, Programmatically
manage G Suite alerts.
Page 9, Data incident
response process
10
3. Managing Google’s access
to your data
This section explains the limited circumstances under which customer data may be accessible by Google
personnel and the internal controls to ensure this access is appropriate and limited. The customer contract
describes and governs Google’s access to customer data. This section further describes the available tools that
provide visibility into Google access and the ability to manage and control that access.
3.1 Data access controls
There are three ways customer data may be accessed in G Suite:
1
Direct customer access
2
Internal Google access by authorized individuals
3
Suite service access
Google has three types of controls in place to ensure that each of
these access pathways function as intended:
•
Direct customer access: All authentication sessions to G
Suite are encrypted and users can only access the services
enabled by their Domain Administrator.
•
Internal Google access by authorized individuals:
Google implements strict access controls to ensure
the person accessing the data is authorized to do so and
Access Transparency Logs.
•
G Suite Service Access: When internal G Suite
services access your data, Google uses technologies like
Binary Authorization to validate the provenance and integrity
of the software.
services integrated with Access Transparency. Access
Transparency is available to G Suite Enterprise and G
Suite Enterprise for Education customers only
Page 10, Binary Authorization
11
3.2 Data access transparency
Google Cloud is explicit in its commitment to customers: you own your data, and we will never use it for any
commitments, customers want additional transparency and control from their cloud service provider.
As part of Google's long-term commitment to transparency and user trust, we provide Access Transparency, a
feature that enables customers to review logs of actions
customer data.
Access Transparency log entries include the following types of details: the affected resource and action; the time
of the action; the reasons for the action (for example, the case number associated with a customer support
request); and data about who is acting on the data (such as the Google staff member's location).
Access Transparency logs are generated when people at Google access data in an Access Transparency supported
G Suite customers can
monitor the logs through the G Suite Admin console.
Learn more about Access Transparency for G Suite on this support page.
3.3 Google employee access authorization
with Google’s code of conduct. In addition, we’ve designed our systems to limit the number of employees that
have access to customer data and to actively monitor the activities of those employees.
Google employees are only granted a limited set of default permissions to access company resources. Access
to internal support tools is controlled via access control lists (ACLs). Google follows a formal process to grant or
revoke employee access to Google resources, and access is automatically removed for departing employees.
and logged. An employee's authorization settings are used to control access to all resources, including data and
systems for G Suite products. Access is monitored by our dedicated security teams as a check on the effectiveness
of our controls. The security teams actively monitor access patterns and investigate unusual events.
Page 11, Access Transparency logs
Page 11, There are some exceptions
which are detailed in this support article.
Page 11, Access Transparency logs
Page 11, Use Access Transparency to report Google access
Page 11, Google Code of Conduct
12
3.4Whathappensifwegetalawfulrequest
fromagovernmentfordata?
Like other technology and communication companies, Google receives requests from governments
public the volume and type of government requests for customer data that we receive in a biannual
transparency report, and describe how Google responds to those requests. Our reports are industry-
leading and have become the standard in the U.S.
If Google receives a government request for cloud customer data,
it is Google’s policy to direct the government to request such data
directly from the cloud customer. Each request that Google receives
regarding a customer account is reviewed using these guidelines:
1
Respect for the privacy and security of data stored with Google.
We have a team that reviews and evaluates each and every one
of the requests we receive based on international human rights
standards, our own policies, and the law. Google does not
provide any government entity with "backdoor" direct access and
we do not hesitate to protect customer interests.
2
Customer notication. Except in emergency situations involving
a threat to life, it is our policy to notify the customer before any
by law.
3
Consideration of customer objections. Google will, to the
extent allowed by law and by the terms of the request, comply
with a customer’s reasonable requests regarding its efforts
to the disclosure with the relevant court and providing a copy of
the objection to Google.)
Detailed information is available in our Transparency Report.
Page 12, Requests for user information
Page 12, Requests for user information
13
4. Security and
compliance standards
4.1Independentvericationofourcontrolframework
undergoes several independent third-party audits on a regular basis to provide this assurance. Some of the key
international standards we are audited against are:
• ISO 27001 (Information Security Management)
• ISO 27017 (Cloud Security)
• ISO 27018 (Cloud Privacy)
• SOC 2 and SOC 3 reports
Google also participates in sector and country-specific frameworks, such as FedRAMP (US government), BSI C5
(Germany), MTCS (Singapore), and many others. We also provide resource documents and mappings for certain
frameworks where formal certifications or attestations may not be required or applied.
For a complete listing of our compliance offerings, please visit cloud.google.com/security/compliance/.
4.2Compliancesuppoforcustomers
who has access to data, and how security incidents will be managed. We have dedicated teams of engineers and
compliance experts who support our customers in meeting their regulatory compliance and risk management
obligations. Our approach includes collaborating with customers
regulatory needs.
We allow customers in certain regions or customers operating in certain regulated verticals to conduct audits to
validate Google’s security and compliance controls.
Page 13, ISO 27001
Page 13, ISO 27017
Page 13, ISO 27018
Page 13, SOC 2
Page 13, SOC 3
Page 13, FedRAMP
Page 13, Cloud Computing Compliance Controls Catalog (C5)
Page 13, MTCS (Singapore) Tier 3
Page 13, Compliance resource center
14
5. Conclusion
Protecting customer data is a primary design consideration for Google Cloud’s infrastructure,
applications and personnel operations. Google’s security practices are verified by independent third-
parties, providing assurance to customers regarding our security controls and practices. Google
offers strong contractual commitments to ensure our customers maintain control over their data
and its processing, including the commitment that we only process your customer data according to
your instructions
Google Cloud will continue to invest so that customers can use our services in a secure and
transparent manner. For more information, please visit cloud.google.com/security/ and to learn
more about G Suite security visit gsuite.google.com/security.
15
Appendix: URLs
Page 3
Page 4
Page 5
Page 6
² Privacy: https://cloud.google.com/security/privacy/
³ How Google Uses Encryption to Protect Your Data: https://storage.googleapis.com/gfw-touched-accounts-pdfs/
google-encryption-whitepaper-gsuite.pdf
How Google Uses Encryption to Protect Your Data: https://storage.googleapis.com/gfw-touched-accounts-pdfs/
google-encryption-whitepaper-gsuite.pdf
G Suite (Online) Agreement: https://gsuite.google.com/intl/en_uk/terms/2013/1/premier_terms.html?_
ga=2.236109891.-396183558.1551709596&_gac=1.185934747.1566901180.CIODgNiF7-MCFWWOxQIday8BMw
How Google Uses Encryption to Protect Your Data: http://services.google.com/fh/files/helpcenter/google_
encryptionwp2016.pdf
How Google Uses Encryption to Protect Your Data: https://storage.googleapis.com/gfw-touched-accounts-pdfs/
google-encryption-whitepaper-gsuite.pdf
Assign administrator roles to a user: https://support.google.com/a/answer/172176
https://support.google.com/a/answer/175197?hl=en
https://support.google.com/a/answer/9184226?hl=en&ref_topic=7559287
¹¹ Context-aware access: https://cloud.google.com/context-aware-access/
¹² BeyondCorp: https://cloud.google.com/beyondcorp/
¹³ Endpoint Management: https://gsuite.google.com/products/admin/endpoint/
Manage devices for your organization: https://support.google.com/a/topic/24642?hl=en&ref_topic=4499525
https://support.google.com/a/answer/6052340?hl=en
https://gsuite.google.com/terms/dpa_terms.html
Export your organization's data: https://support.google.com/a/answer/100458?hl=en
Download your data: https://support.google.com/accounts/answer/3024190
16
Appendix: URLs
Page 8
Page 9
Page 10
Google Data Loss Prevention for work: https://storage.googleapis.com/gfw-touched-accounts-pdfs/Gmail_dlp_
whitepaper.pdf
https://support.google.com/a/answer/6280516?hl=en
https://support.google.com/a/answer/6321530?hl=en
Understand audit logs: https://support.google.com/a/topic/9027054
https://support.google.com/a/answer/9352843?hl=en
³¹ OAuth API Verification FAQ: https://support.google.com/cloud/answer/9110914
³² Discover our data center locations: https://www.google.com/about/datacenters/location/
³³ Data regions: https://gsuite.google.com/products/admin/data-regions/
What data is covered by a data region policy?: https://support.google.com/a/
answer/9223653?visit_id=637055305974501610-3285746069&rd=1
Choose a geographic location for your data: https://support.google.com/a/
answer/7630496?hl=en&ref_topic=7631290
Security centre: https://gsuite.google.com/products/admin/security-center/
About the security dashboard: https://support.google.com/a/answer/7492330
Get started with the security health page: https://support.google.com/a/answer/7491656
About the security investigation tool: https://support.google.com/a/answer/7575955
Create activity rules with the investigation tool: https://support.google.com/a/answer/9275024?hl=en
Alert Centre: https://gsuite.google.com/products/admin/alert-center/
Programmatically manage G Suite alerts: https://developers.google.com/admin-sdk/alertcenter/
Data incident response process: http://services.google.com/fh/files/misc/data_incident_response_2018.pdf
Access Transparency logs: https://support.google.com/a/answer/9230979?hl=en&ref_topic=9230579
Binary Authorization: https://cloud.google.com/binary-authorization/
Page 7
Set Drive users' sharing permissions: https://support.google.com/a/answer/60781?hl=en
²² What is Google Vault?: https://support.google.com/vault/answer/2462365?hl=en
How retention works: https://support.google.com/vault/answer/2990828?hl=en#
17
Appendix: URLs
Page 13
ISO 27001: https://cloud.google.com/security/compliance/iso-27001/
ISO 27017: https://cloud.google.com/security/compliance/iso-27017/
ISO 27018: https://cloud.google.com/security/compliance/iso-27018/
SOC 2: https://cloud.google.com/security/compliance/soc-2/
SOC 3: https://cloud.google.com/security/compliance/soc-3/
FedRAMP: https://cloud.google.com/security/compliance/fedramp/
Cloud Computing Compliance Controls Catalog (C5): https://cloud.google.com/security/compliance/bsi-c5/
MTCS (Singapore) Tier 3: https://cloud.google.com/security/compliance/mtcs/
Compliance resource center: https://cloud.google.com/security/compliance/
Page 12
Requests for user information: https://transparencyreport.google.com/user-data/overview
Requests for user information: https://transparencyreport.google.com/user-data/overview
Page 11
Access Transparency logs: https://support.google.com/a/answer/9230979?hl=en&ref_topic=9230579
https://support.google.com/a/
answer/9230474?hl=en&ref_topic=9230579
Access Transparency logs: https://support.google.com/a/answer/9230979?hl=en&ref_topic=9230579
Use Access Transparency to report Google access: https://support.google.com/a/
answer/9230474?hl=en&ref_topic=9230579
Google Code of Conduct: https://abc.xyz/investor/other/google-code-of-conduct/
