Bring your own device (BYOD) is no longer just a trend — it’s how business gets done. With thousands of mobile applications to choose from and an increasing number of websites optimized for mobile, today’s employees can work whenever and wherever they choose. It also means IT organizations now have the dual challenge of both helping employees be more productive and protecting corporate data.

We're adding new features to Google Apps Mobile Management for Android to help your organization meet these challenges head on:

  1. Inactive account wipe: Set policies that will wipe an inactive account from a device if it has not been synced for a predetermined number of days, so a lost device that wasn’t reported or the old device left in a drawer does not cause a security risk.
  2. Support for EAP-based WiFi Networks: Configure settings and distribute certificate authority (CA) based certs for EAP networks.
  3. Compromised device detection: Set policies that will detect signals for common forms of a compromised device, such as “rooting” or installing a custom "ROM", and block that device.
  4. Additional reporting fields: Access new reporting fields via the API and Admin console to better understand the devices that are in use and troubleshoot issues. Additional fields include: Serial number, IMEI, MEID, WiFi MAC address, baseband version, kernel version, build number, mobile operator/carrier, language settings, and account ownership/management.

To learn more about these mobile device management features visit our Help Center. You can also visit the Google Admin console at to enable this service to help you rest assured that your corporate data stays safe.


Millions of businesses trust Google to keep their data safe—a responsibility we take very seriously. We focus on protecting our customers’ data from all unauthorized access, whether from common phishing, sophisticated hacking, or state-sponsored intrusions. That’s why this spring we implemented new, mandatory HTTPS connections to secure user access to Gmail and protect email messages as they move to Gmail servers.

Our commitment to your security doesn’t stop there, which is why we’ve recently added even more business-friendly features for our Google Apps Business, Government and Education customers:

  • Mail routing, delivery controls and SMTP relay service—Control the flow of information to and from your company with policy-based routing to ensure that company messages are filtered, even if they are sent from third-party or other non-Gmail sources.
  • Attachment compliance—Protect your business by blocking or rerouting messages based on what is attached to emails, providing controls over what content is sent and received.
  • TLS Encryption of message content—Prevent eavesdropping and message spoofing through secure encryption and delivery.

In addition to these increased security measures, as we recently announced, we’ve now turned off ads in Google Apps services. This means administrators no longer have the option or ability to turn on ads in these services. We’ve also permanently removed all ads scanning in Gmail for Google Apps, which means Google does not collect or use data in Google Apps services for advertising purposes.

Customers who have chosen to show AdSense ads on their Google Sites will still be able to display those existing ads on their websites. However, it will no longer be possible to edit or add new AdSense ads to new or existing sites.

All this is part of our commitment to providing the best security to ensure your data is protected, while strengthening the features our Google Apps customers care about the most.


Today more than 30 million students, teachers and administrators globally rely on Google Apps for Education. Earning and keeping their trust drives our business forward. We know that trust is earned through protecting their privacy and providing the best security measures.

This is why, from day one, we turned off ads by default in Apps for Education services. Last year, we removed ads from Google Search for signed-in K-12 users altogether. So, if you’re a student logging in to your Apps for Education account at school or at home, when you navigate to, you will not see ads.

Of course, good privacy requires strong security. We have more than 400 full-time engineers — the world’s foremost experts in security — working to protect your information. We always use an encrypted HTTPS connection when you check or send email in Gmail, which means no one can listen in on your messages as they go back and forth between your laptop, phone or tablet and Gmail’s servers — even if you’re using public WiFi.

Today, we’re taking additional steps to enhance the educational experience for Apps for Education customers:

  • We’ve permanently removed the “enable/disable” toggle for ads in the Apps for Education Administrator console. This means ads in Apps for Education services are turned off and administrators no longer have the option or ability to turn ads in these services on.
  • We’ve permanently removed all ads scanning in Gmail for Apps for Education, which means Google cannot collect or use student data in Apps for Education services for advertising purposes.

Users who have chosen to show AdSense ads on their Google Sites will still have the ability to display those existing ads on their websites. However, it will no longer be possible to edit or add new AdSense ads to existing sites or to new pages.

We’re also making similar changes for all our Google Apps customers, including Business, Government and for legacy users of the free version, and we’ll provide an update when the rollout is complete.

On Thursday, May 1 at 9:00 am PT, we’ll be hosting a Hangout on Air on our Google for Education G+ page with myself; Jonathan Rochelle, Director of Product Management for Docs and Drive and Hank Thiele, Chief Technology Officer for District 207 in Park Ridge, IL who uses Google Apps. We'll be discussing these changes and answering your questions. We look forward to hearing from you.

For more information about student privacy in Google Apps for Education, please visit our website.


(Cross-posted on the Official Google Blog and Gmail Blog)

Editor's note: The updates below apply to both consumers and Google Apps users.

Your email is important to you, and making sure it stays safe and always available is important to us. As you go about your day reading, writing, and checking messages, there are tons of security measures running behind the scenes to keep your email safe, secure, and there whenever you need it.

Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you're using public WiFi or logging in from your computer, phone or tablet.

In addition, every single email message you send or receive—100% of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers—something we made a top priority after last summer’s revelations.

Of course, being able to access your email is just as important as keeping it safe and secure. In 2013, Gmail was available 99.978% of the time, which averages to less than two hours of disruption for a user for the entire year. Our engineering experts look after Google's services 24x7 and if a problem ever arises, they're on the case immediately. We keep you informed by posting updates on the Apps Status Dashboard until the issue is fixed, and we always conduct a full analysis on the problem to prevent it from happening again.

Our commitment to the security and reliability of your email is absolute, and we’re constantly working on ways to improve. You can learn about additional ways to keep yourself safe online, like creating strong passwords and enabling 2-step verification, by visiting the Security Center:


Most businesses these days rely on technology to get their work done. And anyone who’s responsible for that technology — or even anyone who just follows the news — knows that 2013 was a big year for internet security. Of course, security has been a top priority for Google for over a decade. Millions of businesses trust Google to keep their data safe every day -- a responsibility we take very seriously. We focus on protecting our customers’ data from all unauthorized access, whether from common phishing, sophisticated hacking, or state-sponsored intrusions.

Google employs hundreds of full-time world-class security engineers. We were the first to offer important security tools, like free two-step verification, encrypted connections between your browser and our servers, and a handful of other security innovations. As a company, Google uses the same products and services that we offer to our customers. We run on the same infrastructure, in the same data centers.

Before businesses slow down for the holidays, we wanted to highlight a few of the many investments we’ve made and features we’ve launched in 2013 to help keep our customers — and everyone on the web — safe. Of course, there’ll be much more to come next year.

Offering new security tools for Google Apps administrators:

In addition to protecting our customers, Google also makes it easier for customers to protect themselves. For domain administrators, having visibility into and control over how their users’ accounts are working is a big help.

  • Suspicious login alerts: A new feature in the Google Apps Admin Console allows administrators to receive email alerts when our systems detect suspicious or unusual login activity in their users’ accounts. This helps admins stay informed of what’s happening in their domain — to a degree not possible with most email systems — and, when necessary, take swift corrective action.
  • Android device management: Organizations can manage smartphones and tablets - including Android and iOS - right from the Google Apps Admin console. The Android device management features include the ability to selectively wipe Google Apps account data without wiping a user’s entire device and require the latest version of the Device Policy app to ensure security policies are enforced across all devices.
  • Account recovery: A new account recovery process for super administrators helps keep their accounts more secure by allowing each super admin to specify their own recovery email address and telephone number. And the new mobile Admin app lets administrators quickly accomplish the most critical tasks (like suspending users or resetting passwords) wherever they are, using an Android phone or tablet.

Verifying our practices through third-party certifications and regulatory compliance:

When it comes to security and helping our customers comply with specific industry regulations, you don’t just need to take our word for it. Many of our security practices have been reviewed and verified by third-parties in the form of audits.

  • FISMA: The Federal Information Systems Management Act includes a rigorous evaluation of the security processes and data protections, and is required by U.S. federal government customers. Google Apps was the first cloud productivity suite to receive FISMA back in 2010, and we renewed our certification again this year.
  • ISO 27001: ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. After earning ISO 27001 for Google Apps in 2012, we renewed our certification again this year for Google Apps and received the certification for Google Cloud Platform.
  • SOC2, SSAE 16 & ISAE 3402: Companies use the SOC2, SSAE 16 Type II audit, and its international counterpart ISAE 3402 Type II audit, to document and verify the data protections in place for their services. We’ve successfully completed these audits for Google Apps every year since 2008 (when the audits were known by their previous incarnation, SAS 70) and we did so again this year for Google Apps and Google Cloud Platform.
  • HIPAA: This year, we started offering Business Associate Agreements (BAAs) to help our customers who need to comply with the Health Insurance Portability and Accountability Act (HIPAA) while using Google App.

Improving security for everyone on the web:

Our work doesn’t end with providing security for Google products or even Google customers. To keep ahead of the bad guys, we work with researchers and others in the broader security community to make sure the the web is safe for everyone.

  • Updated SSL certificates: To keep users safe, we utilize encryption on almost all connections made to Google, but this encryption needs to be updated at times to make it even stronger. This year, we upgraded all of our SSL certificates to 2048-bit RSA, which will help the industry move away from weaker, 1024-bit keys next year.
  • Vulnerability rewards: Since introducing our vulnerability rewards programs in 2010, we’ve rewarded (and fixed!) more than 2,000 security bug reports, paid out more than $2 million in rewards, and been recognized for setting leading standards for response time. And to convey our commitment to security and thank researchers for their important work, this year we increased the maximum award from $1000 to $5000.
  • Easier recovery for hacked websites: As a site owner, discovering your site is hacked with spam or malware is stressful, and trying to clean it up under a time constraint can be very challenging. We’ve been working to make recovery even easier and streamline the cleaning process — we notify webmasters when the software they’re running on their site is out of date, and we’ve set up a dedicated help portal for hacked sites with detailed articles and videos explaining each step of the process to recovery. This year, we released additional security tools so webmasters can find information about security issues on their site in one place and pinpoint problems faster with detailed code snippets.

Whether it’s creating easy-to-use tools to help organizations manage their information or keeping customer data safe from prying eyes, we’re constantly investing to ensure that Google earns and keeps your trust. Here’s to a happy, healthy, and (most of all) safe 2014.


More than ever, people are bringing their own mobile phones and tablets to work. This "bring your own device" (BYOD) trend appeals to companies that want their employees to be productive on the go, with devices they enjoy using. As an admin, your role in a BYOD environment is to make sure users keep their mobile devices secure.

Comprehensive mobile device management is included with Google Apps for Business, Government and Education. Organizations large and small can manage smartphones and tablets - including Android and iOS - right from the Google Apps Admin console, with no need for special hardware or software.

Today we’re adding new Android device management features based on top requests from our customers.
  1. Selective wipe - Remove Google Apps account data without wiping a user’s entire device. 
  2. SD card wipe - During a full device wipe, wipe SD cards in addition to the internal memory.
  3. Device Policy app - Ensure that security policies are enforced across all devices by requiring the latest version of the Device Policy app. 
  4. Wi-Fi configuration - Enter wi-fi settings in the Admin console once -- and they'll be automatically pushed out to all managed Android devices.
Android users can stay connected on the go with mobile apps like Gmail, Drive and Hangouts. Admins can manage their domain with the new mobile Admin app. And admins can let employees bring their own devices to work while keeping those devices secure and saving their employees time with Google Apps device management.

To learn more about these mobile device management features, visit our Help Center or start managing devices right away by visiting your Admin console at


(Cross-posted on the Official Google Blog.)

Editor's note: Staying safe on the internet means being smart whenever you're online -- at home, at work and on your mobile device. The tips shared below are intended to help you protect yourself and your family. For more information about what Google does to protect our enterprise customers' data, check out our trust series on this blog and our security white paper.

Technology can sometimes be complicated, but you shouldn’t have to be a computer scientist or security expert to stay safe online. Protecting our users is one of our top priorities at Google. Whether it’s creating easy-to-use tools to help you manage your information online or fighting the bad guys behind the scenes, we’re constantly investing to make Google the best service you can rely on, with security and privacy features that are on 24-7 and working for you.

Last year, we launched Good to Know, our biggest-ever campaign focused on making the web a safer, more comfortable place. Today, on Safer Internet Day, we’re updating Good to Know to include more tips and advice to help you protect yourself and your family from identity theft, scams and online fraud. You can also learn how to make your computer or mobile device more secure, and get more out of the web — from searching more effectively to making calls from your computer. And you can find out more about how Google works to make you, your device and the whole web safer.

For example, we encrypt the Gmail and Google Search traffic between your computer and Google -- this protects your Google activity from being snooped on by others. We also make this protection, known as session-wide SSL encryption, the default when you’re signed into Google Drive. Because outdated software makes your computer more vulnerable to security problems, we built the Chrome browser to auto-update to the latest version every time you start it. It gives you up-to-date security protection without making you do any extra work.

Even if you don’t use Google, we work hard to make the web safer for you. Every day we identify more than 10,000 unsafe websites — and we inform users and other web companies what we’ve found. We show warnings on up to 14 million Google Search results and 300,000 downloads, telling our users that there might be something suspicious going on behind a particular website or link. We share that data with other online companies so they can warn their users.

We know staying safe online is important to you — and it is important to us too. That's why we've had independent third parties perform inspections and audits for the data protections in Google Apps.

Please take some time today to make your passwords stronger and turn on 2-step verification to protect your Google Account. Talk with friends and family about Internet safety. And visit our new Good to Know site to find more tips and resources to help you stay safe online.


In March 2012, we launched Google Apps Vault, bringing enterprise-class information governance to Google Apps. Vault delivers retention, archiving and eDiscovery capabilities for email and chat messages, enabling businesses of all sizes to access and manage business-critical information. Vault offers true manage-in-place capabilities by applying retention policies directly to the Google Apps data, without the need to move, export, or create a copy of data in a separate location.

Google Apps Vault already archives, searches and manages messages in all languages that Google Apps supports (50+). Now the Google Apps Vault user interface is available in 28 languages, including double-byte languages like Japanese, Chinese and Arabic. This new, global Vault interface enables customers worldwide to more easily access and manage their data, further reducing the costs and risks that businesses today face.
"Google Apps Vault offers compelling capabilities and value for businesses around the world in preparing for litigation, investigation, and managing day-to-day business. Vault integrates seamlessly across the evolving Google platform while integrating with business and industries of all sizes. This is a key component in our forward thinking strategy to drive down costs and provide enhanced client service."

- Eric Hunter - Director of Knowledge, Innovation & Technology Strategies at Bradford & Barthel, LLP
Google Apps Vault is available for new and recent Google Apps for Business and Education customers. Existing customers will be able to deploy Google Apps Vault later this year.


Keeping Google Apps accounts secure is important to us, and we've recently added two security features that can better protect user accounts. The first helps businesses deploy 2-step verification and the second enhances integration with Microsoft Active Directory®.

Since we launched 2-step verification, we’ve seen millions of users enable it and thousands more do so every day. 2-step verification requires two means of identification to sign in to a Google Apps account: something you know (a password) and something you have (a verification code from your mobile phone). Even if someone has stolen your password, they'll need more than that to access your account. This additional layer of security greatly reduces the chance of unauthorized access via account hijacking or other means.

Starting today, domain administrators can require the users in their domain to use 2-step verification. This new feature will help Google Apps customers accelerate their deployment of 2-step verification.

For businesses that use Microsoft Active Directory® (AD), we’ve added new capabilities to synchronize and manage passwords. Businesses can manage password policies (e.g. password strength, reset intervals, etc.) using AD and then synchronize from AD to Google Apps when passwords are changed. Passwords are transmitted hashed and encrypted during synchronization.

Learn how to configure this new 2-step verification policy in the Google Apps help center. Download the Google Apps Password Sync for Active Directory (GAPS), and learn how to configure it in the help center.


In the early days of the cloud, security concerns were often at the top of business minds as they considered moving to Google Apps. More recently, though, security has become a major reason businesses are moving to the cloud. The reason for this shift is that businesses are beginning to realize that companies like Google can invest in security at a scale that's difficult for many businesses to achieve on their own. This investment has produced an infrastructure and a set of services with robust data protections for our customers.

Today we are proud to announce that Google Apps for Business has earned ISO 27001 certification. ISO 27001 is one of the most widely recognized, internationally accepted independent security standards and we have earned it for the systems, technology, processes and data centers serving Google Apps for Business. Our compliance with the ISO standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council, a member of the International Accreditation Forum (IAF). Certificates issued by Ernst & Young CertifyPoint are recognized as valid certificates in all countries with an IAF member.

“As a multi-billion dollar, global provider of packaging and packaging solutions, MWV understands the value of international standards. Many of our own processes are ISO certified. So, I am thrilled that Google Apps, our core communications platform, is also now ISO certified with its recent ISO 27001 certification. This certification validates what I already knew, through due diligence, about Google Apps - that the technology, process and infrastructure offers good security and protection for the data that I store in Google Apps. I think it's important, find it assuring and am very pleased that Google Apps will be audited and certified to this Information Security Management System ISO standard on an ongoing basis”

- Chet Loveland, CISO and Global Compliance Officer, MWV
This new certification, along with our existing SSAE 16 / ISAE 3402 audits and FISMA certification for Google Apps for Government, help assure our customers that Google is committed to ongoing development and maintenance of a robust Information Security Management System (ISMS) that an independent, third-party auditor will regularly audit and certify. For more information on the security audits and certifications for Google Apps, please review our certification 1-pager.


(Cross-posted from the Official Google Blog and the Google Green Blog.)

For the last year, our data center team has been working on a project to bring our facilities to even higher standards for environmental management and workforce safety. Recently we got the good news that our work paid off.

All of our U.S. owned and operated data centers have received ISO 14001 and OHSAS 18001 certification. We’re the first major Internet services company to gain external certification for those high standards at all of our U.S. data centers.

In a nutshell, both standards are built around a very simple concept: Say what you’re going to do, then do what you say—and then keep improving. The standards say what key elements are required, but not how to do it—that part’s up to us. So we set some challenging goals for ourselves, and we asked our auditors to confirm that we’ve followed through on them.

Here’s an example of the kind of improvements we’ve implemented: Like most data centers, ours have emergency backup generators on hand to keep things up and running in case of a power outage. To reduce the environmental impact of these generators, we’ve done two things: first, we minimized the amount of run time and need for maintenance of those generators. Second, we worked with the oil and generator manufacturers to extend the lifetime between oil changes. So far we’ve managed to reduce our oil consumption in those generators by 67 percent.

A second example: each of our servers in the data center has a battery on board to eliminate any interruptions to our power supply. To ensure the safety of the environment and our workers, we devised a system to make sure we handle, package, ship and recycle every single battery properly.

These are just two elements of what ultimately adds up to a comprehensive system of policies that our data center teams follow in their day-to-day operations. We do this because we want to be the gold standard in environmental and workforce safety, and because we care about the communities where we live and work. This is one more reason you can feel confident that when you're using our products, you're making an environmentally responsible choice.

Our data centers in the following U.S. locations have received this dual certification. We plan to pursue certification in our European data centers as well.

  • The Dalles, Ore.

  • Council Bluffs, Iowa

  • Mayes County, Okla.

  • Lenoir, N.C.

  • Monck’s Corner, S.C.

  • Douglas County, Ga.


Posted by Adam Dawes, Gmail Product Manager

Last year, we started integrating Postini’s business-class email security and management capabilities into Gmail and today we’re excited to be rolling out the latest round of integrated features. Google Apps administrators can now take advantage of improved email compliance footers, approved/blocked sender lists and file attachment policies. These capabilities help our customers address compliance requirements and effectively manage email traffic. Previously, Google Apps customers used Google Message Security, powered by Postini, to provide these capabilities.

With this new release, we’ve improved these features and designed them specifically to meet the needs of our Apps customers. Admins will manage the features natively in the Google Apps control panel (localized in 28 languages), leverage our granular policy framework to customize settings for different types of users, and join multiple rules together to address very targeted use cases.

These new features are available globally for Google Apps for Business, Google Apps for Government and Google Apps for Education editions.

Dominie Liang, IT Director at New Media Group in Hong Kong, was able to use the new features to quickly address his company’s compliance requirements:

"Our legal team wanted us to add a compliance note to all of our outbound email. Thanks to Google's new email feature set, we could easily add the rich text format disclaimer with Chinese characters to the email footer, and solved the issue within a minute."

George Krieger, Technical Services Manager, Mazda Raceway Laguna Seca, adds:

"The new message footers in Gmail have made it easy for us to standardize our email signatures and more effectively promote our race schedules. And I love the ability to delegate control of these to our Media department so they can change them when they want without having to call me. This is a major improvement for us."

With the addition of these features to Gmail, there is no longer a need to use Google Message Security (GMS) with Google Apps so we will no longer offer GMS to Google Apps customers. We’ll work with those customers currently using GMS to migrate their settings to these new features. For more information on these features and how customers can migrate to them please refer to this Google Apps Help Center article and the Transition Guide.


Editors note: This is the final post in a series that explores the top ten reasons why customers trust Google with their business data. A complete top ten list can be found here.

It’s important for all businesses regardless of size or industry to assess the risk of potential data breaches and take steps to prevent them, especially in the area of information technology. The use of laptops, smartphones, tablets and other mobile devices is increasing as users demand anytime, anywhere access to email and documents. This can increase the risk of a data breach if you’re using traditional applications which store a local copy of the data on the device and the device gets lost or stolen.

Google Apps can help reduce the risk of a data breach by limiting the data that is stored on your devices. When you check email or work on a document in a browser with Google Apps, the data is stored in our data centers, not on your device. That means that if your device gets lost or stolen, there is lower overall risk of a data breach. Similarly, if you collaborate with others in Google Docs, you don’t need to send them a copy of the document. You can enable and disable access to the document with a simple set of sharing controls and your collaborators access it from their browser. The document does not need to be stored locally on their device for them to collaborate on it.

For those times when you want to access Google Apps but you don’t have an Internet connection, we recently released an offline capability for Gmail and for Google Docs. The offline capability does involve some local data storage on devices. The amount of stored data is likely to be smaller as only a limited amount of documents and email are synchronized to the device for offline access. If you decide that this local data storage poses a risk, you can easily disable offline access.

For additional security and data protection information, including a video tour of a Google data center, you can visit our Google Apps security page.

Posted by Sam Srinivas, Product Management Director, Google Information Security Team

Editors note: This post is part of a series that explores the top ten reasons why customers trust Google with their business data. A complete top ten list can be found here.

As you compose a message in Gmail or collaborate on a document in Google Docs, you probably don’t often think about what we do to protect the data in that email or document. But behind the scenes we have an information security team that makes protecting your information its highest priority.

Information security is something that is important to every business. As Internet use has become widespread in the business world, attacks on applications and systems are becoming pervasive and sophisticated. Increasingly, monitoring and protecting applications and users against these attacks requires a great deal of infrastructure and technical expertise — usually more than one person or a small team can manage. Our information security team includes hundreds of full-time members working in close cooperation with the engineers developing Google applications. Some of the world's leading security researchers are members of our team, allowing Google to stay at the forefront of detection, response, and security software best practices.

We monitor our applications and systems continuously, using sophisticated automated systems that are designed to detect unusual activity and block it or flag it for immediate analysis by our monitoring team. We provide end-user features including 2-step verification, which defeats many common attacks such as trying to break into an account using a stolen password. Our Safe Browsing service helps protect users against malware and phishing. All of this technology and expertise comes together to enhance the security of your Google Apps data, allowing your IT staff to focus more of their attention on your business’s strategic needs.
“As the threats in the external environment change, [Google is] at the forefront of preventing, responding and anticipating. That’s one of the great things about partnering with Google - you have some of the best minds in the world working on those problems, which really frees me up to work on the problems that are unique to me and that I can really specialize in.”

- Todd Pierce, CIO of Genetech
Finally, we work to educate users about online safety. To that end, one of the most important things you can do to improve the security of your Google Apps accounts is to start using 2-step verification. We encourage you to set it up and start exploring other ways to better protect your information.


Editors note: This post is part of a series that explores the top ten reasons why customers trust Google with their business data. A complete top ten list can be found here.

Google Apps allows you to be productive anywhere. For example, you may want to check your email or work on a document in a coffee shop, airport or hotel using a public wireless network. Google Apps protects your data in these situations by establishing an encrypted connection while you work. Without it, an unauthorized person could potentially hijack your session and gain access to your account. Using an Internet standard known as HTTPS, we encrypt your data as it travels from your browser to our servers. This makes it much harder for an imposter to access your account this way. We’ve supported encrypted connections from the day Google Apps launched over five years ago, and we made it the default setting for all users at the beginning of last year.

October is National Cyber Security Awareness Month and we’ve introduced a new Google Security center with more information on encrypted connections and other ways you can stay safe online.


Editors note: This post is part of a series that explores the top ten reasons why customers trust Google with their business data. A complete top ten list can be found here.

We believe our customers should have lots of visibility into how we protect the data that is stored in Google Apps. And while it’s one thing for us to tell you how we protect the data, as we do in our blog posts and security white paper, it’s also helpful when independent third parties perform inspections and audits.

Cloud computing companies use the the SSAE 16 Type II audit, and its international counterpart ISAE 3402 Type II audit, to document and verify the data protections in place for their services. These auditing standards are defined by the The American Institute of Certified Public Accountants (AICPA) and the the International Auditing and Assurance Standards Board (IAASB), respectively. These audit standards have replaced the SAS 70 Type II audit, which Google Apps first completed in 2008. In our audits, we specify the confidentiality, integrity and availability controls that our customers are most concerned about, which are then verified by our auditors. We recently announced that we’ve successfully completed the SSAE 16 and ISAE 3204 Type II audits for Google Apps, Postini services, Google Apps Script, Google Storage for Developers and Google App Engine.

Google Apps for Government has also received Federal Information Security Management Act (FISMA) certification from the U.S. Government. The FISMA certification includes a rigorous evaluation of the security processes and data protections in place in Google Apps for Government and is required by U.S. federal government customers, who must comply with FISMA by law.

Third party audits are only part of the security and compliance benefits of Google Apps. For more information visit our Google Apps security page.


Editors note: This post is part of a series that explores the top ten reasons why customers trust Google with their business data. A complete top ten list can be found here.

Technology failures and natural disasters can significantly impact your business. Planning for them can be cumbersome and expensive. In a typical on-premise IT environment disaster recovery often means redundant infrastructure, backup tapes or storage area networks and a lot of IT complexity. Some businesses even build and manage duplicate data centers, specifically for disaster recovery, and those data centers sit idle the majority of the time.

The effectiveness of a disaster recovery plan is commonly measured in two ways: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO measures how long before users can access systems in the event of a failure. RPO measures how much of a time gap exists when the data is restored. Businesses that have invested lots of time and money in disaster recovery preparation are typically able to set RTO and RPO goals at a few hours or less for critical systems, with the cost increasing as those timeframes decrease. For other businesses that haven’t invested at that level, RTO and RPO can stretch into hours or days. And in extreme cases, if disaster strikes, some businesses just have to start over.

Google Apps offers a better way, with robust disaster recovery capabilities built right in. Our RPO design target is zero data loss and our RTO design target is instant failover. This means that if there is a disaster or disruption that affects one of our data centers, we are able to shift users to an alternate data center, so they can can continue working uninterrupted. And while no disaster recovery solution from any provider is perfect, we are proud of the benefits our customers gain.

In the words of Mark Switalski, Macomb County Circuit Court Chief Judge, and Carmella Sabaugh, Macomb County Clerk:

“We know that when a disaster happens, our system will not go down and because our data is in the cloud, it is protected and accessible from anywhere. After a rare tornado hit last summer, briefly disrupting power and some network services, the clerk’s Google service remained accessible via cell phone and other networks.”

Planning for disasters is a big challenge, but with Google Apps you have fewer things to worry about. Your email and documents will be accessible so your business can continue despite the disaster. It’s one of the main reasons that businesses trust Google Apps with their data.


Editors note: This post is part of a series that explores the top ten reasons why customers trust Google with their business data. A complete top ten list can be found here.

We recently announced that more than 4 million businesses run on Google Apps and 5,000 more are signing up every day. Many of these business “go Google” for enhanced security features. One example is 2-step verification, an opt-in security feature that we added to Google Apps last year.

2-step verification adds an additional layer of protection to your account and significantly reduces the risk of unauthorized access. With 2-step verification, you sign into your account with both your password and a one time verification code you get on your phone. You can generate the code with a mobile app (on Android, iPhone and Blackberry), or get it in an SMS text message or a voice call.

This feature helps ensure that only you can sign in to your account. It also helps protect you if your password gets stolen via phishing attempts, keyloggers or other malicious software, or from another website where you might have used the same password. Without the verification code, hackers can’t access your Google Apps account—even if they have your password.

While two-factor authentication is not a new concept, many businesses have historically struggled with deploying it due to cost, IT complexity and usability issues associated with requiring users to carry separate token generators. Google Apps includes 2-step verification at no additional cost, using existing phones to make it simple and easy to deploy. It’s available in over 40 languages and in more than 150 countries.

We also support Security Assertion Markup Language (SAML)-based Single Sign-On (SSO) for businesses that already use separate authentication technologies and would like to continue using them. Google Apps for Business supports the SAML 2.0 specification and allows businesses to apply custom security features, password management policies, and their own two-factor authentication solution. This SSO capability is an alternative to the 2-step verification feature that is included with Google Apps.

Protecting your accounts with strong authentication mechanisms is a great way to help ensure your information remains safe online. If you are an existing customer, you can easily configure 2-step verification, once your administrator has enabled the feature for your domain.


Editors note:This post is part of a series that explores the top ten reasons why customers trust Google with their business data. A complete top ten list can be found here.

In the previous post in this series, we described how Google’s cloud data centers are designed and built to protect the data that customers store in Google Apps. One of the benefits of this architecture is that our customers don’t have to maintain the systems that run Google Apps, we do it for them. This reduces both costs and risks for our customers.

One of the risks organizations face comes from malicious software (a.k.a. “malware”) that attempts to exploit vulnerabilities in operating systems and applications. As vulnerabilities are exposed, technology vendors issue patches to fix them in what has become a seemingly never-ending routine. This can be costly and time consuming as it becomes a race to patch vulnerabilities before they’re exploited. When organizations support multiple versions and types of operating systems and applications, the challenges increase rapidly. Using Google Apps eliminates servers and reduces the number applications that need to be patched, which helps reduce risk.

Customers such as Brian Hobbs, IT Director for Hunter Douglas have this to say about patch management in Google Apps: “The company saves money but even more importantly, I save time in administering licenses, installations, security patches, and training.”

Many organizations that I talk to describe how they have developed a proficiency in deploying patches in their legacy environments. They’ve done so out of necessity - there really was no choice. But these proficiencies carry high costs in terms of human resources and 3rd party patch management systems. Google Apps allows organizations to change this mindset and reduce the number of IT resources and 3rd party systems dedicated to the patch management process.

Andrew Murrey, Vice President of IT Infrastructure at Cinram North America, had this comment: “we calculated that we could be saving 60% on email alone by moving to Google Apps for Business – a clear winner when it came to price per user – but we also knew we’d save serious time on IT management, freeing my team up to do more strategic work.”

IT security professionals often ask me how we address patching. In our data centers we take a different approach to patch management. Rather than many different types of systems, we have a very homogeneous architecture that allows us to be highly efficient in deploying patches. The data center machines are specifically designed and identically configured in ways that reduce the potential number of vulnerabilities within our systems compared to traditional on-premise, so called “private cloud” and hybrid technologies. When a patch is required, our architecture allows us to deploy it very quickly across all our systems. And it’s seamless and invisible to our customers, which allows them to take a different approach to patch management as well: one that reduces risk and cost.

In the next post in the series we’ll look deeper into strong authentication. In the meantime, for more information about the data protections in place for Google Apps, please visit our Google Apps Trust page.


Editors note: This post is part of a series that explores the top ten reasons why customers trust Google with their business data. A complete top ten list can be found here.

When users think of Google Apps, they often think of their Gmail inboxes or collaborating on documents in real time with others. They often don’t think of what’s going on behind the scenes. Our cloud computing data centers offer our customers scalability and reliability across all of our products and websites, supporting millions of businesses on Google Apps and over 1 billion Internet searches every day. Our pure and proven cloud offers Apps customers significant data protections that would be hard for those customers to achieve on their own. It’s also the infrastructure that we use to run our own business.

As we’ve grown, we’ve developed an expertise around building data centers and protecting the data stored in them. The machines in the data centers that run our applications are built to our own specifications, including ones focused on security. The hardware is limited to what is necessary for the applications to run, and eliminates unnecessary components such as peripheral connectors or video cards. Similarly, the software that we run on the machines is a specialized, stripped-down version of the Linux operating system leaving out any unnecessary software code such as device drivers. This approach helps provide a computing environment that is less prone to vulnerabilities, compared to typical on-premise, so called “private cloud” or hybrid IT environments.

The services we offer are first and foremost Internet-based applications and platforms. We were born on the Internet, not on a single computer or server. We've published some of our core underlying technologies such as BigTable, the SPDY protocol, Google FIle System (GFS) and MapReduce. The last two of which have gone on to inspire Hadoop, the Apache open source framework that underpins many leading cloud or big data applications. Googlers Luiz André Barroso and Urs Hölzle even wrote a mini-book about some of Google’s approaches, entitled “The Datacenter as a Computer: An Introduction to the Design of Warehouse-Scale Machines”.

Lots of users leads to lots of network traffic that allows us some significant advantages in terms of security. For instance, the spam filtering in Gmail gains rapid visibility into emerging and evolving spam and virus threats, which in turn helps us to block the vast majority of them. This kind of large scale Internet infrastructure also typically provides better protection from denial of service type attacks. It also puts us in a position to spot malicious traffic and help protect users from malware.

Unprecedented global scale would not matter without the ability to reliably deliver business critical services. That is another powerful feature of Google’s technology and process discipline. We’ve built our platform to withstand expected hardware failure, relying on software and highly automated processes in order to support a 99.9% uptime SLA that has no maintenance window. In 2010 Gmail uptime was 99.984% and we are over 99.99% for the first half of 2011. This is an approach you fundamentally can’t take with traditional on premise IT systems.

Running data centers at this kind of scale takes energy, but as a carbon-neutral company we strive to use as little as possible - in fact, our facilities use half the energy of a typical data center. You can read more about our efficiency efforts and our approach to purchasing renewable energy.

In just the 4.5 years I’ve been at Google, I’ve seen quite a few generational changes in the kit we run, be it “simple” things like sheet metal for servers to something more complex like our motherboards, or something even more fluid and complicated like our various software layers. Through all those upgrades, build outs, and migrations, the focus on reliability remains. This is something that keeps me coming back to work day after day, and drives me to help others understand the value we can add to protecting their data and powering their businesses.