Google launches AI-powered data classification for Workspace

Google on Wednesday launched new capabilities for its office productivity suite Workspace, including one that uses generative AI to automatically classify and label files in Drive for zero trust purposes.

The feature marks the latest generative AI capabilities added to Workspace this year, alongside pre-existing tools such as virtual assistant Duet AI. New features announced Wednesday also include data loss prevention (DLP) capabilities and "digital sovereignty" controls.

Google said in an accompanying blog post that Google AI will be able to "automatically and continuously classify and label data in Google Drive to help ensure data is appropriately shared and protected from exfiltration." With this capability, administrators can utilize customizable, "confidentiality-preserving" LLM models to classify and label new and existing Drive files using risk-based controls.

"No one else in the market can do this," said Jeanette Manfra, director of risk and compliance at Google Cloud Google, during a Tuesday press conference. The feature aims to automate certain typically-manual aspects of zero-trust security, such as setting specific access controls on a per-user basis. It is available now in preview.

Andy Wen, director of product management for Google Workspace, told TechTarget Editorial said Google believes it is the "first to apply AI to data classification, customized by each customer's classification."

"This makes it much easier for organizations to adopt zero-trust frameworks, which call for data classification," he said. "In CISA's framework, you need to have an automated and continuous data classification to qualify for the optimal level of zero-trust. By classifying sensitive data, organizations can add extra protection to just that data, so security can be agile and dynamic."

Jack Poller, an analyst at TechTarget's Enterprise Strategy Group, said Google is "one of many applying AI to data security and the challenges of classification.

"Traditionally, classification used sophisticated pattern matching that required organizations to devote considerable time and effort to tune to their specific needs," he said in an email. "AI engines can identify and classify data in context, are much more tolerant of formatting errors, and tuning [training] is much simpler than tuning pattern matching. Thus, applying AI to data classification increases accuracy and reduces false alerts."

The tech giant also announced Wednesday new DLP controls for Drive and Gmail. For the former, Google said Workspace admins will be able to set criteria and requirements for a user to be able to share sensitive content via the storage product. Examples provided include device location and security status to offer, the blog post said, "more granular controls."

For Gmail, the DLP controls are designed to give security teams better control over sensitive information sharing via features currently available in Google Chat, Drive and Chrome.

"This can help, particularly, organizations who struggle with preserving sensitive data when it shows up, especially, in unexpected places," Manfra said. "Say a customer inadvertently sends sensitive data in a customer support email. This allows a customer of Gmail to take the controls and raise the bar on their security policies."

Both DLP control enhancements will launch in preview later this year.

Google also announced digital sovereignty controls for Workspace, which primarily includes client-side encryption (CSE) enhancements -- a term that refers to data encrypted locally on the organization's end to provide additional protections. CSE enhancements announced Wednesday include the ability to set CSE as default for "select organizational units," guest access support in Google Meet, comment support in Google Docs, and Microsoft Excel file viewing and modification. Excel features are in preview now, while others will be available later this year.

CSE customers will also be able to store encryption keys with select providers in their country of choice, choose whether data is stored and processed in the E.U. or U.S., and enforce regional access controls.

Lastly, Google announced new security controls built around preventative defense. Features include requiring two-step verification on "select administrator accounts of our resellers and largest enterprise customers" (starting later this year); an option for Workspace admins to require multi-party approval for certain sensitive actions (in preview later this year); exporting Workspace logs to Chronicle (available now in preview); and using Google's AI-powered defenses to automate protection on certain actions in Gmail, including email filtering and forwarding.

Alexander Culafi is a writer, journalist and podcaster based in Boston.