Google's new Advanced Protection Program offers better defenses against phishing, accidental data sharing, and fraudulent account access for executives, politicians, and journalists.
On Tuesday, Google released the Advanced Protection Program—its strongest security measure yet, intended to protect the personal accounts of those most at risk of targeted attacks, such as business leaders, political campaign teams, and journalists.
The move marks one of the few times the tech giant is targeting a small, non-general group of users with a product. It was first announced earlier in October.
"We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks," wrote Dario Salice, Advanced Protection product manager, in a blog post. "For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety. Sometimes even the most careful and security-minded users are successfully attacked through phishing scams, especially if those phishing scams were individually targeted at the user in question."
It is also likely a reaction to the 2016 hack of the Gmail messages of John Podesta, Hillary Clinton's 2016 campaign chairman.
Advanced Protection offers Google's strongest protection and strictest security rules. It includes three core defenses, according to the blog post:
1. Phishing defense: Advanced Protection offers "the strongest defense against phishing," Salice wrote in the post. The program requires users to have a Security Key—a small USB or wireless device—to sign into their account. These keys "have long been considered the most secure version of 2-Step Verification, and the best protection against phishing," Salice wrote. "They use public-key cryptography and digital signatures to prove to Google that it's really you." Even if an attacker has your password, they will still be blocked without your security key.
2. Protecting sensitive data from accidental sharing: Advanced Protection prevents users from accidentally granting a malicious application access to their Google data, by automatically limiting full access to Gmail and Drive to specific apps. At this point, those are only Google apps, but they will likely be expanded in the future, Salice wrote.
3. Blocking fraudulent account access: Hackers often try to access accounts by impersonating the account owner and pretending they have been locked out, Salice wrote. Advanced Protection includes extra steps to prevent this from happening during the account recovery process, including additional reviews and requests for more details as to why the user lost access to their account.
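The signature check behind item 1, as a simplified sketch added here for illustration (not Google's code and not the full U2F message format, which signs additional fields). The names `Enroll`, `NewChallenge`, `Sign` and `SecondFactorOK` are hypothetical, and the password step is assumed to have already passed:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Enroll stands in for the Security Key creating its P-256 key pair. The
// private key stays on the token; the server stores only key.PublicKey.
func Enroll() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewChallenge returns fresh random bytes; the server issues one per attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Sign is the token answering one challenge with an ECDSA signature.
func Sign(key *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// SecondFactorOK verifies sig over this attempt's challenge with the enrolled key.
func SecondFactorOK(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return len(sig) > 0 && ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	key, c := Enroll(), NewChallenge()
	fmt.Println("owner with key:", SecondFactorOK(&key.PublicKey, c, Sign(key, c)))
	fmt.Println("password only: ", SecondFactorOK(&key.PublicKey, c, nil))
}
```

Because the server issues a new challenge for every attempt, a signature captured from an earlier login does not verify against the next one.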
Google has been testing Advanced Protection for the last several weeks, according to the post, and gathering feedback from users.
"Journalists, human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries," Andrew Ford Lyons, a technologist at international nonprofit Internews who tested the program, wrote in the post. "For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step."
Any user with a personal Google Account can now enroll in Advanced Protection using Chrome, as it supports the U2F standard for Security Keys, but it's likely other browsers will do the same soon, the post noted.
While Advanced Protection is currently only available for consumer Google accounts, G Suite account administrators can gain similar protections with Security Key Enforcement and OAuth apps whitelisting, the post said.
Advanced Protection is the latest in a number of moves by Google to strengthen the security of Gmail and other G Suite apps. The company also introduced new warnings to defend against phishing in 2016, and added new machine learning-enabled tools to help secure Gmail data in 2017.
The 3 big takeaways for TechRepublic readers
1. Google released the Advanced Protection Program, a strong security measure intended to protect the personal Google accounts of those most at risk of targeted attacks, such as business leaders, political campaign teams, and journalists.
2. Advanced Protection includes enhanced protections against phishing, accidental data sharing, and fraudulent account access.
3. Advanced Protection is now available for consumer Google accounts, but businesses can gain comparable protections for G Suite accounts with Google's Security Key Enforcement and OAuth apps whitelisting.