Google Client Side Encryption for Workspace: Privacy-Enhanced Cloud Collaboration in Partnership with Virtru

In the past 12 months, Google has introduced two capabilities that significantly distinguish Google Workspace from Microsoft Office 365 and help answer an important question on the minds of technology leaders around the world: Which cloud collaboration platform provides superior data-centric security, compliance, and privacy?

Google’s first announcement was client-side encryption (CSE) for Google Workspace, an important innovation that adds a layer of additional security and privacy to cloud-hosted data in Google Drive, Docs, Sheets, Slides, and Meet. In summary, CSE is privacy-enhanced collaboration technology that enables customers to use their own encryption keys to encrypt their own data, ensuring no unauthorized party – including Google – has access to this information. 

The second announcement was Google's expansion of CSE to Gmail, providing an additional method for businesses to encrypt emails and keep sensitive information private from Google itself — and anyone else who is not the intended recipient of an email message. Different from CSE for Google Drive, Docs, Sheets, Slides, Calendar and Meet, CSE for Gmail utilizes S/MIME-based encryption, which can be applied to email messages containing sensitive information. 

While both Google Workspace Client Side Encryption solutions offer Workspace customers enhanced data-centric security capabilities,  there are distinct characteristics and considerations that organizations should understand before deciding which solution is best for their needs.

Over the past decade, Virtru has served as an important partner to Google and has helped to influence the design and development of these new Google Workspace CSE capabilities. Virtru today supports more than 5,000 customers actively collaborating on Workspace, and our software is available in the Google Cloud Marketplace, making them eligible for Google Cloud Committed Use Discount burndown.

Given our breadth and depth of experience, the purpose of this post is to clearly identify the benefits of each solution and how they apply to specific collaboration workflows.

What is Google CSE for Workspace?

At a macro level, CSE is a capability that encrypts data on the “client side” — inside the user’s browser — before any data is transmitted and stored in the Google Workspace cloud. With Google CSE for Workspace, customers (not Google) control their own private encryption keys. Because Google doesn’t have the cyrptographic keys, Google servers cannot decrypt and view any customer data.

The following animation shows how CSE, in conjunction with the Virtru Private Keystore, works for Google Drive, Docs, Sheets, Slides, and Meet.

As you can see, three things are happening:

1. Customer data is encrypted before being transmitted to the Google Workspace cloud.
2. Customer data encryption keys are stored and managed in the customer’s self-hosted Virtru Private Keystore.
3. The customer is the only entity that can access the private encryption keys, which means the customer’s content is completely private and indecipherable to both Google and Virtru.

To use CSE for Workspace, customers must select an encryption key management provider, like Virtru. Alternatively, customers can invest the time and money necessary to build their own key management service using the CSE API.

How is Virtru different from other Google CSE for Workspace partners?

Virtru sets itself apart among Google Workspace CSE key management providers with its comprehensive approach to data-centric security. On top of offering robust encryption and key management for Workspace data, Virtru empowers users to apply tailored access controls using custom labels, ensuring sensitive information remains shielded from unauthorized access, regardless of its location within the system.

With Virtru, users can seamlessly utilize Google Workspace labels to categorize documents and enforce access controls. Leveraging Google Workspace groups, Virtru enables precise access permissions, ensuring only authorized individuals can access specific files. Virtru ensures persistent protection, even as files are moved to other Drives or folders, safeguarding data throughout its lifecycle.

As the sole Google Workspace CSE key management partner providing such granular access control, Virtru stands out among partners. Additionally, Virtru is the only partner to double-wrap encryption keys in an additional layer of protection, ensuring that even Virtru cannot access your data.

What is CSE for Gmail?  How does it differ from other CSE offerings?

CSE for Gmail is an offering from Google that enables customers to send and receive S/MIME-encrypted emails.

With the introduction of CSE for Gmail, customers now have two options to send and receive encrypted Gmail messages and attachments:

1. CSE (S/MIME) for Gmail + Virtru Private Keystore
2. Virtru for Gmail (when CSE for Gmail does not meet customer requirements) 

Both options provide end-to-end encryption for Gmail, but there are fundamental differences regarding setup, configuration, maintenance, and day-to-day user experiences.

Option 1: Google CSE for Gmail

CSE for Gmail requires that customers source S/MIME certificates for all senders and receivers of encrypted messages, in conjunction with an encryption key manager like Virtru. Once S/MIME certificates have been successfully exchanged between senders and receivers, those users can begin to exchange emails encrypted with Google CSE.  

To use CSE for Gmail, organizations must take the following four steps:

1. Choose a Google CSE Encryption Key Management Service

Before signing up for CSE for Gmail, customers will also need to choose an external key management system partner, such as Virtru. Virtru is a leading provider of Google encryption and key management for organizations of all sizes —  currently supporting more than 5,000 joint customers and managing hundreds of millions of encryption keys on behalf of Google customers every day. With the encryption capabilities of a key management partner like Virtru, customers encrypt their S/MIME certs so that Google cannot gain visibility to them, and therefore, Google cannot access or read their encrypted Gmail data in the cloud.

2. Purchase S/MIME Certs and Assign Key Pairs for Each User

CSE for Gmail requires organizations to purchase S/MIME certificates from a certificate authority and assign key pairs for each individual user. These key pairs should then be encrypted by the key management partner, such as Virtru, before being shared with cloud provider Google. Large organizations should keep in mind that this may be labor-intensive, as a company with 10,000 employees will require 10,000 S/MIME certificates. The customer’s IT team should be prepared to continuously support the provisioning of these certs as needed. It’s important to consider that these certs and keys are designated for individual users, not for individual pieces of data. This means that, should a user’s key become compromised, all the data they have shared can still be accessed with that compromised key.   

3. Upload Certificates to Google Cloud

Next, the customer will need to upload each encrypted S/MIME certificate to Google Cloud to put the framework in place for CSE. At this point, the customer’s users can start establishing trusted connections with their contacts to exchange encrypted data via S/MIME.

4. Train End Users on S/MIME Practices

To benefit from CSE for Gmail, end users should be trained to understand the S/MIME key exchange process required to establish a secure connection with any external contacts.  Specifically, users must know how to follow the extra steps required to exchange encrypted messages with a new external contact.  To ensure an intended recipient can receive an S/MIME encrypted message, the sender must first exchange a “signed” email to establish a trusted connection. This requires both parties to be well-versed in S/MIME and to know what to look for before they can exchange encrypted information. Once that trusted connection has been established, the user can then exchange encrypted messages and attachments with their contact. A user cannot send an encrypted email to a new contact if they’re communicating for the first time. Further, collaboration can become more complicated if a piece of sensitive information needs to be shared with multiple people, as this process needs to be followed for each contact.

Option 2: Virtru for Gmail

Virtru for Gmail is currently used by more than 5,000 Google Workspace customers, including some of the world's largest banks, healthcare firms, technology firms, defense contractors, state governments, universities, and federal agencies.

Virtru for Gmail provides advanced security capabilities for companies governed by data privacy and data security regulations like ITAR, CMMC, CJIS, and HIPAA, each of which requires complete privacy of sensitive data shared via email. Virtru is well-suited for organizations that have dynamic collaboration patterns and prefer less overhead and complexity compared to S/MIME-based encryption.

Virtru’s end-to-end encryption for Gmail is deployed as a Chrome plugin, making it fast and easy to onboard high volumes of employees at once. The user experience within Gmail doesn’t change, as the plugin puts Virtru front and center within the Gmail Compose window. Users simply click a toggle button to encrypt their messages and attachments. 

Virtru offers data-centric protection, wrapping each data object — each email, file, document, video, or any other piece of data — in a distinct layer of encryption, which allows them to make different access decisions about different types of data based on each recipient’s need to know. This aligns with a Zero Trust strategy of “never trust, always verify.” For every piece of data that is shared, Virtru makes it simple for recipients to authenticate their identity (using their existing credentials) and access the information they need. No key exchange or new passwords are necessary.

Virtru for Gmail also includes additional access control features, including the ability to:

• Revoke access to shared information at any time: For example, if a nurse sends a medical record to the wrong person, he can quickly take action to revoke access to that message at any point in the data's lifecycle. 
• Set an expiration date: If certain sensitive information only needs to be accessed in the near term, you can set an expiration date that will revoke access after that point in time, limiting the exposure of that data to the timeframe when it’s needed — like a short-term project or a time-sensitive assignment.
• Add watermarks: Include distinctive watermarks on PDFs and other files so that your customers have a clear view of who has shared a given piece of information.
• Restrict forwarding: What if your customer only wants information viewed by the intended recipient? With Virtru, senders can restrict forwarding so that the message can’t be passed along to other people.

With Virtru, enterprise admins also have a clear picture of what data is being shared outside of the organization, when, and with whom. Admins can also set data loss prevention (DLP) rules to trigger automated encryption for sensitive data that fits those parameters; things like credit card numbers, social security numbers, or keywords that indicate the presence of something sensitive.

Virtru Server-Side Encryption for Gmail 

In addition to providing customers with client-side, end-to-end encryption capabilities, Virtu also offers organizations data-centric security controls that can be implemented server-side using Virtru’s Data Protection Gateway.

When Virtru controls are implemented server-side, security leaders can put rules in place that automatically encrypt and/or decrypt certain kinds of data flowing into and out of their email servers. This protection can also extend to SaaS apps like Salesforce, Zendesk, and Looker, where data flows via email into and out of the organization. 

How to Choose the Best Option for Your Gmail Encryption Requirements

Despite setup and configuration overhead, S/MIME is a proven and reliable method of encryption. If your organization tends to have structured, established collaboration workflows with the same trusted partners over time, CSE for Gmail could be a great solution for you. Think federal organizations with consistent, established data-sharing relationships — or organizations that collaborate internally the vast majority of the time, and infrequently share sensitive information externally. Because that network of contacts is relatively consistent, the requirement for recipients to be prepared and enabled to receive S/MIME emails may be less of a concern, and your team can leverage Gmail while you remain confident that their data is shielded from Google and any other third party. 

However, if your collaboration workflows are more temporary, high-velocity, and/or regularly changing — think of healthcare providers that need to share records with patients, schools that need to share sensitive information with parents and students, or commercial organizations where employees are constantly sharing information with a wide and ever-growing variety of external partners — they may find that managing S/MIME for email is less practical or suitable. This is because S/MIME requires the establishment of a distinct connection between the sender and every recipient of secure information before the secure message can be sent, and it requires the recipient’s domain to be equipped for such a connection.

CSE for Gmail Setup Guide → Virtru's detailed flowchart provides a comparison of the setup processes for both encryption options for Gmail.

Take the Next Step Toward Privacy-Preserving Cloud Collaboration

With the advent of CSE for Workspace, Google has taken a major step forward in delivering privacy-enhanced cloud collaboration capabilities for customers around the world. This creates a compelling ecosystem in which data-centric security can be leveraged at scale, while delivering powerful privacy, interoperability, and data sovereignty for organizations of all sizes around the world. 

To learn more about how Google and Virtru can empower your organization with privacy-preserving collaboration capabilities, contact our team for a demo. We'd love to show you what Google + Virtru cybersecurity can do for your business.