Threat Watch

Google Has Improved Gmail Security via Client-Side Encryption

Google announced on Friday that client-side encryption for Gmail is available in beta for Workspace and education customers, as part of its efforts to protect emails sent via the platform’s web version. The improvement comes at a time when concerns about internet privacy and data security are at an all-time high. To take part in the beta test, Google Workspace Enterprise Plus, Education Standard, and Education Plus customers should apply before January 20, 2023. This option is not yet available for personal Google Accounts.

“Using client-side encryption in Gmail ensures sensitive data in the email body and attachments are indecipherable to Google servers. Customers retain control over encryption keys and the identity service to access those keys,” stated the company.

It’s crucial to understand that the newly provided Gmail security features differ from end-to-end encryption. As the name suggests, client-side encryption is a method for securing data at rest. It enables companies to use their own cryptographic keys to encrypt data on Google services. Keys are generated and managed by a key management service hosted in the cloud and used to decrypt the data on the client side.

Administrators who wish to use Google’s new feature must either create their own service using the company’s client-side encryption Application Programming Interface (API) or use one of Google’s partners, such as Flowcrypt, Fortanix, Futurex, Stormshield, Thales, or Virtru. This means that data will be unavailable without authorization, even for the service provider or the server. However, the organization or administrator maintains control over the keys and can monitor users’ encrypted files or revoke a user’s access to the keys.

ANALYST NOTES

By contrast, End-to-End Encryption (E2EE) is a communication technique in which data is encrypted on the sender’s device and can only be unlocked by the recipient’s device using a secret key that is shared between the sender and receiver.

Google products other than Gmail also have client-side encryption enabled. Earlier this year, the tech giant made the same feature available for Google Meet, Drive, and Calendar. Google Drive apps also support client-side encryption for PC, Android, and iOS. According to Google, the security feature will be integrated into mobile apps for Google Calendar and Meet in a future update.

“Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs,” stated the company.

https://thehackernews.com/2022/12/gmail-encryption.html