Guard against targeted attacks

Beta: Protect users with the Advanced Protection Program

This feature is available in all G Suite and Cloud Identity editions.

Advanced Protection helps you protect users who are at risk for a targeted attack, such as:

  • G Suite and Cloud Identity super admins or delegated admins
  • Political campaigns
  • Activist groups
  • Celebrities
  • Journalists
  • Business leaders
  • Firms dealing with cryptocurrencies
  • Law firms

Targeted attacks could be low volume, carefully crafted, phishing attacks, often personalized to individuals, and can be hard to distinguish from legitimate activity. This makes targeted attacks the hardest to protect against. The Advanced Protection Program is specifically designed to thwart targeted online attacks on Google accounts.

What is the Advanced Protection Program? 

The Advanced Protection Program is designed to protect Google accounts against targeted online attacks. It is available for consumer as well as Enterprise Google accounts. The Advanced Protection Program includes a curated group of high-security policies that are applied to enrolled accounts. Additional policies may be added to the Advanced Protection Program to ensure the protections are current.

Advanced Protection allows you to apply all of these protections at once, and override similar settings you may have configured manually. These policies include:

  • Strong authentication with security keys
  • Restrictions on third-party access to account data
  • Deep email scans
  • Google Safe Browsing for Chrome (when users are signed into Chrome using the same identity as their Advanced Protection Program identity)
  • Account recovery through the admin

Advanced Protection Program security policies

In the Admin console, you can allow users to self-enroll in Advanced Protection. After they enroll, users are protected by these security policies:

  • Stronger authentication with security key. Using 2-Step Verification, Advanced Protection enforces the use of security keys by users. You do not have to configure 2-Step Verification policies separately. Users register their keys when they enroll in Advanced Protection Program. Security key usage is enforced even if a domain is using a third-party IdP.

    Security keys are the most secure form of 2-Step Verification. Users in Advanced Protection Program are required to use security keys, and not any of the other 2SV methods supported by Google (such as Google Authenticator). Security key usage is enforced even if a domain is using a third party IdP. Advanced Protection policies take precedence over prior 2-Step Verification settings.

    Also, if your users need to occasionally use platforms that do not support native security keys, you can allow users to sign in and authenticate with a special, one-time security code. Users can generate this code only on a device that supports security keys.

    Using security codes with security keys weakens security. Using security keys without security codes provides stronger security, and maximum phishing protection. But if your organization has important workflows where security keys can’t be used directly, enabling security codes for those workflows can improve your security.  For example, security keys often don’t work with Internet Explorer, Safari, iOS apps, remote desktops, and legacy applications. Go to the G Suite Updates Blog for details.

  • Restrictions on third-party data access. Apps that require high-risk scopes are blocked unless they are explicitly whitelisted by admins, or on the default whitelist.

    Default trusted apps available for Advanced Protection are:
    • Google native apps
    • Apple Native iOS apps
    • Mozilla Thunderbird
  • Deep Gmail scans. Enhanced scanning of incoming email for phishing attempts, viruses, and deep scanning of attachments for malicious content.
  • Google Safe Browsing protections in Google Chrome.  Reduces a user exposure to risky downloads in Google Chrome. When signed into Chrome using the same identity as their Advanced Protection Program identity, users receive warning if Safe Browsing cannot verify that a file is safe. This warning tells users to proceed with caution and check the reputation of the source of the file to be sure the file is safe to download.
  • Account recovery through admin. Advanced Protection includes strict account recovery for users who have lost their security keys have to come to you to regain access to their account.

Admin requirements

Advanced Protection Program enrollment can be enabled by these admins:

  • Super admin or delegated admin with the privilege Security > Security Settings.

What’s next: enable user enrollment

Was this helpful?
How can we improve it?