cyware: New Google Workspace feature prevents sensitive security changes if two admins don’t approve them – Help Net Security

Summary: Google is rolling out a multi-party approvals feature for Google Workspace customers, allowing certain sensitive admin actions to be approved by an admin who did not initiate them, adding an extra layer of security.

Threat Actor: N/A
Victim: Google Workspace customers

Key Point :

  • Google is introducing multi-party approvals for Google Workspace customers, allowing certain sensitive admin actions to be approved by an admin who did not initiate them.
  • The feature aims to prevent accidental or unauthorized changes made by malicious insiders or outsiders who have compromised an admin account.
  • The feature is off by default and can be enabled via the Admin console.
  • Sensitive admin actions that can require additional approval include changes to 2-step verification and account recovery policies, Advanced Protection and Google session control settings, account login challenges, and the login-via-passkey option.
  • Multi-party approvals will be available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers.

Google is rolling out multi-party approvals for Google Workspace customers with multiple super admin accounts, the company has announced.

What does the feature do?

Google Workspace (formerly G Suite) is a cloud-based set of productivity and collaboration tools/services aimed at enterprise audiences.

The (optional) multi-party approvals feature is one of many that were announced by the Google Workspace team in August 2023.

If the feature is enabled, certain sensitive admin actions can be taken only if approved by an admin who did not initiate them and thus, in theory, preventing accidental or unauthorized changes made by either malicious insiders or outsiders that have managed to compromise an admin account.

Google Workspace multi-party approvals

Admins can view details about each approval request before allowing or denying it. (Source: Google)

“This added layer of approval helps ensure actions are being taken appropriately and not too broadly or too often,” the team explained.

“Multi-party approvals makes super admins aware of what changes are being attempted and gives them the opportunity to accept or reject these sensitive actions. Additionally, this is more convenient for admins because the action is executed automatically after approval and the requester doesn’t need to take additional action.”

Which changes can be made to require multi-party approvals?

The feature is off by default and can be turned via the Admin console (Security > Multi-party approval settings).

The sensitive admin actions that can require additional approval include changes to 2-step verification and account recovery policies, Advanced Protection and Google session control settings, account login (security) challenges, and the login-via-passkey option.

Multi-party approvals will be available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers.

Source: https://www.helpnetsecurity.com/2024/04/09/google-workspace-multi-party-approvals/


“An interesting youtube video that may be related to the article above”