3 Reasons Why You Should Choose Google for Work Premier Partner Instead of Going Direct to Google

In your company’s transition to Google for Work, you may wonder whether it makes sense to go through a Google premier partner or go directly to Google.

What’s the difference, and what are the benefits?

What is a Google Premier Partner?

Google for Work Premier Partners provides amazing products for an all-encompassing business solution. Their product suite has many solutions from email, collaboration, word processor, video chats, storage, intranet builder… and more.

But you already know that.

Think of going direct to Google as going to an auto parts store. You know your car. You know how to do the installation yourself and you have the time.

Going with a Google Partner is like going to a mechanic. You get services to make sure everything runs properly and you won’t stall out on the highway. Google partners provide clear and knowledgeable guidance with support from start to finish while implementing these tools for you.

Many businesses enjoy the benefits of working with a partner for an easy transition and to have Google product experts foresee situations for them and provide solutions to ongoing business challenges.

So, here are 3 things (among many others) you can get from a Google for Work Premier Partner that you can’t get if you go direct to Google:

Develop a Custom Strategy

Google for Work Premier Partners bring Google into your business in an efficient and knowledgeable way, from strategy, rollout, deployment, training, change management, and onward.

Before making changes, partners assess where your company is and where you want it to go.

It’s a tailored approach to make sure each Google product fits well with your business goals and your teams can adapt.

If you need a custom solution, some partners are experts in developing scalable products on Google Cloud Platform. Application developers guarantee that your company isn’t forced into a mold.

Your partner team will guide you through recommended Google products as well as suggested custom alterations. Once a strategy and product suite is settled upon, you’re guided through a seamless purchasing process. Google Partners handle all of the logistics, allowing you to focus on managing a single account.

Working without a Google for Work Partner, your business is left with a one-size-fits-all solution. Though Google for Work products are versatile, companies benefit immensely from customized solutions that maximize ROI and productivity.

Migration, Deployment, and Change Management

Choosing to migrate your company to Google for Work on your own can be time-consuming and interrupt flow of business.

Using a Google for Work Partner allows you to focus on work while they handle migration and deployment. With decades of experience, a partner team understands the requirements of each legacy system. They can deploy new products and seamlessly migrate your data with little to no impact on workflow.

Change management professionals are vital to the success of any major transition in a company. A lack of support and education can cause even positive changes to stall.

Your partner team will closely examine the organization, judging previous change patterns, methods that were successful, number of users, and the company’s needs. An implementation strategy is then tailored to fit the specific business.

Preparing users for the transition and determining an efficient and realistic timeline are a large part of successful implementation: downtime and redundancy are reduced while productivity increases.

Your partner team will conduct a series of trainings to ensure employees feel confident moving forward with a new system. Basic trainings cover the transition process and how to use new products.

Additional sessions are available to encourage user engagement. They’re conducted on site or remotely. A benefit of using Google for Work Partners is that every training is fitted to the client. Surveys are distributed and analyzed to determine the level of user confidence and the location of knowledge gaps.

As a result, employees feel heard, their concerns are addressed, and user engagement is heightened.

Internal marketing and communications trainings are conducted between Google for Work Partners and internal marketing teams.

Your change manager will discuss techniques to increase enthusiasm among employees adopting new platforms. Internal teams will be guided in communicating useful and energizing information throughout your company, enhancing adoption and engagement.

Maintain Support

After Google for Work has been deployed, your Google for Work Partner team remains with you each step of the way.

Account administrators are assigned to your company, ensuring ongoing technical support. Especially in the early days of a new system implementation, existing IT departments and account admins can feel overwhelmed by big changes.

Working with a partner removes that.

If you work alone, in-house technical support can inadvertently slow things down. By using a highly experienced team to complement your on-site support, both the transition and ongoing use of new platforms are made easier.

Ongoing trainings are also available to companies that use a Google for Work Partner. These cover a range of topics and are tailored to fit your business needs. Project management and coordination meetings are conducted at regular intervals. Each meeting addresses whether target timelines and objectives are being met.

Additional trainings can include case development. Every development training is designed for your particular company and its needs. Workflow requirements and business scenarios specific to your enterprise are addressed.

Your partner team will discuss how to streamline work and increase productivity in your field, leveraging Google for Work’s specific capabilities for your company.

Ongoing webinars and events keep your team informed of changes, updates, and helpful hints to maximize Google for Work’s applications.

Newsletters are also distributed frequently, containing tricks for better productivity with Google systems. If you find that your teams need further training in a particular area, your premier partner will create a custom 30-60 minute training session to be conducted remotely or in person. You can issue brief quizzes before and after each training session, assessing the effectiveness of each meeting. Additional training can be designed around continued knowledge gaps, and materials can be further tailored to your specific employee base. By providing your team with the tools needed to succeed, productivity and ROI increase.


Google for Work Premier Partner is a comprehensive and versatile suite of products that make the most of speed and efficiency in the cloud.

Optimize your investment in these products by using a Google for Work Premier Partner. With support from start to finish, these experts provide amazing insight, support, strategy, and knowledge throughout the entire process.

Going directly with Google can be a good solution for some small businesses who feel confidant doing a technical deployment. But for most mid to large-sized companies, product experts are required to guarantee a smooth transition.

Google Premier Partner for Your Business?

Agosto is a Tier 1 Google Cloud Premier Partner and cloud product development company. We partner with companies looking for a fresh perspective to work smarter with Google Cloud. Learn more about the services we offer, give us a call at 612.400.9563 or contact us here.

What Happens to My Data in Google? (Pt. 3 of 3)

This is the 3rd of a 3-part series on Google Cloud Security. You can read the first part here, and the second part here

When I talk to customers, we get past the security conversation pretty quickly. 

When I explain to them how Google does things, they have lots of independent verification, your rate, you can test Google, they buy the security very quickly.  

The problem now is people worry more about what’s happening to their data. 

It quickly goes from a security conversation to, “No, no, I believe Google’s security is better than ours,” to a conversation more like, “I want to know what happens to my company’s data within Google’s hands.”  

What happens to your company data in Google?

Now, there’s a lot of misinformation about this.  

So, how does Google think about data protection? They think about it two ways. I always like to start this talk with security, because without security, you’re not going to have data protection.

The other component is privacy. If you don’t have a solid privacy policy and policy practices in place, you’re not going to have it either. 

The number one piece of misinformation is that people confuse Google’s consumer services (the ones that Google offers for free) with the services they offer to companies, businesses, schools, and nonprofits. 

They’re completely different offerings. Just to be clear, for that free Gmail account that you sign up for, yes, they’re using that data for advertising. Yes, there’s profiling. Yes, there’s scanning.  

But for all the products that they offer to businesses, schools, nonprofits, that’s not the case. In that case, in the original case, you guys own the data. Google is simply considered the data processor.  

Google can only use the data in the way in which you’ve instructed them. Let me go into a bit more detail here… This has three big components, like three legs in a stool, really.  

1. Transparency

What transparency means is that they’re going to tell you what they’re doing with your data. And it’s about being transparent before you’re a customer, without having to sign some sort of magical, special agreement.  

So, I mean sharing things like where their data center locations, Google’s security reports, their SOC 3 reports, their ISO reports. All of their contracts are public. Meaning their data processing and who their subprocessors are, all these components, all of their commitments on data deletion, information on what data can be used for… this is all publicly available. 

You can look it up now. It’s on the web.

And what it comes down to is what can Google use the data for?

We can use the data for absolutely nothing but what you instruct us to do.  -Google

So just to be clear, Google cannot use your data for advertising. They cannot mine your data for any purpose whatsoever, even to improve their own product; they’re simply not allowed to do so. And this is part of their business contract with companies.  

The intellectual property of the data is yours. You get the idea: Google literally has zero rights on your data. They own the rights to their service.  

So, as long as you don’t try to reverse-engineer Gmail, you’re going to be OK.

They’re also extremely portable. 

You could literally take your entire organization’s data and shift it into Google over the weekend. And you could change your mind next week, and move everything out Google. You can do that too.  

There’s no penalty. It comes out in usable file formats. It works so well, Google’s competitors have built tools around it to quickly expedite the movement of data in and out of their platform.  

2. Strong Contracts

All of Google’s contracts are written in a way that’s European-centric language. It’s not because they’re a European company. It’s just that the standards there are very, very specific when it comes to data.  

So there, you’re the data controller and the data owner. You give Google instructions, they’re the data processor. They can only do what you tell them. They have a global data privacy policy that applies to businesses, schools, and non-profits

It’s different from the one that if you look up “Google Privacy Policy,” it’s not that one. That’s for consumers.  

This one is publicly available and they update this all the time. Because they’re constantly getting feedback from data protection authorities in the US, in Europe, in Asia and our position is that they will only strengthen their commitments, not weaken them. So one of the more recent ones is they put an SLA on data deletion. Google made ongoing commitments to maintain compliance with their security audits and data privacy audits, which I’ll talk to you about here in a moment.

These sorts of things, this is all available, which is very useful for a business.  

So if you’re a parent, and you want to know what’s happening to your children’s data, you can just go and read it. There’s no advertising. There’s no scanning. It’s not some secret contract that each company has their own thing agreed upon.

They build on it. Google tells you what they’re going to do, they’re transparent. They legally commit.

But how do you really know what they’re doing? Google’s perspective is that you should trust them, but verify yourself.

3. Auditing

The problem in the past is that all of Google’s audits had been very, very focused on security. They start with security. Security’s strong. They have all the ones you’d expect– ISO 27001, SOC 2, SOC 3, SSAE in 16, ISAE 3402.  

These are all independent security audits. But again, we get past that security conversation pretty quickly and it goes into data usage. People don’t argue about security. They know what good security is.  

They argue about data usage, and how data should be protected.

Should it be transferred internationally? How does all that work?

So, what did Google do? They went and worked with their buddies over at ISO, their Swiss friends, Google’s standard-setting organization. And they worked with them to develop a new standard.

The new standard is called ISO 27018. This is about data privacy, the processing of personally identifiable information by public clouds, which is Google.

It’s exactly what Google’s looking for.

The next thing Google did is work with their auditor to be able to audit them against this new standard. So remember their infrastructure, everything I talked about being completely customized?  

Google can’t run an audit sending a college kid in with a clipboard saying, “Oh, there’s my blade server, and what’s my patch level?” 

It doesn’t work that way.  

At Google, everything is customized. They have to embed their auditors with their engineering teams. It takes a long time. It took over a year for the auditors to be trained on Google’s platform, and then be able to conduct an audit afterwards.

But the good news here is that they’ve adopted the standard, and they’ve had this since September.

Google announced it almost a year to the date after the standard had been released. Just so you understand how important this is, let me talk a little bit about how these standards work, if you’re not familiar with them.  

ISO 27001 is a family of standards.  

The first level is around security. There’s 114 security controls, which goes back to our story. You have to have security before you can have privacy. After you’ve gone through, and we talk about all these different controls that are in place for Google’s platform, you’ll learn that ISO 27018 is built on top of it.

You have to have security before you can have data protection and these are looking at different things. This is asking if Gmail is secure? Is it locked down? Are all those controls in place?  

And the next one is looking at the question: what’s that data being used for? Is it guaranteed that it’s not being used by other systems? What’s out there? How is this being protected? 

This is what’s important.  

So now, for the first time, you have independent, third-party, audited verification on what’s happening to your data.

This is something that you can take to your board. This is something you can tell your users about. But what makes it interesting, when we start talking about things like data privacy, is that it just doesn’t apply to services like security.  

So security on Gmail, Drive, and all of those products are covered. But, data is different; you can get to that from all kinds of different ways.

For Google’s privacy standard, yes, it had to cover the applications. But it had to cover every way that you could get to the data, so all the APIs, all the SDKs, or the software development kits, and tools that you might want to run on top of them.

So all these have been included as well.  

Another benefit of working with a company like Google who operates around the world is that they operate around the world. And that means that different countries and regions have different standards relating to data privacy.  

And for Google, they always have to take the strictest one.  

International Security Compliance

Sometimes it’s Europe, sometimes it’s Korea, and sometimes it’s the US. And these sorts of things, knowing that they have to meet all of these strict standards, you can have peace of mind that this is something that’s important to them, and that they’re going to be on the leading edge of what’s happening with data protection around security and data privacy.

Google has a very, very large team, both in DC, in Brussels, in Singapore, working with governments, who focus on working with data protection authorities because this is an evolving thing.

In Europe, there’s a lot of change happening right now. Google is compliant with everything that’s happening there now. They work very, very closely with them. But this is something that is constantly developing and because Google has such a vested interest in all these markets, it’s in their interest to be compliant and to be a leader.

And this is something that they’re really trying to bring home to the US. So when you talk about moving to the cloud, now, you can think about the abilities, but it does this increase the risk for what you’re doing on a day-to-day basis at your business?  

We think that you should look at it as a risk assessment. We talk about having extraordinarily strong, world-class, leading-edge security. That’s great, but it’s only part of the problem.  

You have to understand how that data is being used and know what systems there are.

Having all this information available, it’s fun to share with you guys extraordinarily detailed security audit reports to back all these claims up.

You can run your own penetration testing. Having strict, bulletproof contracts about what your data can and cannot be used for and having very, very strong enforcement mechanisms for them there. 

Don’t look at Google’s platform as being the same as you have on your personal accounts, or being equivalent. It’s 10 times better.

How Does Google Handle Cloud Security? (Pt. 2 of 3)

This is the second post in a three-part series on cloud security. To read the first post on, click here. 

We live in a mobile-first world. What have we learned from the security mishaps in the past few years?

The traditional thinking of having walls around everything, putting everything on your secure network, well that doesn’t work anymore.  

The reason people did that is because they don’t have infinite budgets, and they said, “Okay, we need to focus on security. The logical place to focus security measures on is the network.”

Google’s philosophy is a bit different. 

Big surprise there. 

Google’s Philosophy With Securing a Network

Google believes there’s no such thing as a secure network anymore, whether it’s run by a government or a company.

At Google, they assume everything is breached. They assume everything is broken. They assume these things because they believe that it is the only way to protect yourself.

When talking about secure architecture, you can’t just be good at one thing. You have to own the entire stack. And for most companies and organizations, this is far too expensive.  

There’s no way you’re going to get budget to do this.

So Google, at the scale that they operate on, literally invests billions of dollars in this. Because they’re investing at this scale, they’re able to do things that other companies simply can’t.  

Google looks at their data centers (their network) and they secure all the information.  

But where do most of the breaches occur?  

Hackers haven’t breached a data center. But, they’ve hacked social networking, or they’ve installed something on your browser or your device. So, Google has taken the steps to protect you there as well.

How Google Protects Your Users From Attacks

First thing’s first, Google has Chrome as a browser.

There’s a version of Chrome called Chrome for Work. You can use it, it’s free.  

But, with Chrome for Work, what makes it different is the fact that you can apply up to 280 security policies to Chrome. And you might say, “Well, I could do that with Internet Explorer.”

But, Internet Explorer just runs on Windows. Chrome runs on Windows, Macs, Linux, iPhones, Android, and all the Chrome devices.

You can now have one set of security policies, apply it across all your different devices, and have them all act as first-class citizens.

So, where are those breaches happening?  

It’s that old enemy of ours, the username and the password. And what happens? It’s that thing that you tell your users not to do. You say, “Please don’t use your password on other sites.” 

What do they do? Everyone has their favorite password and they reuse it over, and over, and over again.

So, at Google, what they’re trying to do is to make the password irrelevant. In fact, we have multi-factor authentication. 

With multi-factor authentication, the username and password become irrelevant without a code or having a phone nearby, which is connecting via Bluetooth or et cetera.

This is the next step to get around that social engineering.

There’s a Chrome extension called Password Watch. It’s a Chrome extension you can require via policy for all your users. 

It takes a portion of your corporate password – a portion of it, not the whole thing. It’s hashed, it’s salted, it’s stored on the browser (not at Google). And what happens is it watches what your users are doing.  

Then, if someone tries to reuse your corporate password on another website, it locks the account.

So, it’s the end of the night, I’m sleepy, I go to another website. That password’s muscle memory, right? I accidentally put in my corporate password on a different site.

I’m like, oh no, now I need to reset, everything is off now and I need to go back and reset all my accounts.  

It’s that kind of proactive security you need to use to protect yourself.

Encryption in Transit

As I talked about in Part One of the series, Google has an amazing story on encryption at rest in their data centers. 

Encryption in transit at Google, they use a technology called Perfect Forward Secrecy.

It’s stronger than most military-grade VPNs.  

Effectively, what this is, is that for every single user, for every single web session, they have a unique set of certificates, hardened to 2048-bit strength.  

If you’re using mobile devices, it’s a mobile-first world out there. On Google’s platform, there’s Android for Work. This uses SELinux to create a secure container on the device where you can store your corporate information and manage the device.

But not everybody’s on Android.

So you can do the same thing for the iOS, for the native iOS MDM, MAM APIs.

Again, enforcing things like encryption and data management, that’s all part of our platform. But, if you have another third-party solution, Google plays nice with everyone else.

It uses the bits that makes sense for your organization. If you guys have a robust authentication system for your company (Google works with governments and militaries as well), if you want to be able to have a username, a password, a token, a retinal scan, a blood sample, if that’s what you want to do you want to manage that, that’s something Google can integrate with all those different systems.

They have lots of customers with great examples.  

How do Google’s Products Work in Light of Security?

There’s a product called Google Drive. I’m sure you’ve used it and are familiar with it. 

For those who don’t know what it is: it’s a huge, unlimited hard drive in the sky for your data. The only limit is that of file size; the maximum size a file can be is five terabytes.  

So, if you have one that’s bigger than that, I’m sorry, not yet.  It’ll probably be coming. But you can have as many of those 4.9 terabyte files as you want.

The amazing thing about Google Drive is that it works with all the different file formats, not just Google stuff. It works with Microsoft OpenOffice, Adobe, whatever.

Whatever you have, or just big, big, big files of data, you can upload them here, it becomes very easy to share, and it’s available on different devices.

Now, the great thing about Drive is that it’s easy to share. But, the scary thing about Drive is also that it’s easy to share.  

I want to be able to control what’s happening to my information. So, if you’ve never seen a sharing dialogue within Google Drive, the way that it works is that every single document has strict permissions.

Now, with the strict permissions, I can invite individual users within my company to have access to that. I can have them view it. I can have them edit it. I can have them collaborate it.  

All these things are there and I can actually put information rights management on it. This is a problem Google has been trying to solve in IT for a long time. So I want IRM. I want to be able to prevent people from copying, downloading, or printing this information.  

When you combine IRM with permissions like this, you have real control of your data.

When I want to share a document with you, I send an email. It has a link. I click on the link, and if I decide later that you shouldn’t have access anymore, I remove your access.  

That data has never left the cloud, and it’s not available on their device anymore. But let’s say you really want to control who you share it with. Lots of folks say, well, I want to share my information, I want to collaborate, but I want to control the collaboration.

So, now Google has said you can whitelist organizations outside of your own who you’d like to collaborate with.

So, it’s not just the entire world.

You can limit it to a set of other organizations- this is having real control of your data. And again, this works within any file format.

How Google Protects You Against Hackers

Scale matters in security more than anything else. If you’re going to scale in any area, you have to scale in security. At Google, they have over 500 full-time engineers working on security all the time.  

That’s more the most IT departments. And their guys (as you can imagine) are very, very good, but there are lots of smart people outside of Google.

So they collaborate with the academic research community and the security community. They’re published over 160 white papers on security.  

If you don’t believe any of the claims I’m making, Google was the first company to have a bug bounty program.

Hey, if you don’t believe that their security is so good, you’re welcome to try and hack it yourself.  

Conduct your own penetration test. You don’t have to call me. If you can find something interesting, Google has money for you. It can make you famous, give you a swag T-shirt, and, if you do something really impressive, maybe even a job.

This is the proof that’s in the pudding. I was talking with one of the head security guys at Google and he was mentioning that six of their large customers in the last six months conducted penetration tests against Google… with no results. 

A government customer for Google in Australia, in the military, was talking about the security of their network. Google proposed, “Well, let’s run a pentest on your network and mine. I know who’s going to come up on top. And this can be part of an evaluation.”  

This is not being cocky, but it is saying there’s a difference between perceived security and actual security and that Google is interested in actual security.

Of course, it wouldn’t be any fun for Google just to say, “Come try and hack us” if they didn’t try and hack other people.  

So they have a team called Project Zero.  

This is where they’re hacking their friends in Redmond and their friends in Cupertino. Of course they’re nice, not bad guys.

So when Project Zero finds vulnerabilities, they tell them about it. But the only catch is that they only give them 30 days to fix it.

Now for Google, 30 days is a very long time. For some of Google’s competitors, 30 days is not near enough. And if they don’t fix it, Google shames them publicly about their security vulnerabilities, and releases it to the press.

So, that entices the companies to do the right thing.

Now, the reason that they do this is not to be mean. It’s their philosophy that if the cloud is not secure for everyone, then it is secure for no one.

So, we’re all better off working together. Now, the way in which Google runs their infrastructure makes them very agile with security.  

And when I’m talking about agility, you could think about a zero-day attack. 

So, if there’s a new zero-day attack, what do you have to do today? Well, it has to come out, and it has to be discovered. After it’s discovered, you’re going to go and work with your AV vendor.

You’re going to say, please give me a fix. They’re going to develop a fix. They’re going to give it to you. Then you’re going to have to distribute it. You’re going to have to install it. You’re going to have to go through all this. How many days have passed already?  

But you’ve already been taken. The Chinese are in and out.  

Since Google is the world’s largest email provider (with over 900,000 active accounts), they have to be ready for zero-day attacks.

With AV and vulnerability scanning, Google has multiple layers. In addition to that, there’s a company out there called VirusTotal. That’s a Google company. Their sole reason for existing is to facilitate the identification and addressing of malware and threats.  

Now, in that same zero-day attack scenario, there’s a new zero-day attack, it attacks a Gmail user in Mumbai. Not only can Google protect that one user in Mumbai, they then immediately protect all other accounts in real time. 

This is the speed you have to move at to stay ahead in today’s world. 

Google can actually prevent incidents before they even happen now.

You guys heard about the Heartbleed SSL vulnerability? That was a big one last year. The POODLE SSL exploit? Google discovered all of those.

So, before they were even announced, Google was patched and fixed for those vulnerabilities over their entire platform, network, and user base.  

Google’s not always going to be the first one to find a bug. But, because of the way that they run their infrastructure, when it’s fixed once, it’s fixed everywhere.

This is the only way you really have a chance to stay ahead when it comes to cloud security.

Click here to read part 3/3

How Does Google Handle Cloud Security? (Pt. 1 of 3)

Why should you think about moving to the cloud?

And what does that mean from a security standpoint?

You’ve probably wondered that, as many people have — how does Google actually secure their data for enterprise use? 

What’s Driving the Migration to the Cloud?

When you think about what is available out there, you think about WhatsApp, or you think about Snapchat, it’s all built in the cloud.

These companies weren’t even thought of a couple years ago and they’re making a huge impact in the business world.

Take Uber. They weren’t around a couple years ago. They started out driving people and connecting people directly with the end-users and with the suppliers.

Now they’re moving people, and now they’re thinking about how can I actually even move products and services? So they’re growing very rapidly.

And because they started out in the cloud, they were able to scale themselves, and continue to grow and look at other products and services that they could be offering, actually in the space.

Airbnb, which is now valued more than Marriott, needed to scale. And the way they were able to scale was how quickly their business could grow – which had no limits since they are in the cloud. 

And so what are the driving factors for large companies like these to be born in the cloud or to migrate to the cloud?

Well, there’s a huge shift.

People are moving to mobile. And the only way that you can actually build applications in scale with people is actually have them build those applications into the cloud.

We know that even from a statistic from 2014 said that most people and internet traffic is now coming from mobile. 

And it’s only increasing.

As you think about your legacy systems that you have, how do you stay on top of this and the rate of change? How do you stay on top of it in front of your consumers and your customers, and also your employees? 

How do you give the right tools to your employees so that they can actually make quick decisions, get a product to market, and communicate and collaborate with each other?  

Considering that the cost of computing is almost zero, when you think about how you enter this space, if you look at just going pure cloud, or if you look at a solution that’s half cloud, half on-prem, it’s very inexpensive to move to the cloud.

So you can actually make good business decisions based on low cost.  

And then the rise of public infrastructure and the shift to mobile is something that I think we’re all looking forward to trying to figure out. How do we tap into those consumers? How do we get them?  How do we meet them where they are? How, when I walk into a store, can I put relevant information in front of them?  

And security plays a huge role in all of this changing landscape. If you think about the breaches that have just happened over the last couple of years, there has to be a serious focus on cybersecurity, whether it’s on-prem or in the cloud.

I think that’s what a lot of us are thinking about: to really understand how can you move to this place where we all want to go, and still make sure that your customer data is secure, make sure your employee data is secure, and make sure that you’re making the right impact for your business, but also making sure that you’re protecting those assets as well.

The Evolving Cloud Security Threat

When talking about security threats, my goal is to evolve your thinking about how to address these new security threats.

When Google thinks about threats that are addressing your business or your users, you have several new problems.

The bad guys out there are becoming increasingly more sophisticated. Their attacks are often well-organized, and very, very, very complex in nature, and difficult to defend against.

Now at the same time, your user base is not making your job any easier. Your users want to do things on mobile devices. They want to do things across platform. They want things to be easy, which is often a counter-intuitive proposition.  

Now when we start talking about the types of security threats that are being addressed today, we want to talk first about the ones that are kind of the standard, same old, same old. Situations like, “I have an on-premise system. It needs to be patched on a regular basis.”

Which is ultimately not successful.  

But here’s an example from the press, where both the Ukrainian government and NATO were attacked by hackers going through a known vulnerability on an existing on-premise platform.

This is the kind of security threat that Google has addressed for years.  

But this is not really interesting.  

The new threats are much, much more sophisticated.  You can’t really talk about hacking without having to talk about Sony.

The Sony attack, for those of you who don’t know, was a malware-based attack that came in – no one is actually sure – via an email or via a web session.

And it spread through all of their on-premise systems.  

They went in, they took all their email, all their documents, pulled them out of the system, and then they went ahead and wiped all of the servers clean.

This is the new sort of threat that you need to be able to defend yourself against. If you would like to go a step further, we can talk about JPMorgan Chase.

This is the largest data breach in US history.  

Again, an unpatched server on the edge, but what makes this different is the types of attackers.

This was an organized group operating internationally from countries from the US, to Israel, to Eastern Europe. And what happened is once they breached their systems, they found the sensitive data, and then they held it.

They didn’t expose it or use it until the price of that data hit the appropriate level on the black market.

You’re working against not just a couple of geeks in their basement trying to make a name for themselves, you’re working against a sophisticated set of users in a very for-profit business.

Last, but not least, let’s talk about state-sponsored tax.

So in the US, the FBI has gone on record and said there are basically two kinds of organizations out there. You have companies that have been hacked by the Chinese. And then you have companies that don’t realize that they’ve been hacked by the Chinese.

Now we can’t just pick on one group or one government because there are many, many governments, both friendly and less friendly, who are attacking infrastructure for data-mining purposes.

Google’s Scale and Approach to Cloud Security

Most people don’t understand the scale in which Google operates.

So I’m going to share a few Google secrets with you.  

Firstly, this is a picture of one of their data centers.

It’s not a particularly exciting picture, but what you see in this picture is special.

Everything here is custom-made for and by Google.

And what does that mean?  

That means on any given day of the year, Google is the world’s third or fourth largest manufacturer of servers in the world. This is sourcing our own silicon, everything from custom motherboards, proprietary operating systems, networking equipment, HVAC, etc… is all custom-made for and by Google.  

Let me give you a further example.  

Here is a picture of Google’s Jupiter Superblock.

This is a switch Google designed that pushes 40 terabits a second of data across their network.

That’s the equivalent of 40 million high-speed home internet connections.

And here is another one of their innovations, the Pluto Switch.  

The Pluto Switch sits on top of a storage array.  

Now, Google didn’t do all this customization just to be cool. They had to meet requirements that effectively didn’t exist in the market before. They couldn’t go and buy things off the shelf to solve their problems.  

And from a security perspective, this gives them some really amazing advantages.

We have security by obscurity.

Because you can’t go out and buy our server, or our OSes, or anything, and reverse-engineer them, people don’t understand how we operate.  

It makes it difficult for Google to be attacked. Since they own the whole stack, they’re actually are not inheriting security problems, whether built-in, on purpose, or by accident, from third-party vendors. They’re in charge of everything.  

And if there is a vulnerability, Google is in charge of fixing it. So they can respond very, very quickly.

This customization at the networking level, when we talk about building this equipment, it’s not just about providing a service. They’ve actually had to build their own internal networking protocols.  

So their equipment speaks a language internally to Google that doesn’t get spoken outside. And they have different protocols in different parts of the country in different data centers to further segregate and secure our information.  

And we haven’t even gotten to the cool stuff yet.  

The cool stuff is their network.

It doesn’t matter how you measure the network: by length, traffic, ingress, or digressive data, Google has the largest network in the world.

This photo shows Google’s dark and light fiber across every continent on the planet other than Antarctica. 

They have 13 undersea cables across the Atlantic and the Pacific. Their network just doesn’t connect data centers to each other, it connects their data centers to nearly every ISP in the world.

There’s a couple dark, dark heart-of-Africa places where they’re still two hops away. But this is Google’s differentiator.

Now what does this mean from a security perspective?  

Well, we can talk about where your data is at risk. It’s typically at risk when it’s in transit. And with Google, your users are typically one hop away. It doesn’t matter what device they’re on. They go from their device, their ISP, and you’re on Google’s network now.

And this also has great other benefits like: being able to collaborate in real time, have low latency, and you can operate across the world without having to worry about where data centers are located.

It just works. And this is how Google delivers all of their solutions. Whether it’s Search, YouTube, et cetera. Their network is so big on any given day, they’re holding between 25% to 38% of total internet traffic.

Because we operate globally, we can correlate security events that other regional players, or even larger players, simply can’t.  

So what might seem like a little anomaly here, it actually could be part of something much bigger. Think about things like a DDOS attack (Distributed Denial of Service attacks) Google can not only detect those in real time, but they can stop them because of it.

Google has even extended this as a project to protect journalists and free speech advocates from being blasted by third parties.  

This is something they can just do in real time without their engineering team needing to be paged.

Reliability of a Service

Google is known for being reliable. For example, when was the last time you saw Google.com down?

Google has actually solved one of the more difficult computer science problems at Google but they’ve not done a very good job of explaining it to the world.

If you’re in IT, we typically measure reliability with a Service Level Agreement (SLA). In SLAs, a company guarantees the service is available for x amount of time.  

With modern solutions, this has gotten foggy. Somehow everyone seems to boast getting 99.999% availability (five nines), but they’re down for maintenance on Sunday.

How is that possible? 

Google prefers to use a more precise engineering metric. It’s called MTBF – Mean Time Between Failures – and if you go out and buy one enterprise-grade device, you can expect that to last for 10 years before it catches on fire and it catastrophically fails, on average.  

The problem is scale.

Go from one device to 100,000 devices, your failure rate drops from one failure every 10 years to a failure every hour. Now scale that up to Google size, with literally millions, and millions, and millions of devices.

There’s always a constant rate of failure.

Hardware, network, software, something’s always broken. And this is the problem when we start looking at large enterprise solutions. It’s great when it’s small, but as soon as it becomes big, it’s hard to manage. It’s hard to secure. It’s hard to keep it up and running.

We talk about where you invest in your spend. If you’re spending 70% of your money keeping the lights on, then that’s not a good thing.  

So with Google, at their scale, with a constant rate of failure, how are they able to provide one of the most resilient internet services out there?

And it comes down to how they actually store and process data.  

How Google Stores and Processes Data

Now if you work at Google – it’s hard for them to say this without coming off as arrogant – but they’re really, really ahead.

They’re not on the cutting edge, they’re on the bleeding edge.  

They’re 10 years ahead.  

The technologies that they used 10 years ago are the ones that are being sold in the market.

You hear about big data. Google invented the NoSQL database. They invented these technologies and they’ve been iterating since then.

So let me explain how we store and process data, which is completely different from how everyone else does it. But it’s easy to get your head around.

So think of it like this: every single application that Google has, let’s say it’s Gmail, or Google Drive, or what have you, you have an instance per user.

Those are database associated with you – your email, your attachments, the index so that you can search that content. What happens when you actually store it at Google is the following.

I want to upload a file to Google Drive. I upload the file. It goes to the storage layer. It gets put to my personal database. I’m going to take that database. First, I’m going to break it into literally thousands of pieces. And then I’m going to run what’s called algorithmic encryption.  So this is running it through an algorithm.  

It makes it non-humanly readable. If I were to write it to a disk at this moment, I wouldn’t be able to tell who it belongs to or what application it goes to. After I’ve done algorithmic encryption, I’m now going to do key-based encryption.

So then I’m going to encrypt it with AES, as you’d imagine, normal standard encryption. Then I’m going to take the key that I used to encrypt it. I’m going to wrap that and encrypt it a second time, and keep it in an enterprise key management store.  

Now after I’ve taken the data, sharded it, obfuscated it, and doubly encrypted it, now I’m going to replicate it. So each tiny piece I’m going to take, I’m going to replicate it five times – data center number one – different drives, different servers, different racks, different connectivity to the internet.

Then bang – five more times data center number two, five more times data center number three, five more times data center number four.  

When it comes time to access this information, what am I going to do? I’m going to go out, the algorithm’s going to say, I want that file again. So it goes out. The algorithm gets every single copy, every single shard. It’s going to race it all back together. It’s going to reassemble it, de-encrypt it, deobfuscate it, and then present it to the user in real time. It’s like a computer science miracle.  

It’s very, very cool.  

And the reason that we do this is because this is the only way that we can get to this.

There’s always going to be a problem, and the idea is that the infrastructure is self-healing. It’s self-adjusting. If there’s an earthquake, or a power outage or something, your screen doesn’t flicker. You continue to be able to consume these services, and because of the way that we store the information, it’s not like we’re encrypting it at a file level.  

Google is taking it as a database, fragmenting it, obfuscating it, and then doubly encrypting it at multiple levels. So if there was to be some sort of breach, or internal actor, or someone trying to do something, they have a piece of a very large puzzle. Makes it very, very difficult.

If you really want to know about how Google does encryption, they’ve actually written and shared a very detailed encryption white paper. This is just one of the flows where we can talk about how we protect the data at rest.  

This is something that we can share with you guys, or you can send it to your security officer. And I’m happy to take questions on it. But we’re very, very open about that. Another thing that comes up is people are often concerned, where’s the data located?  

Now with us, first of all, we tell you. There’s a list of data centers. We have them all here. We share them with everyone.

But the thing to consider here is that your data is not in one or two of these locations. Your data is everywhere and nowhere at the same time. It’s fragmented, obfuscated, encrypted, and then replicated across our global data center network.  

Because of that reach of that network, latency is no longer a problem.

It doesn’t matter.  

I could keep it in Oklahoma, or I could keep it in Finland.

The performance is still going to be the same for you. Now because the way, again, in which this is stored, it makes it very difficult to attack you.

We use these data centers not just for providing services to enterprise customers, we use it for everything. So if someone wanted to attack your company, they need to literally attack all of Google. They need to be able to sort out and try to discover traffic, every YouTube video, cat video we’re showing, internet search, you name it. It’s all going through the same front ends.  

So it’s very, very hard to be able to attack you. Now Google encrypts all of their services while at rest.  

So Google made some huge strides here in engineering.

They used to only do algorithmic-based encryption. They’ve now upped their game. Now they’re not only doing algorithmic-based encryption, but now they’re doing multiple levels of key-based encryption for all of the services they have.

Some of these Google file formats, you can actually embed content from other data sources. So let’s say that you have a WordPress file in Google Drive that you want to put on your website. If you’re embedding third-party information, we’re not encrypting the third-party information.

But everything on our platform is encrypted.

It’s literally that simple.

Read part 2/3 here

Google Chromebit: What This Means for Digital Signage

You might have heard the good news…

Google released the Chromebit! Last month Asus, their original equipment manufacturer (OEM), released what is basically a computer on a stick.

Think: a Chromebox, but a little bigger than a flash drive that you can carry in your pocket and plug into any display, effectively turning it into a computer.

I participated in Google’s early Trusted Tester Program for the Chromebit and tried it out as a digital signage player for the Skykit digital signage service and as an end-user computing device.

I was very impressed.

What Does the Chromebit Mean for Digital Signage?

In the digital signage world, a player that’s truly enterprise-grade (security, manageability, scalability) can cost $800 each or more.

The enterprise-class Chromebit is a game changer at $85.

The Chromebit is a very capable device that performs as well as the larger Asus Chromebox. You can’t tell a difference in performance while playing any type of digital signage content (from videos to images). And it’s half the price compared to the Chromebox.

The Chromebit makes for the perfect digital signage player where wireless networking is a requirement. The low-cost, small form factor, and enterprise manageability make the Chromebit the clear leader in terms of price/performance/management/size.

The Chromebit includes both bluetooth and USB support which enables the connection of a keyboard/mouse combo. 

It is the least expensive stick-PC in history.


The Chromebit has 16gb of storage and 2gb of RAM (same as the Chromebox). It’s powered by a 1.8GHz Rockchip RK3288-C CPU with a separate ARM® Mali™-T624 GPU.

I tested the Chromebit side-by-side with the Asus M004U Chromebox with an Intel Celeron 2955U CPU and embedded Intel HD Graphics 4000/4400. The Chromebox is also configured with 16gb of storage and 2gb of RAM.

While not a true scientific performance analysis, the two devices running a digital signage application with the same content – still images, 1080p full motion video and stereo sound performed identically in terms of playback.

The Chromebit warmed up more than the Chromebox, most likely due to a smaller heatsink in the Chromebit form factor. Any performance differences were imperceptible watching both devices side-by-side.

Networking and USB Connectivity

The Chromebit includes 802.11 a/b/g/n/ac WiFi. Connectivity is rock-solid and there were no perceptible performance differences between the Chromebit and the M004U Chromebox unit. Networking performance was also very good when running the Chromebit as a computing device, browsing the internet and/or working with Google Apps.

The Chromebit was also tested with a USB Ethernet connection, turning off the WiFi through chrome management. Functionally, this worked just fine but the extended device may be more cumbersome to physically manage in this configuration.  

A keyboard/mouse combo connected with a small RFI USB adapter worked very well, as did the Bluetooth connection (Bluetooth V4.0 included).

Enterprise-Enabled Chrome Management

The Chromebit is an impressive computing device. But it truly stands apart from other stick-based PCs when it comes to enterprise management. The Chromebit is a Chrome OS device, meaning it can be fully managed, remotely, in enterprise environments via Google’s Chrome Management Console and enterprise enrollment.   

Power and Display Connectivity

The Chromebit plugs directly into a display’s HDMI port, or alternatively connects via included HDMI extension cable for tight connection locations.  

The Chromebit includes a small separate 18w power supply that requires an AC power connection. A USB-powered device would be ideal, but the Chromebit requires a little more power than that to operate.


All the features available in the Chromebit are matched by many other devices.  It’s the price and form factor that make the difference. This is an $85 stick computer that can be enterprise-enabled and managed as a computing device, or it can be used as an enterprise-class digital player for a your digital signage solution.  

That’s pretty hard to beat! For a more in-depth look at what to look for when evaluating hardware and software, you should check out the complete guide to digital signage

Written by: Jim Crowley
Sr. Director, Product Management

Giving Back: The Sanneh Foundation Learns Google Apps

Agosto had the opportunity recently to give back to the community through The Sanneh Foundation, a nonprofit that helps youth development and gender equity locally in St. Paul, and in Haiti.

The Foundation sends mentors to schools to meet with the students who are least likely to graduate. They tutor and mentor these kids to improve their grades and help them graduate. The program is growing, but they’re adding more schools in their program every year and seeing a huge improvement in their grades.

“There’s no way we could be that productive without a solution like Google Apps.”

And in Haiti, they have an after school program. The Sanneh Foundation helps develop the kids into leaders by teaching the importance of respect and equality. The kids have to meet minimum grade requirements in order to go to the program, which offers incentive for the kids to stay in school and study hard. About 300 kids come every day for soccer coaching. Soccer is used as a “carrot” to get them there, and then the coaches teach them skills that they will then take off the field and have for life.

The Sanneh Foundation was founded by Tony Sanneh from St. Paul. Coming from a single parent home, life was tough growing up. After years of dedicating himself to school and to his passion, soccer, the Minnesota Thunder signed him. Tony moved to Europe and played for club leagues. Going on to a very successful professional soccer career, he retired in 2011. Throughout his career, he had a desire to help kids from the inner city. That’s how the The Sanneh Foundation was born.

We were so excited to be able to help support the incredible mission of The Sanneh Foundation  locally and internationally. They had been on Google Apps for a couple of years, but had never gone through training. Many of their employees are millennials, and Gmail is what they use for their personal accounts. Most of the employees (locally, and in Haiti) knew how to use Google Apps in some capacity, but there had never been any written documentation to get everyone in the organization on the same page. As a result, many of the more complicated features were not used to their full potential.

We sent in our training expert, Mary, and our technical expert, Shane, to train The Sanneh Foundation to help them learn the full breadth of Google Apps so they can collaborate easier and faster.

The Foundation uses Gmail and Drive the most. They use it to collaborate with remote workers, even in Haiti. Google Apps enables them to help the community and continue to develop inner city kids.

“Mary and Shane were great. Mary was very in-depth. She kept it relevant for what we needed, and walked us through practical examples of the basic features with things we’ve never used before like Sites. We used the admin console very minimally, just to add users and make user groups. But Shane dove deeper into features like provisioning apps, which helped us grasp the product more holistically.”

7 Quick Google Docs Hacks & Tricks

When using a tool like Google Docs, no matter how long you’ve used it, there’s always something you’ve not yet discovered, or there’s always new features being released and improved.

Of course with such an innovative company like Google, there are so many fun easter eggs in everything they develop. There are some popular ones, like the konami cheat code in both Docs and Hangouts.

And there are actual shortcuts and productivity hacks collections to Google Docs, Slides, Sheets, Chrome, and the like.

Which is what this article is about.

I wanted to share 7 super quick things I find really helpful in Google Docs. You may know some of them, but I hope one or two Google Docs hacks are new to you!

  1. Paint Format
    With the Paint Format button on the left side of your toolbar in Docs, you can copy the format from one block of text to another. It’s especially useful when you create a custom header style and you want to quickly apply it to other headings.
  2. Publish online
    You can publish a document online so it’s easily accessible for anyone. Your servers won’t have to host the document, and it will give you a shareable URL to the new doc online. In a document, go to File > Publish to the Web.
  3. Searching for Docs in Chrome
    You can search your Google Drive files directly from the Chrome address bar. In Chrome, Go to Settings > Manage search engines and set the default to Google Drive. It’s useful if you’re a heavy Google Docs user.
  4. Link Between Google Docs
    When you highlight a word or phrase and right click to insert a link, you’ll see a list of suggested URLs based on what you’re highlighting. The cool part is that it will also suggest any documents in your Drive that use that word or phrase in case you want to link between documents.
  5. Working offline
    This one is critical. Traveling somewhere without wifi access? Here are the steps to take to work offline with Google Apps. Most people know that it can be done, but most don’t know how to do it.
  6. Edit Images
    Google Docs Hacks for images. You don’t need a graphic designer to edit an image’s transparency, brightness, contrast, or to crop it. You can do it in Google Docs. Select the image and double click (or go to “image options” in the toolbar). You can edit the image with the functions in the sidebar.
  7. Clear formatting
    Clear formatting is one of the most useful Google Docs hacks you need to know when copy and pasting content from a different document. If you ever paste text from a different document, chances are that you’ve had to reformat it. To quickly dismiss this nasty formatting, highlight the text, select “Format” in the menu bar and click “Clear formatting.” You could also highlight the text and use the keyboard shortcut, Command + \.

Do you have a favorite Google Docs hacks, shortcut or trick? We’d love to hear it, comment below!

How to Protect Against Phishing Attacks

I came across an interesting example of a phishing attack. Well, I’ve actually come across quite a few phishing attacks recently bearing striking similarities.

It brought up some big security concerns.

Here’s the story:

One day, a company’s CEO emailed a Director at their company asking to wire transfer a significant amount of money. It sounded urgent. After asking a few questions, he transferred the money.

A couple days later, the Director bumped into the CEO and said something like, “Oh, by the way how’d that thing turn out with the money I transferred?”

The CEO had no idea what he was talking about. He hadn’t requested a wire transfer.

They launched an investigation to see if they were hacked and if they were vulnerable in any other areas.

Once the dust had settled, I got a chance to be part of the investigation, starting with the email that began it all.

The original message appeared to have come from the CEO’s email, but looking at the logs it was actually spoofed from a 3rd party server. They knew exactly who in the company to contact to arrange a wire transfer, and they had even registered a domain that was very similar to the original to route the return messages to so that it would appear as normal when the Director hit the reply button. They had copied the CEO’s email signature. There were no visible red flags. 4 emails went back and forth before the wire transfer actually happened.

This was not a hack. This was social engineering, with maybe a bit of spear phishing. Through the logs, I could find no evidence that the perpetrator had ever actually accessed the CEO’s account.

It was likely that someone at a lower level had their account compromised through a targeted phishing attack, which yielded email addresses, names, and positions through their address list. The CEO probably sent out the occasional all-company email, or happened to have sent one to the person who was phished. This would have yielded his signature information and confirmed his email address.

With this information in hand, and some basic knowledge of email, it’s not terribly tricky to craft a message that looks like it came from someone else. Requests not just for money, but credentials or classified information can even more damaging.

So, interesting story right?

What can you do to protect your company from these sorts of attacks? There’s no silver bullet that can eliminate all phishing as a threat, but I have some steps that can greatly reduce your vulnerability.

The Human Part:

A large number of malicious attacks are simply social engineering attempts (duping users to do something they shouldn’t). Users must be educated and reminded about what not to do online.  If something seems fishy, it likely is (phishing). In the event that message slips through the cracks in the technical defenses, users need to understand threats, know how to identify them, and how to react when they do find them.

We can’t reasonably expect Larry from facilities to question every request to order more of that pink sawdust stuff. But making them suspicious of emails that may not make total sense, or lacking in details may help save your pink sawdust supplies.

And remember, this sort of threat reaches everyone from the CEO to Billy in the mailroom. Any user of an email system that gets compromised can provide inside information that can lead to significantly more targeted and harder to detect attacks down the road. Simple things like the global address book can deliver valuable information on active email accounts, organizational makeup, reporting structures, or phone numbers. Even finding an email from the CEO can provide a copy of their signature, making a targeted attack seem even more authentic.

No one should be exempt from security training. 

Looking out for the following red flags can help:

1. Badly written emails

In the age of mobile devices, these are getting harder to use as a red flag as everyone misspells and autocorrects, but be aware of a message that doesn’t read right. Simply reaching back out to someone before opening a link, document or other attachment can save the day.

This is an actual phishing attempt:



2. Are you expecting this?

I rarely get attachments or links to documents that I’m not aware of ahead of time. I would have heard about it in a meeting or in an email chain before it shows up. Getting a link with something vague like “take a look at this” or “I need your input” even if it’s from someone you trust can easily be an attempt to gather information. Replying with something quick like “What is it?” can be the difference between safe and compromised.

3. Use a lifeline: call a friend

If someone emails you to urgently transfer money, call them on a known number to confirm before you make the transfer — not the one listed in their email signature. The best way to thwart social engineering attempts is to refrain from doing as the scammer requests. Instead confirm the request is legit by contacting the requester over a different platform than they used to contact you.

4. Fake sites/bad urls

This is the most prevalent thing we see these days. Long gone are the days where attachments were the biggest threat thanks to Google’s excellent scanning and filtering. Instead, Hackers use links in emails to try and grab your data, specifically your login and password information. Thankfully, most of these scam sites have most of the same fatal flaws that the emails do. Badly written and poorly edited, but anyone questioning things will feel out of place as soon as the page loads. When in doubt, login to gmail.com. If going to Gmail.com loads, then you’re already logged in. If the link you’re clicking still asks you to login, it’s probably an imposter page trying to grab your information.

While these are strong basic tips, you can now effectively test your organization’s phishing readiness using services like PhishMe and ThreatSim who will run non-malicious phishing campaigns against your organization, offering results and additional training should anyone take the bait.

The Technical Part

Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are two methods used to authenticate that messages came from where they said they came from. SPF is easier to deploy of the two, and more widely accepted. But it’s also easy to improperly configure, allowing too much to get through due to soft rules.

Sender Policy Framework

I highly recommend reviewing SPF Syntax (here) and running your own SPF record through a validator like the one found here.

DomainKeys Identified Mail

DKIM is a little less widely supported, but for our case here, it’s well supported by Google Apps. So in the effort to protect yourself from people pretending to be you, it’s the most effective method by a long shot. Unlike SPF that operates entirely on the origin IP of the server sending the message, DKIM actually has a rolling key-based system with cryptography that can’t be replicated. Every time you send a message, there’s a secure check against that key to make sure the message truly came from where it claims it did.

It’s a bit more tricky to set up, as it involves generating some keys for your domain as well as some DNS records, but it’ll be worth for the times phishing attempts get blocked. Check out Google’s how-to article on setting up DKIM here.


The IPLock method is creating a mail rule on your own server (Google Apps) that says exactly who gets to send as your domain. It’s like creating your own SPF rule internally. In this rule, you’ll define all the servers that you as an admin permit to send on behalf of your domain(s) and block messages coming from other sources.

Trying to send a message as acme.com from a server that’s not whitelisted? Sorry, that’s not going anywhere. Google has a great help article on how to set this up here.

Setting up all three of these options will give your users the best possible protection you can have… from the technical side.

The Ultimate Safety: Two-Factor Authentication

You knew this was coming. You absolutely cannot have a security discussion without talking about two-factor authentication.

Two factor authentication is easily the most effective method of securing any account from intrusion. By using a separate authentication application, a physical key, or SMS messaging codes required at the time of login, it prevents anyone without physical hands-on access to a personal device get into an account, even if they do have the password. It’s the last line of defense, but it’s one of the most effective ones you can have.

Unfortunately, it’s also one of the most intrusive to end users. In the efforts to keep everyone happy, it’s rarely enforced.

Google helps to take some of the load off two-factor users by allowing specific machines to be remembered for up to 30 days. Having to pull a code from your phone a few times a month if you use multiple devices, seems like a small hassle when it offers the level of security this can offer.

At minimum, we recommend mandatory enforcement of two-factor authentication for any users in positions of authority or administration, as these are easily the most targeted users when it comes to phishing campaigns, but enforcing it across your entire domain will significantly reduce your risks.

Again, Google has an excellent article on setting up and using two-factor authentication here

If you have any questions regarding this article, please feel free to reach out to us.

How to Add Additional Domains to Google Apps

Hi there, I’m Shane. I’m a sales engineer, but today I’m blogging about how to add additional domains to Google Apps.

Let’s say you’re running your company Widgets.com on Google Apps. Thanks to unprecedented growth, it’s doing great. So great, in fact, that you’ve decided to launch a new brand, Bobbles.com.

Bobbles.com is going to be huge, and you need to look professional, unifying your new brand with your existing brand. Some existing employees are going to need @Bobbles.com email addresses, and your new Bobbles.com employees will need to be able to easily collaborate with everyone from both brands.

Don’t worry, you won’t need to set up a whole new Google Apps tennant just for these users. You can easily add Bobbles.com to the existing Widgets.com Google Apps tennant.

By adding an additional domain under your Widgets.com Google Apps tennant, you can assign Bobbles.com aliases to your existing Widgets.com users. Then your users can have just one mailbox for both brands, and you only need to use one additional license. In the future, users can be added as @Bobbles.com users from the start. All in all, every user is now part of the same Google Apps tennant, and has the same global address list and collaboration features as the existing users of Widgets.com

How to add additional domains in 5 steps


The first thing you need to do is register your new domain. Providers like enom.com, 1and1.com, and networksolutions.com can all help you with finding an available domain, and registering it for a small fee annually.


Open your Google Apps Admin panel, admin.google.com. In the admin panel, click on “Domains”. Then click on “Add a Domain or Domain Alias” at the top left of the page.


There will be a pop-up window prompting you to insert your domain, and whether you’d like to add it as an “alias domain” or an “additional domain”. Changing options down the road isn’t easy, so it’s important to choose the one that applies best.

Alias Domain vs. Additional Domain 

An alias domain is only used for aliases, and upon creation, automatically adds an alias to all users matching their primary email address. If I created Bobbles.com as an alias domain, bob@Widgets.com would automatically get bob@bobbles.com as well. 

If you select an additional domain, it would allow you to add Bob@bobbles.com to bob’s widgets account, but it would have to be done manually. Additionally though, you would be able to make Bob@bobbles.com his primary login, and not just an alias.

When in doubt, we encourage people to choose additional domain, as it offers more options for control that aliasing doesn’t.


Once you’ve added the domain, you’ll automatically be taken to verify the newly added domain. You need to prove to google that you own the domain before you can act on it’s behalf. You’ll see a dropdown menu with a list of domain registrars. Find yours on the list. Select it, and Google will give you a step-by-step on just how to complete this process, or in some cases, even an automated process.

If your registrar isn’t on the list…

Select “Other” towards the bottom. This will provide you with the contents of a TXT record that you’ll need to to your DNS records. If you’re unfamiliar with this process, check the help documentation available from your registrar or DNS provider. You can also call their support line.


Switch back to the google verification panel, and click “verify”. If you were successful, it will tell you, and return you to your admin panel. If it’s unsuccessful, be patient. DNS updates can sometimes take as long as 24 hours to propagate to where google can see them.

Congratulations! After you add additional domains, you’re ready to start creating aliases, users, and groups all using your new domain name. If you have any questions about this process, ask us in the comments below, or contact Google support.

Chanoyu Tea Ceremony at Agosto Space

The Tea Ceremony (Chanoyu or Chado) of Japan embodies all the artistic and cultural refinements of Japan. Patricia Katagiri began her studies of Chanoyu after her marriage in order to learn more about Japanese culture. Chanoyu includes not just the preparation and serving of sweets and tea, but also spiritual aspects found in Zen Buddhism and Taoism. It even has some Christian influences. One who has studied and is a “master” of Tea should know about history, calligraphy, architecture, flower arranging, gardening, and much more. Even after 45 years of study, Patricia describes that there is much she still needs to learn.

Patricia recently used the Agosto space for a Tea gathering (chakai). She described her time with her friends and family, and agreed to allow Agosto to share these interesting and intimate details of this ceremony in words and images.

“Its design was perfect for us… especially with the small room next to the large gathering space to use as a preparation/staging area. We were very happy that our many guests could see the ritual of making Tea for the main recipients and then be served their own sweet and bowl of tea from the preparation area. The use of your kitchen area made it very easy to stage and serve the light dinner after the Tea presentation.”

“About one-third of the 60 guests we had were my Tea students. The rest were family and friends, many of whom had never participated in a Tea gathering before. They were very happy to celebrate with me in your beautiful space. We were able to share a slideshow of my journey in Chanoyu through the years, and also to hang several Japanese scrolls on the pillars and on the glass wall (which was reminiscent of Japanese shoji).”

After 45 years of study, Patricia was given a Tea Name (Chamei) from the Urasenke School of Tea in Kyoto Japan. To study Tea is to put oneself into the present moment and to walk a “way” of “learning” so as to “act in truth.” This is the principle of “Do Gakku Jitsu” (or “Three in One”).

Agosto was honored to be able to have Patricia and the rest of the Katagiri family celebrate this special ceremony. We hope that sharing this interesting, ancient, tradition that transcends time and place gives our readers some insight.

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google