Technical Overview - G Suite

Data security in G Suite requires both adaptive access control and dynamic DLP. With these two elements working in conjunction, Bitglass is able to dynamically apply data protection based on access context and the content being accessed. This allows IT teams to prevent high-value data from traveling to high-risk endpoints.

  • DLP & Access Control
  • Global Multi-level Visibility & Alerting
  • Identity & Access Management
  • Cross-app Extensibility
  • Architecture Overview
  • Deployment
DLP & Access Control

Bitglass enhances traditional role-based access control (RBAC) with adaptive access control. Policies can be defined based upon access method (browser or native app), device (type or profile), as well as geographic location and IP range. Intermediate access levels are enabled by Bitglass’ Citadel DLP engine, which can apply variable DLP policies via two methods: APIs and inline proxies. Citadel utilizes built-in APIs provided by Google to implement continuous scanning and protection of data-at-rest.

With Omni Multi-Protocol Proxies, Bitglass provides real-time data protection, overcoming the limitations of API scanning. Omni and Citadel govern the flow of sensitive data transiting to and from G Suite. Omni’s reverse proxy handles data flows to unmanaged devices, while the forward and ActiveSync proxies handle data flows to managed and BYOD mobile devices respectively.

Citadel provides a library of pre-built patterns to address common types of sensitive data: US SSNs, credit card numbers, etc. Citadel also allows for custom patterns via regex, keyword match, and advanced logic. Administrators can build DLP policies targeted at email subjects, bodies and attachments.
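To make the two ideas above concrete (context-based access levels, and content classification with built-in and Luhn-checked patterns), here is an added example that is not Bitglass code and does not show how Citadel or Omni are implemented. The pattern definitions, the three action names (allow, redact, block) and the 203.0.113.0/24 "corporate" range are all assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed patterns for the data types named on the page: US SSNs and card numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # candidate PANs, confirmed with Luhn


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a 16-digit invoice number is not flagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the sensitive-data classes found in text (custom patterns would be added here)."""
    found = set()
    if SSN_RE.search(text):
        found.add("us_ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("credit_card")
            break
    return found


@dataclass
class AccessContext:
    managed_device: bool  # device profile reported by an agent or MDM
    native_app: bool      # native app vs. browser session
    source_ip: str


CORPORATE_NET = ipaddress.ip_network("203.0.113.0/24")  # constructed TEST-NET range


def decide(ctx: AccessContext, text: str) -> str:
    """Map access context plus content class to an action: allow, redact, or block."""
    if not classify(text):
        return "allow"  # nothing sensitive: context does not matter
    on_corp_net = ipaddress.ip_address(ctx.source_ip) in CORPORATE_NET
    if ctx.managed_device and on_corp_net:
        return "allow"
    if ctx.managed_device or not ctx.native_app:
        return "redact"  # intermediate level: sensitive fields masked for this session
    return "block"       # native app on an unmanaged device, off the corporate network
```

The intermediate "redact" level is what the text calls a variable DLP policy: the same content is fully readable on a managed device on-network and masked elsewhere.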

Bitglass provides remediation options that can be automatically enacted upon data:

Global Multi-level Visibility & Alerting

Bitglass provides full audit and logging for cloud activity. Via its admin dashboard, Bitglass provides insights into application usage from an organizational level down to an individual user basis. The dashboard can provide complete transaction audit trails with rapid incident analysis via search across keyword, user, application, and more. Bitglass provides customizable alerting for events including the detection of data policy violations, suspicious logins, and anomalous activity.

Identity & Access Management

Bitglass has an integrated single sign-on solution, enabling cloud-based identity management for organizations. Bitglass’ native identity system provides configurable step-up multi-factor authentication to protect against suspicious logins. Users are presented with a unified portal to access all of their cloud applications.

Bitglass can also be configured to work with existing enterprise identity systems. This includes SAML 2.0 compliant IdPs such as: Okta, Ping Identity, OneLogin, Azure Active Directory, and Active Directory Federation Services (ADFS). For organizations relying upon on-premises Active Directory, Bitglass offers a sync agent that allows for seamless identity portability.

Cross-app Extensibility

Bitglass provides cross-platform data protection, allowing IT teams to extend their data security policies from G Suite to the rest of their cloud application suite. This extensibility helps streamline IT’s cloud security operations. Bitglass works with a range of popular enterprise cloud applications including Salesforce, Box, Dropbox, Slack, and more.
Architecture Overview

Bitglass runs entirely on the cloud as a SaaS application and is hosted globally on AWS infrastructure with auto-scaling and replication. Its fully redundant architecture ensures constant uptime – a 99.9% SLA is guaranteed. Global load-balancing results in zero perceptible latency for users.

Omni’s reverse proxy provides complete data protection for all sessions of G Suite initiated on unmanaged devices through any browser - without additional software. Users log in at the normal app or SSO portal and Bitglass, configured in Google Apps as the IdP, relays the SAML request to a third-party IdP, such as OneLogin, for authentication - redirecting app access through Bitglass. While traditional reverse proxies break dynamic client-side functions, Bitglass’ AJAX-VM technology rewrites links in static server-delivered content and automatically wraps browser-executed code.

For protecting data traveling to hard-coded apps – the Google Drive sync client, as well as Google’s mobile productivity apps – Omni offers a forward proxy mode. On Windows and Mac endpoints, this proxy can be implemented via Bitglass’ Device Profiling Agent. For mobile devices, Bitglass uses a configuration profile to implement data protection.

Bitglass provides a REST API for integration with an organization’s identity and security systems. The API enables complete external user management and governance. Additionally, it provides integration points for connecting Bitglass to SIEMs like Splunk and IBM QRadar.

Deployment

Bitglass supports multiple deployment methodologies, tailored to the individual enterprise IT environment. Deployment of Bitglass for G Suite requires no hardware or software installation, just simple configuration changes. As a result, deployment can occur in as little as an hour – though Bitglass can also be rolled out in phases per organizational needs.

By default, Bitglass proxies and protects the enterprise-SSO enabled Google applications.