Wednesday, March 15, 2023

Improving your security with shorter Session Length defaults

What’s changing

To further improve security for our customers, we are changing the default session length to 16 hours for existing Google Cloud customers. Note that this update refers to managing user connections to Google Cloud services (e.g. Google Cloud console), not connections to Google services (e.g. Gmail on the web). 


For existing customers who have session length configured to Never Expire, we are updating the session length to 16 hours. See below for more information. 




Who’s impacted 

Admins, end users, and developers 


Why you’d use it 

Many apps and services can access sensitive data or perform sensitive actions. Because of this, managing session length is foundational to cloud security and compliance. It ensures that access to the Google Cloud Platform is finite after a successful authentication, which helps deter bad actors should they gain access to credentials or devices.


Additional details 

Google Cloud session controls 
For existing customers who have session length configured to Never Expire, we are updating the session length to 16 hours. This ensures customers do not mistakenly grant infinite session length to users or apps using Oauth user scopes. After the session expires, users will need to re-enter their login credentials to continue their access. This impacts the following: 

Settings can be customized for specific organizations, and will impact all users within that org. This is a timed session length that expires the session regardless of the user's activity. When choosing a session length, admins have the following options:
  • Choose from a range of predefined session lengths, or set a custom session length between 1 and 24 hours. 
  • Configure whether users need just a password, or require a Security Key to re-authenticate.


Third-party SAML identity providers and session length controls 
If your organization uses a third-party SAML-based identity provider (IdP), the cloud sessions will expire, but the user may be transparently re-authenticated (i.e. without actually being asked to present their credentials) if their session with the IdP is valid at that time. This is working as intended, as Google will redirect the user to the IdP and accept a valid assertion from the IdP. To ensure that users are required to re-authenticate at the correct frequency, evaluate the configuration options on your IdP and review the Help Center article to Set up SSO via a third party Identity provider.


Trusted applications
Some apps are not designed to gracefully handle the re-authentication scenario, which can cause confusing app behavior. Other apps are deployed for server-to-server purposes via user credentials — because they don’t require service account credentials, they are not prompted to periodically re-authenticate.

If you have specific apps like this, and you do not want them to be impacted by session length reauthentication, the org admin can add these apps to the trusted list for your organization. This will exempt the app from session length constraints, while implementing session controls for the rest of the apps and users within the organization.


Getting started

  • Admins: For customers who have their session length set to "Never Expire", your session length will reset to 16 hours. It can be turned off or modified at the OU level. Visit the Help Center article to learn how to set session length for Google Cloud services for your organization.  
  • End users: If a session ends, users will simply need to log in to their account again using the familiar Google login flow. 

Rollout pace

Availability

  • Available to all Google Workspace and Cloud Identity customers, as well as legacy G Suite Basic and Business customers