Google keeps extending the security features of its products and services, and one recent example is the expansion of Google DLP (Data Loss Prevention) for Gmail and Google Drive to enterprise organizations.
Google Data Loss Prevention is a set of automated functions that monitor Gmail messages and Google Drive items for triggers (specific content defined by the domain administrator), detect them, and prevent that content from being leaked or lost, whether maliciously or accidentally.
Google Data Loss Prevention for Gmail
Google DLP scans Gmail messages for the configured triggers and, if one is detected, takes the action predefined by the administrator.
What messages are scanned?
Depending on company policy and the required level of prevention, the Google Workspace administrator can set up a DLP policy for one or several types of messages:
- Emails received from outside the set of domains associated with the organization;
- Emails sent outside the set of domains associated with the organization;
- Emails received from within the set of domains associated with the organization;
- Emails sent within the set of domains associated with the organization.
What content is detected?
Google Workspace (formerly G Suite) administrators set up the trigger the system will look for. This can be exact content, context, or message metadata.
There are three main types of triggers that can be set:
- Specific expression – any word or phrase can be set up;
- Metadata attributes – such as the source IP, the message size, whether or not the message is authenticated, and whether or not the connection is TLS encrypted;
- Predefined content match – a wide range of country-specific and international detectors is available, such as credit card numbers, passport numbers, US Social Security Numbers, IBANs, etc.
For these detectors, the system analyzes not only the content of the data (e.g., the 9 digits of a Social Security Number) but also its context (e.g., the words “ssn”, “social”, “social security”, “taxpayer”), which is what keeps an unrelated 9-digit number from triggering the rule. If admins need a content detector that is not currently available, they must file a support case and ask for it to be added.
What happens when the content is detected?
When Gmail DLP finds a message containing sensitive data, it takes one of the following actions, depending on the administrator’s setup:
- Modifies the message – e.g., bypasses spam filters, removes attachments, adds recipients, or requires secure transport;
- Rejects sending or receipt of the message;
- Quarantines the message – quarantined messages are sent to the admin quarantine panel, where the admin can preview each one and allow or deny it.
Google DLP for Drive
In addition to scanning items for specific data, as in Gmail, Google DLP for Drive also includes a Sharing Files policy. It detects files shared with people outside the Google Workspace domain and takes the action predefined in the security policies set by the Google Workspace administrator.
What Drive items are scanned?
A DLP policy can be set up for all Drive items or only for the items of users in a specific organizational unit.
As part of the Sharing Files policy, DLP can detect files shared:
- Outside the domain;
- Outside the domain and the list of permitted domains.
What content is detected?
As with Gmail, DLP searches for the content the administrator has defined as sensitive. The same groups of content are available for Drive as for Gmail:
- Specific expressions;
- Predefined content match.
What happens when the content is detected?
When the system finds an item containing sensitive data or shared in violation of the defined Sharing Files policy, it takes one or more of the following actions, depending on the administrator’s setup:
- sends an email to super administrators,
- sends an email to the user who created, edited, or uploaded a file with sensitive content,
- blocks sharing of any file with sensitive content.
Additionally, super admins have the option of transferring file ownership to another user.
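The Sharing Files policy and the Drive actions above can be modelled as a small policy check. The following is an added example, not Google's code and not a Drive API call: the organisation domain, the permitted-domain list, the sensitive terms, the `evaluate_item` rule (violation plus sensitive content blocks sharing and notifies; violation alone only reports) and the sample items are all constructed for the example. It also covers a case the text only implies: "anyone with the link" sharing has no domain at all and is treated as external under both policy modes.

```python
# Added example (not Google's code): Drive "Sharing Files" policy evaluation.
# All domains, terms, items and the action mapping are assumptions of this example.
ORG_DOMAIN = "example.com"                           # assumed organisation domain
PERMITTED_DOMAINS = frozenset({"partner.test"})      # assumed permitted-domain list
SENSITIVE_TERMS = ("internal only", "confidential")  # assumed expression trigger


def _grant_domain(perm: dict):
    """Domain a Drive permission grants access to; None for 'anyone with the link'."""
    if perm["type"] == "anyone":
        return None
    if perm["type"] == "domain":
        return perm["domain"].lower()
    return perm["email"].rsplit("@", 1)[-1].lower()  # user or group grant


def describe(perm: dict) -> str:
    dom = _grant_domain(perm)
    if dom is None:
        return "anyone-with-link"
    return f"domain:{dom}" if perm["type"] == "domain" else perm["email"].lower()


def external_grants(item: dict, mode: str) -> list:
    """Grants that violate the policy.
    'outside_domain'    : anything not in ORG_DOMAIN is external.
    'outside_permitted' : domains on the permitted list are also allowed.
    Link sharing has no domain (None), so it is external under both modes."""
    allowed = {ORG_DOMAIN}
    if mode == "outside_permitted":
        allowed |= PERMITTED_DOMAINS
    return [p for p in item["permissions"] if _grant_domain(p) not in allowed]


def has_sensitive_content(item: dict) -> bool:
    text = item["content"].lower()
    return any(term in text for term in SENSITIVE_TERMS)


def evaluate_item(item: dict, mode: str = "outside_permitted") -> dict:
    """Sharing violation AND sensitive content: block sharing and email both the
    super admins and the owner. Sharing violation alone: email the super admins.
    (This pairing of conditions to actions is an assumption of the example.)"""
    grants = external_grants(item, mode)
    sensitive = has_sensitive_content(item)
    if grants and sensitive:
        actions = ["block_external_sharing", "email_super_admins",
                   "email_user:" + item["owner"]]
    elif grants:
        actions = ["email_super_admins"]
    else:
        actions = []
    return {"name": item["name"], "external": [describe(p) for p in grants],
            "sensitive": sensitive, "actions": actions}


# Constructed Drive items; the permission dicts only mimic the type/email/domain
# fields of a Drive permission and are not API responses.
SAMPLE_ITEMS = [
    {"name": "Q3 roadmap", "owner": "alice@example.com",
     "content": "INTERNAL ONLY - Q3 product roadmap",
     "permissions": [{"type": "user", "email": "bob@example.com"},
                     {"type": "user", "email": "eve@gmail.test"}]},
    {"name": "Joint plan", "owner": "alice@example.com",
     "content": "Shared delivery plan with the partner team",
     "permissions": [{"type": "user", "email": "pat@partner.test"}]},
    {"name": "Event flyer", "owner": "carol@example.com",
     "content": "Come to our launch event",
     "permissions": [{"type": "anyone"}]},
    {"name": "Contract", "owner": "dave@example.com",
     "content": "Confidential commercial terms",
     "permissions": [{"type": "domain", "domain": "example.com"},
                     {"type": "anyone"}]},
]


def run_policy(mode: str = "outside_permitted", items=SAMPLE_ITEMS) -> list:
    return [evaluate_item(i, mode) for i in items]


if __name__ == "__main__":
    for r in run_policy():
        print(r["name"], r["external"], r["sensitive"], r["actions"])
```

Running it with the two policy modes shows the difference the permitted-domain list makes: "Joint plan" is clean under `outside_permitted` but is reported under `outside_domain`, while both link-shared items are flagged either way.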
How Does Google DLP for Gmail and Drive Work?
Google DLP for Gmail and Drive works in 3 phases:
- The admin sets a rule. Setting a rule means:
  - defining the range of messages and items that must be monitored,
  - defining the content or metadata attributes the DLP system will look for, and the detection sensitivity level,
  - defining the action to take on a message or item when a trigger occurs;
- DLP scans all messages/files in the prescribed range and finds the ones that match the rule;
- The action predefined by the administrator is taken on the matching message/file.
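The three phases above, and the Gmail scopes, trigger types and actions described earlier on this page, can be exercised end to end with a small rule engine. The following is an added example written for this article, not Google's implementation: the organisation domains, the rule names, the precedence when several rules match (reject over quarantine over modify), the SSN detector and the sample messages are all assumptions constructed for the example. The predefined-content detector follows the article's description by requiring both the 9-digit pattern and a context word, so a bare order number does not match.

```python
# Added example (not Google's code): a Gmail DLP rule evaluated in three phases.
# Domains, rules, precedence and messages are assumptions of this example.
import re
from dataclasses import dataclass, field
from typing import Callable

ORG_DOMAINS = {"example.com", "mail.example.com"}  # assumed organisation domains

# --- Phase 1: the trigger kinds the article lists ---------------------------
# Predefined content match for a US SSN: 9 digits with optional separators,
# excluding values the SSA never issues (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
SSN_CONTEXT = ("ssn", "social security", "social", "taxpayer")

def detect_ssn(text: str) -> bool:
    """Fire only when the number pattern AND a context word are both present."""
    body = text.lower()
    return bool(SSN_RE.search(body)) and any(w in body for w in SSN_CONTEXT)

def expression(phrase: str) -> Callable[[dict], bool]:
    """Specific-expression trigger: a literal word or phrase, case-insensitive."""
    needle = phrase.lower()
    return lambda msg: needle in (msg["subject"] + " " + msg["body"]).lower()

def metadata(attr: str, expected) -> Callable[[dict], bool]:
    """Metadata trigger on an attribute such as 'tls' or 'authenticated'."""
    return lambda msg: msg.get(attr) == expected

@dataclass
class Rule:
    name: str
    scope: frozenset                            # message directions it covers
    triggers: list                              # any matching trigger fires it
    action: str                                 # "modify", "reject", "quarantine"
    modify: dict = field(default_factory=dict)  # changes for a "modify" action

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def direction(msg: dict) -> str:
    """Classify like the article's scopes; 'received from within' and
    'sent within' both collapse to 'internal' here."""
    sender_in = _domain(msg["from"]) in ORG_DOMAINS
    rcpts_in = [_domain(r) in ORG_DOMAINS for r in msg["to"]]
    if sender_in and all(rcpts_in):
        return "internal"
    if sender_in:
        return "outbound"
    if any(rcpts_in):
        return "inbound"
    return "external"  # neither side is ours; no rule scope covers it

SEVERITY = {"reject": 3, "quarantine": 2, "modify": 1}  # assumed precedence

def evaluate(msg: dict, rules: list) -> dict:
    """Phases 2 and 3: scan one message against every in-scope rule and apply
    the most restrictive matching action; 'modify' changes are merged."""
    dirn = direction(msg)
    matched = [r for r in rules
               if dirn in r.scope and any(t(msg) for t in r.triggers)]
    result = {"direction": dirn, "matched": [r.name for r in matched],
              "disposition": "deliver", "modifications": {}}
    if matched:
        top = max(matched, key=lambda r: SEVERITY[r.action])
        result["disposition"] = top.action
        if top.action == "modify":
            for r in matched:
                result["modifications"].update(r.modify)
    return result

RULES = [  # constructed rule set; names and settings are hypothetical
    Rule("ssn-outbound", frozenset({"outbound"}),
         [lambda m: detect_ssn(m["subject"] + " " + m["body"])], "quarantine"),
    Rule("outbound-needs-tls", frozenset({"outbound"}),
         [metadata("tls", False)], "modify", {"require_tls": True}),
    Rule("unauthenticated-inbound", frozenset({"inbound"}),
         [metadata("authenticated", False)], "reject"),
    Rule("codename-review", frozenset({"outbound"}),
         [expression("project falcon")], "modify",
         {"add_recipients": ["dlp-review@example.com"]}),
]

SAMPLE_MESSAGES = [  # constructed sample mail, not real messages
    {"from": "hr@example.com", "to": ["payroll@vendor.test"], "tls": True,
     "authenticated": True, "subject": "New hire",
     "body": "Her SSN is 123-45-6789, please set up payroll."},
    {"from": "ops@example.com", "to": ["bob@vendor.test"], "tls": False,
     "authenticated": True, "subject": "Order",
     "body": "Order ref 123456789 shipped yesterday."},
    {"from": "spoof@attacker.test", "to": ["ceo@example.com"], "tls": True,
     "authenticated": False, "subject": "Invoice",
     "body": "Please pay the attached invoice."},
    {"from": "alice@example.com", "to": ["bob@example.com"], "tls": True,
     "authenticated": True, "subject": "Project Falcon",
     "body": "SSN 123-45-6789 for the taxpayer file."},
    {"from": "pm@example.com", "to": ["ext@vendor.test"], "tls": False,
     "authenticated": True, "subject": "Project Falcon kickoff",
     "body": "Deck attached."},
]

def run(messages=SAMPLE_MESSAGES, rules=RULES) -> list:
    return [evaluate(m, rules) for m in messages]

if __name__ == "__main__":
    for r in run():
        print(r["direction"], r["disposition"], r["matched"], r["modifications"])
```

The second sample message is the instructive one: it carries a 9-digit number that the SSN pattern alone would match, but with no context word the predefined detector stays silent and only the plain-TLS metadata rule fires. The fourth message contains a real SSN with context yet is delivered untouched, because the rule is scoped to outbound mail and the message is internal.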
Google DLP for Gmail does not notify the Google Workspace administrator about rejected or modified messages, so the administrator does not have full visibility into how sensitive data is being handled.
This gap is filled by SpinOne Data Protection, which provides Google Workspace administrators with detailed data security reports and a set of tools that significantly increase the effectiveness of the organization’s security controls.
If you want the most effective data security strategy for your organization, try Google Workspace together with Spinbackup.