How to enhance your security posture in your enterprise cloud emails: Case for Google Workspace

Episode 4: Data Loss Prevention (DLP) for Drive

In this episode of enterprise cloud security on Google Workspace we will take a look on how to implement  DLP for Drive which allows you to create complex rules that combine triggers and conditions. You can also specify an action that sends a message to the user that their content has been blocked.

DLP for Drive helps manage access to services based on:

• Identity and context
• IP Range
• Device Policy
• Disk encryption status
• Screen lock status
• OS Policy – min OS Version, as string
• Different OS – Windows, MacOS, Chrome OS
• Company-owned device
• Serial number
• Geographic origin

DLP for Drive rules and custom content detectors

Step 1: Plan your rules

• Decide on rule conditions – rule conditions determine what kind of sensitive content the rule will detect.  using AND, OR or NOT operators you can specify multiple rules
• Recommended rules – DLP rules recommended to you based on the results of the Data protection insights report.
• Rule’s scope groups – you can choose admin- or user-created groups in your Groups list in the Admin console. Examples: 
  • Dynamic groups— manage memberships automatically when users join, move within, or leave your organization.
  • Security groups— helps you regulate, audit, and monitor the group for permission and access control.
  • Migrated groups –use Google Cloud Directory Sync (GCDS) to sync groups you create in Microsoft AD or other tools with Google Workspace.

Step 2: Create a custom detector (optional)

• sign in to your super administrator account or a delegated admin account and go to:

• Click Manage Detectors then click Add detector. Add the name and description.
• You can select:
  • Regular expression— a method for matching text with patterns.
  • Word list— This is a comma-separated list of words to detect.

• Click Create. Later, use the custom detector when you add conditions to a rule.

Step 3: Create rules

• In the Admin console, go to data protection section shown in step 2 above.
• Click Manage Rules. Then click Add rule -> New rule or click Add rule -> New rule from template.  Select a template from the Templates page

• In the Name section, add the name and description of the rule.
• In the Scope section, choose All in <domain.name> or choose to apply this rule only to users in selected organizational units or groups then click Continue.

• In the Apps section, choose the trigger for Google Drive, File created, modified, uploaded or shared and Click Continue

• In the Conditions section, click Add Condition.
• Choose the Content type to scan:
  • All content: All of the document, including the document title, body, and any suggested edits.
  • Body: Body of the document
  • Drive label: Any labels applied to the document.
  • Suggested edits: Content added to the document while in Suggestions mode

• Choose What to scan for, then fill out the needed attributes for that type of scan.
• Click Continue.
• In the Actions section,  you can optionally select the action to occur if sensitive data is detected in the scan:
  • Want to test a rule before adding an action to it

• In the Alerting section, choose a severity level (Low, Medium, High).
• Click Continue and review the rule details.
• In Rule status, choose an initial status for the rule and click create.
  • Active—Your rule runs immediately.
  • Inactive—Your rule exists, but does not run immediately

Step 4: Communicate to users about the new rule – set user expectations as to behavior and consequences of the new rule.

Stay tuned, in our next episodes, we shall cover topics in the following areas:

1. Deleting Accidental Sent emails in your domain
2. Security Center: Investigation tool
3. Google EMM: Remote Wipe Devices: Windows, Android and iPhone