How to enhance your security posture in your enterprise cloud emails: Case for Google Workspace

Episode 4: Data Loss Prevention (DLP) for Drive

In this episode of enterprise cloud security on Google Workspace we will take a look on how to implement  DLP for Drive which allows you to create complex rules that combine triggers and conditions. You can also specify an action that sends a message to the user that their content has been blocked.

DLP for Drive helps manage access to services based on:

  • Identity and context
  • IP Range
  • Device Policy
  • Disk encryption status
  • Screen lock status
  • OS Policy – min OS Version, as string
  • Different OS – Windows, MacOS, Chrome OS
  • Company-owned device
  • Serial number
  • Geographic origin

DLP for Drive rules and custom content detectors

Step 1: Plan your rules

  • Decide on rule conditions – rule conditions determine what kind of sensitive content the rule will detect.  using AND, OR or NOT operators you can specify multiple rules
  • Recommended rules – DLP rules recommended to you based on the results of the Data protection insights report.
  • Rule’s scope groups – you can choose admin- or user-created groups in your Groups list in the Admin console. Examples: 
    • Dynamic groups— manage memberships automatically when users join, move within, or leave your organization.
    • Security groups— helps you regulate, audit, and monitor the group for permission and access control.
    • Migrated groups –use Google Cloud Directory Sync (GCDS) to sync groups you create in Microsoft AD or other tools with Google Workspace.

Step 2: Create a custom detector (optional)

  • sign in to your super administrator account or a delegated admin account and go to:

  • Click Manage Detectors then click Add detector. Add the name and description.
  • You can select:
    • Regular expression— a method for matching text with patterns.
    • Word list— This is a comma-separated list of words to detect.

  • Click Create. Later, use the custom detector when you add conditions to a rule.

Step 3: Create rules

  • In the Admin console, go to data protection section shown in step 2 above.
  • Click Manage Rules. Then click Add rule -> New rule or click Add rule -> New rule from template.  Select a template from the Templates page

  • In the Name section, add the name and description of the rule.
  • In the Scope section, choose All in <> or choose to apply this rule only to users in selected organizational units or groups then click Continue.

  • In the Apps section, choose the trigger for Google Drive, File created, modified, uploaded or shared and Click Continue

  • In the Conditions section, click Add Condition.
  • Choose the Content type to scan:
    • All content: All of the document, including the document title, body, and any suggested edits.
    • Body: Body of the document
    • Drive label: Any labels applied to the document.
    • Suggested edits: Content added to the document while in Suggestions mode

  • Choose What to scan for, then fill out the needed attributes for that type of scan.
  • Click Continue.
  • In the Actions section,  you can optionally select the action to occur if sensitive data is detected in the scan:
    • Want to test a rule before adding an action to it

  • In the Alerting section, choose a severity level (Low, Medium, High).
  • Click Continue and review the rule details.
  • In Rule status, choose an initial status for the rule and click create.
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately

Step 4: Communicate to users about the new rule – set user expectations as to behavior and consequences of the new rule.

Stay tuned, in our next episodes, we shall cover topics in the following areas:

  1. Deleting Accidental Sent emails in your domain
  2. Security Center: Investigation tool
  3. Google EMM: Remote Wipe Devices: Windows, Android and iPhone