Data Security in Google Drive using DLP
February 22, 2024
If you’re using Google Workspace and security is a focus for 2024, this blog should be really helpful to you, as we’ll cover how to secure your data in Drive, with instructions on how to implement it too. The General Data Protection Regulation (GDPR) has been in place for almost six years in Europe and ensures the protection of sensitive data, which remains a daily challenge for Data Controller companies. GDPR requires data controllers and processors to take “appropriate technical and organisational measures” to implement data protection principles. Despite these efforts, the human factor introduces the risk of simple errors that can compromise data security.
Google Workspace offers businesses and users a solution to address this challenge. Google allows your Workspace administrator team to create Data Loss Prevention (DLP) policies to safeguard the data you control or process.
Understanding DLP
DLP, or Data Loss Prevention, involves setting policies to detect sensitive content and apply predefined actions. These policies allow administrators to create rules governing what content can be shared beyond the organisation by its users. DLP plays a crucial role in preventing both accidental and intentional exposure of sensitive information, such as credit card details, passport information, or personal identification numbers.
How DLP Works
DLP rules initiate scans of files for sensitive content, ensuring that potential risks are identified and addressed promptly. These rules can be configured at various levels within your organisation, capturing all user behaviour or focusing on specific organisational units or custom security groups.
The actions triggered by DLP rules include:
- Blocking External Sharing: Preventing sensitive data from being shared outside the organisation.
- Warning against External Sharing: Alerting users when attempting to share sensitive content externally.
- Disabling Download, Print, and Copy Permissions: Restricting non-editors from downloading, printing, or copying sensitive files.
- Applying Specific Drive Labels: Organising and labelling files based on their sensitivity.
Monitoring and Alerts
DLP actions that trigger a rule are logged in the security dashboard, providing administrators with a comprehensive overview of potential incidents. Additionally, alerts can be sent to the Admin Alert Centre for the admin team to review, while email notifications keep non-admin users informed within the business.
How to create a DLP rule
Follow these steps to create a DLP rule:
From the Admin console, navigate to Security > Access and data control > Data protection
From the “Data Protection rules and detectors” section select “Manage Rules”
Click “Add Rule”
Give the Rule a name and an optional description
In the Scope section, set the users this rule applies to. You can select to:
- Include all users on the Domain
- Include or exclude all Organisational units
- Include or exclude a group
Click continue to move to App selection. This allows the user to choose which applications the rule will scan for trigger content.
Options include Google Chat, for messages sent or files uploaded, or Google Drive, for Drive files. Multiple options can be selected. Click continue.
Now you are ready to add conditions.
Firstly select the scope of the rule scan:
- All Content: scans all file content for rule triggers
- Body: scans only the file’s body content for rule triggers
- Drive Label: reviews the file's label for the rule trigger condition
- Suggested edits: scans content added to the document (in suggesting mode) for rule triggers
- Title: scans only the file’s title for rule triggers
Next add what to scan for:
- Content matching a predefined data type
- Content containing a text string
- Content matching a regular expression
- Content matching words from a word list
Google recommends using a predefined data type. The predefined options available depend on the region. If supporting an Irish user base, an admin can select from:
- Passport number
- Credit card number
- Eircode
- PPS Number
If using a predefined data type, the panel will require the user to set a Likelihood Threshold. This sets the level of confidence the system needs to have in the data match before triggering a rule. For example, if a user wishes to pick up anything that could potentially be a credit card number, they might set the likelihood to “low” so that the system does not need to be very confident in the number's veracity to take the action.
Lastly you can set the match minimums.
Minimum unique matches
The minimum number of times a matched result must uniquely occur in a document to trigger the action.
Minimum match count
The minimum number of times any matched results must appear in a document to trigger the action.
Now set the action that will happen when the conditions are met.
Here the user can select from four options:
- Blocking external sharing
- Warning against external sharing
- Disable download, print and copy permissions for non-editors
- Apply specific Drive labels
By default, any event that triggers the rule will be reported in the security dashboard. In the alerting section, select the severity level for the alert. Check the box to enable an alert to be sent to the Alert Centre for the administrative team to view, and optionally select an email notification to the relevant user in the organisation, perhaps in this case a Data Protection Officer.
Clicking continue will take the user to the review page. Take the time to review the rule scope, application, conditions and action. Click create and you can see that the rule is active.
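The condition settings from the steps above, modelled as an added example (not from the original post and not Google's detector code): a regular-expression condition counted against minimum unique matches and minimum match count, with a Luhn checksum as one way to cut false positives from a bare regex. The regex, function names and sample text are constructed, and requiring both minimums to be met is an assumption of this model.

```python
import re

# Hypothetical regex condition: 16 digits, optionally grouped in fours.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects digit runs that cannot be real card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def evaluate_rule(text, min_unique=1, min_count=1, validate=True):
    """Model of a DLP condition; assumed to fire only if BOTH minimums are met."""
    # Normalise separators so the same number in different layouts is one value.
    hits = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    if validate:
        hits = [h for h in hits if luhn_ok(h)]
    result = {"match_count": len(hits), "unique_matches": len(set(hits))}
    result["triggered"] = (result["match_count"] >= min_count
                           and result["unique_matches"] >= min_unique)
    return result

# Constructed sample document: one test card number written three ways,
# a second test card number, and a 16-digit order reference that fails Luhn.
SAMPLE = """Invoice notes
Card on file: 4111 1111 1111 1111
Retry with 4111-1111-1111-1111, then 4111111111111111 again.
Backup card: 5555 5555 5555 4444
Order ref: 1234 5678 9012 3456
"""

if __name__ == "__main__":
    print(evaluate_rule(SAMPLE, min_unique=2, min_count=2))
    print(evaluate_rule(SAMPLE, min_unique=3, min_count=1))
    print(evaluate_rule(SAMPLE, min_unique=3, min_count=1, validate=False))
```

The repeated number raises the match count but not the unique count, and the unvalidated regex also counts the order reference, which is the kind of false positive a low-confidence match produces.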
Real world scenario!
So we’ve delved into the capabilities of Google Workspace's Data Loss Prevention (DLP) policies, allowing administrators to fortify data security. Now let's explore how these policies translate into the user interface, providing a seamless experience while handling sensitive information. This is covered more in-depth in the video, but below is a loose transcript.
User Perspective: Talent Acquisition Scenario
Consider the scenario where an individual working in talent acquisition needs to share applicant CVs with a hiring manager. They have the CV stored in a shared drive and intend to grant the hiring manager access. Here's where what we’ve shown you so far in DLP comes into play.
Sharing with External Collaborators
Clicking the share button triggers a system pop-up, alerting the user that the document contains restricted content, preventing external sharing.
But don't worry: if you need to share the document with an external user, simply delete the confidential information, give the system time to re-run the rule, and then share as normal.
Document Editing with DLP Rule
If the user needs to collaborate with an external party, they'll notice a restricted content icon on the share button, indicating a DLP rule is in effect.
Upon editing and removing the confidential information triggering the DLP rule, the icon disappears, and the user gains normal sharing access after a brief scan confirmation.
DLP Rule Impact on External Collaborators
Now, let's explore the scenario where a DLP rule is triggered on a file that has been previously shared with external users:
DLP Rule Activation:
- Adding content that triggers a DLP rule initiates a sensitive content icon on the share button.
- Although external collaborators are listed in the “people with access list”, the file won't open for the external collaborator. A message appears urging the user to remove the collaborator.
External Collaborator Experience
- External collaborators attempting to access the document are directed to a "Can't access Item" page.
- Collaborators can easily be removed, allowing the user to save the sharing settings and comply with DLP rules.
Combining DLP Rules for Enhanced Security
Google Workspace allows for the combination of DLP rules to create a robust data security policy. For example, a briefing document for a secret project might trigger a DLP rule that adds an "Internal" Drive label to the document automatically.
Then another DLP rule could block external sharing on any document labelled "Internal."
Collaborating with DLP Rules in Place
Attempting to share the document externally invokes a pop-up, preventing the action due to sensitive material.
The user can navigate this seamlessly by adhering to DLP policies, ensuring a comprehensive and layered approach to data security.
Summary
So that’s how to implement DLP with instructions and how that translates into a real world scenario. As we’ve mentioned, GDPR has become increasingly difficult to implement throughout businesses and hopefully with this guide you’ll be able to better understand and potentially implement this in your business.
To get in touch with us about DLP or if you’d like to discuss working with a Google Partner to make solutions like this possible within your company, please do get in touch. You can subscribe to our YouTube channel for more videos or get in touch with us directly here.