The Ultimate Manual to G Suite Data Loss Prevention
Does your organization rely on Google Workspace? If so, keeping sensitive data as secure as possible needs to be a top priority.
One way to keep your G Suite data safe is with data loss prevention (DLP) strategies for Google Workspace, and this guide will teach you how.
What is G Suite Data Loss Prevention Anyway?
G Suite data loss prevention, also known as data leakage prevention, is a system used to monitor and detect data breaches. DLP for G Suite can also prevent unauthorized transfers of data from a company’s Google Drive account.
Company financial statements, intellectual property, customer information, and other personally identifiable information fall into the “sensitive data” category.
In a data leakage scenario, sometimes these types of files are sent externally by mistake. But in other cases, they could be leaked with malicious intent by someone on your team. That’s why it’s so important for organizations using Google Drive to educate team members on the potential consequences of data in the wrong hands.
Team members must follow basic data loss prevention best practices. Steps like enabling view-only access on files and avoiding sharing links externally can help prevent data leaks.
How G Suite Data Loss Prevention Works
G Suite administrators can control DLP settings from the admin console. This allows you to create and apply rules that control how users share Google Drive files with people outside your company. DLP gives admins full control over what can be shared while preventing accidental exposure of sensitive information.
Applying G Suite data loss prevention comes down to defining rules and the actions they trigger. Your rules establish what counts as a DLP incident, and each incident triggers an action, such as blocking the offending content.
Here’s a simplified summary of a G Suite DLP flow:
- The admin defines DLP rules. The rules define what type of content is considered sensitive and needs to be protected. You can apply DLP rules to both Shared drive and My Drive in G Suite.
- DLP scans Google Drive for potential rule violations that would ultimately trigger a DLP incident.
- The DLP policy enforces the rules.
- The violations trigger an action, such as an alert to the admin.
G Suite has an integrated DLP system that you can take advantage of without adding any third-party tools or security systems. The system has gone through two significant updates in the past couple of years—once in January 2020 and again in March 2021.
Let’s take a closer look at some of the current G Suite DLP features and details.
Author DLP Rules with Scope, Condition, and Actions
In terms of scope, policies can be authored for organizational units or groups, and the rules scan files owned by users in the selected scope. Conditions include:
- Scanning of all files
- Scanned file contents
- Rule templates
- Content detectors
- Keyword and word lists
- Predefined detectors
- Nested conditions
- Detection and confidence threshold levels
- Extended match count
Warning end users, blocking externally shared links, and sending alerts and notifications are all examples of actions.
Incident Management
Alerts can be sent to the data loss prevention admins so they can detect an incident quickly and validate potential false positives.
DLP alerts are sent to the alert center whenever a rule gets triggered. This can be found on the G Suite admin console home page. Navigate to Security, Alert Center, and click View Alert Details for more. You can also use an investigation dashboard to see different DLP policy violations.
G Suite DLP lets you track incidents over time as well, which helps spot violation trends.
Rule Investigation
The security investigation tool has everything you need for rule investigations. You can View Metadata and Attributes under Rule in the Investigation Tool. Just navigate to the Security Center to access this.
The investigation tool can be used to identify and take action on both security and privacy issues in G Suite.
Administrator Privileges and Requirements
Certain admins can just view DLP rules while others can manage DLP rules. Manage access allows admins to create, edit, and investigate rules.
View and manage permissions must both be enabled to create and edit DLP rules.
Super administrators can set rules and content detectors. Otherwise, a delegated admin can be granted these privileges as well.
Example 1: Scanning Email Traffic
Lots of emails contain potentially sensitive data. Admins can use G Suite DLP to create custom rules for Gmail, Docs, and other G Suite apps that match specific keywords.
You can also use Google's predefined content detectors to scan inbound or outbound messages. These detectors were specifically designed to locate sensitive information like passport numbers, social security numbers, and credit card data.
Similar to standard Gmail compliance settings, you can use G Suite DLP detectors to trigger a response like quarantine, reject, or modify a specific message.
You also have the ability to pair keywords or regular expressions with predefined detectors. This makes it possible to create a more sophisticated compliance policy, for example one that prevents emails from containing credit card numbers.
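To make the rule model concrete (scope, conditions such as predefined detectors, keyword lists and match-count thresholds, and an action per rule), here is an added example of a small rule engine. It is illustrative code written for this guide, not Google's DLP implementation: the two "predefined detectors", the rule and document shapes, and the sample documents are all constructed here, and the credit card detector uses a Luhn check to cut false positives the way a real detector's confidence threshold would.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Two constructed "predefined detectors" (Google's real detectors are not public code).
_CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators
_SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")  # unissued ranges excluded


def detect_credit_card(text: str) -> list[str]:
    return [m.group() for m in _CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


def detect_ssn(text: str) -> list[str]:
    return _SSN_RE.findall(text)


DETECTORS = {"credit_card": detect_credit_card, "us_ssn": detect_ssn}


@dataclass
class Rule:
    name: str
    scope_ous: set[str]                                  # organizational units the rule applies to
    detectors: list[str] = field(default_factory=list)   # predefined detector condition
    keywords: list[str] = field(default_factory=list)    # keyword / word list condition
    min_matches: int = 1                                 # "extended match count" threshold
    action: str = "alert"                                # alert | warn | block


@dataclass
class Document:
    name: str
    owner_ou: str
    text: str


def evaluate(rule: Rule, doc: Document) -> Optional[dict]:
    """Return an incident record if the document violates the rule, else None."""
    if doc.owner_ou not in rule.scope_ous:               # scope check first
        return None
    matches: list[tuple[str, str]] = []
    for det in rule.detectors:
        matches += [(det, m) for m in DETECTORS[det](doc.text)]
    lowered = doc.text.lower()
    matches += [("keyword", kw) for kw in rule.keywords if kw.lower() in lowered]
    if len(matches) < rule.min_matches:                  # below threshold: no incident
        return None
    return {"rule": rule.name, "document": doc.name, "matches": matches, "action": rule.action}


def scan(rules: list[Rule], docs: list[Document]) -> list[dict]:
    """Scan every document against every rule; the DLP policy 'enforces' the returned actions."""
    return [inc for doc in docs for rule in rules if (inc := evaluate(rule, doc))]


# Constructed sample rules and documents.
RULES = [
    Rule("Block cardholder data", {"finance", "sales"}, detectors=["credit_card"], action="block"),
    Rule("SSN bulk export", {"hr"}, detectors=["us_ssn"], min_matches=2, action="alert"),
    Rule("Confidential keyword", {"finance", "sales", "hr"},
         keywords=["confidential", "internal only"], action="warn"),
]
DOCS = [
    Document("q3-forecast.gdoc", "finance", "CONFIDENTIAL draft. Card on file: 4111 1111 1111 1111."),
    Document("payroll.gsheet", "hr", "Jane 123-45-6789; Jim 987-65-4321; Ann 078-05-1120"),  # 987-* is unissued
    Document("memo.gdoc", "hr", "One SSN only: 123-45-6789"),          # below the min_matches threshold
    Document("order-ids.gsheet", "sales", "Order 1234 5678 9012 3456 shipped"),  # fails Luhn: not a card
]

if __name__ == "__main__":
    for incident in scan(RULES, DOCS):
        print(incident)
```

Run it as a script to see the three incidents; the single-SSN memo and the order number that fails the Luhn check produce none, which is the kind of false-positive reduction a confidence threshold is meant to give.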
Example 2: School District Cloud Data Protection (FERPA Compliance)
G Suite is a popular choice for K-12 school districts nationwide. It’s an easy way for educators and students to work collaboratively in and out of the classroom.
But lots of school districts are targeted by phishing schemes and ransomware. Schools must also comply with FERPA (Family Educational Rights and Privacy Act).
With remote learning and hybrid learning becoming the new normal in recent years, IT admins in school districts need to prioritize student data privacy.
The native DLP tools in G Suite can strengthen the DLP policies in a school district. There’s a free Google Education license that has basic DLP capabilities. But for advanced access controls, you should upgrade to an Enterprise license.
District admins should monitor the insider DLP risk indicators, as these are the most common G Suite data loss risk for schools. In most cases, the data loss indicators are triggered by accident. But in some cases, it occurs with malicious intent.
For example, maybe a student used school credentials to connect with a risky app. Or maybe an authorized user created a public link with sensitive data. These are both accidental examples.
A few years ago, there was a Chicago Public School contractor who illegally downloaded the personal data of different district employees. This is an example of malicious behavior.
In both instances, a G Suite DLP policy can help detect and prevent these scenarios. At the very least, an admin would be notified immediately so appropriate action can be taken quickly.
How to Get Started With G Suite Data Loss Prevention
Now that you understand the core concepts of G Suite data loss prevention and how it works, it’s time to apply these principles to your organization and unique use cases. These are the five actionable steps you must take to get started:
Step 1: Understand the Big Picture of Data Loss Prevention
First, take a minute to step outside of G Suite and look at data loss prevention as a whole. DLP can be applied to a wide range of use cases. Understanding how it works will make it easier for you to apply its concepts to G Suite and Google Workspace.
Here are some of the most critical elements of DLP that you need to comprehend:
- Protect Data in Motion — Sensitive data must be protected while it’s moving, whether from one user in an organization to another or while it’s being shared with a third party. A central management system can analyze network traffic patterns to locate moving data that violates IT security policies.
- Protect Data at Rest — You’ll also want to ensure data is secured while it’s being stored. Access control policies and encryption are the standard data security practices used here.
- Protect Data in Use — Different users in your organization may need to access sensitive data for one reason or another. There are safe ways to do this and unsafe ways as well. For example, you could prevent or flag actions like copying and pasting, printing, faxing, or screen capturing of sensitive data.
Another general point about data loss prevention is identifying the data that must be protected. Not all of your data is created equal, and some information is undoubtedly more sensitive than others. So you’ll want to start by determining what data poses the biggest risk in the event of leakage.
Finally, detecting leaks is the last big-picture initiative of DLP. You must have rules in place to identify anomalies or suspicious behavior related to sensitive files.
Step 2: Segment Users Based on Access Needs
As a G Suite admin, you need to recognize how different user accounts are structured in your organization. Who needs access to what data?
The last thing you want to do is to “over privilege” different user accounts. This means you’re granting users access to data that they would never need to perform their jobs. Ultimately, this increases your risk, exposure, and the chances of a leak occurring.
For example, not every person in a school office needs access to files containing the social security numbers of students and parents. However, some roles might require the SSNs of school faculty for payroll processing.
So rather than making blanket rules relating to social security numbers, you can grant custom access to different files and data based on needs.
If you’re unsure and just getting started, it’s better to err on the side of caution. Start with strict permissions, and then open up the settings as needed. It can be a bit of a pain at first, as users will need to request access to files to do their jobs. But in the long run, it could save you from a major data leak or compliance breach.
Step 3: Set Sharing Permissions and Access Settings
Let’s look at some of the most basic ways that users can share files and folders in Google Drive:
- Public — Anyone can publicly search for your file. In theory, this means the file can be found in public search engine results.
- Anyone with the link — Any individual with the link can access the file or folder in question. Logging into a Google account is not required here, which means the document could be shared outside of an organization, group, or designated OUs.
- Within your organization — This is pretty self-explanatory and can be done in the entire drive or directly in an individual file. You can also share a link that’s accessible by anyone in the organization.
- Within groups or OUs — Only people in a specific group or organizational unit (OU) defined by the G Suite administrator can access folders, files, or links.
- Restricted — Only users with access to a file or folder have permission to edit, comment, or view.
If your company will never need a particular type of sharing, it’s in your best interest to turn those options off altogether. For example, most organizations don’t have a use for public files. So turning that off can prevent an internal user from making a file public by mistake.
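The sharing levels above can be checked from file metadata rather than by clicking through every file. The example below is added for this guide and is not Google's code: it takes file records in the shape the Drive API v3 `files.list` call returns when you request the `permissions` field (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`), maps each permission to one of the article's levels, and reports files that exceed what your policy allows. The organization domain, the sample files, and the extra "external" level (an individual or group outside the domain) are constructed assumptions for the example.

```python
from __future__ import annotations

ORG_DOMAIN = "district.example"   # constructed organization domain

# Sharing levels, most exposed first. "external" is added here for sharing with
# a specific user, group or domain outside the organization.
LEVELS = ["public", "anyone_with_link", "external", "organization", "group", "restricted"]


def _in_org(address: str | None, org_domain: str) -> bool:
    return bool(address) and address.lower().endswith("@" + org_domain)


def classify_permission(perm: dict, org_domain: str) -> str:
    """Map one Drive API v3 permission object to a sharing level."""
    kind = perm.get("type")
    if kind == "anyone":
        # allowFileDiscovery=True is the searchable "public" setting; False is link-only.
        return "public" if perm.get("allowFileDiscovery") else "anyone_with_link"
    if kind == "domain":
        return "organization" if perm.get("domain", "").lower() == org_domain else "external"
    if kind == "group":
        return "group" if _in_org(perm.get("emailAddress"), org_domain) else "external"
    if kind == "user":
        return "restricted" if _in_org(perm.get("emailAddress"), org_domain) else "external"
    return "restricted"   # unknown permission types: treat as restricted and review by hand


def sharing_level(file: dict, org_domain: str = ORG_DOMAIN) -> str:
    """The most permissive level among a file's permissions decides its exposure."""
    levels = [classify_permission(p, org_domain) for p in file.get("permissions", [])]
    return min(levels, key=LEVELS.index) if levels else "restricted"


def audit_sharing(files: list[dict], org_domain: str = ORG_DOMAIN,
                  forbidden: tuple[str, ...] = ("public", "anyone_with_link", "external")) -> list[dict]:
    """Return the files whose sharing level is one the policy does not allow."""
    findings = []
    for f in files:
        level = sharing_level(f, org_domain)
        if level in forbidden:
            findings.append({"file": f["name"], "level": level})
    return findings


# Constructed sample records, shaped like Drive API v3 files.list output with
# fields=files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery)).
_OWNER = {"type": "user", "role": "owner", "emailAddress": "alice@district.example"}
FILES = [
    {"id": "f1", "name": "student-roster.gsheet",
     "permissions": [_OWNER, {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "f2", "name": "field-trip-form.gdoc",
     "permissions": [_OWNER, {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "payroll.gsheet",
     "permissions": [_OWNER, {"type": "user", "role": "reader", "emailAddress": "bob@district.example"},
                     {"type": "group", "role": "reader", "emailAddress": "payroll@district.example"}]},
    {"id": "f4", "name": "vendor-contract.gdoc",
     "permissions": [_OWNER, {"type": "user", "role": "writer", "emailAddress": "sam@vendor.example"}]},
    {"id": "f5", "name": "staff-handbook.gdoc",
     "permissions": [_OWNER, {"type": "domain", "role": "reader", "domain": "district.example",
                              "allowFileDiscovery": True}]},
]

if __name__ == "__main__":
    for finding in audit_sharing(FILES):
        print(finding)
```

Pass a different `forbidden` tuple to match the sharing options you have turned off in the admin console; with the default, the publicly discoverable roster, the link-only form, and the file shared with an outside vendor are reported, while the group-shared payroll sheet and the domain-wide handbook are not.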
Step 4: Define G Suite DLP Rules and Actions
There are lots of predefined rules built into G Suite.
Examples include credit card numbers, bank account numbers, social security numbers, names, birthdays, phone numbers, and more. These are good places to start, but you can always create your own rules using keywords based on your specific use case.
After you define the rule, set an action that will trigger if there’s a violation. Examples include sending an alert to the admin, warning the user, or blocking the link.
Step 5: Review Your Security Dashboard and Audit Logs
Even if you’re not getting frequent alerts, it’s still in your best interest to analyze the audit logs.
The dashboard makes it easier to identify trends. This helps you verify whether your rules are working or whether adjustments need to be made.
You can also download rule audit logs directly from the G Suite admin console. The logs give you information like which events triggered a rule violation and which user caused it. In most cases, an entry appears in the log within an hour of the trigger.
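Spotting trends in a downloaded rule audit log is a short script once the export is parsed. The example below is added here and is not Google's tooling: the CSV column names (`timestamp`, `rule`, `actor`, `resource`, `action`) and the rows are constructed for the example, so map them to the column headings of your own export. It groups violations per rule per ISO week, flags rules whose count rose in the most recent week, and lists users who trip rules repeatedly, which are the usual prompts to tighten a rule or talk to a user.

```python
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export; the column names are this example's, not Google's.
SAMPLE_LOG = """\
timestamp,rule,actor,resource,action
2021-03-01T09:12:00Z,Cardholder data,alice@district.example,q3-forecast.gdoc,block
2021-03-02T14:05:00Z,Cardholder data,bob@district.example,orders.gsheet,alert
2021-03-08T10:30:00Z,Cardholder data,bob@district.example,orders-v2.gsheet,alert
2021-03-09T11:45:00Z,Student SSN,carol@district.example,roster.gsheet,warn
2021-03-10T16:20:00Z,Cardholder data,bob@district.example,orders-v3.gsheet,alert
2021-03-11T08:00:00Z,Cardholder data,dave@district.example,invoice.gdoc,block
2021-03-15T09:00:00Z,Student SSN,carol@district.example,roster-copy.gsheet,warn
"""


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export and attach a datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def _iso_week(ts: datetime) -> str:
    year, week, _ = ts.isocalendar()      # keyed on ISO year so December/January weeks don't collide
    return f"{year}-W{week:02d}"


def weekly_counts(rows: list[dict]) -> dict[str, list[tuple[str, int]]]:
    """Per rule, an ordered list of (iso_week, violation_count)."""
    counts = Counter((r["rule"], _iso_week(r["ts"])) for r in rows)
    per_rule: dict[str, list[tuple[str, int]]] = defaultdict(list)
    for (rule, week), n in sorted(counts.items()):
        per_rule[rule].append((week, n))
    return dict(per_rule)


def rising_rules(rows: list[dict]) -> list[str]:
    """Rules whose most recent week has more violations than the week before it."""
    return sorted(rule for rule, series in weekly_counts(rows).items()
                  if len(series) >= 2 and series[-1][1] > series[-2][1])


def repeat_offenders(rows: list[dict], min_count: int = 3) -> list[str]:
    """Actors who triggered at least min_count violations in the export."""
    counts = Counter(r["actor"] for r in rows)
    return sorted(actor for actor, n in counts.items() if n >= min_count)


def summary(text: str) -> dict:
    rows = parse_log(text)
    return {
        "weekly": weekly_counts(rows),
        "rising": rising_rules(rows),
        "repeat_offenders": repeat_offenders(rows),
        "actions": dict(Counter(r["action"] for r in rows)),
    }


if __name__ == "__main__":
    for key, value in summary(SAMPLE_LOG).items():
        print(key, value)
```

A rule that rises week over week while most of its hits are on the same user often means the rule is firing on legitimate work (a false positive worth tuning or a scope to narrow), whereas the same rise spread across many users points at a process problem; the script only surfaces the numbers, the judgement stays with the admin.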
While Google has plenty of built-in tools for DLP, you can always work with a third-party partner for advanced DLP policies.