The Role of Drive Labels in Data Loss Prevention

Google Drive offers administrators and users the ability to add labels to their files, providing more insight into who has access to what information. Google labels were initially created to allow users to organize and streamline their work. Now, uses for labels have expanded to embrace cybersecurity methods through data loss prevention (DLP).

Admins are able to apply labels to Drive files to support company data security policies using automated classification. In the case of DLP rules, this refers to applying classification labels to Drive files based on the detection of sensitive content.

According to Google, this method can be scoped based on a user’s membership in an organizational unit or group. Organizational units and groups are often created so that admins can apply settings to a specific set of users. For example, you can have a group called Marketing that comprises members of the Marketing team. In this case, admins will set up classification labels based on these units or groups.

In this post, we’ll go over automated classification, how it relates to Drive ownership, and the difference between DLP rules and data classification settings. For further information, check out our full guide.

What is automated classification and how does it relate to Drive ownership? 

Automated classification refers to categorizing and organizing files based on the ownership of the files within an organizational unit or group and the detection of sensitive content. A file can be owned either by an individual (within their My Drive) or by a shared drive. You can use automated classification as a way to apply labels to files created by a segment of users, for example, the Sales organizational unit.

It’s important to note that when a file’s ownership changes—for example, a file is moved from an individual’s My Drive to a team’s shared drive—the automatic classification settings are applied to the new owner. In this case, the shared drive’s labels would be applied. On the other hand, if the file is removed from the team’s shared drive, the user’s labels would now be applied. 

DLP rules versus data classification settings

Admins should understand the difference between DLP rules and data classification settings when applying labels in Google Drive. The two complement each other, but they are not interchangeable.

It may help to think of automated data classification settings as “default labels.” These labels provide complete coverage for all files created by a certain segment of users, for example, the Legal team. Although automated classification can protect an entire team comprehensively and consistently, it does not have as much precision as DLP rules.  

Meanwhile, it could help to think of DLP rules as a more “targeted method” to add labels and field values. DLP rules automatically apply labels when you need to use “specific conditions or actions for applying labels.” DLP rules are recommended when you need to protect sensitive data such as a passport number or social security information.

However, according to Google, because this method is more sensitive, it can result in false positives. For example, a false positive could happen when a document has a series of numbers that are mistaken for sensitive information like a credit card number. The number might be flagged as confidential based on DLP rules, even though the number was innocuous and not sensitive data that needs to be protected.  
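
The false-positive problem described above, as an added example (not from the original post, and not Google's detection logic): a digits-only pattern flags any 13 to 19 digit run, while a Luhn checksum plus nearby context words separates order IDs from likely card numbers. The context word list, function names, and sample lines are constructed for illustration.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Context words that make a card number more plausible (assumed list).
CONTEXT = re.compile(r"\b(card|visa|mastercard|amex|cvv|expir\w*)\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str, window: int = 40) -> list[tuple[str, str]]:
    """Return (match, verdict) pairs for every candidate number in text."""
    results = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            # A pattern-only rule would flag this; the checksum rejects it.
            verdict = "pattern-only"
        else:
            nearby = text[max(0, m.start() - window): m.end() + window]
            verdict = "likely-card" if CONTEXT.search(nearby) else "checksum-only"
        results.append((m.group(), verdict))
    return results

# Constructed sample lines; 4111 1111 1111 1111 is a widely used test number.
SAMPLES = [
    "Please charge Visa card 4111 1111 1111 1111, expiry 09/27.",
    "Shipment tracking ID 1234567890123456 left the warehouse.",
    "Inventory batch 1234567890123452 moved to aisle 7.",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

One in ten arbitrary digit strings passes Luhn, so the checksum narrows false positives without eliminating them; the "checksum-only" verdict marks the cases that still need context or human review before a label is applied.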

Note: you can learn more about creating DLP for Drive rules in the Google Workspace Admin Help Center.

A quick review

When to use DLP rules 

  • Use DLP rules to automatically apply labels if you need to use specific conditions or actions for applying labels. 
  • Use DLP rules when you want to protect specific sensitive content such as a passport number, but be aware of false positives.  

When to use data classification settings 

  • Use data classification when you want to apply labels to new files only when they are owned by specific users or shared drives. 
  • Use data classification when you need blanket coverage for a certain segment of users (e.g., Sales or Legal).

Google Drive labels provide administrators with a robust method to classify content, enforce policies, and assist employees in locating and organizing documents. Labels can also boost information security by enabling administrators to identify sensitive or confidential documents quickly and enhance their protection.

Efficient management of Google labels requires a comprehensive understanding of the company’s data security, data loss prevention, and data classification policies. 

Administrators must establish guidelines for creating and applying labels to ensure uniformity across organizational units, groups, and the organization as a whole. Regular auditing and continuous monitoring will ensure that labels remain effective in safeguarding sensitive data.

Want to learn more about Google Drive labels, especially as they relate to data protection?

Download the full guide here: Maximizing Data Security with Google Labels.
