As companies increasingly rely on cloud collaboration, protecting sensitive information has become more critical than ever.
Google Workspace addresses this challenge for Google Drive documents by enabling users to label files, offering greater insight into data access.
The original concept behind Google Drive labels was to assist users in managing and optimizing their workflows. However, that role has since expanded to include cybersecurity measures, particularly when it comes to data loss prevention (DLP).
As a result, the labels feature now serves a dual purpose of enhancing productivity while also ensuring data protection.
Administrators have several available actions that they should be aware of when it comes to DLP and labels in Google Workspace.
First, when they configure a DLP rule, they can allow or prevent their end users from changing labels. They should also know that any labels that are related to DLP rules are instantly locked in their label manager and cannot be disabled or deleted. And lastly, if they accidentally apply a label to a broad range of files through a DLP rule, they can also use a DLP rule to clean up the issue.
We’ll go over each of these cases below. For more information, you can access our full Google Labels Guide.
How to allow or prevent users from modifying labels
When you configure a DLP rule, you can decide if you want to allow end users to be able to change labels and field values that are applied to their files. You’ll simply choose the “Select whether users are allowed to change label and field values applied to their files” option and click “Allow.” When this option is selected, the system won’t modify labels and field values that have been set by end users. Users are also able to change values after the DLP rule runs.
Here’s how to do it:
- In the Admin console, go to “Menu” > “Security” > “Access and data control” > “Data protection.”
- Click “Manage Rules.” Then click “Add rule” > “New rule.”
- Under the “Actions” section, select “Apply Drive labels.”
Under “User changes,” you can then select whether your users are allowed to change labels and field values that are applied to their files.
It’s important to note that an end user must have “applier” access to a label if they want to apply a label or set of field values to their files.
If you don’t want users to be able to remove labels or change field values applied by DLP, you should select “Don’t allow. Reapply rule labels and field values if users change them.”
In this case, if an end user tries to remove labels or make changes, the changes will trigger DLP rules to instantly run again and revert the removed label and changed field value to those originally applied.
Administrators should be aware of label locking. Any labels, fields, and field options that are associated with DLP rules are immediately locked in the label manager. According to Google, this is to prevent any edits that might disrupt business policies. You are only able to unlock labels, fields, and field options by removing them from all DLP rules.
In the label manager, you are able to make certain edits like renaming or adding new fields or field options. However, you are not allowed to disable or delete labels, fields, or field options that are used in DLP rules. You also cannot create DLP rules with disabled labels, fields, or field options, even in drafts of published labels.
Undoing a global change to Drive labels
What do you do if you accidentally apply a label to a broad range of files through a DLP rule? The good news is you can also use DLP to clean up those changes. For example, you can disable the DLP rule that made the change. You also have the option of editing the DLP rule to remove the “Apply label” action. Applying this change could take anywhere from a few minutes to multiple hours—it depends on the number of documents that need to be updated.
Google Drive labels are a solid way for administrators to classify content, apply certain policies, and help their employees better find and organize documents. Using labels can also improve information security by enabling admins to easily identify sensitive or confidential documents to better protect them.
With automated classification and DLP rules, labels have become even more vital to data security and classification. As the use of Google labels evolves, there is still much to learn about how to best manage them, particularly when it comes to data loss prevention and governance.
Management of Google labels requires a deep understanding of the company’s data security, data loss prevention, and data classification policies. Administrators must establish guidelines for creating and applying labels to ensure consistent practices across organizational units, groups, and the organization at large. Continuous monitoring and regular auditing will help labels remain accurate and effective in safeguarding sensitive data.
For more information, check out our full guide: Maximizing Data Security with Google Labels.