
Data Loss Prevention

Detailed Guide for Data Loss Prevention (DLP)



Business Challenge
All organizations have a need for protecting sensitive data from leaving their organization.

The security of sensitive business data is becoming increasingly difficult for organizations to protect at
scale. 94% [1] of malware was installed via malicious emails and attachments, and 80% [2] of hacking
breaches involve brute force or the use of lost or stolen credentials. The lack of admin controls makes
remediation after these breaches occur difficult and time consuming. The accidental sharing of private
data may cause organizations to face serious privacy implications and incur substantial costs to correct
the leak. The protection of confidential information, like personally identifiable information (PII), is
critical to your business.

Solution

Data Loss Prevention actions within Gmail and Drive.

Help protect your organization’s email and file data all in one platform. Create rules surrounding your
organization’s most sensitive content to make sure it can only be shared with the correct people,
groups, or organizations. Data Loss Prevention (DLP) works to stop data exfiltration in your company,
and rules can be applied to selected

Watch: How to stop data exfiltration with DLP (prevents data leakage in Gmail and Drive)

Benefits

Native
Google-provided templates are included to create rules for identifying sensitive information in Gmail
and Drive. DLP creates a familiar experience for customers to enable data protection across content in
Google Workspace. Our user flows are embedded with the apps, providing a seamless end user experience.

Automation
DLP stops users from sharing certain types of data automatically after an admin sets the rule, thus
preventing data sharing before it happens. It comes with the ability to assign rules to specific users or
organizational units, limiting the need to continuously alter, delete, or apply the rule and saving the
admin time.

Visibility
Audit logs exist in the Admin Console to track rule activity. Admins are able to see exactly when the
rules are triggered and what data is prevented from being shared through the Security Center and
Investigation tool. This provides detailed insight into interactions with your organization’s most
sensitive content.

Learn More
01 What is DLP?
02 Facts and Set up
03 Incident Management
04 Audit Log & Use Cases
05 Resources

For more information visit workspace.google.com


What is DLP?

Cloud service designed to help you discover, classify, and protect your most sensitive data

With Data Loss Prevention, admins are able to set policies to detect sensitive information in Gmail and
Drive files. These policies prevent users from sharing data when sensitive content is detected and
generate alerts for DLP rule violations. DLP offers the ability to gain visibility into the data you store and
process within your organization and to reduce the risk of data sharing for your business. Admins can
configure data inspection and monitoring for native Google documents and other popular file formats,
including pdf and Office files.

Gmail
DLP for Gmail includes the ability to set predefined content detectors for scanning inbound and
outbound email, which then trigger an automatic response—quarantining, rejecting, or
modifying a message. It also includes the ability to detect sensitive data within streams of
data, structured text, files, and images that are contained within the email body or
attachments.

Gmail confidential mode can be combined with Gmail DLP to offer advanced and specialized
email security for sensitive data. It allows users to send sensitive information via an email
message only if confidential mode has been activated, instead of being uniformly blocked from
sending the message at all. This allows users to continue their workflow and send permitted
sensitive information in a secure way. The requirement to turn on confidential mode for sensitive
data is enforced by leveraging the Gmail DLP rule to block sensitive email communication unless
confidential mode has been activated first.

Drive
DLP for Drive includes protection of both My Drive and Shared Drives. It can be configured to
alert and/or block the end user when sharing sensitive data by providing icons and warnings
about the presence of sensitive content. If a user attempts to share a resource with sensitive
information, the action can be blocked and the admin can be alerted of this activity. This
prevents unintended exposure and downloading of sensitive information for the organization,
helping to ensure that its most sensitive Drive data is available only to authorized users.



What does it look like for your organization?

● While configuring your DLP rules, you have the ability to scope them to include or exclude specific
groups and organizational units, allowing admins the flexibility of applying the right rules to the right
users.
● With DLP for Drive, we provide you with proactive insights on your data shared externally. Coupled
with recommendations, you are able to block or warn users on external access. This ensures that
files with sensitive content detected are blocked from anyone outside of your organization, even if
they are added to a Shared Drive.
● DLP templates utilize predefined content detectors, which can then be fine-tuned with appropriate
threshold levels suitable for your environment. You can also create custom content detectors with
specific keywords or regular expressions.
● DLP rules can be configured to notify admins and others automatically whenever a user creates,
edits, or uploads a file with sensitive content, thus keeping your organization informed on your
users’ activity.
● DLP performs Optical Character Recognition (OCR) on images to help protect sensitive Gmail image
attachments and Drive images (driver’s license, insurance card, credit card, and more) from data
loss.
● Admins can define complex DLP rules leveraging a wide variety of conditions such as AND, OR, and
NOT nesting.
● Google Workspace offers roles-based access for administrators with the ability to assign delegated
admins for DLP functions in the Admin Console.

Set up DLP Rules

DLP Rule: An admin-managed configuration that specifies whose data to protect, when, and where to
protect it, what types of data to protect, and how to do it. Admins create DLP rules to automate and
enforce their organization’s data protection policies throughout Google Workspace applications.



Set the scope
● Whose data should be protected by the rule
● Apply based on domain, organizational unit, or group

Specify conditions to check for
● Predefined content detectors
● Custom content detectors
● Detection thresholds

Specify the appropriate action
● Gmail—Reject emails, quarantine emails, modify message
● Drive—Block external sharing, warn user, send notification to admins, audit sensitive files
● Configure Alerts—notify the admin and others when the rule is triggered
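The three steps above (scope, conditions, action), together with the earlier points about custom keyword or regular-expression detectors, thresholds, and AND/OR/NOT nesting, can be modelled as a small rule engine. The following is an added illustration, not Google's implementation or any Workspace API: the detector patterns are simplified approximations of the predefined types, the rule names, organizational units, "Project Falcon" codename and "TEST DATA ONLY" marker are invented, and the most severe action among triggered rules is assumed to win.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed model of DLP rule evaluation (scope -> conditions -> action).
# Hypothetical names and simplified detectors; not Google's implementation or API.

SEVERITY = {"block": 3, "warn": 2, "audit": 1}   # most severe triggered action wins


def luhn_valid(digits: str) -> bool:
    """Card-number checksum; rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(s: str) -> bool:
    """Reject SSN-shaped strings that cannot be issued (e.g. 000, 666 or 9xx area)."""
    area, group, serial = s.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


@dataclass(frozen=True)
class Detector:
    name: str
    pattern: re.Pattern
    validate: Callable[[str], bool] = lambda _: True

    def matches(self, text: str) -> int:
        """Number of pattern hits that also pass the validator (false positives drop out)."""
        return sum(1 for m in self.pattern.finditer(text) if self.validate(m.group(0)))


# Approximations of predefined detectors (constructed; the real detectors are richer)
CREDIT_CARD = Detector("Credit Card Number", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
                       lambda s: luhn_valid(re.sub(r"[ -]", "", s)))
SSN = Detector("Social Security Number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_plausible)
# Custom detectors: a hypothetical internal codename, and a marker that exempts synthetic test data
CODENAME = Detector("Project Falcon (custom keyword)", re.compile(r"\bproject\s+falcon\b", re.I))
TEST_MARKER = Detector("Test data marker (custom)", re.compile(r"\bTEST DATA ONLY\b"))

Condition = Callable[[str], bool]


def detect(d: Detector, threshold: int = 1) -> Condition:
    """Condition met when the detector finds at least `threshold` validated matches."""
    return lambda text: d.matches(text) >= threshold


def all_of(*conds: Condition) -> Condition:   # AND
    return lambda text: all(c(text) for c in conds)


def any_of(*conds: Condition) -> Condition:   # OR
    return lambda text: any(c(text) for c in conds)


def not_(cond: Condition) -> Condition:       # NOT
    return lambda text: not cond(text)


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Condition
    action: str                          # "block", "warn" or "audit"
    org_units: frozenset = frozenset()   # scope; empty means the whole domain
    external_only: bool = False          # e.g. "block external sharing" in Drive


@dataclass(frozen=True)
class ShareEvent:
    user: str
    org_unit: str
    resource: str
    content: str
    external: bool                       # is a recipient outside the organization?


RULES = [
    Rule("Block external card sharing",
         all_of(detect(CREDIT_CARD), not_(detect(TEST_MARKER))),
         "block", frozenset({"sales", "finance"}), external_only=True),
    Rule("Warn on SSN or codename", any_of(detect(SSN), detect(CODENAME)), "warn"),
    Rule("Audit bulk card data", detect(CREDIT_CARD, threshold=3), "audit"),
]


def evaluate(rules: Iterable[Rule], event: ShareEvent):
    """Return (decision, audit entries) for one share attempt."""
    triggered = [r for r in rules
                 if (not r.org_units or event.org_unit in r.org_units)
                 and (event.external or not r.external_only)
                 and r.condition(event.content)]
    decision = max((r.action for r in triggered), key=SEVERITY.get, default="allow")
    audit = [{"rule": r.name, "user": event.user, "resource": event.resource,
              "action": r.action} for r in triggered]
    return decision, audit


if __name__ == "__main__":
    ev = ShareEvent("alice@example.com", "sales", "Q1 invoices.xlsx",
                    "Card 4111 1111 1111 1111 for the invoice", external=True)
    print(evaluate(RULES, ev))
```

The validator on each detector is what a threshold and a tuned detector buy you in practice: a Luhn check or an issuance check on an SSN removes most digit runs that merely look sensitive, and a NOT condition on a custom marker keeps synthetic fixtures from tripping a blocking rule.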

Incident Management
● “Dry Run” for your data protection rules—generate reports without having the rule active so you
can start monitoring your environment without enforcing blocking actions and impacting employee
workflow
● New alert delivery options—choose who receives alerts for specific rules, including additional
members of the organization outside the super admin groups.
● Detailed incident reports—See more detailed reports for all the DLP actions (block, warn, audit).
● Integration with Security investigation tool—Help DLP response teams dig deeper into violations
when needed for a security investigation.



Predefined Data Types (Content detectors)
● Credit Card Number
● Social Security Number
● American Bankers Association Number
● Passport Number
● Driver’s License Number
● FDA Approved Prescription Drugs
● National Provider Identifier
● US State Vehicle Registration Number
● Individual Taxpayer Identification Number
● Toll Free Phone Number
● Drug Enforcement Administration Number
● Or any Custom type (using dictionaries, regular expressions, and contextual elements)

Rules Audit Log


Track attempts to share sensitive data

With DLP audit logs, you are able to review events triggered by DLP rule violations. Entries appear within
an hour of the user action, allowing the admin to quickly investigate a violation and take action. In the
audit log, you are able to see information about why the rule was triggered, including: event description,
user, rule name, resource, resource owner, recipients, and what trigger action was taken. When a DLP for
Drive rule is first created, all existing and future Drive content will be scanned by the rule and matching
content will appear in the audit log. If you want to customize the data in your audit log, you can use the
date range filter to view data from a specific day, week, or month.

The Rules audit log provides a central place for admins to investigate Data Loss Prevention alerts
happening within their organization.
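To show what investigating the Rules audit log looks like in practice, here is an added example (not Google's code or export format) that reads a constructed CSV export whose columns follow the fields named above (event description, user, rule name, resource, resource owner, recipients, trigger action), applies a date-range filter, and answers the questions an admin typically asks: which rules fire most, which resources were shared outside the domain, and which user/rule pairs recur. All timestamps, users, rule names and addresses are invented.

```python
import csv
from collections import Counter
from datetime import datetime, timezone
from io import StringIO

# Constructed sample export. Column names follow the fields the Rules audit log shows;
# the rows are invented for this example, not real log data.
SAMPLE_LOG = """\
timestamp,event_description,user,rule_name,resource,resource_owner,recipients,trigger_action
2024-03-04T09:12:00Z,DLP rule violation in Drive,alice@example.com,Block external card sharing,Q1 invoices.xlsx,alice@example.com,partner@vendor.example,Blocked
2024-03-04T11:40:00Z,DLP rule violation in Gmail,bob@example.com,Warn on SSN,Re: onboarding,bob@example.com,hr@example.com,Warned
2024-03-05T08:05:00Z,DLP rule violation in Drive,carol@example.com,Audit bulk card data,customer export.csv,carol@example.com,,Audited
2024-03-06T16:22:00Z,DLP rule violation in Drive,alice@example.com,Block external card sharing,Q1 invoices.xlsx,alice@example.com,partner@vendor.example;cfo@example.com,Blocked
"""


def parse_log(text: str) -> list:
    """Parse the CSV export: timestamps become aware UTC datetimes, recipients a list."""
    entries = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(
            row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["recipients"] = [r for r in row["recipients"].split(";") if r]
        entries.append(row)
    return entries


def in_range(entries, start_day: str, end_day: str) -> list:
    """Entries with start_day <= timestamp < end_day (ISO dates), like the log's date-range filter."""
    start = datetime.fromisoformat(start_day).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_day).replace(tzinfo=timezone.utc)
    return [e for e in entries if start <= e["timestamp"] < end]


def summarize(entries) -> Counter:
    """How often each rule fired, broken down by the action taken (block, warn, audit)."""
    return Counter((e["rule_name"], e["trigger_action"]) for e in entries)


def external_recipients(entries, org_domain: str) -> dict:
    """Resources that users attempted to share outside the organization, and with whom."""
    out = {}
    for e in entries:
        outside = {r for r in e["recipients"] if not r.lower().endswith("@" + org_domain)}
        if outside:
            out.setdefault(e["resource"], set()).update(outside)
    return out


def repeat_violations(entries, min_count: int = 2) -> dict:
    """(user, rule) pairs that recur: candidates for user education or a tighter rule."""
    counts = Counter((e["user"], e["rule_name"]) for e in entries)
    return {k: n for k, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(summarize(in_range(log, "2024-03-04", "2024-03-07")))
    print(external_recipients(log, "example.com"))
    print(repeat_violations(log))
```

The recipient check is deliberately on the full address rather than a substring, so that a look-alike domain such as vendor.example is reported as external instead of slipping past a loose match.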

Use Cases
● Audit the usage of sensitive content in Drive that your users may have already shared to gather
information on existing sensitive files uploaded and created by users
● Directly warn end users not to share sensitive content outside of the domain over email or files
● Alert administrators or others about policy violations or DLP incidents

Google Workspace SKUs
X Business SKUs
✔ Enterprise Standard (does not include investigation tool and security center charts)
✔ Enterprise Plus



Additional Resources
Scan your email traffic using DLP rules
DLP for Drive
DLP incidents report
Rules audit log
Predefined content detectors
Data retention and lag times

Video Tutorials
How can I stop exfiltration with Data Loss Prevention?
Preventing, detecting, and fixing data exfiltration on Google Workspace
