If your organization uses Google Workspace, odds are you have sensitive information stored in your users’ individual or shared Google Drives. Sensitive information comes in all different shapes and sizes, including personal identifiable information (PII), financial data and access credentials. All these types of sensitive data have one thing in common: you don’t want anyone unauthorized interacting with them.
How do you protect your Google Workspace data from unauthorized access and interaction? That’s where Data Loss Prevention (DLP) comes into the picture.
What is Data Loss Prevention (DLP) in Google Workspace?
Data loss prevention is a set of strategies, tools and processes designed to mitigate the risk of data breaches by proactively identifying sensitive information and then preventing its unauthorized use, sharing or access.
Data Loss Prevention in Google Workspace is a built-in Google security tool intended to protect the sensitive data stored in your corporate Google Drive assets.
How Does Google Workspace DLP Work?
The ability to activate Google Drive DLP is relegated to your Google Workspace admin. The admin defines rules for sensitive information based on Google’s predefined detectors (e.g. a detector for Social Security Numbers), regular expressions or word lists. Based on these definitions, Google scans your Drive files for sensitive information.
What happens when Google Workspace DLP finds sensitive information according to these rules? This also depends on admin definitions. Potential instructions can include:
- Sending the admin an alert
- Taking specific Remediation Actions (e.g. blocking shares; disabling print, download or copy functions) for the files that include this information
The Role of AI in Google Workspace DLP
In April 2024, Google integrated an AI-based component into its Google Workspace DLP. Much of the power of Google DLP’s Remediation Actions is based on DLP labels. If a file is labeled as “Confidential” or “Intellectual Property” or “PII”, you can then use that as the basis to trigger a Remediation Action. But labeling ALL your past Google Drive assets takes a very long time, and making sure new assets are properly labeled requires constant vigilance on the part of your information security team. In short, labeling often doesn’t happen, thereby limiting the positive impact of Google Workspace DLP.
Into this vacuum came the idea of AI-based classification and labeling. If your Workspace admin enables Google Workspace AI Labels (it’s not enabled by default), Google will use AI to automatically generate labels for your Drive assets. Then, specific users designated by your admin review and respond to those labels. This trains the model and improves its accuracy for your data. Once the model is sufficiently trained, your admin can turn AI classification to automatic.
Like any AI-based assessment, Google’s AI classification labels aren’t 100% accurate, but it’s certainly better than not having it at all. The labels can also be used by more advanced tools, like DoControl’s platform, to trigger specific, granular actions.
Benefits of Implementing DLP in Google Workspace
Implementing Google Workspace DLP better safeguards your organization’s data from loss and exposure. The benefits of this are:
Financial
Ousting intruders from your SaaS systems and restoring lost data can cost millions of dollars. Repairing the consequences of data exposure can also require significant financial investment on the part of a company. If, for example, customers’ personal data is exposed, the standard practice is to offer anyone affected free credit monitoring for a year or so. Depending on the number of customers affected, that could entail a substantial outlay.
By implementing Google Workspace DLP, you are protecting your company from unnecessary financial expense.
Legal
Data protection regulations exist in almost every industry (e.g. HIPAA, GLBA) and geographic jurisdiction (e.g. GDPR, CCPA). Failure to comply with these regulations brings in its wake legal suits, penalties and other consequences.
By implementing Google Workspace DLP, you protect your organization from suffering the ramifications of legal non-compliance.
Reputational
If your organization has experienced a data breach, potential clients and partners are going to think twice about entrusting their data to you. After Microsoft suffered major breaches from two different hacker groups in the space of a year, organizations started to express concern about using Microsoft to handle their data. The UK Cabinet office, for example, took a step back from their planned migration to Microsoft. While they may still plan to migrate to Microsoft’s systems, they no longer want Microsoft itself as their migration partner.
By implementing Google Workspace DLP, you add a layer of insurance to your organization’s good name.
Strategic
Sometimes sensitive data is not that of customers or other parties that work with your organization, but rather the data of your organization itself. This is data like go-to-market plans, projected budgets, competitive analysis, and other for-our-organization’s-eyes-only information. If that information gets leaked, your company may lose strategic advantage, market share and potential revenue.
By implementing Google Workspace DLP, you protect your strategic business data from falling into the wrong hands.
Limitations of Google Workspace DLP
Google Workspace DLP isn’t perfect. Limitations include:
The size and type of file content that can be scanned by Google
Google Drive DLP can scan files in Docs, Sheets and Slides, and also files uploaded as Forms responses. They will not, however, check comments in the above kinds of files. They also do not scan audio or video files.
When it comes to file size, only the first 1 MB of each file is scanned, and the classification is made on that content. If sensitive information only appears after the first 1 MB of the content, the file will not be classified as sensitive. Files larger than 50 MB (and sometimes even larger than 10 MB) are not converted for scanning at all, so Google DLP cannot work with those files.
How long it takes to scan
New content in Google Drive is scanned almost immediately to check if it matches any of your rules for content you want to protect. Every time you add or change a rule, however, Google Drive DLP will need to scan all the files in your Drive to see if any contain content that matches the new rule. This can take hours, a day or even longer. And until a file is scanned and reclassified, the new rule will not be helpful in protecting that file.
An additional problem when it comes to the effectiveness of new or modified rules on data that already exists in Drive is that DLP will only scan the latest revision of existing files. So if you have sensitive data hidden in an earlier version, DLP will not classify it as sensitive, even though the data would be viewable by anyone the file is shared with.
How accurate (or not) its identifications are
DLP tools that use regular expressions to detect sensitive information, as Google Drive DLP does, tend to have a relatively high error rate. Regular expression matching often results in a high percentage of false positives, as well as a statistically significant percentage of false negatives.
Exact word match, also used by Google Drive DLP, has a tendency to produce false negatives, due to its very rigid, limited definitions.
What actions it can take based on the DLP labels
Google Workspace’s remediation actions are broad and general (e.g. “block all sharing”). They do not and cannot take into account additional business or HR context that might change the picture and the resulting appropriate course of action.
Intellectual property, for example, will usually be restricted to a small subset of internal users. But what if you have hired an external consultant to advise on a patent process? In that case, you would want to be able to share your “intellectual property”-labeled files with that external, third-party user without the friction of DLP rules trying to block the shares.
Or what if one of the internal users - who usually would have access to these intellectual property files - has given in their notice and is leaving for another company in the next month? If this user would suddenly start downloading these files or sharing them with their personal Gmail account, you would want action to be taken immediately to stop this potential IP leak.
Google DLP, however, does not have the capacity to be that discerning in its actions.
How to Circumvent Google Workspace DLP Limitations
Full protection of your Google Workspace data assets requires more than Google Workspace DLP. The following are potential courses of action you can take to enhance your Google DLP:
Add additional means of data classification
Regular expressions and exact match word lists are not the only means of sensitive data discovery and classification.
Natural Language Processing (NLP)-based methods, for example, can identify entities and extract other features from unstructured text. They can also understand context and sentiment, even if it doesn’t fit a pre-defined pattern, making them very useful for sensitive data detection.
Adding an NLP-based data classification tool to your Data Loss Prevention toolset can significantly improve its accuracy.
Use other information to enhance risk analysis
The ability to integrate more factors into the analysis process can be invaluable when it comes to identifying actual risk - in a timely fashion. Timely, when it comes to SaaS, is measured in minutes, if not seconds. SaaS environments move fast, and Google Workspace is not exception. An asset can be shared, downloaded and lost to your control within minutes. On the flip side of the coin, the legitimate parties with whom you share Workspace assets expect those assets to be available almost immediately. Lengthy risk analysis processes before granting access can lose you clients, partners and other potential work relationships.
Asset metadata is one type of information that can enhance accurate and speedy risk analysis. File names and “last date modified” stamps can give a quick idea of whether this document should be treated with care. And scanning an asset’s metadata takes milliseconds, so good first decisions can be made quickly - and then followed up with a lengthier decision process afterwards.
HR and business context is another type of information. Is the sharing user an employee in good standing vs. an employee who was given a bad performance report and let go? Is the user being shared with part of the company considering an acquisition of yours - or part of a direct competitor? That information can direct smart, accurate judgments of risk.
FAQs:
Can DLP in Google Workspace prevent data leaks via Google Drive?
Yes, Google Workspace's Data Loss Prevention (DLP) can help prevent data leaks through Google Drive by setting policies that identify and block sensitive information (e.g., credit card numbers, SSNs) from being shared externally or with unauthorized users, ensuring secure file sharing and compliance with company regulations.
How does Google Workspace DLP handle external collaborators?
Google Workspace DLP can restrict external collaborators by enforcing policies that block or warn users before sharing sensitive information outside the organization. It scans shared files in Google Drive for predefined sensitive data patterns and ensures external collaborators only receive approved content, enhancing security and compliance.
What types of alerts can I receive from Google Workspace DLP?
Google Workspace DLP provides alerts for policy violations, including notifications when sensitive data is shared externally or internally against set rules. Alerts can be sent via email or appear in the Admin Console, detailing the nature of the violation and enabling prompt corrective actions.
Does Google Workspace DLP protect data shared via third-party apps?
No, Google Workspace DLP does not directly protect data shared via third-party apps. It focuses on securing data within Google Workspace apps like Gmail, Drive, and Docs. For third-party app protection, organizations need additional security solutions or API-based integrations with those services.
SaaS Data Protection for Google Workplace
DoControl was designed expressly for the multiple layers and attack surfaces of Google Workspace: data, identities, configurations and connected apps.
DoControl’s Data Access Governance and Data Loss Prevention secure your data all across your Google Workspace ecosystem. Advanced data classification methods mean that no sensitive data goes undiscovered, and granular automated workflows mean that any detected threat can be mitigated in near real-time.
DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your Google Workspace user identities, protecting you from external threat actors or insider threats. Data from multiple business-critical SaaS applications and behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems enable smart differentiation between normal business activity and suspicious actions.
DoControl’s Shadow App Discovery & Remediation secure your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.
DoControl’s SaaS Misconfiguration Management secures your Google Workspace admin configurations, checking them against industry standards like CIS and offering remediation guidance.
Don’t Lose Your Data
Preventing data loss is key in any data security initiative. Google Workspace’s built-in Data Loss Prevention is a helpful tool in that effort, but it needs to be supplemented with other data loss prevention and data security tools in order to truly protect your Google Workspace sensitive data.