May 1, 2023

Google Drive DLP (Data Loss Prevention)

Prevent Data Leaks and Ensure your organization complies!

Google Drive has become an essential tool for organizations of all sizes, providing a secure and convenient way to store and collaborate on files in the cloud. However, as the use of Google Drive has become more widespread, so too has the risk of data breaches and security incidents. This is where Data Loss Prevention (DLP) on Google Drive comes into play, offering powerful tools and technologies to help organizations protect their sensitive data and prevent unauthorized access.

What does DLP mean for Google Drive?

Data Loss Prevention (DLP) is part of a company's overall strategy to prevent, protect, and secure against leakage, loss, or misuse of the company’s confidential, sensitive data (API keys, Personally Identifiable Information, credit card numbers, and PHI). DLP controls typically work by identifying, monitoring, and controlling the flow of sensitive data across various channels including emails, file sharing, instant messaging, cloud services, and web browsing. DLP is important to protect data wherever it resides, whether in storage, transit, or use.

In the context of Google Drive, DLP refers to a set of security features that help organizations protect their sensitive data stored on the cloud-based platform. Specifically, DLP on Google Drive can help prevent data breaches by detecting and blocking the unauthorized sharing of sensitive data with people who shouldn't have access to it. DLP gives you control over what users can share and prevents unintended exposure of sensitive data such as credit card numbers or identity numbers. Google Drive DLP scans files for sensitive content and prevents users from sharing such files.

Google Workspace DLP

There are several ways that DLP can be implemented on Google Drive, including:

  • Set DLP Rules: These rules define which contents are sensitive and should be protected.
  • Scanning files and folders for sensitive information: DLP on Google Drive can automatically scan files for content that violates DLP rules, such as credit card numbers, social security numbers, or other personally identifiable information. If sensitive data is detected, the system can alert the user and prevent them from sharing the file with others.
  • Enforce DLP Rules: DLP on Google Drive can be configured to enforce DLP rules by blocking the sharing of specific types of sensitive data, such as credit card numbers or social security numbers, to prevent accidental or intentional exposure.
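
The rule, scan and enforce steps listed above, sketched as an added example (not Google's or any vendor's implementation). The rule names, `INTERNAL_DOMAIN` and the sample text are assumptions constructed for illustration.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Set rules (hypothetical names): pattern plus an optional validator on the digits.
RULES = {
    "CREDIT_CARD": (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), luhn_ok),
    "US_SSN": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None),
}
INTERNAL_DOMAIN = "example.com"      # assumption: the organization's own domain

def scan(text):
    """Scan step: return (rule, start, end) for every match that passes validation."""
    findings = []
    for name, (pattern, validator) in RULES.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if validator is None or validator(digits):
                findings.append((name, m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])

def redact(text, findings):
    """Replace findings right to left so earlier offsets stay valid."""
    for name, start, end in sorted(findings, key=lambda f: f[1], reverse=True):
        text = text[:start] + f"[{name} REDACTED]" + text[end:]
    return text

def share_decision(text, recipient):
    """Enforce step: block sharing of a file with findings to an external address."""
    rules_hit = sorted({name for name, _, _ in scan(text)})
    external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    return ("block" if rules_hit and external else "allow"), rules_hit

# Constructed sample: the order number fails the Luhn check, the card number passes.
SAMPLE = ("Refund for order 1234567890123456 goes to card 4111 1111 1111 1111.\n"
          "Customer SSN on file: 123-45-6789.")

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(redact(SAMPLE, scan(SAMPLE)))
    print(share_decision(SAMPLE, "partner@vendor.test"))
```

The validator is what keeps the 16-digit order number from being flagged; a pattern-only rule would report it as a card number.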

Google Drive DLP Benefits

One of the main benefits of DLP on Google Drive is that it can help organizations maintain compliance with data protection regulations. For example, the General Data Protection Regulation (GDPR) requires organizations to take measures to protect personal data, including implementing appropriate security measures and ensuring that sensitive data is not shared with unauthorized parties. By using DLP on Google Drive, organizations can help ensure that they are meeting these regulatory requirements and avoid expensive data breaches.

Another important benefit of DLP on Google Drive is that it can be customized to meet the specific needs of each organization. For example, an organization may choose to block the sharing of certain types of data, such as credit card numbers or social security numbers, to prevent accidental or intentional exposure.

Additionally, DLP on Google Drive can be configured to provide notifications and alerts to users when they attempt to share sensitive data, helping to educate them about the risks involved and encouraging them to use best practices for protecting their data. DLP on Google Drive can also help organizations protect against internal threats, such as employees' accidental or intentional exposure of sensitive data. By detecting and preventing the unauthorized sharing of sensitive data, DLP can help organizations reduce the risk of data breaches and protect their intellectual property and confidential information.

Data breaches due to lack of Google Drive DLP

Google Drive has had several incidents of data breaches due to the lack of DLP. Here are a few of them:

Does Google Drive have native DLP support?

Google Workspace Business Starter, Business Standard and Business Plus do not have DLP support.

Google Workspace Enterprise has DLP support.

Google Workspace Business Plans do not have native Data Loss Prevention (DLP) - what to do?

Although Google Workspace Business Plans do not have native Data Loss Prevention (DLP) features, there are several steps you can take to protect your account and sensitive information:

  1. Use strong, unique passwords: Ensure all users within your organization use strong, unique passwords and enable two-factor authentication (2FA) to add an extra layer of security.
  2. Limit sharing permissions: Be cautious about sharing sensitive documents and files. Limit sharing to specific individuals or groups, and restrict the ability to download, copy, or print sensitive documents.
  3. Regularly monitor activity: Use Google Workspace's built-in audit and reporting tools to monitor user activity and identify potential data breaches or suspicious behavior.
  4. Train employees: Educate your employees on data security best practices, including identifying phishing emails, avoiding suspicious downloads, and safeguarding sensitive information.
  5. Use third-party DLP solutions: While Google Workspace Business Plus does not have built-in DLP, you can integrate third-party DLP solutions to add an extra layer of protection.
  6. Regularly back up data: Regularly back up your Google Workspace data to protect against data loss due to accidental deletion or ransomware attacks.
  7. Configure security settings: Review and configure security settings within your Google Workspace account to ensure maximum protection, such as enabling security alerts, managing API access, and implementing OAuth app whitelisting.

Downsides of implementing your own version of DLP

The major downsides of implementing the steps in the section above are:

  1. Manual: Regularly monitoring activity requires employees to rely on their own judgment to find patterns of suspicious activity.
  2. Time-Consuming: Training employees and making them aware of what is and is not suspicious requires a huge investment of time and money from organizations.
  3. Error-Prone: Even if employees are trained, actually detecting what is and is not sensitive (at scale) is extremely error-prone. Humans make mistakes, and it is costly to let them go unnoticed.
  4. Non-Comprehensive: New patterns emerge all the time. No one human can be trained to know all attack patterns.

Is Google Workspace Enterprise DLP support enough?

Although Google Workspace Business Plans do not have DLP support, the Enterprise plan does.

Even for Enterprises, Google's native DLP is not enough. It does not do the following:

  1. Google Drive DLP will not prevent file sharing for a set of users: All DLPs today are all-or-none, i.e., either they will block configured sensitive files OR they will allow them. The blanket block or allow does not work in the practical world. For example: it is OK to share sensitive files between certain team members (e.g., customer success) and the end-user (e.g., customer); however, not all team members have the permission to send.
  2. Google Drive DLP will not redact sensitive data elements in files: Not everyone needs to see customer PII or sensitive information in files; however, it is perfectly valid for users to see files without the sensitive information.
  3. Google Drive DLP will not have approval workflow: There is no customization of who can share which file with whom. Teams would want to share sensitive files with external parties only if a team admin grants permissions.

Strac DLP for Google Drive

Strac is a data loss prevention software that detects and redacts sensitive data across all communication channels. It has no-code integrations with Google Drive, Gmail, Slack, Zendesk, Intercom, Office 365, etc. 

A business using the Strac Google Drive DLP application can configure a list of sensitive data elements to mask or redact. The list below shows the sensitive data that can be redacted using the Strac Google Drive DLP application:

  • Identity: Drivers License, Passport, SSN (Social Security Number), National Identification Number, etc.
  • PII: Name, Address, Email, Phone, DoB, Age, Gender, Ethnicity, etc.
  • PHI: PII data, Medical Record Number (MRN), Insurance ID, Health Plan Beneficiary Number, Biometric, Medical Notes, etc.
  • Payments: Bank Account, Routing Numbers, Credit Card, Debit Card, IBAN, etc.
  • Secrets: API Keys, Passwords, Passphrases, etc.
  • Vehicle: License Plate, Vehicle Identification Number (VIN), etc.
  • Physical Network: IP Addresses, MAC Address, etc.
  • Crypto Secrets: Seed Phrase, Bitcoin, Ethereum, Litecoin Addresses, etc.
  • Profanity: Curse words, abuse words, etc.
  • Custom: Create your own rules or use regex

Now, let’s get down to how Strac protects your Google Drive workspace.

The following steps show how the Strac Google Drive DLP application protects your team's Google Drive workspace and saves your organization from data loss or leakage.

  1. Strac Google Drive DLP application detects or discovers sensitive files. When integrated and turned on, the Strac Google Drive DLP application detects sensitive files shared.
  2. It masks or redacts sensitive files or files containing sensitive data while giving authorized users access to those redacted contents in the Strac UI vault.
  3. If configured properly, Strac can prevent file sharing. Teams can build workflows around file sharing, e.g., send a file only if an owner approves it. If the owner rejects it, the file won't be sent to the external party.
  4. To redact, a business can configure a list of sensitive data elements (SSN, DoB, DL, Passport, CC#, Debit Card, API Keys, etc.).
  5. Compliance, Risk, and Security officers will get audit reports of who accessed what messages.

Get Started

Click here to book a demo session and learn how to integrate Strac into your Google Drive workspace. Strac's unique redaction technology will improve your DLP techniques and help you protect sensitive data while eliminating compliance risks. Read more here to learn how Strac integrates with other SaaS apps.

Founder, Strac. ex-Amazon Payments Infrastructure (Widget, API, Security) Builder for 11 years.
