Scan and Protect Drive Files Using DLP Rules

DLP (Data Loss Prevention) is a process of securing sensitive data against being shared outside the organisation. This facility is only present in the G Suite Enterprise edition. A control called Rules helps achieve this.

In addition to everything available in G Suite Basic and Business, G Suite Enterprise offers enhanced security, controls, and customization. DLP (Data Loss Prevention) rules are one of these features. Rules is a built-in control of the G Suite Enterprise edition that scans and protects Drive files for users.

 

This enables the administrator to prevent domain users from sharing sensitive data in Google Drive or Team Drive with people outside their organisation. For example, if a user shares a file containing bank account or tax ID numbers, the admin can have an email sent to other super admins to notify them. The admin can also warn users when they try to share a file or sensitive data, or completely block anyone outside the organisation from accessing the file.

 

Defining a Rule -- A rule is defined by 3 parameters:

1. Triggers: The application whose files the rule scans (currently only available for Drive, which includes Team Drives as well).

2. Conditions: Customize which users and content the rule applies to.

  • Users — Admin can apply the rules to an organizational unit or a group to scan Team Drive files. The rule scans files owned by users in the selected organisations or groups. Desired groups can be exempted too. Add and exempt as many groups and organisations as you want.

  • Content — This acts like content compliance in G Suite Basic. Admin can have the rule trigger when a file matches content or a custom word from a predefined list, or can create a new content list.

 

3. Actions: What the rule does when it finds an issue.

  • Block external access -- Ensures that any files with sensitive content are blocked for anyone outside the organization, even if they're added to a Team Drive.

  • Warn on External Sharing -- Informs a user when they are sharing a file with sensitive content.

  • Send email to super administrators -- Sends an email to super admins when a user creates, edits or uploads a file with sensitive content. A maximum of 25 emails can be sent in 2 hours.

Even if the admin doesn't choose an action, matching files are always flagged and listed in the report data.
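
The rule semantics described above (user scope with exemptions, content match, actions, the always-on report flag and the admin email cap), as an added Python sketch that is not Google's implementation or code from the original page. The detector pattern, the group names, exemption taking precedence over inclusion, and the cap behaving as a sliding window are assumptions made for illustration.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed detector: a tax-ID-like pattern (assumption, not a Google list).
TAX_ID = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_CAP, EMAIL_WINDOW = 25, 2 * 60 * 60   # page: max 25 emails in 2 hours


@dataclass
class Rule:
    include: set          # OUs/groups whose users' files are scanned
    exempt: set           # OUs/groups excluded from the rule
    detector: re.Pattern  # content condition
    actions: set          # subset of {"block_external", "warn", "email_admins"}
    _sent: deque = field(default_factory=deque)  # timestamps of admin emails

    def applies_to(self, owner_groups):
        # Assumption: an exemption overrides an inclusion.
        return bool(self.include & owner_groups) and not (self.exempt & owner_groups)

    def evaluate(self, owner_groups, text, shared_externally, now):
        """Outcome for one create/edit/upload event at time `now` (seconds)."""
        out = {"flagged": False, "blocked": False, "warned": False, "emailed": False}
        if not self.applies_to(owner_groups) or not self.detector.search(text):
            return out
        out["flagged"] = True  # matches are always reported, even with no actions
        out["blocked"] = "block_external" in self.actions
        out["warned"] = shared_externally and "warn" in self.actions
        if "email_admins" in self.actions:
            while self._sent and now - self._sent[0] >= EMAIL_WINDOW:
                self._sent.popleft()          # forget emails older than 2 hours
            if len(self._sent) < EMAIL_CAP:   # cap reached: flag but send nothing
                self._sent.append(now)
                out["emailed"] = True
        return out


if __name__ == "__main__":
    rule = Rule({"/Finance"}, {"dlp-exempt@example.com"}, TAX_ID, {"warn", "email_admins"})
    print(rule.evaluate({"/Finance"}, "Tax ID 123-45-6789", True, 0))
```

Once the cap is reached, matching files still come back with `flagged` set, so the report data stays complete even when admin emails stop.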

 

Here are the steps for creating DLP rules --

 

Creating Rules using predefined Templates:

  1. Open Admin Console and select the control “Rules”.

  2. Click on “Add”, or click on “Template” at the top, to open the list of existing templates.

  3. Under Data Loss Prevention, select one of the templates from the predefined list.

  4. Edit the rule title and description (optional).

  5. Edit the settings under Triggers, Conditions and Actions if needed, then click on “Done” (optional).

  6. Click on “Create and Activate”.

Creating Rules using new/blank Templates:

 

  1. Open Admin Console and select the control “Rules”.

  2. Click on “Add” as explained in the above points.

  3. Under Data Loss Prevention click on “Blank Template”.

  4. In the “Title” field, enter the rule name and add a description below.

  5. Then add Triggers, Conditions and Actions as per requirement and click on “Done”.

  6. Click on “Create and Activate”.



