Use BeyondCorp Threat and Data Protection to integrate Data Loss Prevention with Chrome

BeyondCorp integrates DLP with Chrome

BeyondCorp Threat and Data Protection features are available only for customers who have purchased BeyondCorp Enterprise.

Using BeyondCorp Threat and Data Protection, you can integrate Data Loss Prevention (DLP) features to use with Chrome to implement sensitive data detection for files that are uploaded and downloaded, and for content that is pasted or dragged and dropped.

This integration gives you control over what data Chrome users can share, such as Social Security numbers or credit card numbers. It only applies to Chrome browser on Windows, Mac, Linux and the Chrome operating system. Other platforms are not supported at this time.

BeyondCorp and DLP

DLP integration with Chrome is included in the BeyondCorp suite of features, which is part of Cloud Platform Security. To configure the DLP integration, you will use Google Workspace features.

BeyondCorp includes:

  • Use of Chrome management features
  • Configuration of Chrome connectors
  • Configuration of DLP rules in Google Workspace security (described in this article)
  • Alerts and investigation of security events generated by Chrome (such as malware or sensitive data detection, phishing or social engineering, or password reuse)

For details on implementing BeyondCorp, go to Protect Chrome users with BeyondCorp Threat and Data Protection.

Steps to set up DLP for BeyondCorp

To implement and use the entire set of BeyondCorp DLP protections, you must:

After you create your DLP rules, when users upload, download, or copy and paste data into the browser, these actions can trigger events. You can:

DLP rule examples that support BeyondCorp integrations with Chrome

DLP and BeyondCorp integration - rule examples

Here are some examples of blocking file downloads, warning of downloads with multiple addresses, and blocking a GMail upload containing multiple addresses. The field type URL is featured in these examples.

Example 1: Block file downloads from drive.google.com

This example shows how to use rule settings to block file downloads. In this example, the download is blocked if it occurs from drive.google.com.

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges.
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges.
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Centerand thenInvestigation Tooland thenRuleand thenView Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Securityand thenData protection.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Manage Rules. Then click Add ruleand thenNew rule
  4. Add the name and description for the rule.
  5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

    Note that organizational units can contain devices, users or a combination of devices and users. This is important to know, because rules apply only to devices for Chrome browsers and only to users for Chrome OS. Keep this in mind as you create your DLP rules for BeyondCorp.

  6. Click Continue. Under Triggers, for Chrome select File downloaded.
  7. In the Conditions section, click Add Condition and select the following values:
    1. Field—URL
    2. Value—Contains
    3. Content to match—drive.google.com
  8. Click Continue. In the Actions section, under Chrome, select Block content.
  9. Click Continue to review the rule details.
  10. Click Create and choose:
    1. Active—Your rule runs immediately
    2. Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Data protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  11. Click Complete.
    It can take up to 24 hours for the rule to apply to all user accounts in the selected organizational units and groups.
Example 2: Warn of a Chrome download that contains more than 30 email addresses

This example shows how to use rule settings to trigger a user warning under certain conditions.  In this example, the user is warned if they try to download more than 30 email addresses at once.

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges.
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Centerand thenInvestigation Tooland thenRuleand thenView Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Securityand thenData protection.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Manage Rules. Then click Add ruleand thenNew rule
  4. Add the name and description for the rule.
  5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

    Note that organizational units can contain devices, users or a combination of devices and users. This is important to know, because rules apply only to devices for Chrome browsers and only to users for Chrome OS. Keep this in mind as you create your DLP rules for BeyondCorp.

  6. Click Continue. Under Triggers, for Chrome select File downloaded.
  7. In the Conditions section, click Add Condition and select the following values:
    1. Field—All content
    2. Value—Match the default detector
    3. Default detector—Global - Email Address
    4. Likelihood threshold—Possible
    5. Minimum unique matches—30
    6. Minimum match counts—30
  8. Click Continue. In the Actions section, under Chrome, select Warn user. The user is warned, but can proceed with the action if the rule is violated. If the user chooses to proceed after being warned, this action is recorded in the Rules audit log.
  9. Click Continue to review the rule details.
  10. Click Create and choose:
    1. Active—Your rule runs immediately
    2. Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Data protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  11. Click Complete.
    It can take up to 24 hours for the rule to apply to all user accounts in the selected organizational units and groups.
Example 3: Block a Chrome upload that contains more than 30 email addresses

This example shows how to use rule settings to block file uploads.  In this example, the upload is blocked if the user tries to upload more than 30 email addresses at once.

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • Organizational unit administrator privileges.
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
  • View Metadata and Attributes privileges (required for the use of the investigation tool only): Security Centerand thenInvestigation Tooland thenRuleand thenView Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Securityand thenData protection.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Manage Rules. Then click Add ruleand thenNew rule
  4. Add the name and description for the rule.
  5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

    Note that organizational units can contain devices, users or a combination of devices and users. This is important to know, because rules apply only to devices for Chrome browsers and only to users for the Chrome operating system. Keep this in mind as you create your DLP rules for BeyondCorp.

  6. Click Continue. Under Triggers, for Chrome select File uploaded and Content uploaded.

    For the File uploaded and Content uploaded triggers, the blocking behavior depends on the Delay file upload setting specified in Set Chrome Enterprise connector policies for Google BeyondCorp Enterprise. If the Delay file upload setting is set to Allow immediate upload the file will upload during the scan. To prevent users from uploading files or content during a scan, the Delay file upload setting should be set to Delay upload until analysis is complete.

  7. In the Conditions section, click Add Condition and select the following values:
    1. Field—All content
    2. Value—Match the default detector
    3. Default detector—Global - Email Address
    4. Likelihood threshold—Possible
    5. Minimum unique matches—30
    6. Minimum match counts—30
    7. Click Add Condition.
    8. Field—URL
    9. Value—Contains
    10. Content to match—mail.google.com
  8. Click Continue. In the Actions section, under Chrome, select Block content.
  9. Click Continue to review the rule details.
  10. Click Create and choose:
    1. Active—Your rule runs immediately
    2. Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Data protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  11. Click Complete.
    It can take up to 24 hours for the rule to apply to all user accounts in the selected organizational units and groups.

Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false