Beta: Prevent data leaks from Chat messages and attachments

Use DLP for Chat to protect data in Chat messages and attachments

Using DLP for Chat, you can create data protection rules to prevent data leaks from Chat messages and attachments (uploaded files). Attachments can include files and images that you upload.

Beta features are available for both web and mobile clients, with some exceptions outlined in this article. Key features supported by DLP for Chat include the ability of administrators to:

  • Manage data protection rules for Chat, for specific organizational units and groups.
  • Define data sensitivity conditions.
  • Audit or block end users who violate data sensitivity conditions.
  • Investigate policy violations using the investigation tool (including viewing end user messages that violate such rules).

There are limitations to the current beta outlined in this article. In general, links to external content are not scanned, and messages to and from chatbots are not scanned. Files shared through Drive are subject to Drive DLP rules. Go to Use DLP for Drive to prevent data loss for details.

How can I sign up for the beta?

Sign up for the DLP for Chat beta using this form.

Known issues for this beta

DLP for Chat beta features

Not all Workspace DLP features are available in the DLP for Chat beta.

Feature inclusions and exceptions

Supported condition values are:

  • Contains
  • Matches predefined data type

Condition values that are not supported in the beta: 

  • Regular expressions
  • Word lists
  • Equals

Actions that are supported in the beta: 

  • Block content 
  • Audit only

Actions that are not supported in the beta: 

  • Warn user

Chat and latency limitations

Chat is a latency-sensitive application, and Chat DLP is designed not to degrade the end user experience.

  • For messages, DLP is given a fixed window to perform scans. Depending on the complexity and number of detectors you have, some detectors may not complete in time, and won’t be enforced. DLP scan status can be added to the Google Chat audit log for messages sent and attachments uploaded.
  • The following predefined detectors might not complete in time:
    • Date of birth
    • Person name
  • Attachments are given more time for scans, and are not expected to time out.

We plan to address these timeouts before GA.
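The fixed scan window described above has a security consequence worth seeing concretely: a detector that does not finish inside the window is not enforced, so the message goes through for that detector, and only the scan status records that no verdict was reached. The block below is an added illustration of that behaviour, not Google's code; the detector names, the simulated "Person name" cost, the `scan_with_window`, `enforce` and `audit_record` helpers and the record layout are all assumptions.

```python
import re
import time
from concurrent.futures import ThreadPoolExecutor, wait

# Constructed stand-ins for predefined detectors. Each takes the message text
# and returns True when it finds sensitive content.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def detect_ssn(text):
    """Fast detector: a structured pattern that completes well inside the window."""
    return SSN_RE.search(text) is not None


def detect_person_name(text, cost_seconds=1.0):
    """Stand-in for an expensive detector such as Person name. The sleep
    simulates its cost so that it can overrun a short scan window."""
    time.sleep(cost_seconds)
    return "Alice Example" in text


def scan_with_window(text, detectors, window_seconds):
    """Run every detector under one shared deadline.

    Returns {detector_name: 'match' | 'no_match' | 'timed_out'}. A detector
    still running at the deadline is reported as timed out and its eventual
    result is discarded rather than awaited; that is what keeps message
    latency bounded."""
    pool = ThreadPoolExecutor(max_workers=max(1, len(detectors)))
    futures = {pool.submit(fn, text): name for name, fn in detectors.items()}
    done, not_done = wait(futures, timeout=window_seconds)
    status = {}
    for fut in done:
        status[futures[fut]] = "match" if fut.result() else "no_match"
    for fut in not_done:
        status[futures[fut]] = "timed_out"
    # Do not block on stragglers; let them finish in the background.
    pool.shutdown(wait=False)
    return status


def enforce(status):
    """Only detectors that completed with a match block the message.
    Timed-out detectors are not enforced; they are surfaced so an admin can
    see which detectors never produced a verdict for this message."""
    return {
        "blocked": any(s == "match" for s in status.values()),
        "unenforced_detectors": sorted(n for n, s in status.items() if s == "timed_out"),
    }


def audit_record(message_id, status):
    """One constructed audit-log style record per scanned message, carrying
    the per-detector scan status alongside the enforcement outcome."""
    verdict = enforce(status)
    return {
        "message_id": message_id,
        "action": "BLOCKED" if verdict["blocked"] else "ALLOWED",
        "scan_status": dict(sorted(status.items())),
        "unenforced_detectors": verdict["unenforced_detectors"],
    }


if __name__ == "__main__":
    detectors = {"ssn": detect_ssn, "person_name": detect_person_name}
    # Short window: person_name overruns, is not enforced, and the message is allowed.
    print(audit_record("msg-1", scan_with_window("ping Alice Example", detectors, 0.2)))
    # Longer window: person_name completes and the message is blocked.
    print(audit_record("msg-2", scan_with_window("ping Alice Example", detectors, 3.0)))
```

The point to take from the record is that "ALLOWED" with a non-empty `unenforced_detectors` list is not the same as "scanned clean"; when reviewing the audit log, treat timed-out detectors as unknown rather than as negative results.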

Investigation tool limitations

  • In the investigation tool, you can't view the original message or attachment that was blocked, unless the applied rule is set to Audit only.
  • You can't look up violating attachments from the investigation tool (even for audit only rules) if the attachments were uploaded from mobile clients.

Tabular data serialized for scanning; might mask violations in columns

Files with tabular data, like Microsoft Excel files or comma-separated values (.csv) files, are serialized before scanning. As a result, DLP might not find violations in columns that are apparent when you review the data in the file.

Users need latest versions of Gmail and Chat

Ensure that your users' Gmail and Google Chat applications are up to date so they receive complete messaging for blocked Chat conversations.

Why use DLP for Chat?

DLP for Chat gives you control over the sharing of sensitive data in chat conversations. Using DLP for Chat, you can:

  • Create data protection rules specifically for Chat
  • Create data protection rules for Chat and other apps (such as Drive or Chrome)
  • Create data protection rules that block Chat messages and attachments
  • Specify that the data protection rules cover a specific organizational unit or group, or for your entire organization
  • View audit log details in the Beta: Rules audit log

How does DLP for Chat work?

When the user sends a Chat message, DLP rules trigger scans of messages for sensitive content. Attachments are scanned when they are uploaded.

What is scanned?

DLP rules are applied to chat users, and impact the messages they send. Rules do not impact what a user or room can receive. 

  • Messages and attachments are scanned. Attachments include files and images. Links to external content are not scanned.
  • Messages in 1:1 chats, group chats, and spaces are scanned, even if Chat history is turned off.
  • Messages and attachments scanned can have violation events logged for them (in the Beta: Rules audit log) even when history is turned off in Chat.

When is the message scanned?

Chat messages are scanned when a user sends them, whether or not they include attachments.

DLP scans Chat messages and attachments

Summary of DLP for Chat flow:

  1. You define DLP rules. These rules define which content is sensitive and should be protected. DLP rules can apply to both Chat messages and Chat message attachments.
  2. A user sends a Chat message. DLP scans the contents for DLP rule violations that trigger DLP incidents. Attachments are scanned upon upload, and those with rule violations are blocked.
  3. DLP enforces the rules you defined and violations trigger actions.
  4. You are alerted of DLP rule violations in the Beta: Rules audit log, if alerts are on.

User experience for blocked messages

Before you implement DLP for Chat rules, tell your end users what to expect.  Explain that there are policies in place regarding what information can be shared, and that messages that violate these policies are blocked in Chat. Tell them what information is restricted, so they won’t be surprised when they receive messages about blocked content. 

Depending on the platform used for Chat (Mobile or Web), here are some messages users can receive when Chat content is blocked in a message or an attachment:

  • Message can’t be sent. Your message may contain information restricted by your organization’s admin policy. (For a blocked message.)
  • File upload failed, it may contain restricted information. (For a blocked attachment.)

When a message is blocked, the user can click Retry (to edit the message text) or Delete (to remove the message text). 

Attachments that violate security policies are not uploaded. There is no option to retry if the attachment upload fails, and in this case, the attachment is removed from the draft message.

How do I control what messages are blocked? What if I want to block messages to spaces or groups?

You can control the granularity of conversations that your DLP rules apply to. After you choose the Google Chat action, you can select when the action should apply: to external conversations (an internal conversation with guest access enabled, or a space that is externally owned) or internal conversations, and to spaces, group chats, or 1:1 chats:

"Select when the Block message action in DLP should be applied for Google Chat."

DLP for Chat - rule examples

Here are examples of blocking Chat messages or attachments (in Chat only, or in other apps as well), and of logging details about Chat messages in the Beta: Rules audit log.

For general steps on creating DLP rules, go to Create new DLP for Drive rules and custom content detectors.

Block a Chat message that contains a Social Security Number - external and internal messages

In this example, you block a Chat message or attachment that contains a Social Security Number, in both external and internal conversations.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. On the Admin console Home page, go to Rules.
  3. Under Protect your sensitive content, click Create rule.
  4. Add the name and description for the rule, such as Block when sharing SSN in chat.
  5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to.
  6. Click Continue. For Google Chat select Message sent and File uploaded (for attachments).
  7. In the Conditions section, click Add Condition and select the following values:
    1. Content type to scan—All content (note that All content is the only Field value available if a trigger is selected for Google Chat, no matter what other triggers are selected)
    2. What to scan for—Matches predefined data type (recommended)
    3. Matches predefined data type—United States - Social Security Number.
    4. Likelihood Threshold—Likely (recommended).  The confidence threshold for the condition. This is an extra measure used to determine whether messages trigger the action.
    5. Minimum unique matches—1. The minimum number of times a unique match must occur in a message or attachment to trigger the action.
    6. Minimum match count—1. The number of times the content must appear in a message or attachment to trigger the action. For example, if you select 2, content must appear at least twice in a message to trigger the action. 
  8. Click Continue. In the Actions section, under Chat, select Block content. Also select when the action should apply. For this example, select External conversations and Internal conversations. Leave Spaces, Group chats, and 1:1 chats selected.
  9. Click Continue to review the rule details.  The action for Chat is to block content for external and internal conversations.
  10. Click Create and choose:
    1. Active—Your rule runs immediately
    2. Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  11. Click Save.
    It can take up to 24 hours for the rule to apply to all user accounts in the selected organizational units and groups.

Block Drive external sharing and a Chat message attachment that contains a passport number - external sharing only

In this example, one rule blocks a Chat attachment that contains a passport number and blocks external sharing of a modified Drive document that contains one.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. On the Admin console Home page, go to Rules.
  3. Under Protect your sensitive content, click Create rule.
  4. Add the name and description for the rule, such as Block when sharing a passport number in Chat and Drive.
  5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to.
  6. Click Continue. For Google Drive select File modified. For Google Chat select File uploaded only.
  7. In the Conditions section, click Add Condition and select the following values:
    1. Content type to scan—All content (note that All content is the only Field value available if a trigger is selected for Google Chat, no matter what other triggers are selected)
    2. What to scan for—Matches predefined data type (recommended)
    3. Matches predefined data type—United States Passport
    4. Likelihood Threshold—Likely (recommended).  The confidence threshold for the condition. This is an extra measure used to determine whether messages trigger the action.
    5. Minimum unique matches—1. The minimum number of times a unique match must occur in a document to trigger the action.
    6. Minimum match count—1. The number of times the content must appear in a message to trigger the action. For example, if you select 2, content must appear at least twice in a message to trigger the action.
  8. Click Continue. In the Actions section, under Drive select Block external sharing. Under Chat, select Block content. Also, for Chat, select when the action should apply. For this example, deselect Internal conversations so that only External conversations remains selected.
  9. Click Continue to review the rule details. The action for Drive is to block external sharing. The action for Chat is to block content for external conversations only.
  10. Click Create and choose:
    1. Active—Your rule runs immediately
    2. Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  11. Click Save.
    It can take up to 24 hours for the rule to apply to all user accounts in the selected organizational units and groups.

Log the mention of the CEO’s or IT manager’s names in documents uploaded to Chat or Chrome

In this example, you log in the Beta: Rules audit log when specific names appear in documents uploaded to Chat (as an attachment) or Chrome, but take no other action.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. On the Admin console Home page, go to Rules.
  3. Under Protect your sensitive content, click Create rule.
  4. Add the name and description for the rule, such as Log when sharing names in chat or Chrome.
  5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to.
  6. Click Continue. For Chrome select File uploaded only. For Google Chat select File uploaded only.
  7. In the Conditions section, click Add Condition and select the following values:
    1. Content type to scan—All content (note that All content is the only Field value available if a trigger is selected for Google Chat, no matter what other triggers are selected)
    2. What to scan for—Contains text string
    3. Enter contents to match—Mike Ceo
  8. Click Add condition to add an OR condition, and select the following values:
    1. Content type to scan—All content 
    2. What to scan for—Contains text string
    3. Enter contents to match—Viola Com 
  9. Click Continue. In the Actions section, under Chrome and Chat, select Audit only. Also, for Chat, select when the action should apply. For this example, select External conversations and Internal conversations.
  10. Click Continue to review the rule details. Under actions, note that the action for Chrome is audit only, and that the action for Chat is also audit only and applies to external and internal conversations.
  11. Click Create and choose:
    1. Active—Your rule runs immediately
    2. Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Data protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  12. Click Save.
    It can take up to 24 hours for the rule to apply to all user accounts in the selected organizational units and groups.
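The three rule examples above share the same moving parts: one or more conditions joined by OR, each with a detector plus the Minimum unique matches and Minimum match count fields, an action (Block content or Audit only), and a conversation scope (external or internal; spaces, group chats or 1:1 chats). The block below is an added model of how those fields combine when a message is evaluated; it is not Google's DLP implementation. The `Condition` and `ChatRule` names, the regex stand-in for the Social Security Number detector (the real detector also scores likelihood, which is omitted here) and the case-insensitive string match are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the predefined "United States - Social Security
# Number" detector: a regex that finds candidate matches so the counting
# fields can be demonstrated. Likelihood scoring is not modelled.
PREDEFINED_DETECTORS = {
    "United States - Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Condition:
    kind: str                     # "Matches predefined data type" or "Contains text string"
    value: str                    # detector name, or the text string to match
    min_unique_matches: int = 1   # Minimum unique matches
    min_match_count: int = 1      # Minimum match count

    def matches(self, text):
        """True when BOTH thresholds are met: total occurrences and distinct values."""
        if self.kind == "Contains text string":
            # Assumption: case-insensitive substring match; every occurrence is
            # the same string, so unique matches can never exceed 1 here.
            found = [self.value] * text.lower().count(self.value.lower())
        else:
            found = PREDEFINED_DETECTORS[self.value].findall(text)
        return (len(found) >= self.min_match_count
                and len(set(found)) >= self.min_unique_matches)


@dataclass
class ChatRule:
    name: str
    conditions: list              # joined by OR, as in the "Log the mention" example
    action: str                   # "Block content" or "Audit only"
    external_conversations: bool = True
    internal_conversations: bool = True
    conversation_types: frozenset = frozenset({"Spaces", "Group chats", "1:1 chats"})


def evaluate(rule, text, conversation_type, is_external):
    """Return (outcome, matched_condition_values); outcome is 'block',
    'audit' or 'allow'. Scope is checked before content, so an out-of-scope
    conversation never produces a violation event."""
    in_scope = conversation_type in rule.conversation_types and (
        rule.external_conversations if is_external else rule.internal_conversations
    )
    if not in_scope:
        return "allow", []
    hits = [c.value for c in rule.conditions if c.matches(text)]
    if not hits:
        return "allow", []
    return ("block" if rule.action == "Block content" else "audit"), hits


if __name__ == "__main__":
    # The same SSN repeated twice satisfies Minimum match count 2 but not
    # Minimum unique matches 2, so this rule does not fire on it.
    two_distinct = ChatRule(
        "two distinct SSNs",
        [Condition("Matches predefined data type",
                   "United States - Social Security Number",
                   min_unique_matches=2, min_match_count=2)],
        "Block content",
    )
    print(evaluate(two_distinct, "123-45-6789 then again 123-45-6789", "Spaces", False))
    print(evaluate(two_distinct, "123-45-6789 and 987-65-4321", "Spaces", False))
```

The `__main__` section exercises the one field interaction that trips people up: a message that repeats the same value satisfies Minimum match count but not Minimum unique matches, so both thresholds have to be chosen with that distinction in mind.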