Scan your email traffic using data loss prevention
As of January 31, 2017 Gmail data loss prevention (DLP) is available only with G Suite Enterprise. Customers who are licensed with G Suite Business on Mar 31, 2017 can continue to use Gmail DLP until Jan 31, 2020 provided they continuously renew their G Suite Business license during that time period.
Gmail data loss prevention (DLP) lets you scan your organization’s inbound and outbound email traffic for content, such as credit card or Social Security numbers, and set up policy-based actions when this content is detected. Available actions include sending the message to quarantine, rejecting the message, or modifying the message.
DLP uses a set of predefined detectors to evaluate message content. These detectors are available in the Content compliance setting, described below.
If you configure a DLP policy using predefined detectors, the email subject, message body, and attachments are automatically scanned. You can create more sophisticated content compliance policies by combining one or more predefined detectors with keywords or regular expressions to construct compound detection criteria.
Note: Similar to other email security settings, the Content compliance setting applies to all users in an organization, so you can apply distinct policies to a specific set of users. Learn more about the Content compliance setting.
To set up a predefined content detector in the Content compliance setting, click Add to add an expression in the Expressions section, and click Predefined content match. For more details, see the procedure below.
Although the Predefined content match option is useful, it’s not a 100%-accurate detection method. For example, it doesn’t guarantee compliance with regulatory requirements. As the customer, you can decide which data is sensitive, and how to best protect it. We recommend that you test your settings to make sure your configuration meets your requirements, and that you use the quarantine option to verify content matches.
Tip: To see examples of sensitive content and to test your own content, try the Sensitive Data Classification demo.
To configure predefined content detectors for your domain or organization:
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console dashboard, go to Apps > G Suite > Gmail > Advanced settings.
  Tip: To see Advanced settings, scroll to the bottom of the Gmail page.
- (Optional) On the left, select an organization.
- Scroll to the Content compliance section:
  - If the status is Not configured yet, hover over the setting and click Configure.
  - If the status is Locally applied or Inherited, click Edit or click Add another to edit it or add a new setting.
- At the top, enter a short description, such as Credit card number detector.
- In the Email messages to affect section, select the required types of messages to affect. For example, to limit this setting to outbound mail, uncheck all boxes except Outbound.
- In the Expressions section, click Add.
- From the list, select Predefined content match.
- From the list, select the relevant predefined detector. For example, if you want to scan outbound messages for content that includes credit card information, select Credit card number.
- (Optional) Set the following options:
  - Minimum number of matches—Set the number of times the detector must appear in a message to trigger the action you define. For example, if you select 2, this means that at least 2 different credit card numbers must appear in a message to trigger any action on the message. Duplicate appearances of the same credit card number don’t trigger the action.
  - Confidence threshold—Set whether to trigger the action if the detector in the message meets a medium confidence threshold (default), or only if the detector meets a high confidence threshold. The confidence threshold indicates how likely it is that the detected message content meets your compliance criteria.
    - A medium threshold means that more messages trigger the action.
    - A high threshold can result in fewer false positives (fewer messages triggering the action that don’t require it), but also possibly more false negatives (more messages being delivered that should have triggered the action).
Note: Not all types of data can be detected with high confidence. For example, credit card numbers can be detected with higher confidence by matching a well-defined pattern as well as a checksum. However, ABA routing numbers are detected with medium confidence, because detection relies only on a checksum on 9 digits. The detector descriptions below indicate the detectors that let you set a high confidence threshold.
- Click Save.
- Choose whether you want to modify, reject, or quarantine the message. To verify content matches, we recommend that you choose the quarantine option.
- Click Add setting or Save to close the dialog box.
Any settings you add are highlighted on the Email settings page.
At the bottom, click Save.
It can take up to an hour for changes to propagate to user accounts.
To set up a data loss protection policy in the Content compliance setting, select from the list of predefined detectors.
Predefined detectors are built using publicly available information. The principal detection methods are: pattern match, context, checksum, and word/phrase list. Multiple types of detection are often employed with and/or (all/any) logic in one detector:
- Pattern match—A specific alphanumeric pattern (not just string length), including delimiters, valid position, and valid range checks
- Context—Presence of relevant strings in proximity to a pattern, a checksum matching string, or both
- Checksum—Checksum computation and verification with check digit
- Word/phrase list—Full or partial match to an entry found in a dictionary of words and phrases
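The detection methods listed above, together with the minimum-matches rule from the setup procedure, shown as an added Python sketch (this is not Google's detector code). The regular expressions, context words, window size and sample message are constructed assumptions; the Luhn and ABA checksums are the standard public algorithms.

```python
import re

# Constructed patterns for illustration; a production detector is stricter.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional delimiters
ABA_RE = re.compile(r"\b\d{9}\b")                  # 9 contiguous digits
CONTEXT_WORDS = ("routing", "aba")                 # assumed context word list
CONTEXT_WINDOW = 40                                # assumed proximity, in characters

def luhn_ok(digits):
    """Checksum used for payment card numbers (Luhn)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def aba_ok(digits):
    """ABA routing checksum: weights 3,7,1 repeated, sum divisible by 10."""
    weighted = sum(int(c) * w for c, w in zip(digits, (3, 7, 1) * 3))
    return digits != "000000000" and weighted % 10 == 0

def find_cards(text):
    """Pattern match plus checksum; a set, so duplicates count once."""
    hits = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.add(digits)
    return hits

def find_aba(text, require_context=False):
    """Checksum only, or checksum plus a context word near the match."""
    hits, lowered = set(), text.lower()
    for m in ABA_RE.finditer(text):
        near = lowered[max(0, m.start() - CONTEXT_WINDOW):m.end() + CONTEXT_WINDOW]
        if aba_ok(m.group()) and (not require_context
                                  or any(w in near for w in CONTEXT_WORDS)):
            hits.add(m.group())
    return hits

def triggers(matches, minimum):
    """Minimum number of matches, counted over distinct values."""
    return len(matches) >= minimum

# Constructed sample message (test card numbers, made-up 9-digit values).
MESSAGE = ("Order 111111118 confirmed. Card 4111 1111 1111 1111, repeated as "
           "4111-1111-1111-1111, second card 5555 5555 5555 4444, mistyped "
           "4111 1111 1111 1112. Wire via routing 123456780.")

if __name__ == "__main__":
    print(sorted(find_cards(MESSAGE)), triggers(find_cards(MESSAGE), 2))
    print(sorted(find_aba(MESSAGE)), sorted(find_aba(MESSAGE, require_context=True)))
```

In the sample, the checksum-only ABA check also flags the order number, while requiring a context word keeps only the value next to "routing"; this is why a 9-digit checksum alone supports no more than medium confidence.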
Learn about the predefined detectors, organized by country.