Scan and protect Drive files using DLP rules

This feature is only available with G Suite Enterprise.

As a super administrator for G Suite Enterprise, you can prevent users from sharing sensitive content in Google Drive or Google Team Drive with people outside your organization. You can define rules that protect privacy using Data Loss Prevention (DLP). DLP for Drive scans your organization’s Drive and Team Drive files for sensitive content. You set up policy-based actions that are triggered when any sensitive content is detected. Available actions include sending an email to super administrators, sending an email to the user who created, edited, or uploaded a file with sensitive content, or blocking sharing of any file with sensitive content.

Tip: To see examples of sensitive content and to test your own content, try the Data Loss Prevention Demo.

How rules work

You can work with a predefined template or create your own. You assign a rule to your whole domain, an organizational unit, or a group in Google Groups; you can also exempt a group in Google Groups. Only rules applied at the whole-domain (root organizational unit) level apply to Google Team Drive files.

If a sensitive item is detected, you determine what action to take. For details, see How to define a rule.

Create and edit rules

You must be signed in as a super administrator for this task.

Create rules using the predefined templates
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. Click Add, or at the top, click Templates to open the list of templates.
  4. Under Data Loss Prevention, select one of the templates from the predefined list.
  5. (Optional) Edit the rule title and rule description.
  6. (Optional) Under Triggers, Conditions, and Actions change or add any settings and click Done. See How to define a rule for details.
  7. Click Create And Activate.
Create rules using the blank template
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. Click Add, or at the top, click Templates to open the list of templates.
  4. Under Data Loss Prevention, click Blank Template.
  5. In the title field, enter your rule name and add a rule description below.
  6. Add Triggers, Conditions, and Actions and click Done. See How to define a rule for details.
  7. Click Create And Activate.
Edit rules
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. At the top, click Manage to see the list of DLP rules.
  4. Click the rule you want to modify.
  5. Edit settings under any of the Triggers, Conditions, and Actions sections and click Done. See How to define a rule for details.
  6. Click Save And Activate.
How to define a rule

Configure these three elements to define your rule:

  • Triggers: The application files that the rule scans.
    • Google Drive Files: Currently, DLP rules are only available for Drive files and Google Team Drive files.
  • Conditions: The variables that affect your rule.
    • Users
      • Choose Apply to Organization Unit then choose an organization unit from the pulldown menu. DLP rules are only applicable to Google Team Drive files when they’re applied on the Root Organization Unit (OU).

        Click the Add button to add more. This rule will apply to files owned by users in the selected organization units. 
      • Choose Apply to group then enter a group name. 

        Click the Add button to add more. This rule will apply to files owned by users in any one of the selected groups.
      • Choose Exempt group then enter a group name. 

        Click the Add button to add more. This rule will be ignored for files belonging to users in any of the selected groups.

        The default Users condition is that the rule applies to all users.
    • Content
      • Choose Matches sensitive content, then add one of the predefined detectors for items that are considered Personally Identifiable Information.
      • Custom Wordlist: Choose Matches custom Wordlist, then select a previously defined wordlist or create a custom wordlist. Click the Add button to add more.
      • Custom Regular Expression: Choose Matches custom Regex, then select a regular expression from the list of previously defined regular expressions or create a custom RE2 regular expression. Click the Add button to add more. RE2 does not support lookaround or backreferences, so a pattern that relies on them is not a valid RE2 expression.
      • Confidence threshold: Set whether to trigger the action when a detector match in the file meets a medium confidence threshold (default), or only when it meets a high confidence threshold.
        The confidence threshold indicates how likely it is that the detected content actually meets your compliance criteria.
        A medium threshold means that more files trigger the action.
        A high threshold can result in fewer false positives (fewer files triggering the action that don't require it), but also possibly more false negatives (more files being shared that should have triggered the action).
  • Actions: What the rule does when it finds an issue (it always flags the file).
    • Block external sharing: Ensures that any files a user has created, edited, or uploaded with sensitive content are blocked from sharing with external users (anyone outside your organization can't see the file contents).
    • Warn on external sharing: Displays a subwindow that informs the user that they have created or uploaded a file with sensitive content.
      They'll need to click OK to close this subwindow.
    • Send email to Super Administrators: Sends an email to inform the super administrators that a user has created, edited, or uploaded a file with sensitive content.
      An email is sent whenever the type of sensitive content in the file changes.
      Emails are rate-limited to a maximum of 25 in any 2-hour period.

Note: If you don't choose an action, matching files are only "flagged" and appear in Rules Audit. External members of a Google Team Drive can't access files blocked by a "Block external sharing" action.

Tip: If you notice a high number of false positives, as administrator, create a pair of rules: In your first rule, add a strong action such as "Block external sharing" with the confidence threshold set to high. Next, create a second rule with a medium confidence threshold and add the "Warn on external sharing" action to it. Files that only reach medium confidence then warn the user instead of hard-blocking the share, while high-confidence matches are still blocked.
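The following is an added example, not code from this article or from Google's DLP implementation. It shows the mechanics described above (a detector is a regex plus extra content checks that raise confidence; a rule fires when a match reaches the rule's threshold) and the two-rule layout from the tip. The detector names, rule names, action identifiers, sample file contents, Luhn check and SSN structure rules are all assumptions for illustration; Google's actual detectors and confidence scoring are not public. Patterns avoid lookarounds and backreferences so they are valid in RE2 as well as in Python's re, which is used here only to run the example offline.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Confidence levels, ordered so a HIGH finding also satisfies a MEDIUM threshold.
CONFIDENCE = {"MEDIUM": 1, "HIGH": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: the extra 'content parameter'
    that separates a plausible card number from any 13-16 digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Structural rules for a US SSN (assumed validator): area 000, 666 and 9xx
    are never issued, nor are group 00 or serial 0000."""
    area, group, serial = ssn.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


# detector name -> (RE2-compatible regex, validator that upgrades MEDIUM to HIGH)
DETECTORS: Dict[str, Tuple[re.Pattern, Callable[[str], bool]]] = {
    "CREDIT_CARD_NUMBER": (
        re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),        # 13-16 digits, optional separators
        lambda m: luhn_ok(re.sub(r"[ -]", "", m)),
    ),
    "US_SSN": (
        re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
        ssn_plausible,
    ),
}


@dataclass
class Rule:
    name: str
    detectors: List[str]
    threshold: str   # "MEDIUM" or "HIGH"
    action: str      # assumed identifiers, e.g. "BLOCK_EXTERNAL_SHARING"


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Return (detector, matched_text, confidence) for every hit in a file.
    A bare regex hit is MEDIUM; a hit that also passes the validator is HIGH."""
    findings = []
    for name, (pattern, validator) in DETECTORS.items():
        for m in pattern.finditer(text):
            conf = "HIGH" if validator(m.group(0)) else "MEDIUM"
            findings.append((name, m.group(0), conf))
    return findings


def evaluate(text: str, rules: List[Rule]) -> Set[str]:
    """Actions that fire for a file: a rule fires when any finding from one of
    its detectors reaches the rule's threshold (the file is flagged regardless)."""
    findings = scan(text)
    fired = set()
    for rule in rules:
        for det, _, conf in findings:
            if det in rule.detectors and CONFIDENCE[conf] >= CONFIDENCE[rule.threshold]:
                fired.add(rule.action)
                break
    return fired


# The two-rule layout from the tip: hard-block only on HIGH, warn on MEDIUM.
RULES = [
    Rule("Block PII (high)", ["CREDIT_CARD_NUMBER", "US_SSN"], "HIGH", "BLOCK_EXTERNAL_SHARING"),
    Rule("Warn on possible PII (medium)", ["CREDIT_CARD_NUMBER", "US_SSN"], "MEDIUM", "WARN_ON_EXTERNAL_SHARING"),
]

# Constructed sample file contents (4111 1111 1111 1111 is a well-known test card number).
SAMPLE_FILES = {
    "refunds.txt": "Refund to card 4111 1111 1111 1111, exp 12/26",   # Luhn-valid -> HIGH
    "orders.txt": "Order ref 1234 5678 9012 3456 shipped",            # 16 digits, Luhn fails -> MEDIUM
    "hr.txt": "Employee SSN 123-45-6789 on file",                     # plausible SSN -> HIGH
    "template.txt": "Fill in SSN here: 000-00-0000",                  # SSN shape only -> MEDIUM
    "invoice.txt": "Invoice 2024-0001, net 30",                       # no detector hit
}

if __name__ == "__main__":
    for fname, text in SAMPLE_FILES.items():
        print(fname, scan(text), sorted(evaluate(text, RULES)))
```

With these rules, orders.txt and template.txt only warn the user (they are false-positive candidates that a single high-threshold block rule would have let through silently, and a single medium-threshold block rule would have blocked outright), while refunds.txt and hr.txt are both warned and blocked.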

Use rule audit data and templates

You must be signed in as a super administrator for this task.

View or export DLP rule flagged items data
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. At the top, click Audit to see the DLP rule audit report data.
  4. (Optional) To change the criteria that’s displayed, click Select columns. Any changes are saved and available the next time you sign in.
  5. To configure the table to only show certain elements, in the Filters section, enter the names or select the element in the following fields:
    1. Rule name—The rule the flagged item has broken.
    2. Flagged item name—The name of the file the rule flagged.
    3. Flagged item identifier—The name of the identifier in the file the rule flagged.
    4. Item owner—The email of the owner of the file the rule flagged.
    5. Team Drive ID—The ID of the Team Drive in which the flagged file resides.
    6. Matched content detectors—Select one of the custom or predefined matched content detectors.
    7. Date and time range—A start and end date and time for listing events.
      Each entry in the log is associated with a single event.
  6. To export the report data directly to a Google Sheets file within Drive or to download a CSV file with the report data, click Download. The exported Google Sheets file and the downloaded CSV file can each contain a maximum of 200,000 cells, so the maximum number of rows depends on the number of selected columns.
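The following is an added example, not code from this article or any Google tool, for triaging a downloaded audit CSV offline with the same filters the Audit view offers. The sample rows are constructed, and the column names are an assumption that mirrors the filter fields listed above; check the header row of a real export and adjust the column constants if they differ. Because each log entry is a single event, the same file can appear several times, so the helpers count distinct flagged files rather than raw rows.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional

# ASSUMED column names, modelled on the Audit view's filter fields.
COL_RULE, COL_NAME, COL_ID = "Rule name", "Flagged item name", "Flagged item identifier"
COL_OWNER, COL_TD = "Item owner", "Team Drive ID"
COL_DET, COL_TS = "Matched content detectors", "Date and time"

# Constructed sample export (identifiers, owners and timestamps are made up).
SAMPLE_CSV = """\
Rule name,Flagged item name,Flagged item identifier,Item owner,Team Drive ID,Matched content detectors,Date and time
Block PII (high),Q3 refunds.xlsx,1aBcD,alice@example.com,,CREDIT_CARD_NUMBER,2019-03-04T09:15:00Z
Warn on possible PII (medium),customer-list.csv,2eFgH,bob@example.com,0AXYZ,US_SOCIAL_SECURITY_NUMBER,2019-03-04T10:02:00Z
Block PII (high),Q3 refunds.xlsx,1aBcD,alice@example.com,,CREDIT_CARD_NUMBER,2019-03-05T11:40:00Z
Warn on possible PII (medium),notes,3iJkL,alice@example.com,,US_SOCIAL_SECURITY_NUMBER,2019-03-06T08:00:00Z
Block PII (high),old-archive.zip,4mNoP,carol@example.com,0AXYZ,CREDIT_CARD_NUMBER,2019-02-20T16:30:00Z
"""


def load_audit(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into one dict per event row."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value: str) -> datetime:
    """Timestamps are assumed to be UTC in ISO 8601 form with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def filter_events(rows: List[Dict[str, str]], rule_name: Optional[str] = None,
                  owner: Optional[str] = None, detector: Optional[str] = None,
                  team_drive_only: bool = False, start: Optional[datetime] = None,
                  end: Optional[datetime] = None) -> List[Dict[str, str]]:
    """Apply the Audit view's filters; start is inclusive, end is exclusive."""
    out = []
    for r in rows:
        if rule_name and r[COL_RULE] != rule_name:
            continue
        if owner and r[COL_OWNER] != owner:
            continue
        if detector and r[COL_DET] != detector:
            continue
        if team_drive_only and not r[COL_TD]:      # empty ID means a My Drive file
            continue
        ts = parse_ts(r[COL_TS])
        if start and ts < start:
            continue
        if end and ts >= end:
            continue
        out.append(r)
    return out


def distinct_items(rows: List[Dict[str, str]]) -> set:
    """Distinct flagged files: one file may produce many events."""
    return {r[COL_ID] for r in rows}


def owners_by_file_count(rows: List[Dict[str, str]]) -> Counter:
    """Owners ranked by number of distinct flagged files, not raw events."""
    seen = set()
    counts: Counter = Counter()
    for r in rows:
        key = (r[COL_OWNER], r[COL_ID])
        if key not in seen:
            seen.add(key)
            counts[r[COL_OWNER]] += 1
    return counts


if __name__ == "__main__":
    rows = load_audit(SAMPLE_CSV)
    blocked = filter_events(rows, rule_name="Block PII (high)")
    print(len(blocked), "block events on", len(distinct_items(blocked)), "distinct files")
    print("Team Drive events:", len(filter_events(rows, team_drive_only=True)))
    print("Top owners:", owners_by_file_count(rows).most_common(3))
```

For a real export, replace SAMPLE_CSV with the file contents (for example `open(path, newline="").read()`); if the export hit the 200,000-cell cap, narrow the date range or deselect columns in the Audit view and export again rather than trusting the truncated file.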
View or filter DLP templates
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. At the top, click Templates to see the DLP templates.
  4. (Optional) To change the criteria that’s displayed, click Select columns. Any changes are saved and available the next time you sign in.
  5. (Optional) To configure the table to only show certain elements, in the Filters section, enter the names or select the element in the following fields:
    1. Template name—The name of the previously defined template.
    2. Template description—The description of the previously defined template.
    3. Category—Currently, Data Loss Prevention is the only category type supported.
    4. App—The application files that the rule scans. Currently, DLP rules are only available for Drive files.

FAQ

Which predefined content detectors are supported?

Drive DLP supports a large number of predefined detectors. More will be added as the DLP platform evolves.

Is detection 100% guaranteed?

No. We can't guarantee that all sensitive data will get caught and flagged. The DLP detection system translates predefined templates into regexes (regular expressions) and uses additional content parameters to determine the probability of a match. There might be false positives and negatives, which are triggered by many factors.

How does a user know why sharing is being blocked?

Users will be shown a DLP specific message to communicate why sharing is blocked. In case of multiple violations, the message in the sharing policy violation screen will indicate the first detector that is matched.

When rules are modified or added, does the system scan previously created files?

Yes. All files are scanned anytime a rule is added or modified. Scanning the files can take a few hours, a day, or longer depending on a variety of factors including the number of files in the domain.
