Use new DLP for Drive

Prevent data loss using new DLP for Drive

Use new DLP for Drive with advanced features

This feature is available with G Suite Enterprise, G Suite Enterprise for Education, G Suite for Education, and G Suite Essentials editions.

New DLP for Drive—why use it instead of the DLP I’ve been using?

G Suite introduces updates to data loss prevention (DLP) for Drive that give admins advanced features and functionality not available in the original, legacy DLP product. When you open legacy DLP, under the Rules tab, a message tells you that DLP rules and detectors are moving to a new location: from the Admin console Home page, Security > Data protection. See Compare legacy DLP and new DLP rule management and New DLP features below.

This release refreshes DLP for Drive only. There is no change to DLP for Gmail scans at this time.

Migration from legacy DLP to new DLP for Drive

Now that the new DLP product is launching, you have the opportunity, for a period of time, to try the new DLP and compare it to the legacy DLP. During this period, consider creating new DLP rules that use the extended functionality. You can try the new DLP and also manually migrate your existing DLP rules to the new product. After that period is over, an automatic migration moves DLP rules to Security > Data protection. To accommodate this migration, there will be a period during which you cannot modify the legacy DLP rules. The legacy rules will continue to work, but they will be unmodifiable at that point. Expect more communication as this time approaches.

What if I have rules in both legacy and the new DLP?

  • The DLP rules you created in legacy DLP are separate from the rules you create in the new DLP. The new DLP rules coexist with those rules.
  • You can migrate a legacy DLP rule to the new DLP by manually creating an equivalent rule in the new Drive DLP and then deleting the legacy DLP rule.
  • If you created similar detection rules in legacy DLP and the new DLP with different response actions, the stricter action prevails, regardless of whether that action is defined in the legacy DLP rule or the new DLP rule. For example, if in legacy DLP you created a rule to warn users about documents that contain Social Security Numbers, and in the new DLP you created a rule to block sharing of documents containing Social Security Numbers, then the document sharing is blocked.

Use an audit-only rule to test the new DLP rules

One way to try out the new functionality is to create DLP rules that have no action set, such as blocking or warning users. When such a rule is triggered, data about the incident is written to the Rules audit log but the user is not affected. You can use these audit-only rules to test rules you create in the new DLP and to confirm that their behaviour matches the rules you were using in legacy DLP. Go to Create new DLP for Drive rules and custom content detectors, "Step 1. Plan your rules, Use audit-only rules to test rule results" for details.

DLP rules and actions flow

Using data loss prevention (DLP), you can create and apply rules to control the content that users can share in Google Drive files outside the organization. DLP gives you control over what users can share, and prevents unintended exposure of sensitive information such as credit card numbers or identity numbers.

DLP rules trigger scans of files for sensitive content and prevent users from sharing that content. Rules determine what counts as a DLP incident, and incidents trigger actions, such as blocking the sharing of the specified content.

You can allow controlled sharing for members of a domain, organizational unit, or group.

Summary of DLP flow:

  • You define DLP rules. These rules define which content is sensitive and should be protected.
  • DLP scans Drive contents for DLP rule violations that trigger DLP incidents.
  • DLP enforces the rules you defined and violations trigger actions, such as alerts.
  • You are alerted to DLP rule violations.
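The rule, incident, and action flow above, together with the "stricter action prevails" behaviour described under "What if I have rules in both legacy and the new DLP?", as an added Python example. This is not Google's code or API and is not part of the original article: it is a small rule evaluator with regex and word-list detectors, match-count thresholds, organizational-unit scope, and audit-only rules that write an incident without touching the share. The detectors, rule names, OU names and sample documents are constructed for illustration; the SSN regex is a simplified stand-in, not Google's predefined detector.

```python
import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Optional


class Action(IntEnum):
    """Response actions ordered by strictness; a higher value wins when rules overlap."""
    AUDIT = 0   # audit-only rule: write an incident to the audit log, leave the share alone
    WARN = 1    # warn the user, but still allow the share
    BLOCK = 2   # block the external share


@dataclass
class Rule:
    name: str
    detector: Callable[[str], int]   # returns the match count for the content
    min_matches: int                 # match-count threshold that triggers the rule
    action: Action
    scope: set = field(default_factory=lambda: {"*"})  # OUs the rule applies to; "*" = all


@dataclass
class Incident:
    rule: str
    file_name: str
    matches: int
    action: Action


# Hypothetical detectors (assumptions, not Google's predefined detectors).
# Simplified US SSN pattern: rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def ssn_detector(text: str) -> int:
    return len(SSN_RE.findall(text))


def word_list_detector(words):
    """Build a detector that counts whole-word, case-insensitive hits from a word list."""
    pattern = re.compile(r"\b(?:" + "|".join(map(re.escape, words)) + r")\b", re.IGNORECASE)
    return lambda text: len(pattern.findall(text))


def evaluate(file_name: str, content: str, owner_ou: str, rules):
    """Scan one file against every in-scope rule.

    Returns (effective_action, incidents): every triggered rule produces an
    Incident (the record that lands in the Rules audit log), and the effective
    action is the strictest one among them, or None if nothing triggered.
    """
    incidents = []
    effective: Optional[Action] = None
    for rule in rules:
        if "*" not in rule.scope and owner_ou not in rule.scope:
            continue
        matches = rule.detector(content)
        if matches < rule.min_matches:
            continue
        incidents.append(Incident(rule.name, file_name, matches, rule.action))
        if effective is None or rule.action > effective:
            effective = rule.action
    return effective, incidents


def external_share_allowed(effective: Optional[Action]) -> bool:
    """Only BLOCK stops an external share; AUDIT and WARN let it through."""
    return effective != Action.BLOCK


# Constructed sample rule set: a legacy-style WARN rule and a new BLOCK rule on
# the same SSN detector, plus an audit-only word-list rule scoped to one OU.
RULES = [
    Rule("legacy-ssn-warn", ssn_detector, 1, Action.WARN),
    Rule("new-ssn-block", ssn_detector, 1, Action.BLOCK),
    Rule("codename-audit", word_list_detector(["Project Falcon", "Falcon-2"]), 2,
         Action.AUDIT, scope={"/Engineering"}),
]

# Constructed sample documents (fictional data).
PAYROLL = "Employee 123-45-6789 and contractor 876-54-3210 are on the Q3 list."
ROADMAP = "Project Falcon ships in May; Falcon-2 follows once Project Falcon is stable."
MEMO = "Lunch is at noon. Bring the 2024 budget printout."


def demo():
    """Evaluate the three sample files; returns {file: (action, rules_hit, share_allowed)}."""
    results = {}
    for name, text, ou in [("payroll.docx", PAYROLL, "/Finance"),
                           ("roadmap.gdoc", ROADMAP, "/Engineering"),
                           ("memo.txt", MEMO, "/Engineering")]:
        action, incidents = evaluate(name, text, ou, RULES)
        results[name] = (action, [i.rule for i in incidents], external_share_allowed(action))
    return results


if __name__ == "__main__":
    for name, (action, rules_hit, allowed) in demo().items():
        label = action.name if action is not None else None
        print(f"{name}: action={label} rules={rules_hit} external_share_allowed={allowed}")
```

Running it shows the two behaviours the text describes: payroll.docx trips both SSN rules and the BLOCK action wins over WARN, while roadmap.gdoc only trips the audit-only rule, so an incident is recorded but the share goes through. Note that Action.AUDIT has value 0, so code that tests `if action:` would silently treat an audit hit as "no incident"; compare against None instead.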

DLP sample use cases

You can use DLP to:

  • Audit the use of sensitive content in Drive, including files your users may have already shared, to gather information on sensitive files uploaded by users.
  • Directly warn end users not to share sensitive content outside of the domain.
  • Prevent sharing of sensitive data (such as a Social Security Number) with external users.
  • Alert administrators or others about policy violations or DLP incidents.
  • Investigate details of an incident with information on the policy violation.

Compare legacy DLP and new DLP rule management

This table compares legacy DLP to new DLP.

Legacy DLP: Existing DLP product.
New DLP: New DLP product with more features.

Legacy DLP: DLP rules are found in the Admin console under Rules.
New DLP: DLP rules are found in the Admin console under Security > Data protection.

Legacy DLP: To set up DLP policies, you have to be a super administrator.
New DLP: To set up DLP policies, there are specific administrative privileges for DLP rules and detectors. Managing DLP policies doesn't require permission to manage all Drive settings.

Legacy DLP: Match count is available only for predefined detectors.
New DLP: Match count is available in all conditions that use:
  • Regular expressions
  • Word lists
  • Predefined detectors

Legacy DLP: Two detection thresholds:
  • High
  • Medium
New DLP: Detection thresholds with more granularity:
  • Very low confidence
  • Low confidence
  • Possible
  • Likely
  • Very likely

Legacy DLP: Reports are limited to audit logs and Drive-related reports.
New DLP: Reports include DLP Incident Management dashboards, available under Security > Dashboards.

Reports now include the shared recipients of the document.

New DLP features

The following table describes the new DLP features:

DLP feature: Author DLP rules with scope, conditions, and actions

Scope

  • Author policies based on organizational units or groups
  • Organizational unit and group inclusion and exclusion: define policy based on organizational units in the environment. See also New DLP for Drive FAQ.

Conditions

Actions

  • Set alert and notification rules
  • Block externally shared links
  • Warn end users
  • Audit Drive file content violations

DLP feature: Incident management

  • Sends an alert summary to DLP administrators to enable quick detection of DLP incidents and validation of false positives. Go to View alert details for details.
  • You receive a DLP alert in the alert center when a DLP rule is triggered. From the Admin console Home page, go to Menu > Security > Alert center. Go to View alert details for details.
  • Reporting and investigation dashboard for policy violations (DLP incidents and Top Policy Incidents). Go to About the security dashboard for details.

DLP feature: Rule investigation

  • For rule investigation, use the security investigation tool. Go to About the security investigation tool for details.
  • You must have the privilege Security Center > Investigation Tool > Rule > View Metadata and Attributes to access the investigation tool.
  • Use the investigation tool to identify, triage, and take action on security and privacy issues in your domain.

DLP feature: Admin privileges

  • View DLP Rules: allows delegated administrators to view DLP rules.
  • Manage DLP Rules: allows delegated administrators to create, edit, and investigate DLP rules.

Note that you must enable both View and Manage permissions to have complete access for creating and editing rules.

For the investigation tool only: Security Center > Investigation Tool > Rule > View Metadata and Attributes.

Applications and file types scanned by new DLP

Scanned applications

G Suite applications scanned include:

  • Sheets
  • Docs
  • Slides

Comments in Docs, Sheets, Slides, and Drawings, and comment email notifications, are not supported by DLP and are not scanned.

Forms and Sites are not supported by DLP at this time. Note also that when DLP is implemented, it prevents file uploads through Forms.

Scanned file types

File types scanned for content include:

  • Document file types: .doc, .docx, .html, .odp, .ods, .odt, .pdf, .ppt, .rtf, .wdp, .xls, .xlsx, .xml
  • Image file types: .eps, .fif, .img_for_ocr, .ps
  • Compressed file types: .7z, .bzip, .gzip, .rar, .tar, .zip
  • Custom file types: .hwp, .kml, .kmz, .sdc, .sdd, .sdw, .sxc, .sxi, .sxw, .ttf, .wml, .xps

Video and audio file types are not scanned.

Administrator requirements

To create and set DLP rules and content detectors, you must be a super administrator or a delegated admin with these privileges:

  • Organizational unit administrator privileges. 
  • Groups administrator privileges.
  • View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage privileges to have complete access for creating and editing rules. We recommend that you create a custom role that has both privileges.
  • View Metadata and Attributes privilege (required only for use of the investigation tool): Security Center > Investigation Tool > Rule > View Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

What’s next: create rules and content detectors

Create new DLP for Drive rules and custom content detectors
