Beta: Use automated classification with DLP for Drive

Use Drive labels as rule conditions and in rule actions

Supported editions for this feature: Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus.

DLP for Drive is also available to Cloud Identity Premium users who are also licensed for Workspace editions that include Drive audit log.

Automated classification refers to an administrator's ability to apply document classification based on DLP rules. This capability currently applies to all files in Google Drive and uses Drive labels and their fields to classify files. DLP can help you perform an easy and visible classification of your documents, with DLP enforcing your data policy through rules that prevent data sharing.

You can create a DLP rule action that applies metadata (a Drive label) to files in Drive. Also, you can use Drive labels as rule conditions to define specialized rules that apply only to documents that carry a given label or field value. For example, you can use these features to classify your documents according to your company's data security policy.

The examples shown in this article assume metadata has already been created. The labels of the metadata you encounter in your implementation will vary. The names shown in these examples are probably similar to names you will encounter, but are not actual data native to the DLP application.

Drive prerequisites for use with DLP conditions or actions

Before you can use Drive metadata with DLP rules, you must:

  • Have an understanding of the purpose and functionality of Drive metadata. Go to Manage Drive metadata (beta) for details.
  • Create labels, or know of labels that have been created and that you want to use. Go to Add metadata to files in Google Drive for details on creating labels. These are the Drive labels that you or others will apply when creating DLP rules that use Drive metadata.

Drive metadata interoperability in DLP rules (for conditions and actions)

When you use Drive metadata in DLP rules, you:

  • Cannot create a metadata action on a rule that has a metadata condition.
  • Can use a new rule that has a metadata condition based on the metadata you added as an action in a different rule.

If you try to create a rule that combines a metadata condition with a metadata action (the first case above), you will see this error: "This rule couldn't be created. Please refresh the page and try again." In this case, edit the rule to remove either the action or the condition that uses metadata, and try again to create the rule.

DLP for Drive metadata rule condition example

Use Drive metadata in rule conditions.

Example: DLP rule condition with a Drive label with one value

In this example, the Drive label is called Contract, it has a field Cost Center, and the single Cost Center value is Finance. When DLP scans Drive and finds the Drive label Contract > Cost Center > Finance, it matches the files that carry that Drive label with the field value Finance.

To configure this use case:

  1. In the rule configuration flow, you have come to the Conditions section. Click Add Condition.
  2. Specify these values for the condition fields:

    Field—Drive label
    Value—Is
    Drive label—Contract
    Label Field—Cost Center
    Field option match type—Match any
    Field option—Finance

  3. Click Continue to continue configuring your rule.

DLP for Drive metadata rule action examples

Use Drive label metadata as an automatically applied DLP action: when the DLP rule is triggered, DLP applies the label to the Drive files that meet the rule criteria.

How is conflict resolved when Drive metadata is applied as a DLP rule action?

When you use Drive metadata as an action, the result in Drive depends on whether the field is single-valued or multi-valued. For multi-valued fields, the Overwrite field option(s) on the file checkbox controls whether existing values are overwritten.

For rule conflict in the case of a single value: The label value in Drive is established the first time a rule runs. This value remains stable as long as:

  • The Drive file does not change
  • DLP rules that use conditions or actions based on Drive metadata have not changed
  • No new DLP rule has been added that uses conditions or actions based on Drive metadata

For rule conflict in the case of multiple values: In general, all label values are merged across triggered rules and with any label values already in Drive. However, if you check the Overwrite field option(s) on the file box in at least one triggered rule, the existing values are removed and replaced with the merged values from the triggered rules. The table below shows how this works.

Original values in the Drive file             | Values in DLP actions for metadata            | Overwrite field option(s) on the file box checked? | Result in the file on Drive
Data Classification > Jurisdiction: SOX, GDPR | Data Classification > Jurisdiction: SOX, CCPA | No                                                 | Data Classification > Jurisdiction: SOX, GDPR, CCPA
Data Classification > Jurisdiction: SOX, GDPR | Data Classification > Jurisdiction: SOX, CCPA | Yes                                                | Data Classification > Jurisdiction: SOX, CCPA

Example 1: DLP Drive label rule action with one value

In this example, the Drive label is called Purchase order, it has a field Department, and the value is Marketing-104. When the rule is triggered, the action runs and all matching files are labeled with Purchase order > Department > Marketing-104.

To configure this use case:

  1. In the rule configuration flow, you have come to the Actions section. Click Apply Drive labels.
  2. Specify these values for the action fields:

    Drive label—Purchase order
    Label Field—Department
    Field option—Marketing-104

  3. Click Add Drive label.

Example 2: DLP Drive label rule action with multiple values

In this example, the Drive label is called Contract, it has a field Point person, and you can select multiple individuals to act as contacts. When the rule is triggered, the action runs and all matching files are labeled with Contract > Point person > multiple_individuals, with the selected individuals added.

To configure this use case:

  1. In the rule configuration flow, you have come to the Actions section. Click Apply Drive labels.
  2. Specify these values for the action fields:

    Drive label—Contract
    Label Field—Point person
    Field option—multiple values based on who the contacts are

  3. Ensure the Overwrite field option(s) on the file box is unchecked to retain the Point persons that are already set in a Drive file.
  4. Click Add Drive label.

Example 3: DLP Drive label rule action with field options overwritten

In this example, the Drive label is called Data Classification, it has a field Jurisdiction, and the values are SOX, GDPR, and CCPA. When the rule is triggered, the action runs and all matching files are labeled with Data Classification > Jurisdiction > field_value. Any values that existed before are overwritten by these new values.

To configure this use case:

  1. In the rule configuration flow, you have come to the Actions section. Click Apply Drive labels.
  2. Specify these values for the action fields:

    Drive label—Data Classification
    Label Field—Jurisdiction
    Field options—SOX, GDPR, CCPA

  3. Click Overwrite field options on the file. See the table above for the behavior associated with this checkbox.
  4. Click Add Drive label.

FAQ: Rule conflict resolution when using labels as actions

I created a rule that incorrectly applies a label and a field value to all of my Drive documents. How can I undo this?

If you implement an overly pervasive rule that unintentionally applies Drive metadata broadly, the metadata in Drive can be changed by mistake, and the entire schema might have to be recreated in Drive. This could be a costly error, so use caution when implementing automatic change through DLP rules.

In this case, modify every rule to remove references to the label, and delete the label definition. Deleting the label definition will remove the label from all Drive files. Make a note of the rule or rules you modified.

  1. For every rule that references the label in a condition:
    1. Note the rule, as you will need to revisit it in later steps.
    2. Disable the rule.
    3. Remove the reference to the label to be deleted from the rule condition.
  2. For every rule that applies the label as an action:
    1. Note the rule, as you will need to revisit it in later steps.
    2. Deactivate the rule.
    3. Change the action so it no longer applies the label to be deleted.
  3. Delete the label in the Label Manager on Drive.
  4. Recreate and publish the label in the Label Manager on Drive.
  5. For every rule that you modified in step 1:
    1. Recreate the rule condition by referencing the new label created in step 4.
    2. Re-enable the rule.
  6. For every rule that you modified in step 2:
    1. Recreate the rule action by referencing the new label created in step 4.
    2. Re-enable the rule.

How is conflict resolved for two rules with the same label and different field values? What is the expected behavior?

In this case, there are two or more rules applying the Data Classification label with different field values for the Sensitivity Level field, for example Top Secret versus Confidential.

Note: The Sensitivity Level Field in this example is a single-selection Field.

For Beta, DLP ensures the conflict resolution will be consistent and stable. In other words, the result will not change if nothing else changes, such as rules or document content.

What happens when I use the Overwrite field options on the file checkbox?

For example, suppose you created two or more rules applying the label Data Classification with different field values for the Jurisdiction field (for example, SOX and CCPA in one rule versus CCPA and GDPR in another).

Also, suppose one of the Drive documents that will be affected currently has GDPR and EuroSOX as values for its Jurisdiction field.

In this case:

  1. If at least one of the triggered rules has Overwrite field option(s) on the file checked for the Jurisdiction field:
    1. All Jurisdiction field values for triggered rules will be merged (for example, SOX, CCPA, and GDPR).
    2. The example Drive document's Jurisdiction field will have its field values changed from GDPR and EuroSOX to SOX, CCPA, and GDPR.
    3. The EuroSOX value will be removed due to the overwrite directive set in one of the triggered rules.
  2. Otherwise, if none of the triggered rules has Overwrite field option(s) on the file checked for the Jurisdiction field:
    1. All Jurisdiction field values for triggered rules will be merged (for example, SOX, CCPA, and GDPR).
    2. The example Drive document's Jurisdiction field will have its field values changed from GDPR and EuroSOX to SOX, CCPA, GDPR, and EuroSOX.
    3. All the field values for the Jurisdiction field are merged across triggered rules and with the existing Drive document’s Jurisdiction field value.
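
The following model, added here as an illustration and not Google's own code, reproduces the merge behaviour described in the table above and in this FAQ: multi-valued fields merge across triggered rules and with the file's existing values unless any triggered rule has the overwrite box checked, and single-selection fields keep the value DLP first established. The LabelAction class and function names are assumptions for the example; the tie-break between rules on the first scan of a single-selection field is not documented and is modelled as "first rule wins".

```python
from dataclasses import dataclass


@dataclass
class LabelAction:
    """One DLP rule action that applies values to Label > Field on a file."""
    label: str
    field_name: str
    values: list
    overwrite: bool = False  # "Overwrite field option(s) on the file" checked


def merge_multi_valued(existing, actions):
    """Multi-valued field, e.g. Data Classification > Jurisdiction.

    Values from all triggered rules are merged with the values already on the
    file; if at least one triggered rule has overwrite checked, the existing
    values are dropped first. Order: existing values, then rule values in order.
    """
    overwrite = any(a.overwrite for a in actions)
    merged = [] if overwrite else list(existing)
    for action in actions:
        for value in action.values:
            if value not in merged:
                merged.append(value)
    return merged


def resolve_single_valued(established, actions):
    """Single-selection field, e.g. Data Classification > Sensitivity Level.

    established: the value DLP fixed on an earlier scan, or None on the first
    scan. Once established it stays stable while rules and file are unchanged,
    so a manual edit in Drive is reverted on the next scan. Which rule wins on
    the first scan is not documented; this model takes the first one (assumption).
    """
    if established is not None:
        return established
    for action in actions:
        if action.values:
            return action.values[0]
    return None


if __name__ == "__main__":
    # Constructed sample: the FAQ case, where the file already holds GDPR and EuroSOX.
    rules = [LabelAction("Data Classification", "Jurisdiction", ["SOX", "CCPA"], True),
             LabelAction("Data Classification", "Jurisdiction", ["CCPA", "GDPR"])]
    print(merge_multi_valued(["GDPR", "EuroSOX"], rules))  # ['SOX', 'CCPA', 'GDPR']
```
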

What happens when a Drive document's author changes a field value manually after a triggered rule has applied a different field value?

There are possible conflicts between labels that users add in Drive and labels that DLP applies as rule actions. For example, a user might remove a label in Drive that a DLP rule later reapplies.

Or, as a result of a triggered DLP rule, a Drive document has Top Secret as its Sensitivity Level field value. Later, in Drive, the document author changes this field value to Confidential. What happens next?

In this case, on the next DLP evaluation scan, if nothing else has changed (for example, the triggered rule is unchanged), the Sensitivity Level field value changes back to Top Secret.

DLP scans are taking longer than I expect. What's going on?

Using DLP to apply labels automatically gives you the power to make many changes to many documents at once on Drive. This can result in many more files being affected than you expect. Rules that update a large number of files take longer to process than rules that affect only a small number of files. Test a rule that applies a label on a small sample before applying it broadly.
