Drive DLP
Using data loss prevention (DLP), you can create and apply rules to control the content that users can share in files outside the organization. DLP gives you control over what users can share and prevents unintended exposure of sensitive information such as credit card numbers or identity numbers.
Using the data loss prevention (DLP) for Drive, you can create complex rules that combine triggers and conditions. You can also specify an action that sends a message to the user that their content has been blocked.
Create a Drive DLP rule
- From the admin console navigate to Security > Access and data control > Data protection.
- Click on Manage Rules
- Then click Add rule>New rule OR click Add rule>New rule from template.
For templates, select a template from the Templates page.
- In the Scope section, choose All in <domain.name> or choose to apply this rule only to users in selected organizational units or groups.
If there's a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.
- Click Continue.
- In the Apps section, choose the trigger for Google Drive, File created, modified, uploaded or shared.
- Click Continue.
- In the Conditions section, click Add Condition.
- Choose the Content type to scan:
- All content: All of the document, including the document title, body, and any suggested edits
- Body: Body of the document
- Drive label: Any labels that are applied to the document.
- Suggested edits: Content added to the document while in Suggestions mode
- Title: Document title
- Choose What to scan for, then fill out the needed attributes for that type of scan, listed in the table below.
Note: What to scan for options vary according to the Content type to scan you chose in the previous step. For example, if you choose 'Title' as the content type to scan, the What to scan for options will include Ends with and Starts with.
What to scan for |
Attributes |
Matches predefined data type |
Data type—Select a predefined data type. Get more information on predefined data types here. Likelihood Threshold—Select a likelihood threshold. Available thresholds are:
These thresholds reflect the DLP system’s confidence in the match result. In general, the Very high threshold will match fewer content and will be more precise. The Very low threshold is a wider net expected to match more files but will have lower precision. Minimum unique matches—The minimum number of times a matched result must uniquely occur in a document to trigger the action. Minimum match count—The minimum number of times any matched results must appear in a document to trigger the action. How do Minimum match count and Minimum unique matches work? For example, think of two lists of Social Security Numbers: the first list has 50 copies of the exact same number, and the second list has 50 unique numbers. In this case, if the Minimum match count value equals 10, results will trigger on both lists since there are at least 10 matches in both. Or, if the Minimum unique matches value equals 10, and the Minimum match count value equals 1, results will trigger only on the second list, since there are 10 matches and they're all matching unique values. |
Contains text string |
Enter contents to match—Enter a substring, number, or other characters to search on. Specify if the content is case sensitive. In the case of the substring, the rule can contain the word key, and if the document contains the word key, there is a match. |
Contains word |
Enter contents to match—Enter the word, number, or other characters to search on. Specify if the content is case sensitive. |
Matches regular expression |
Regular expression name—a regular expression custom detector.Minimum times the pattern detected—The minimum number of times the pattern expressed by the regular expression appears in a document to trigger the action. |
Matches words from word list |
Word list name—Select a custom word list. Match mode—Select either Match any word or Match minimum number of unique words. Minimum unique words detected—The least number of unique words that must be detected to trigger the action. Minimum total times any word detected—The least number of times a word can be detected to trigger the action (for Match minimum number of unique words option only). |
Ends with |
Enter contents to match—Enter the word, number, or other characters to search on. Specify if the content is case sensitive. |
Starts with |
Enter contents to match—Enter the word, number, or other characters to search on. Specify if the content is case sensitive. |
Is (Drive label content type only) |
Drive label—Choose an available Drive label from the dropdown list. Label field—Choose an available label field for the selected Drive label. Field option—Choose an available field option for the selected field. |
- You can use AND, OR, or NOT operators with conditions. Go to DLP for Drive rule nested condition operator examples for details on using AND, OR, or NOT operators with conditions.
Note: If you create a DLP rule with no condition, the rule applies the specified action to all Drive files.
In the below screenshot, we have chosen to take actions on the drive files Contains text string “Confidential” in All content and shared externally.
You can choose the options according to your scenario.
- Click Continue.
In the Actions section, you can optionally select the action to occur if sensitive data is detected in the scan:
- Block external sharing—Prevents sharing of the document.
- Warn on external sharing—Share the document, but warn of the violation.
- Disable download, print, and copy for commenters and viewers—Prevents downloading, printing, and copying unless the user has editor privilege or greater.
- Apply Drive labels—Applies an existing Drive label to matching files.
Follow these steps to configure:
- Choose an available label from the Drive label dropdown list, then select an available Field and Field option for the label.
- (Optional) Click Add label to add additional labels.
- Choose whether to allow users to change labels and field values applied to their files.
- In the Alerting section, choose a severity level (Low, Medium, High). The severity level affects how incidents are plotted in the DLP Incident dashboard (the number of incidents with High, Medium or Low severity) over time.
- Optionally, check Send to alert center to trigger notifications.
- Click Continue and review the rule details.
- In Rule status, choose an initial status for the rule:
Active—Your rule runs immediately.
Inactive—Your rule exists but does not run immediately. This gives you time to review the rule and share it with team members before implementing it. Activate the rule later by going to Security > Data protection >Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
- Click Create.
Changes can take up to 24 hours but typically happen more quickly.
For more information please refer to Create DLP for Drive rules and custom content detectors