Google Workspace DLP Implementation Guide

Two team members discussing work on a laptop

What is Data Loss Prevention (DLP)?

Put simply, Data Loss Prevention (DLP) is a security feature that detects and prevents the leak of sensitive data. DLP policies are a key component of any enterprise’s Google Workspace environment.

Through proper implementation and monitoring, teams can safeguard their critical data, protecting their company, users, and partners. Read on to learn how to get started.


Who has access to DLP policies for Google Workspace?

Admins of Google environments using either Google Workspace Enterprise Standard or Google Workspace Enterprise Plus may set up and access Google Workspace DLP features. DLP is not available for Business or legacy G Suite editions. For more information about feature differences, see our Google Workspace edition comparison.


Best practices for setup

The first steps in creating your implementation plan are as follows:

  1. Identify a dataset of objects or rules to follow. Which type of data needs to be investigated? Which type of files or emails needs to be scanned?
  2. Work with your internal security team members to establish a measure of incident severity.
  3. Identify organizational units, groups, or users to implement the DLP rules. *Depending on their role, you might want/need to create different types of rules or audit and update the existing Drive sharing permissions.
  4. Review the existing DLP template and customize it as needed.


Implementation phases

Next, create a plan to gradually implement DLP. It is highly recommended to test the rules with a small group of users prior to moving to full production. You can try the following:

  1. Enact a test phase using the IT team or security team only.
  2. Move on to early adopters (5-10% of the total users). Choose a group of users that can provide feedback about the rules or workflows.
  3. Full implementation can be executed once you have a remediation and action plan established based on the feedback from the previous phases.


Best practices for actioning/remediation

Depending on the configuration, there might not be a need to action an alert. However, we recommended setting and filtering the incidents based on severity. Your team can create a remediation plan depending on the severity of the incident.

For example, for high severity incidents, you might have to immediately remove access from the affected files. For organizations using Google Workspace Enterprise Plus, this can be done using the Investigation Tool. However, for low-severity incidents, your team can follow additional investigation steps prior to removing access to the files. It is important to determine the severity according to your organization’s pre-established policies.

Below are the steps you should follow for incidents of different severity levels.


Low-severity incident:

  1. Audit the affected file/email to identify the usage of sensitive content. Classify it as a true or false incident.
  2. Instruct the user not to share sensitive content outside of the domain over email or files, or ask their manager to share this information with the user. The best way to communicate this feedback should be determined by the security team so it aligns with internal company policy. For example, you might send the following email to the user: Hello [name],The security team received an alert letting us know that you attempted to send [sensitive document type] to someone outside of [company name]. Our security policy prohibits this type of information from being sent to those outside of our company. In the future, please do not send this type of information to non-[company name] employees. If you have any questions, please email Best regards, [Company name] Security Team
  3. Alert administrators or other leaders about policy violations or DLP incidents as needed. If possible, keep track of the incidents in a separate report (Google Sheets) to identify recurrent violations.
  4. Remove access to the sensitive data as needed using the Investigation Tool (Workspace Enterprise Plus only).
  5. Audit the user’s Drive permissions, and if needed, move them to a restricted sub-organization where external sharing is not allowed.


High-severity incident:

  1. Immediately remove access to the file using the Investigation Tool (Workspace Enterprise Plus only).
  2. Alert administrators or other leaders about policy violations or DLP incidents as needed. If possible, keep track of the incidents in a separate report (Google Sheets) to identify recurrent violations.
  3. Audit the affected file/email to identify the usage of sensitive content. Classify it as a true or false incident.
  4. Communicate the incident to the security team so they can follow up accordingly.


Track attempts to share sensitive data using the Audit Log

Use DLP audit logs to review events triggered by DLP rule violations. Entries appear within an hour of the user action, allowing Admins to quickly investigate a violation and take action.

In the audit log, Admins can see information about why the rule was triggered, including:

  • Event description
  • User
  • Rule name
  • Resource
  • Resource owner
  • Recipients
  • What trigger action was taken

When a DLP rule is first created for Google Drive, all existing and future Drive content will be scanned by the rule and any matching content will appear in the audit log. To customize what data is shown in your audit log, use the date range filter. You can view data from a specific day, week, or month.

The Rules audit log serves as a central place for admins to investigate Data Loss Prevention alerts within their organization. It can be accessed by navigating to the Admin console and clicking Reporting > Audit and investigation > Rule log events.


Utilizing native investigation tools

The DLP dashboard is fully integrated with the Security Investigation Tool. The latter tool helps DLP response teams dig deeper into violations when needed without the need to ask end users to share access to the affected files.

For companies on the Google Workspace Enterprise Plus edition, we highly recommend making use of both of these integrated tools together.


How to export Google DLP alerts to other tools

At this time, there is no native tool allowing Google Admins to export DLP alert data to other tools. However, a connector to a third-party service can be developed using the Alert center API. That service can then export DLP alerts for your team. You can read more about the API here.

Optional: After an investigation has been started, its results can be exported using the Investigation tool.


In conclusion…

We hope this guide was helpful! While each organization has unique security requirements, these are best practices we have identified based on our customers’ experiences implementing Google DLP rules.

The bottom line is this: Make sure you have a defined implementation plan that is in line with company policy, and involve all key stakeholders whenever possible.

Google cloud plus Hiview logo

Need assistance?

Seeking the help of a Google Cloud Premier Partner? We provide Google Workspace licenses, data migration, support, training, and much more. Contact us to find out if HiView is a good fit for your team.


Additional resources: