Misdirected Email Prevention and Email Data Protection Blog | Preava

Data Loss Prevention (DLP) for Gmail

Written by Preava | Apr 15, 2021 10:00:00 AM

Data loss prevention (DLP) for Gmail provides a range of functions to protect enterprise emails from data loss and data leakage. DLP settings allow admins to define types of content as a trigger (something which requires examination), and to specify actions for when these events occur.

In this post, we’ll look at how data loss prevention for Gmail can monitor email communications, detect threats, and prevent accidental or malicious data loss and leakage.

How it works: data loss prevention (DLP) for Gmail

Google’s data loss prevention (DLP) for Gmail gives network admins more control over how data is received and sent across enterprise networks. Google DLP allows you to define specific content (triggers) that warrants additional action, detect threats to sensitive information, and prevent accidental or malicious sharing or destruction of data by unauthorized parties.

In Google Workspace Enterprise (formerly G Suite), admins define the triggers (specific words, numerical patterns, metadata, etc.), and Google DLP automates the scanning, detection, and actions. When a trigger is detected, Google DLP takes the action predefined by the network admin, such as placing an inbound email into quarantine or denying a user’s attempt to communicate outside of the network.

How Google DLP works and which rules it follows is determined by the administrator. Let’s look now at how it works, what messages it scans, and what happens when DLP for Gmail detects potential threats.

What messages does Google DLP scan?

What messages DLP for Gmail scans depends on the company policy and its desired level of prevention. The Google Workspace administrator sets this, choosing a DLP policy that covers one or several types of communication:

Inbound emails from outside the list of domains tied to the enterprise;

Outbound emails to outside the enterprise’s network;

Internal emails received from within the enterprise’s domain; and

Internal emails sent within the enterprise’s network.

What content is detected?

With DLP for Gmail, the Workspace admin sets what content the trigger system should detect. Three types of content can serve as triggers: exact expressions, context, or message metadata. These include the following.

Specific expression triggers: any words, specific phrases, or combinations of words;

Pre-set content match triggers: item size, source IP, message authentication, and whether the message was sent over TLS encryption; and

Metadata attribute triggers: country-specific and international detector patterns, including credit card numbers (CCN), passport numbers, Social Security numbers, and more.

For each trigger, the system first analyzes the content of the data (for example, scanning for the 9 digits of a Social Security number). Then it analyzes the context (looking for nearby words such as SSN, social, social security, etc.). To add content detectors which are not currently supported, admins have to contact support and request the detector’s inclusion.

What happens when Google DLP flags content?

When DLP for Gmail detects sensitive information, it executes one of the following actions.

Modify message: this might be bypassing filters, deleting attachments, including additional recipients, or requiring secure (encrypted) transport;

Reject sending or receipt; and

Quarantine: send the message to admins, who review it and then allow or deny the communication containing sensitive data.

How does Google DLP work with Google Drive?

Google DLP works with Drive in a very similar fashion to DLP for Gmail, except that it also covers the sharing of files. Network admins define the security policy and automatic responses, and DLP then actively monitors files shared outside of the Google Workspace domain.

As with DLP for Gmail, in Drive it looks to identify specific expressions and content matches. When detection occurs, it triggers automatic responses such as sending an email to admins; contacting the user who created, edited, or uploaded the file containing sensitive data; or preventing the sharing of any files with sensitive content.

Setting up Google DLP for Gmail and Drive

There are three steps to putting Google DLP for Gmail and Drive into operation:

1. The admin defines a rule. A rule sets the range of messages and files to monitor, the content or metadata to scan for together with the DLP sensitivity, and the automatic actions to take when a trigger fires.

2. Google DLP analyzes all messages and items in the predefined range, searching for any incidents which correspond to its ruleset.

3. DLP then takes action, following any automatic responses the admins set for messages and files.
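The following Python example is added here to make two parts of this post concrete: the two-stage detector check described earlier (a content pattern, then context words near the match) and the three-step rule, scan, act sequence just listed. It is not Google’s or Preava’s code. The rule values, the example.com domain, the sample messages and the way scope and confidence are modelled are all assumptions made for illustration; the checks that discard nine-digit numbers the Social Security Administration never issues (area 000, 666 or 900 and above, group 00, serial 0000) are public issuance rules that the post itself does not mention.

```python
import re
from dataclasses import dataclass
from enum import Enum

class Scope(Enum):
    INBOUND = "inbound"    # sender outside the domain
    OUTBOUND = "outbound"  # internal sender, at least one external recipient
    INTERNAL = "internal"  # internal sender, internal recipients only

@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str

@dataclass
class Finding:
    detector: str
    matched: str
    confidence: str  # "high" when context words sit near the match, else "low"

@dataclass
class Rule:
    name: str
    scopes: set          # which message flows the rule covers (step 1)
    min_confidence: str  # "low" fires on the pattern alone; "high" needs context too
    action: str          # "quarantine", "reject" or "modify"

# Content analysis: nine digits in 3-2-4 groups, optionally separated by '-' or ' ',
# and not embedded in a longer digit run (rules out most phone and account numbers).
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# Context analysis: the words the post lists; "social" alone is deliberately broad.
SSN_CONTEXT = re.compile(r"\b(ssn|social security|social)\b", re.IGNORECASE)

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop digit groups the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")

def detect_ssn(text: str, window: int = 40) -> list:
    """Content check first, then a context check on a window around each hit."""
    findings = []
    for m in SSN_PATTERN.finditer(text):
        if not plausible_ssn(*m.groups()):
            continue
        context = text[max(0, m.start() - window): m.end() + window]
        confidence = "high" if SSN_CONTEXT.search(context) else "low"
        findings.append(Finding("us_ssn", m.group(0), confidence))
    return findings

def classify_scope(msg: Message, domain: str) -> Scope:
    """Decide which flow a message belongs to from sender and recipient domains."""
    suffix = "@" + domain.lower()
    internal_sender = msg.sender.lower().endswith(suffix)
    external_recipient = any(not r.lower().endswith(suffix) for r in msg.recipients)
    if not internal_sender:
        return Scope.INBOUND
    return Scope.OUTBOUND if external_recipient else Scope.INTERNAL

def evaluate(msg: Message, rule: Rule, domain: str):
    """Steps 2 and 3: scan a message in scope; return (action, findings) or None."""
    if classify_scope(msg, domain) not in rule.scopes:
        return None
    findings = detect_ssn(msg.subject + "\n" + msg.body)
    if rule.min_confidence == "high":
        findings = [f for f in findings if f.confidence == "high"]
    return (rule.action, findings) if findings else None

# Step 1: a hypothetical admin-defined rule for an assumed example.com tenant.
DOMAIN = "example.com"
RULE = Rule("ssn-outbound", {Scope.OUTBOUND}, "high", "quarantine")

# Constructed sample traffic for the demonstration, not real messages.
SAMPLES = [
    Message("hr@example.com", ["broker@partner.test"], "New hire",
            "Employee SSN: 123-45-6789, please set up payroll."),
    Message("sales@example.com", ["buyer@customer.test"], "Shipped",
            "Order 123456789 left the warehouse this morning."),
    Message("hr@example.com", ["payroll@example.com"], "New hire",
            "Employee SSN: 123-45-6789."),
    Message("hr@example.com", ["broker@partner.test"], "Test record",
            "Social security number 000-12-3456 is a placeholder."),
]

def run_samples() -> list:
    """Evaluate every sample against RULE; each entry is the action name or None."""
    results = []
    for msg in SAMPLES:
        outcome = evaluate(msg, RULE, DOMAIN)
        results.append(None if outcome is None else outcome[0])
    return results
```

Only the first sample is quarantined: the order number in the second is a plausible nine-digit pattern but has no context words, so the rule’s "high" confidence threshold drops it; the third carries a real-looking SSN but stays internal, outside the rule’s scope; the fourth fails the issuance check before context is even consulted. Note that the context word "social" on its own will also raise confidence for unrelated text such as "social media", so in a real deployment the context list, the window size and the confidence threshold are what you tune to balance missed leaks against false positives.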

Take data loss prevention a step further with Preava Prevent for Gmail

Preava Prevent is an extension for the Gmail web interface that helps companies prevent sending emails to unintended or unauthorized recipients in the first place. Employee mistakes are one of the most common sources of data loss and leakage. Preava Prevent helps users of any technical proficiency ensure sensitive data never falls into the wrong hands.

Simply contact us today to prevent accidentally sending emails to the wrong people.