Protect and promote your Google Drive files (Get best practices for organizations, sysadmins, and users)

The Drive and Docs Settings

Screenshot: Drive and Docs settings

We’ll start off with the Google Drive App, as it’s somewhat easier and faster to configure.

Click on:

Apps > Google Workspace > Drive and Docs

From here you’ll be presented with the following screen. However, we’ll be focusing exclusively on the “Sharing settings” section. Use the checklist and the screenshots in the upcoming section as guidance.  

Checklist for “Sharing settings”

(Disclaimer: This checklist must be adjusted to each organisation and its industry. Use it as guidance, but feel free to contact us if help is needed.)

Screenshot: checklist for “Sharing settings”

Extra security measures (Optional)

Although we won’t be covering these extra measures, they are worth mentioning. Feel free to contact us if help is needed.

Screenshot: extra security measures

Screenshots

Please note that these settings can be adjusted per OU, group, or user. However, for simplicity, we’ll apply the following settings across the whole domain.

Sharing options

Shared drive creation

Screenshot: shared drive creation settings

Link sharing

Screenshot: link sharing settings

The Security Settings

Still afraid that your users will leak any customer files, HR reports, business plans or any other sensitive data?

Data Loss Prevention (DLP) is a solution that catches emails and documents with sensitive data and prevents them from being leaked. In Google Workspace it’s called “Drive DLP” and needs to be configured via the Admin Console.


Click on:

Security > Data Protection

From here you’ll be presented with the following screen. Make sure to turn on the “Data scanning and report”.  

Screenshot: Data Protection dashboard

There are two key concepts you need to understand before getting started with Drive DLP - namely, rules and detectors.


We have written a more detailed guide about DLP in Google Workspace, which you can download here. However, here’s a quick 101 on DLP.

How the DLP engine works

Whenever a user shares a file, the file first passes through a “DLP engine” before it reaches the recipient. The engine detects whether the file contains sensitive data and reacts according to rules created by the admin, e.g. blocking files with sensitive data from being shared.

This ultimately means that the DLP engine will only be as effective as what it has been configured to detect and react upon.

Screenshot: how the DLP engine works

DLP templates

Google has built 9 ready-to-use templates, each of which takes less than a minute to configure. From the data protection dashboard, click on:

Manage Rules > Add Rule > New rule from template

Try using the “Prevent financial information sharing” template to stop credit card numbers, bank account numbers and other financial data from being leaked to external parties.

Screenshot: DLP rule templates

DLP detectors

While the templates are great, they might not always suit your needs. That’s when detectors come in.

Detectors inform your DLP engine when a document contains one or more sensitive keywords (e.g. confidential, restricted, internal use only, copyright, etc). They can also be configured to detect more advanced patterns via regular expressions (e.g. employee and customer ID numbers). From the data protection dashboard - click on:

Manage Detectors > Add Detectors

Screenshot: data protection detectors

DLP rules

Once you have created your detectors, it’s time to enforce an action through DLP rules.

You can configure rules to:

  • Disable shared files from being downloaded, printed or copied
  • Warn users on external sharing
  • Block external sharing of sensitive data
  • Alert admins about external file sharing

From the data protection dashboard - click on:

Manage Rules > Add Rule > New Rule

Screenshot: DLP rule
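To make the detector-and-rule model concrete, here is an added example (not Google’s code, and not part of the original guide) of a miniature DLP engine: a keyword detector, a regex detector for a made-up customer-ID format, and a credit-card detector with a Luhn check, combined with rules that warn or block when the recipient is outside the organisation’s domain. The detector patterns, rule table and domain are all constructed for this example.

```python
import re

# Constructed detectors. Keyword list mirrors the kind of terms the guide
# mentions; the customer-ID format "CUST-" + 6 digits is hypothetical.
KEYWORDS = ("confidential", "restricted", "internal use only")
CUSTOMER_ID_RE = re.compile(r"\bCUST-\d{6}\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")  # 16 digits, groups of 4

def luhn_ok(number):
    """Luhn checksum, so that arbitrary 16-digit runs do not trigger the rule."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def run_detectors(text):
    """Return the set of detector names that fire on the document text."""
    hits = set()
    lowered = text.lower()
    if any(k in lowered for k in KEYWORDS):
        hits.add("keyword")
    if CUSTOMER_ID_RE.search(text):
        hits.add("customer_id")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        hits.add("financial")
    return hits

# Rules: detector that must fire -> action taken on an external share.
# The strictest matching action wins.
SEVERITY = {"allow": 0, "audit": 1, "warn": 2, "block": 3}
RULES = [("keyword", "warn"), ("customer_id", "block"), ("financial", "block")]

def evaluate_share(text, recipient, org_domain):
    """Decide what the engine does with a share request.
    Returns (action, fired_detectors); internal shares are always allowed."""
    if recipient.lower().endswith("@" + org_domain.lower()):
        return "allow", set()
    fired = run_detectors(text)
    action = "allow"
    for detector, rule_action in RULES:
        if detector in fired and SEVERITY[rule_action] > SEVERITY[action]:
            action = rule_action
    return action, fired
```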

Checklist for DLP

Screenshot: checklist for DLP

We have written a more detailed guide about Drive DLP in Google Workspace. It covers everything related to configuring your DLP engine from scratch (with screenshots) and teaches you the basics of regular expressions. Download it here.

Extra Data Security Measures

Did you know that sysadmins can use GAM scripts and the Tricent Compliance Tool to remove the file permissions of external collaborators?

Both methods help organisations audit, protect and revoke access to any file that has been shared externally from Google Drive. Note, however, that files distributed as email attachments, public links, or via a non-Google Drive environment cannot be remediated this way in the case of a potential data leak.

Google Apps Manager (GAM) is a command-line tool that essentially carries out a series of operations in the Google Admin Console (see screenshot). It’s primarily used for automation and bulk operations, but it can also be used to audit your Google Workspace environment - for example:

  • View how many Google Drive files your organization has
  • Check how many of them are shared externally
  • Revoke some or all company files shared with 3rd-parties

… and much more
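As an added example of the audit logic described above (not GAM’s own code or output, and not part of the original guide), the following function walks a list of file records shaped like Drive API permission entries (type, role, emailAddress, domain), counts how many files are shared outside the organisation, and produces the list of (file id, permission id) pairs an admin would revoke. The sample files, the organisation domain and the allowlisted partner domain are constructed for this example.

```python
# Constructed sample modelled on Drive API v3 permission entries.
ORG_DOMAIN = "example.com"  # hypothetical organisation domain

SAMPLE_FILES = [
    {"id": "f1", "name": "Board minutes", "permissions": [
        {"id": "p1", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"id": "p2", "type": "user", "role": "writer", "emailAddress": "bob@example.com"}]},
    {"id": "f2", "name": "Vendor contract", "permissions": [
        {"id": "p3", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"id": "p4", "type": "user", "role": "reader", "emailAddress": "legal@vendor.net"}]},
    {"id": "f3", "name": "Price list", "permissions": [
        {"id": "p5", "type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"id": "p6", "type": "anyone", "role": "reader"}]},  # "anyone with the link"
    {"id": "f4", "name": "Partner brief", "permissions": [
        {"id": "p7", "type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"id": "p8", "type": "domain", "role": "reader", "domain": "partner.org"}]},
]

def is_external(perm, org_domain, allowed_domains=frozenset()):
    """True if a permission grants access outside the organisation.
    allowed_domains lets approved partner domains be treated as trusted."""
    trusted = {org_domain.lower()} | {d.lower() for d in allowed_domains}
    kind = perm.get("type")
    if kind == "anyone":  # link sharing to anyone is always external
        return True
    if kind == "domain":
        return perm.get("domain", "").lower() not in trusted
    if kind in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        return email.rpartition("@")[2] not in trusted  # missing email => external
    return False

def audit(files, org_domain, allowed_domains=frozenset()):
    """Summarise sharing and list (file id, permission id) pairs to revoke.
    Owner permissions are never revoked."""
    to_revoke = []
    for f in files:
        for p in f["permissions"]:
            if p.get("role") != "owner" and is_external(p, org_domain, allowed_domains):
                to_revoke.append((f["id"], p["id"]))
    external_files = {fid for fid, _ in to_revoke}
    return {"total": len(files), "external": len(external_files), "revoke": to_revoke}
```

In a real deployment the file records would come from GAM’s file listing or the Drive API, and the revoke list would drive the permission removal step.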


We have written a more detailed guide about GAM, which you can download here.

Screenshot of Google Apps Manager

GAM gives the sysadmin the power to monitor and control all file sharing activities taking place inside and outside the organisation. While GAM is great for the sysadmin, it doesn’t help non-technical users understand and protect their own file sharing.

The Tricent Compliance Tool is a web app that makes it simpler for everyone in the organisation to audit and clean up their shared files. It lets users collaborate externally, lets sysadmins control file sharing activities, and helps organisations comply with data protection policies.
