How Data Loss Prevention (DLP) in Gmail Works

SADA Says | Cloud Computing Blog

Given that keeping data secure isn’t the most exciting process an employee ever performs, it has to be made simple, quick and reliable if it is to be followed. Google Cloud helps admins manage information security with tools like mobile device management, encryption, sharing controls and two-factor authentication. None of these, however, protects against simple user error, such as a user hitting Reply All on a message containing company strategy, HR issues or other sensitive data. Data Loss Prevention (DLP) for Gmail adds that extra layer of protection for Google Apps Unlimited customers.

Figure: Data Loss Prevention framework for admins (Gmail Data Loss Prevention chart)

How G Suite DLP Works

“G Suite’s DLP protection goes beyond standard DLP with easy-to-configure rules and OCR recognition of content stored in images so admins can easily enforce policies and control how data is shared” (Reena Nadkarni, G Suite Project Manager). To keep specific types of information safe, admins can now easily set up a DLP policy by selecting the criteria, like “customer credit card information”, from a library of predefined content detectors. Gmail DLP will automatically check outgoing emails from specified internal departments to ensure that none of the specified sensitive data leaves the organization. It will take action based on instructions the admin has configured in advance—either quarantine the email for review, inform the sender so they can modify the content, or block the email from being sent and notify the sender. Basic DLP scans the email subject, message body, and attachments; admins can also create more sophisticated policies that detect particular keywords or phrases.

These security measures extend to attachment types as well, so documents, presentations, and spreadsheets can also be scanned for security.

G Suite DLP will also scan incoming email traffic to make sure all attachments and links are safe to open.

G Suite DLP Custom Rules

Admins can create custom rules with keywords and regular expressions to protect phrases that are not already covered by Gmail’s predefined library of commonly protected data types. After logging into your administrator account, you can create a blank template and add the triggers, conditions, and actions you want the rule to define. For example, if your company is working on a big project codenamed Tron that must be kept under wraps, admins can create custom checks for “Tron”, “confidential”, and similar terms to protect against leaks. Not only can you reject outbound messages that contain sensitive information, you can also set up a metadata match on an IP address range and quarantine messages sent from addresses outside that range. Admins can likewise route messages containing sensitive information to the legal department rather than quarantining them.

G Suite Loss Prevention Optical Character Recognition

Sensitive information doesn’t just live in text form. Because sensitive data can also reside in scanned copies and images, OCR enhancements allow Gmail to analyze common image types and extract their text for policy evaluation. OCR can scan GIF, JPG, PNG, and TIFF images, but it cannot scan images embedded in PDF or Word documents. OCR is available in 34 languages, so scanned contracts from other countries can be converted and checked as well. Admins can enable OCR in the Admin console at the organizational-unit (OU) level for both content compliance and objectionable content rules.

Figure: OCR in Gmail. Email scanning with Optical Character Recognition bolsters security in Gmail.

Increased Content Detection Control Thresholds for G Suite Loss Prevention

For admins seeking finer control over DLP policies, both to minimize false positives and to take action commensurate with the level of perceived risk, Google is introducing two new detection parameters:

  • Count parameter – The count parameter allows customers to set up different DLP policies based on whether a message contains individual or bulk PII. For example, an email containing a single credit card number might be considered a low risk event, while one that contains 100 credit cards is clearly a high risk scenario.
  • Confidence parameter – The confidence parameter lets customers tighten or loosen detection criteria for the most commonly used detectors as per their needs.
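To make the pieces described above concrete (predefined detectors, custom keyword/regex rules, the count and confidence parameters, an IP-range metadata match, and the reject/quarantine/route/notify actions), here is a small added Python model of how such a rule engine evaluates a message. It is an illustration written for this page, not Google's implementation or any part of G Suite; the policy, the mailbox `legal@example.com`, the IP range and the sample messages are all constructed, and the card detector is a deliberately simple regex plus Luhn check rather than Google's predefined detector.

```python
"""Toy model of Gmail-style DLP rule evaluation (added illustration, not Google's code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Message:
    subject: str
    body: str
    attachments: Dict[str, str] = field(default_factory=dict)  # filename -> extracted text
    source_ip: str = "0.0.0.0"  # hypothetical metadata field used by the IP-range rule

    def scannable_text(self) -> str:
        # Subject, body and attachment text are all in scope, as the post describes.
        return "\n".join([self.subject, self.body, *self.attachments.values()])


@dataclass
class Rule:
    name: str
    detector: Callable[[Message], List[str]]  # returns the individual matches
    min_count: int = 1        # "count" parameter: matches needed before the rule fires
    action: str = "reject"    # reject | quarantine | route | notify
    route_to: Optional[str] = None


@dataclass
class Verdict:
    action: str
    route_to: Optional[str]
    fired: List[str]


SEVERITY = {"deliver": 0, "notify": 1, "route": 2, "quarantine": 3, "reject": 4}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to tighten the card detector at high confidence."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def credit_card_detector(confidence: str) -> Callable[[Message], List[str]]:
    """'low' accepts any 13-16 digit run; 'high' also requires a valid Luhn checksum."""
    def detect(msg: Message) -> List[str]:
        found = []
        for m in CARD_RE.finditer(msg.scannable_text()):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 16 and (confidence == "low" or luhn_valid(digits)):
                found.append(digits)
        return found
    return detect


def keyword_detector(pattern: str) -> Callable[[Message], List[str]]:
    """Custom rule: case-insensitive keyword or regular expression."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda msg: rx.findall(msg.scannable_text())


def outside_ip_range(cidr: str) -> Callable[[Message], List[str]]:
    """Metadata match: fires when the sending IP is outside the allowed range."""
    net = ipaddress.ip_network(cidr)
    return lambda msg: [] if ipaddress.ip_address(msg.source_ip) in net else [msg.source_ip]


def evaluate(msg: Message, rules: List[Rule]) -> Verdict:
    """Run every rule; the most severe action among the rules that fire wins."""
    verdict = Verdict(action="deliver", route_to=None, fired=[])
    for rule in rules:
        hits = rule.detector(msg)
        if len(hits) >= rule.min_count:
            verdict.fired.append(f"{rule.name} ({len(hits)} match(es))")
            if SEVERITY[rule.action] > SEVERITY[verdict.action]:
                verdict.action, verdict.route_to = rule.action, rule.route_to
    return verdict


# Constructed policy mirroring the post's examples (names, mailbox and IP range are hypothetical).
POLICY = [
    Rule("single card number", credit_card_detector("high"), min_count=1, action="notify"),
    Rule("bulk card numbers", credit_card_detector("high"), min_count=5, action="reject"),
    Rule("project Tron", keyword_detector(r"\b(?:tron|confidential)\b"),
         action="route", route_to="legal@example.com"),
    Rule("sent from outside office range", outside_ip_range("203.0.113.0/24"), action="quarantine"),
]

# Constructed sample messages; the card numbers are well-known payment test numbers.
TEST_CARDS = ["4111111111111111", "4012888888881881", "378282246310005", "5555555555554444",
              "6011111111111117", "4222222222222", "5105105105105100", "3530111333300000"]
SAMPLES = {
    "one_card": Message("Receipt", "Card 4111 1111 1111 1111 was charged.", source_ip="203.0.113.10"),
    "bulk_cards": Message("Export", "See attached.", {"cards.csv": "\n".join(TEST_CARDS)},
                          source_ip="203.0.113.10"),
    "tron": Message("Status", "The CONFIDENTIAL Tron milestone slipped a week.", source_ip="203.0.113.10"),
    "not_a_card": Message("Ref", "Ticket 1234 5678 9012 3456 is closed.", source_ip="203.0.113.10"),
    "remote": Message("Hi", "Nothing sensitive here.", source_ip="198.51.100.7"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        v = evaluate(msg, POLICY)
        print(f"{name:11s} -> {v.action:10s} {v.route_to or ''} {v.fired}")
```

The two card rules share one detector and differ only in `min_count`, which is how the count parameter turns one leaked number into a sender notification and a bulk export into a rejection. Switching the detector to `"low"` confidence makes the non-Luhn ticket number in `not_a_card` count as a match, which is exactly the false-positive trade-off the confidence parameter exists to tune.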

G Suite Data Loss Prevention now extends to Google Drive as well. This extension makes it easier for administrators to secure data, control what content is stored, and prevent users from accidentally (or maliciously) sharing confidential information. While your own email may be protected by these features, other email servers may not be, which is why Google also allows customers to bring their own certificates for S/MIME encryption to improve email security in transit. Currently, Gmail DLP is available only with G Suite Enterprise and G Suite Business.

Learn more about G Suite or contact a Google Apps expert here.

Our expert teams of consultants, architects, and solutions engineers are ready to help with your bold ambitions, provide you with more information on our services, and answer your technical questions. Contact us today to get started.