Safeguard Data with Data Loss Prevention (DLP) for Google Chat
There are many different types of end users in your organization. Some users practice better security habits than others. For example, a user may try to bypass company security or do so without realizing it. That’s why having the proper protections in place is essential. You can’t rely on your users to make the right decisions. In this post we'll cover how you can safeguard your data with DLP for Google Chat.
Let’s look at a common example. A user tries to share a file in Google Drive externally but receives an alert that the file contains sensitive information and cannot be shared. Some users will stop there; the file is sensitive, so it shouldn't be shared. Others may see the alert and decide to go to plan b, sharing it via email. DLP rules already created for Gmail will block this action as well. The user may even try to download the file. DLP rules for Google Drive will block this action too. The user’s final attempt: share via Google Chat.
Sharing files through Chat makes it easy to maliciously or inadvertently share content that has sensitive information. In the past, Google Vault handled eDiscovery needs for an organization. If an incident occurred, they could review the messages. Now organizations also need the ability to proactively prevent messages from being sent. This is where DLP for Google Chat can block the sharing of sensitive information.
In our recent series on security and privacy, we covered Google Workspace data loss prevention (DLP). We reviewed data loss prevention for Email, Drive, and Chrome. Today we will cover DLP for Google chat. DLP for Google Chat was on a beta release and has recently become generally available. The functionality is very similar to Drive and Chrome DLP. You create your rules in the same place, the data protection section of the admin console. If you haven’t already tested Chat DLP, we will show you what the new features look like for the Admin and the end user.
Google has created templates of commonly used rule types. Before the GA of DLP for Google Chat, the rule templates were only available for Google Drive. Now you can apply Drive and Chat DLP rules using the same template. However, you can still customize it as needed. You also have the ability to update any existing rules to include Chat.
Assigning Rules to Applications
It’s common for organizations to have separate rules for each application for auditing purposes. For example, you can create a rule specifically for Chat. See the screenshot below. For simplicity's sake, you may want to combine them all into one rule. Note unless you have BeyondCorp Enterprise, you will not see Chrome as an option, as shown in the screenshot below.
Applying Actions to Events
When the event matches the rule’s criteria, you can select one of the following actions: warn user, block message, or audit only.
You can then select when this action should be applied, i.e., if the event is internal vs. external via Spaces, Group chats, or 1:1 chats.
From the end-user perspective, when content is blocked in Google Chat, it is a similar experience to Drive DLP. They hit send on a message containing sensitive information and receive a pop-up notification stating their message cannot be sent. It is possible to see a slight delay in messages in order for the content to be scanned, but it typically isn’t noticeable.
If you are familiar with Drive DLP, you can see the setup and end-user experience are nearly the same. As an Admin, you will have the same alerting and reporting capabilities as Drive DLP. With the general availability with DLP for Chat, the three main applications for communication and collaboration have DLP capabilities. Even if you don’t have any compliance or regulatory requirements, you should still consider implementing DLP. Implementing it for audit purposes would be beneficial as it will provide insights into your user's behavior. For example, are they sending any sensitive content, and if so, should it be allowed?
Don’t let Chat DLP be another tool you’re not utilizing. As a Google Cloud Partner with a Specialization in Work Transformation, our seasoned team is available to help you implement DLP within your organization.