Supported editions for this feature: Business Plus; Enterprise Standard and Enterprise Plus.
With Security advisor’s data protection feature, you can block (or warn) your users when they try to share sensitive data outside your organization. You can protect against sharing of the following types of data:
- Personal identifiable information (PII)—email addresses, Social Security numbers, full names and addresses
- Financial data—bank account numbers, credit card numbers
- Healthcare data—National insurance numbers
- Global sensitive data—IMEI numbers, IP addresses
Security advisor for data protection also performs regular scans of your Drive files, identifies when sensitive files are being shared externally, and recommends the appropriate data protection settings to prevent sharing.
Admin privileges needed
Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:
- View DLP rule
- Manage DLP rule
Note that you must enable both View and Manage permissions to have complete access for viewing and editing Security advisor for data protection settings. We recommend you create a custom role that has both privileges.
Default settings
Default Security advisor data protection settings vary according to your Workspace edition:
Business Plus
- For existing customers, app access protection is off by default. See View or change Security advisor data protection settings for instructions on turning protection on.
- For upgraded and new customers, data protection is on by default, with all settings in Warn mode.
Enterprise Standard or Enterprise Plus
Data protection is off by default.
- If you’re already using Data loss prevention to protect your data, review the default rules that are added as part of Security advisor data protection before applying any settings, to avoid conflicts with your existing rules. For instructions, see Edit default data protection rules.
- To change settings, see View or change Security advisor data protection settings.
View or change Security advisor data protection settings
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Access and data control > Data protection.
- In the Security advisor section, click Go to security advisor for data protection.
The main settings page shows the four data type categories:
- Personal identifiable information (PII)
- Financial data
- Healthcare
- Global sensitive data
Each category contains a subset of data types. You can apply a setting to the category as a whole, or drill down into a category and make custom settings for each data type in the category.
Security advisor for data protection data types are a subset of the predefined content detectors that are available in Workspace’s data loss prevention (DLP) feature. For more information on a specific data type:
- Go to How to use predefined content detectors.
Content detectors are grouped by country or by category (such as Global).
- Locate and expand the category that matches the data type. For example, for Canada - Passport, expand the Canada section.
- Locate the specific detector in the table.
Apply a setting to a category as a whole
- Click the dropdown menu at right and choose an option: Warn users, Block users, or Off.
- A prompt confirms the update.
The setting at the category level applies to all the data types within the category and resets any customized settings you may have made to individual data types within the category.
Apply settings to individual data types within a category
- Click the pulldown menu next to a category and choose Customize.
The data types for that category open on a new tab.
- Next to a data type, click the pulldown menu and choose a setting: Warn users, Block users, or Off.
- Close the tab to return to the main settings page.
The setting for the category changes to Customized to indicate that you’ve made individual settings for that category. (You may need to refresh the main page to see the changed setting.)
Edit default data protection rules
Security advisor data protection settings have associated default data protection rules, which you can view and edit.
- For default rules, editing is limited—you can change the action associated with the data protection setting (Warn, Block), or turn the rule on or off.
- For Enterprise customers, we recommend reviewing the default protection rules to ensure that they don’t conflict with any existing DLP custom rules you may already have in effect.
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Access and data control > Data protection.
- To display default rules:
  - (Enterprise) In Data protection rules and detectors, click Manage rules.
  - (Business Plus) In Data protection rules, click Manage rules.
In the rules list, Security advisor data protection rules have a [Default] prefix.
- (Optional) To turn a rule on or off from the rule list, change the setting in the Status column (Active or Inactive).
  Note: This is equivalent to turning the setting to Off in Security advisor data protection settings.
- (Optional) Click a default rule to open its settings page.
  - Click the status pulldown menu at left to make a rule Active or Inactive.
  - Click Actions to change the rule action.
- (If you clicked Actions) On the Edit rule screen, in Actions, set the action (block or warn), then click Continue.
- Review settings and click Update.
Any changes you make to the default rules are reflected in the rule status when viewed again in Security advisor data protection settings.