DLP for Google Drive

Google Drive Data Loss Prevention (DLP), also known as Data Leakage Prevention, refers to a system designed to monitor and detect potential data breaches and prevent unauthorized transfer of data from your organization’s Google Drive accounts. It is common for organizations to store sensitive data on Google Drive. Examples of sensitive data may include Personally Identifiable Information (PII), credit card numbers, patient health information, intellectual property, financial statements, etc. Because of the nature of these types of files, it is essential that they are secure. In data leakage situations, files may be disclosed externally either by mistake or with malicious intent.

Companies need to educate personnel on the consequences of the different sharing settings on Google Drive to mitigate data leakage. It is important that users avoid sharing files and links to files externally and publicly, allow view-only access to files when appropriate, and avoid attaching actual files to emails using traditional attachment methods. Sharing a link to a file instead of attaching it keeps the file securely stored in your Google Drive and gives you control over how the recipient can view it. You can also lock access to the file whenever necessary, even after you have e-mailed out the link.

Companies should also restrict access to data to certain personnel by creating policies based on their roles in the organization. This will make personnel in the company more aware of the type of access they have and the sensitive nature of the documents in their Google Drives.

Monitor your Google Drive

Mistakes can happen at any time. This is why monitoring your Google Drive for sensitive data and potential data leaks is important. Unfortunately, Google’s Admin Console and Drive’s search capabilities do not allow you to search through the contents of your organization’s Drive accounts to view the contents of each document. The good news is that third-party DLP solutions are available that make monitoring your domain’s Drive and preventing breaches very easy.

DLP solutions for cloud applications like Google Drive are either cloud-based proxies or API-based. Understanding the differences between them will help you evaluate the options available.

Cloud-based proxy

Cloud-based proxy providers host and manage network proxies on behalf of customers. They can route the flow of data coming from any cloud application through a secure proxy, which allows data access to that cloud app to be inspected and controlled. With a proxy acting as a ‘middle-man’ for third-party requests to connect with your data, organizations have all-inclusive visibility into the types of shared data.

The downside to cloud-based proxies is that if the provider’s servers go down, your organization will lose access to all documents and emails. Even if your organization can route traffic around the down proxy through an alternate path, any activity that occurs during the downtime will not go through the DLP system.

API-based

An API, also known as an Application Programming Interface, is a channel into a piece of software or a service that makes communication and integration with third-party tools possible. For a cloud platform like G Suite, APIs allow third-party vendors to build functionality that is not natively offered, such as DLP. Unlike ‘middle-man’ proxies, API-based solutions connect with your data at the source. They also allow you to make changes to your data and take corrective actions, whereas proxies simply block access to the data containing sensitive information. For example, if an employee shares a spreadsheet containing Social Security numbers, a proxy would detect the SSNs in real time and lock access to the document. An API-based solution will also detect the sharing, but goes a step further and allows IT to change the sharing or the owner, or to edit the content of the document. API-based solutions are also faster, easier and less costly to implement.

The downside to API-based solutions is that they usually do not scan your documents in real time. They rely on once-a-day scans, leaving your organization open to malicious activity between scans. Real-time API-based solutions are very rare.

BetterCloud as DLP for Google Drive

BetterCloud for G Suite is a real-time, API-based DLP solution built on Google’s Drive Activity Report and Push Notifications APIs. BetterCloud features a Drive Compliance Engine that enables your organization to enforce acceptable use policies in real time and identify exposures of sensitive information like PII, SSNs and credit card numbers using both pre-built and custom regular expression strings. Check out how BetterCloud can secure your data at the source.
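
The content-plus-sharing check described in the API-based and BetterCloud sections above, as an added example (not BetterCloud's code or rule set): regular expressions for SSNs and card numbers, a Luhn check to discard digit runs that are not card numbers, and a sharing classification over permission entries. The `example.com` domain, the patterns and the sample records are assumptions constructed for illustration; the `type`, `domain` and `emailAddress` fields follow Drive permission entries.

```python
import re

ORG_DOMAIN = "example.com"  # assumption: the organization's own domain
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: discards digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text):
    """Return the kinds of sensitive data present in a document's text."""
    kinds = ["ssn"] if SSN_RE.search(text) else []
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        kinds.append("credit_card")
    return kinds

def exposure(permissions):
    """Classify sharing as internal, external or public from permission entries."""
    level = "internal"
    for p in permissions:
        if p["type"] == "anyone":
            return "public"
        domain = p.get("domain") or p.get("emailAddress", "").rpartition("@")[2]
        if domain.lower() != ORG_DOMAIN:
            level = "external"
    return level

def scan(files):
    """Flag files that contain sensitive data and are shared outside the org."""
    findings = []
    for f in files:
        kinds, exp = find_sensitive(f["text"]), exposure(f["permissions"])
        if kinds and exp != "internal":
            findings.append((f["name"], kinds, exp))
    return findings

# Constructed sample records (text already extracted from each file).
SAMPLE = [
    {"name": "payroll.csv", "text": "SSN: 123-45-6789", "permissions": [{"type": "anyone"}]},
    {"name": "invoice.txt", "text": "Card 4111 1111 1111 1111",
     "permissions": [{"type": "user", "emailAddress": "bob@partner.test"}]},
    {"name": "orders.txt", "text": "Order id 4111111111111112", "permissions": [{"type": "anyone"}]},
    {"name": "hr.txt", "text": "SSN 123-45-6789",
     "permissions": [{"type": "user", "emailAddress": "alice@example.com"}]},
]
```

Only the publicly shared payroll file and the externally shared invoice are flagged: the order id fails the Luhn check, and the HR file holds an SSN but is shared only inside the domain.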