Google has updated the data loss prevention capabilities in Gmail for customers of the premium business version of Google Apps for Work.
The new functions, announced Feb. 29, include scanning of images in email attachments, enhanced detection of personally identifiable content in email messages and better control over data loss prevention (DLP) policies.
The enhancements build on the DLP capabilities for Gmail that Google introduced last December for customers of its Google Apps Unlimited service. At the time, the company described the initiative as part of a broader effort to implement rule-based security across Google’s entire suite of email collaboration and productivity apps for businesses.
Google has said the goal is to give enterprises a way to manage information security based on the rules and policies they use internally for data access, data handling and storage.
An organization, for instance, might have a policy that forbids members of the sales department from sharing customer credit card data externally via email. Gmail DLP would allow the email administrator to set a policy for scanning all emails from the sales department for credit card numbers and for blocking or quarantining emails that do contain them, Google noted last December when introducing DLP for Gmail.
Similar to many other DLP tools on the market, Google’s DLP for Gmail looks for prohibited content not just in the email text, but also inside documents, spreadsheets, presentations and other common attachment types.
The technology offers administrators a library of pre-specified content detectors that they can use to quickly specify a DLP policy. It also allows them to create custom rules for scanning emails for specific keywords and expressions. “If there’s a confidential new product your company is building code-named ‘Lochness,’ admins can create custom checks for ‘Lochness,’ ‘confidential’ and other keywords to help deter any leaks,” the company noted previously.
This week’s updates include a new optical character recognition (OCR) capability for scanning email attachments for prohibited and objectionable content in images and scanned copies of documents. With the OCR enhancement, an administrator can create a DLP policy that scans common image types and extracts text from them for analysis, Google said.
Google also has added new predefined content detectors to support the requirements of Google Apps for Work customers around the world. Organizations will be able to use the new content detectors to scan email for what would be considered personally identifiable information (PII) or protected patient health information in their specific country or region.
Also new are two content parameters that administrators can use to scan email in a way that minimizes false positives. One of them is a “count parameter” that allows administrators to set policies for distinguishing between emails with individual PII and those with bulk PII. The other is a “confidence parameter” that lets administrators adjust their detection policies for commonly used content.
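As an added illustration (not Google's implementation and not code from the original article), the sketch below applies the credit card policy described earlier with a count threshold and a confidence threshold. The regular expressions, context keywords, confidence scores and the `evaluate` function are assumptions chosen for illustration; the sample messages are constructed and use published test card numbers.

```python
import re

# Assumption: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumption: nearby words that suggest the digits really are a payment card.
CONTEXT = re.compile(r"\b(card|visa|mastercard|amex|cvv|expir)", re.I)

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text):
    """Return {card_digits: confidence} for Luhn-valid candidates in text."""
    found = {}
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue
        nearby = text[max(0, m.start() - 40):m.end() + 40]
        # Illustrative scores: checksum alone is weak, checksum + context is strong.
        conf = 0.9 if CONTEXT.search(nearby) else 0.5
        found[digits] = max(conf, found.get(digits, 0.0))
    return found

def evaluate(text, min_confidence, min_count):
    """Apply the two thresholds; return (action, number_of_qualifying_matches)."""
    hits = [c for c in find_cards(text).values() if c >= min_confidence]
    action = "quarantine" if len(hits) >= min_count else "allow"
    return action, len(hits)

# Constructed sample messages using published test card numbers.
SINGLE = "Please charge my card 4111 1111 1111 1111, thanks."
BULK = ("Customer export\n"
        "A. Example, visa 4111 1111 1111 1111\n"
        "B. Example, mastercard 5555-5555-5555-4444\n"
        "C. Example, amex 378282246310005\n")
NOISE = "Tracking ref 4012888888881881, order 1234567890123456."

if __name__ == "__main__":
    for name, msg in (("single", SINGLE), ("bulk", BULK), ("noise", NOISE)):
        print(name, evaluate(msg, min_confidence=0.8, min_count=3))
```

Lowering `min_confidence` to 0.5 with `min_count=1` makes the tracking reference in `NOISE` trigger a quarantine, which is the kind of false positive the two parameters are meant to tune away.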
Organizations have used DLP tools for a long time to prevent sensitive data from exiting their networks in an unauthorized fashion. The adoption of software-as-a-service and cloud delivery models in recent years has exposed some of the limitations of on-premises DLP tools and forced organizations to look at alternative ways of preventing data leaks in the cloud.
The trend has resulted in the emergence of a slew of so-called cloud access security broker, or CASB, tools for inspecting traffic flowing between enterprise networks and cloud providers. The need for better data leak prevention capabilities in the cloud has also pushed cloud service providers to deliver services like those announced by Google this week and to offer APIs that let third-party DLP tools work in the cloud.