Google has closed a key security feature gap in Gmail by adding DLP (data loss prevention) capabilities, a move that should bolster its appeal among enterprise customers. An official Google blog post explains the move:

Google for Work already helps admins manage information security with tools such as encryption, sharing controls, mobile device management and two-factor authentication. However, sometimes user actions compromise the best of all of these controls; for example, a user might hit “Reply all” when meaning to send a private message with sensitive content. 

The new DLP system uses rules to enforce company policies about data sharing:

Organizations may have a policy that the Sales department should not share customer credit cards externally. And to keep information safe, admins can easily set up a DLP policy by selecting “Credit Card Numbers” from a library of predefined content detectors. Gmail DLP will automatically check all outgoing emails from the sales department and take action based on what the admin has specified: either quarantine the email for review, tell users to modify the information, or block the email from being sent and notify the sender. 

The system scans not only message headers and bodies, but also attachments. It uses a binary scan to accurately identify the file type, then applies algorithms to the contents in order to extract and analyze text, according to a Google whitepaper.

Administrators have some granular control over the rules. For instance, they can have a particular rule apply to only a single department, or only to outgoing messages. The initial rollout of DLP for Gmail includes a set of predefined content detectors, such as for U.S. social security numbers and bank routing numbers. It's possible for admins to create custom detectors as well.
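The rule model described above (a scope, a content detector and an action) can be sketched as follows. This is an added illustration, not Google's implementation: the `Rule` fields, the action names, the `attachment_text` key (standing in for text already extracted from attachments) and the use of a Luhn checksum to cut false positives are all assumptions.

```python
import re
from dataclasses import dataclass

# Candidate runs of 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

@dataclass
class Rule:               # hypothetical rule shape, not Gmail's schema
    department: str       # rule applies only to this department
    direction: str        # "outbound" or "inbound"
    action: str           # "quarantine", "warn" (ask sender to modify) or "block"

def evaluate(rule: Rule, msg: dict) -> str:
    """Return the rule's action if it is in scope and the detector fires."""
    if (msg["department"], msg["direction"]) != (rule.department, rule.direction):
        return "deliver"
    # Subject, body and already-extracted attachment text are all scanned.
    parts = [msg["subject"], msg["body"], *msg.get("attachment_text", [])]
    return rule.action if any(find_card_numbers(p) for p in parts) else "deliver"

# Constructed sample data (4111 1111 1111 1111 is a widely used test number).
RULE = Rule(department="sales", direction="outbound", action="quarantine")
MSG = {"department": "sales", "direction": "outbound", "subject": "Invoice",
       "body": "Order ref 1234 5678 9012 3456",
       "attachment_text": ["Card on file: 4111 1111 1111 1111"]}

if __name__ == "__main__":
    print(evaluate(RULE, MSG))
```

The order reference in the sample body has the shape of a card number but fails the checksum, so only the attachment text triggers the rule.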

The Bottom Line

Google plans to introduce rules-based security across the entire Google Apps portfolio. Next up will be Google Drive, early next year. 

"This is an important step for Google as they fortify their offering to be more secure for enterprises," says Constellation Research VP and principal analyst Alan Lepofsky. "This puts them on par with the DLP features available in Microsoft Exchange Online."

"It's really good Google is building this kind of intelligence into email and other workflow processes in its Google for Work cloud," says Constellation Research VP and principal analyst Steve Wilson. "'Reply All' is one of the single biggest sources of grief in enterprises. Information systems are so complex and so critical to everyday work, it's become a real problem that they're so unforgiving. You can metaphorically steer your organisation over a cliff with just a moment's inattention."

"DLP as Google describes it can really help head off these errors," he adds. "DLP adds a layer of reasonableness tests around routine information processing, to make the systems more forgiving of human error. You don't want to make these systems too smart, at least not yet. And they always need an override, so the human can tell the machine 'I really do want to send that email.'"

Indeed. Meanwhile, Microsoft is not the only competitor Google is catching up to with respect to DLP for Gmail. A number of third-party vendors, such as Imperva and Virtru, have offered DLP for Gmail for some time.

While those players could argue they've got more mature solutions, the fact that Google's tools will be native and included at no additional charge to Google Apps Unlimited customers could provide a competitive edge.
