5 Google Drive Data Loss Prevention Best Practices for K-12 Schools

April 22, 2021

The Google Drive data loss prevention controls you have access to with the free Google Workspace for Education Fundamentals

With more districts using Google Workspace for work and learning, leaders in charge of securing district data and achieving FERPA, HIPAA, and CIPA compliance must understand Google Drive data loss prevention (DLP).

Cloud DLP is different from “traditional” network-based security, which focuses on securing access at the perimeter. Data loss risks coming from inside your cloud applications are notoriously difficult to detect. This is because these risks look like authorized activity.

Data loss in Google Drive can happen both accidentally and maliciously. It can be the result of “insider DLP risks”, meaning activity from authorized users. It can also be the result of malicious threats, such as in cases of ransomware, account takeovers, and malicious or compromised 3rd party apps.

Insider Google Drive DLP Risks

District Google admins need to monitor insider DLP risk indicators, which are the most common type of Google Drive data loss prevention risks. Most of the time, insiders trigger data loss by accident, but some instances can be malicious.

An accidental insider risk occurs when someone who is authorized to access sensitive data uses that data in an inappropriate way. The authorized user may share a public link to sensitive data, for example. Or, a student might use school credentials to connect to risky apps through OAuth.

Malicious intent is behind some insider risks. One example is the contractor who was working in the Chicago Public Schools (CPS) and had authorized access to sensitive data about thousands of CPS employees and vendors. The contractor downloaded data and may have deleted portions of some files. That person was charged with felony identity theft.

5 Google Drive Data Loss Prevention Tools Provided in the Fundamentals Version

Here’s the question we hear most often concerning Google admin tools: “Is this provided in the free version?” To answer that question, we’ll outline what you can do with Google’s native data loss prevention tools using just the Fundamentals version. Keep in mind that these settings apply to both Google Drive and Shared Drives.

1. Organize Organizational Units (OUs) and Groups based on data access needs

If you haven’t done so already, it’s important to think about and structure your accounts based on who needs access to certain types of data. You don’t want “over privileged” user accounts.

For example, not everyone in the administrative office needs access to files that contain student and parent/guardian social security numbers. On the other hand, a specific set of admin employees need access to faculty and staff social security numbers to process payroll and taxes. Set access and sharing permissions based on OUs and/or Groups and the types of data those accounts need or don’t need access to.

If you’re just getting started, security and privacy experts always recommend starting with the most rigid restrictions and then opening them up as needed. This can be painful and frustrating for some, but it’s better than exposing data incorrectly and risking compliance violations or worse.

2. Set Access and Sharing Permissions

There are some basic ways that people can share Google Drive folders and files:

  • Restricted: Only people with access to the folder or file can edit, comment, or view it
  • Within a Group or OU: Only people in the Group/OU set up by the administrator can access the folder or file
  • Within Your Organization: This can be done either directly in Google Drive or in the individual file, or by sharing a link
  • Anyone with the link: Anyone who has the link can access the file or folder without logging in to a Google account; this means that the file can be shared outside of designated OUs, Groups, and your organization
  • Public: People can publicly search for your file and, in theory, find it in public search engine results

It is most effective to limit your accounts’ ability to share publicly, or with anyone who has the link, to only the least sensitive information, if at all. If that type of sharing isn’t needed, it’s best to turn those permissions off completely.

Here’s a tip: You can restrict sharing outside your domain to ONLY trusted domains. This is popular with education users who often collaborate with different schools, districts, and/or organizations. This feature is provided in the Fundamentals version, and you can learn more about setting it up here.
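The sharing levels and the trusted-domain allowlist described above can be checked against what is actually granted on each file. The following is an added example, not part of the original article: it classifies permission entries in the Drive API v3 shape (`type`, `domain`, `emailAddress`, `allowFileDiscovery`) and lists the files whose widest grant needs review. The domain names and sample files are constructed assumptions.

```python
ORG_DOMAIN = "district.example"                # assumption: the district's primary domain
TRUSTED_DOMAINS = {"partner-school.example"}   # assumption: allowlisted partner domains

# Sharing levels from the list above, narrowest to widest.
SEVERITY = ["restricted", "group", "organization", "trusted_external",
            "untrusted_external", "anyone_with_link", "public"]

def exposure(perm):
    """Map one Drive API v3 permission resource to a sharing level."""
    ptype = perm.get("type")
    if ptype == "anyone":
        # allowFileDiscovery=True means searchable, not merely link-shared.
        return "public" if perm.get("allowFileDiscovery") else "anyone_with_link"
    if ptype == "domain":
        domain = perm.get("domain", "").lower()
    else:  # "user" or "group": take the domain from the address
        domain = perm.get("emailAddress", "").rpartition("@")[2].lower()
    if domain == ORG_DOMAIN:
        return {"domain": "organization", "group": "group"}.get(ptype, "restricted")
    # A missing domain or address is treated as untrusted, the conservative choice.
    return "trusted_external" if domain in TRUSTED_DOMAINS else "untrusted_external"

def widest_exposure(permissions):
    return max((exposure(p) for p in permissions), key=SEVERITY.index, default="restricted")

def review_queue(files, threshold="untrusted_external"):
    """Names of files whose widest grant is at or beyond the threshold."""
    floor = SEVERITY.index(threshold)
    return [f["name"] for f in files
            if SEVERITY.index(widest_exposure(f["permissions"])) >= floor]

# Constructed sample in the shape of files.list output with a permissions field mask.
SAMPLE_FILES = [
    {"name": "payroll-2021.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@district.example"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "joint-curriculum.doc", "permissions": [
        {"type": "group", "role": "writer", "emailAddress": "teachers@district.example"},
        {"type": "user", "role": "writer", "emailAddress": "lee@partner-school.example"}]},
    {"name": "iep-notes.doc", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "counselor@district.example"},
        {"type": "user", "role": "reader", "emailAddress": "someone@mail.example"}]},
]

if __name__ == "__main__":
    print(review_queue(SAMPLE_FILES))
```

The file shared with the allowlisted partner domain stays out of the queue, while the link-shared payroll file and the file shared to an unlisted external address are flagged.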

3. Create Google Drive DLP Rules

The free license for Fundamentals gives you access to many predefined rules. You can also define your own rules. Some predefined rules include:

  • Credit card number
  • Bank account number
  • Name, date of birth, phone number
  • Social security number
  • And more

What you won’t find are predefined rules that are more specific to education, such as:

  • Student identification number
  • Individualized Educational Plan (IEP)
  • Behavioral and safety risks, such as cyberbullying, self-harm, etc.

But, you can create your own rules using keywords and other settings to help you identify these types of DLP risks in your district’s Google Drive.
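Before entering a custom student-ID rule in the Admin Console, it helps to try the pattern and keywords against labelled sample text to see what they miss and what they flag by mistake. The following is an added example, not part of the original article and not Google's detector implementation: the ID format ("S" plus seven digits), the keyword list, the proximity window and the sample documents are all constructed assumptions. The pattern avoids lookarounds and backreferences so it stays portable across regex engines.

```python
import re

# Assumption: district student IDs look like "S" followed by 7 digits (hypothetical format).
STUDENT_ID = re.compile(r"\bS\d{7}\b")
# Context keywords that make an ID-shaped token likely to be a real student record.
KEYWORDS = re.compile(r"student\s*(id|number)|\bIEP\b|individualized education", re.I)
WINDOW = 60  # characters of context examined on each side of a candidate ID

def rule_triggers(text):
    """True when an ID-shaped token appears near a context keyword."""
    for m in STUDENT_ID.finditer(text):
        context = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        if KEYWORDS.search(context):
            return True
    return False

def evaluate(samples):
    """Compare the rule with the expected label of each (text, is_sensitive) sample."""
    missed = [t for t, sensitive in samples if sensitive and not rule_triggers(t)]
    noisy = [t for t, sensitive in samples if not sensitive and rule_triggers(t)]
    return {"missed": missed, "false_positives": noisy}

# Constructed sample documents, not real student data.
SAMPLES = [
    ("IEP meeting notes for student ID S1234567, grade 4", True),
    ("Roster: Student Number: S7654321", True),
    ("Order the S1234567 projector bulb from the vendor", False),
    ("Student ID cards will be printed next week", False),
    ("Behavior plan attached, see S2345678", True),  # no keyword nearby
]

if __name__ == "__main__":
    print(evaluate(SAMPLES))
```

The last sample is missed because no keyword sits near the ID, which is the kind of gap to close by extending the keyword list before the rule is relied on.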

When you activate one of the predefined rules or create your own from scratch, the system will automatically start scanning your district’s Google Drive for anything that violates (or “triggers” in Google-speak) that rule.

4. Define DLP Actions

Each Google Drive DLP rule specifies the action that should be taken when the rule is violated.

When you’re first getting started, you can create an audit-only action to see exactly how the rule is operating. After that initial test, you might want to set up your action to notify you (or someone on your team) that a violation has occurred. This gives you some time to make sure that the rule you created is working as expected.

Once you’re comfortable with how the rule is working, you can define several actions, including:

  • Send you/your admin an alert
  • Block externally shared links
  • Warn end users
  • Audit Drive file content violations

5. Periodically Analyze the DLP Security Dashboard and Rules Audit Logs

While the Fundamentals version of Google Workspace doesn’t provide detailed reports, you can access the DLP Security Dashboard.

The Dashboard logs incidents where a Rule has been violated. Google suggests using the Dashboard to examine trends to see how well your Rules are working, and to review an incident’s details to respond to the alert. Just keep in mind that there is a delay between the event and when the log is updated.

You also have access to download rules audit logs from the Google Admin Console. This will show you information like which users and events triggered a rule violation. According to Google, entries will usually appear within an hour of the rule being triggered.

If you need to do more detailed Google Drive data loss prevention investigation, you must upgrade to Google Workspace Standard or Plus versions. Or, for more advanced and easily accessible data, protection, and control, you can work with a 3rd party Google partner.

Data loss prevention is typically at the top of the list of things districts need to address. Between student data privacy, safety, and regulatory compliance issues, it’s a critical undertaking for districts to master. Many districts are faced with the choice of upgrading their Google Workspace license or investigating other, often better alternatives with 3rd party vendors.
