Tuesday, December 7, 2021

Enhanced content classification, governance, and DLP with Google Drive labels

What’s changing

Earlier this year we announced a beta for three features which can help categorize content and enhance content protection at scale. Drive labels are now generally available, and automated classification with Workspace data loss prevention and labels-driven sharing restrictions will become generally available in the coming weeks. Check back on the Workspace blog for updates.

  • Drive labels: This renaming and update to the previously-announced Drive metadata feature enables admins to configure custom labels (formerly “metadata”) for a domain. Users can then apply these labels to files in Drive, helping ensure files are handled correctly. This feature is now generally available.
  • Automated classification with Workspace data loss prevention (DLP): Automated classification can help organizations automatically add Drive labels to content based on administrator-defined rules and predefined content detectors.
    • Using automated classification makes it easier to scale your use of labels while reducing the risk of manual classification errors. It also provides an added safeguard against unlabeled content.
    • Admins can allow end users to change labels applied by DLP, which gives their organization flexibility. This lets admins balance user choice against admin policy on a per-DLP-rule basis.
  • Labels-driven sharing restrictions with Workspace data loss prevention (DLP) integration: Admins can configure sharing restrictions to be applied to all files with a given label. For instance, DLP administrators could configure a rule that shows users a warning any time they attempt to share a file labeled as “Internal,” and another rule that blocks external sharing or prevents downloads and printing for all “Top Secret” files.

Read our announcement from Google Cloud Next ’21 to learn more about this and other features that are helping Google Workspace deliver new levels of trusted collaboration for a hybrid work world.

Who’s impacted

Admins and end users

Why you’d use it

Special handling of sensitive data is an integral part of a strong information governance policy. That begins with labeling files which may contain sensitive intellectual property, personally identifiable information, data subject to special compliance regulations, and more. Additionally, labels can help admins prevent external sharing, downloading, and printing of classified files via an integration with data loss prevention (DLP). Moreover, admins can create labels to indicate department names, document types, document status, and anything else you can think of, to facilitate content discovery in advanced search.

When used in conjunction with automated classification, labels in Drive can be added automatically based on admin-defined DLP rules and predefined content detectors. This automated classification can help scale data classification and protection efforts by reducing the administrative burden and potential errors associated with manual labels.

Additional details

Once admins turn on the label feature and publish labels, users who are permitted to apply a given label can then apply it to files in Drive. They may do so via the Drive context menu, Drive detail pane, or the Labels option in the File menu of Google Docs, Sheets, and Slides. Users can search for all files that they have access to with a given label using Drive’s “advanced search” functionality.

Each company can have one “badged label,” which will be prominently visible as a colored rectangle in Google Docs, Sheets, and Slides, providing a visual reminder to users to handle these files with care. Admins can also configure standard labels, which may still represent important information and can be used to enforce policy but will not have the same visual prominence.

Admins can define custom labels for their organization



Users can add labels to Drive files (if permitted by admin), or take advantage of automatic classification

Admins can set data loss prevention (DLP) rules for files with a certain label

Getting started


Rollout pace

Drive labels
Automated classification and labels-based sharing restrictions with DLP integration
  • Launching in the next few weeks. Check back on the Workspace blog for updates.

Availability

Drive labels
  • Available to Google Workspace Essentials, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Nonprofits customers.
  • Not available to Google Workspace Business Starter, Education Fundamentals, and Frontline, as well as G Suite Basic and Business customers.

Automated classification and labels-based sharing restrictions with DLP integration
  • Available to Google Workspace Enterprise Standard, Enterprise Plus and Education Plus customers.
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers.

Resources