Data Loss Prevention, Risk Mitigation & Compliance for Google Drive

Google Drive is Google’s cloud-based storage solution, available for both Google One (personal) and Google Workspace (business) users. OneDrive is a cloud-based storage solution offered by Microsoft and is available for personal use or as OneDrive for Business. Google Drive and OneDrive are part of Google’s and Microsoft’s suite of business SaaS application offerings. 

Google Photos is a photograph and video archiving solution that forms part of the Google family of applications alongside Google Drive. Both Google Drive and Google Photos have the ability to upload and store photograph and video files, and the total available storage for both applications comes from the same space. Google Drive supports other file formats other than photos and videos, while Google Photos includes some basic photo editing features. 

Google encrypts all files uploaded to Google Drive both in transit and at rest with AES 256-bit encryption. This level of encryption is extremely effective at repelling brute force attacks. 

Aware supports Data Loss Prevention (DLP) in Google Drive by pinpointing risky behavior associated with confidential information sharing and potential data breaches. Aware ingests Google Drive data continuously via API and analyzes content in near real time for faster, more effectively DLP. Aware supports robust Data Loss Prevention safeguards in unison with other data security best practices, such as retention policies, multi-factor authentication (MFA) and limited permissions. 

Google Vault is Google’s data retention and eDiscovery tool for Google Workspace. It is available to users with Business or Enterprise-level accounts. Google Vault enables customized retention and data holds for some Google apps, including Gmail, Google Drive and Google Chat. Aware enhances Google Vault functionality by deploying smarter data management workflows with greater accuracy for fewer false positive alerts. 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines the requirements healthcare providers must follow to shield Protected Health Information (PHI) from data exfiltration or misuse. Out of the box, Google Drive is not HIPAA compliant. However, it does offer controls to be HIPAA compliant with the right configuration. Some of the steps required to make Google Drive HIPAA compliant include enabling two-factor authentication (2FA), turning off link sharing and disabling third-party plugins. Healthcare providers should also ensure their data retention and management policies meet HIPAA standards. 

As with HIPAA, Google Drive is not automatically GDPR-compliant, but it can be depending on how it is used. Google supports the EU General Data Protection Regulation (GDPR) across its cloud services by committing to comply with GDPR when handling personal data and providing companies with the controls to enforce GDPR compliance across Google Drive. 

Aware helps companies meet regulatory requirements by proactively analyzing uploaded content for noncompliance. Automated workflows backed by Machine Learning (ML) algorithms continuously ingest new data and scan for configurable regular expressions (RegEx) and keywords. 

By default, all Google Drive links are private unless the end user or custodian chooses to share them. Users can choose to turn a restricted link into a shared or public link and also define if people with the link can read-only or edit the file. 

Anyone who has the ability to view a file in Google Drive can also download, print or copy the file. To change this setting, file owners must disable those options in Google Drive Advanced Settings. 

Aware providing Data Loss Prevention (DLP) and compliance adherence features for file uploads in Google Drive, supporting use cases such as adhering to industry legislation and internal policies, identifying sensitive information sharing, and protecting against IP loss. Aware does not currently support Google Drive comments. 

Aware helps companies to detect unauthorized sharing of sensitive information in Google Drive, including:

• Personal Identifiable Information (PII) like date of birth
• Protected Health Information (PHI), e.g. test results
• Payment Card Industry (PCI) data such as credit card numbers

through automated workflows informed by regular expressions and keywords.

Aware contextual intelligence platform provides ediscovery, data security and business insights across a range of collaboration tools, including Slack, Microsoft Teams, Zoom and WorkJam. Aware brings centralized oversight and information governance to collaboration with industry-leading Artificial Intelligence (AI) and Machine Learning (ML)-infused metadata, giving business leaders 360-degree oversight of tangled collaboration datasets to mitigate risk and enhance operational intelligence.