Skip to main content

Take charge of your data: Scan for sensitive data in just a few clicks

Preventing the exposure of sensitive data is of critical importance for many businesses—particularly those in industries like finance and healthcare. Cloud Data Loss Prevention (DLP) lets you protect sensitive data by building in an additional layer of data security and privacy into your data workloads. It also provides native services for large-scale inspection, discovery, and classification of data in storage repositories like Cloud Storage and BigQuery. 
Originally released as an API, Cloud DLP now includes a user interface (UI), which helps extend these capabilities to security, privacy, and compliance teams. Using the Cloud DLP UI, now generally available in the Google Cloud Console, you can discover, inspect, and classify sensitive data in just a few clicks by creating jobs, job triggers, and configuration templates.
In addition, Cloud DLP now features simplified storage inspection pricing based on bytes scanned, making costs more predictable.

Interacting with Cloud DLP through the UI provides many of  the same features and benefits of the API. For example, you can:

  • Inspect Cloud Storage, BigQuery, and Cloud Datastore repositories for sensitive data using one-off jobs, or create a job trigger to automate and monitor resources on a schedule you define.
  • Detect and classify common infoTypes (sensitive data type detectors such as email addresses or credit card numbers) or custom infoTypes you define to protect internal identifiers or company secrets.
  • Create data inspection templates to re-use configuration settings across multiple scan jobs or job triggers. 
  • Publish Cloud DLP scan findings to BigQuery, Data Catalog, and Cloud Security Command Center for further analysis and reporting.
  • Include Cloud DLP as part of Google Cloud’s fully automated and scalable service suite to help meet regulatory compliance requirements.
Let’s take a deeper look at the Google Cloud Platform Console user interface and show how you can start to inspect your enterprise data with just a few clicks.

Getting started with the Cloud DLP UI 

The Cloud DLP UI lets you perform the most common data protection tasks: scanning Cloud Storage buckets, BigQuery and Cloud Datastore; configuring timespans, and setting up monitoring with periodic scans. Let’s take a closer look. 
Scanning Cloud Storage BucketsCloud Storage is a highly scalable object storage for developers and enterprises, which use it as an integral part of their applications and data workloads. These workloads can include sensitive data such as credit card numbers, medical information, Social Security numbers, driver's license numbers, addresses, full names, and service account credentials—all of which need strong protection. This is where using Cloud DLP with Cloud Storage can help. 
Using Cloud DLP with your Cloud Storage repositories lets you can identify where sensitive data is stored, and then use tools to redact those sensitive identifiers. Cloud DLP uses more than 100 predefined detectors to help you better discover, classify, and govern your data. With the DLP UI in Cloud Console, you can now discover and inspect your data in a few steps.  
1. Define what you want to scan, such as a Cloud Storage bucket, folder, or individual file.

2. Then, filter that data by adding include or exclude patterns to narrow down the files you want to inspect

3. Scale your scans, by turning on sampling to increase efficiency and reduce cost:
Sample storage objects
Sample bytes per object
You can also take advantage of our integration with the Cloud Storage UI, where you can select a bucket and simply click “Scan with DLP.” (More details on that here.)
Scanning BigQueryBigQuery is a serverless, highly-scalable, and cost-effective cloud data warehouse. It can help you analyze your company's most critical data assets and natively delivers powerful features like business intelligence (BI)-engine and machine learning. Similar to Cloud Storage, this data may contain sensitive or regulated information such as personally identifiable information (PII). Using Cloud DLP with BigQuery can help you discover and classify this information.  Here’s how.
1. Define the BigQuery table you want to scan.
2. Decide whether to perform an exhaustive or sampled scan... For BigQuery, you can sample a random percentage or a fixed number of rows:
3. Since BigQuery data is “structured” tabular data, your findings will include additional metadata such as column names. You can optionally specify an identifying field such as a row or record number so that you can pinpoint findings and map them back to your source tables.
You can also take advantage of our integration into the BigQuery UI, where you can select a table and click “Scan with DLP.” (More details on that here.)

Scanning Cloud Datastore
Cloud Datastore is a highly scalable NoSQL database for web and mobile applications. Cloud DLP enables you to inspect data stored in Datastore by simply specifying the namespace and kind.
Configuring timespansWhen managing data at scale, it’s critical that you can scan only what you need to scan. TimespanConfig enables you to narrow a scan based on the create or modify date/timestamp. For example, you might only want to scan data that was created within a two-week window or only scan data that has a create or modify date since the last scan.
Set up monitoring with periodic scans
Using DLP job triggers, you can configure inspection scans to run on a periodic schedule.
These job runs can scan all content,sample from all content, or be limited to content created or modified since the last run. Triggered jobs are collected together as part of a trigger and enable you to see trends of data over time (job to job).

Tailor data detectors to your needs 

Cloud DLP makes it easy to find sensitive data, with over 100 pre-defined infoTypes that you can turn on and use instantly from the UI. You can also take advantage of a rich set of customizations to tailor detection to your needs, help reduce false positives, and improve overall quality. 
Selecting built-in InfoTypesYou can select from a long list of built-in infoTypes.
Building custom infoTypes
You can create custom infoTypes based on patterns, word lists, or dictionaries.
You can also create word lists inline or pull dictionary lists from Cloud Storage paths.
Create inspection rulesetsRulesets can help tune results from both predefined and custom infoTypes. For example, maybe you want to find all EMAIL_ADDRESS infoTypes but exclude your own employees’ email addresses. With a simple exclusion list, you can do this.
Persist configuration with templatesFinally, you can also share inspection configuration across multiple jobs using templates. 

View findings and take action

Whether you want to generate detailed findings to power an audit report, conduct an investigation, or use summary findings to trigger automated actions and alerts, it’s easy to do so from the Cloud DLP UI. 
View job status and findings summaries directly in the UI.
Take actionWhen an inspection job is completed, Cloud DLP can automatically trigger actions.
  • Save to BigQuery: Write detailed findings (see more details below).
  • Publish to Cloud Pub/Sub: Emit a pub/sub notification when a job is completed. This can trigger custom logic in, for instance, a Cloud Function. See Automating the Classification of Data Uploaded to Cloud Storage for an example.
  • Publish to Cloud Security Command Center (currently only available for Cloud Storage scans)
  • Publish to Data Catalog (currently only available for BigQuery scans)
  • Notify by email: Send an email with job completion details.
Detailed Findings
Detailed findings can be turned on and written directly to BigQuery, enabling:
  • Cloud Storage object-level findings - Includes the object path for every finding
  • BigQuery column level findings - Includes the table field name with every finding
  • Run analytics in SQL
  • Generate custom dashboards or audit reports in tools like Data Studio (watch a demo of this from a recent Cloud OnAir webinar here).
  • Export findings to your SIEM
Include Quote

You can optionally turn on “include quote” when writing detailed findings. This writes a copy of the finding alongside the metadata in the BigQuery output. The quote can help you:
  • Do analysis of findings to help inform tuning rules and reduce unwanted results (e.g., inform exclusion rules).
  • Help build a customer or user  inventory so you know where data exists per subject, which can help inform your privacy and compliance processes for efforts like data access and deletion requests. 

Now, everyone can protect sensitive data 

Cloud DLP is a powerful, flexible service that brings state-of-the-art data protection capabilities to a variety of workloads and storage formats. And now, with an easy-to-use UI, those capabilities are available to broader security, compliance and legal teams. To learn more, visit our Cloud Data Loss Prevention page for more resources on getting started. 


Popular posts from this blog

People are going wild for a handy new shortcut that will change the way you use Google Docs

- Google has introduced new URLs that can open up blank Google Docs with the click of a button. - To try it out, simply point your browser to  or other Google URLs. - Here's an incomplete list of these new URLs, along with a way to take the shortcut to the next level. Last month, Google rolled out a new time-saving shortcut for anyone who spends a lot of time in Google Docs. To open a new, blank document — or spreadsheet, or presentation — all you have to do is go to one of Google's handy new URLs. So if you want to start a new document, you just have to type " " into your browser. Google Docs ✔ @googledocs Introducing a .new time-saving trick for users. Type any of these .new domains to instantly create Docs, Sheets, Slides, Sites or Forms ↓ 9:35 PM - Oct 25, 2018 4,550 2,812 people are talking about this Twitter Ads info and privacy Here&#

Set start times and import reminders in Tasks

Here comes one of the most awaited features. Tasks is one of the goals to follow what you have to do in G Suite. These new updates will help ensure the majority of your to-dos are in Tasks, and guarantee that you can monitor the due dates related with them. Moreover, importing reminders to Tasks can support your users if your association is at present changing from Inbox to Gmail. Set a date and time for your tasks and receive notifications - You’ll find a place to add date & time. Create repeating tasks - Also you can make an event recur. Import reminders into Tasks This import tool will pull your reminders (from Inbox/Gmail, Calendar, or the Assistant) into Tasks.When importing reminders into Tasks, we’ll copy over the title, date, time and recurrence of the reminder. Please note, reminders with locations associated will not be imported. Additionally, this is a one-time import and not a constant sync. - When you open Tasks on the web or your mobile app, you’ll se

Use Vault for Gmail Confidential Messages and Jamboard Files

Google vault will be supporting two new formats in the future, Gmail confidential mode emails & Jamboard files stored in Google Drive. Google Vault gives you a chance to retain, hold, search, and export data to support your organization’s retention and eDiscovery needs. This dispatch includes support for new information types with the goal that you can thoroughly oversee your association's information. What happens when individuals in your association sends confidential messages? Vault can hold, retain, search, and export all confidential mode messages sent by users in your association. Messages are constantly accessible to Vault, notwithstanding when the sender sets a termination date or denies access to private messages. Here’s an example of what will see in Vault when they search for and preview this email sent by . But It’ll not work vise versa. Admins can hold, retain, search and export message headers and s