This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

DLP - how do I stop users with edit access from downloading

Posted on 02-23-2024 09:39 AM
Miko
New Member
Reply posted on --/--/---- --:-- AM

Hi,

As a part of our DLP policy, I'm looking for a solution where we can stop users with edit access from downloading workspace files onto their devices.

Is there a way to stop users from downloading files onto their personal devices where they could then be transferred or uploaded somewhere else etc.

I did on my own research and I found that in a plan called:

"Business Standard"

thru Google Shared Drive,

>Manage members (itโ€™s a function for a whole Shared Drive โ€“ not a specific file, worth to mention โ€“ which is ok)

>Contributor (can: Add and edit files)

Despite he cannot delete a file, for instance a sheet with sensitive data

-Contributor still can print it out or even make a copy of a file or can save it on his computer.

What a waste! It makes no sense at all to meโ€ฆ

So I dig in and found a plan called:

Enterprise Standard (or Plus)

-it has some special features for DLP:

https://support.google.com/a/answer/9646351?sjid=10763456719104943914-EU&visit_id=638442258793053199...

I was wondering โ€“ can anyone help me and tell me if DLPs features in Enterprise Standard can prevent files from copying, printing, downloading? (files on a shared google drive)

If yes - how to do this?

PS

By comparison, I found out that in Microsoft Office 365 documents (Iโ€™m not a fan), you can make use of the Information Rights Management (IRM) feature. This feature lets you specify who can view, print, or copy the document. Does Workspace also have this function - Prevent Screenshots (somewhere)?

Miko

Google Shared Drive. - Contributor.png

1 2 275
Topic Labels
2 REPLIES 2

Posted on --/--/---- --:-- AM
icrew
Gold 3
Gold 3
Reply posted on --/--/---- --:-- AM

It seems to me, given what you describe, that a combination of company-issued devices (like Chromebooks) and Google's Context Aware Access capabilities (https://support.google.com/a/answer/12645308?hl=en) would be your best bet to keep things locked down. That would allow you to say things like "this person can only access their company Google account from a company owned device, in our company's location." (And you could configure the company devices to be very locked down and not allow access to outside accounts: https://support.google.com/a/answer/1668854?hl=en)

You could also restrict things so that users didn't have the ability to share files and folders outside your domain: https://knowledge.workspace.google.com/kb/restrict-users-from-sharing-outside-domain-000005684

But that said, even with all those precautions, and even if you were to find a way to block screenshots, there's little to prevent someone from taking their cell phone and taking a photo of the screen. So at a certain fundamental level, it's really about making sure that the people you provide access to are trustworthy (and if not, don't provide them access). I'm not a lawyer, but that's also what nondisclosure agreements and their associated financial penalties are for.

Hope that helps, at least a little,

Ian

 

0 Likes

Posted on --/--/---- --:-- AM
christiannewman
Gold 1
Gold 1
Reply posted on --/--/---- --:-- AM

Great suggestions by @icrew. I'd also say that if you don't already, your users should be signing an ethics/responsible use policy before they're giving access to your data.

0 Likes
Top Labels in this Space