Enterprises that do not have an extremely large IT operating scale or unique compliance requirements don't have much of a reason to operate internal email systems. Yesterday, Google announced Data Loss Prevention (DLP) for its enterprise Gmail service, eliminating one more compliance reason justifying the operation of custom email services within the enterprise. DLP checks email messages and attachments for sensitive data to prevent disclosure to unauthorized personnel. Sensitive data includes trade secrets or intellectual property or data regulated in industries like healthcare and financial services.
Innovation often takes a back seat to compliance; the more regulated the business, the more compliance becomes a roadblock to innovation. Before Google released DLP, the burden of data loss compliance standards prevented some enterprises from taking advantage of Gmail's 900 million mailbox scale. Few enterprises can operate email services with the redundancy, resilience, and security of Google's Gmail. DLP means that many enterprises running less-efficient email services for compliance reasons now have a Gmail option.
DLP applies content filters based on rules determined by company compliance policies. Google's DLP system has a library of predefined content detectors for common data types, such as social security numbers and credit card numbers, including pattern recognition. Custom detectors like project keywords and custom detector data patterns can be applied with regular expression (Regex) logic. Filtering works on both incoming and outgoing email.
Predefined detectors are available for the U.S., Canada, France, and the UK. Google said that they are working to broaden their identifier portfolio over time to include additional countries and target industries. No availability dates were announced.
DLP rules include the actions taken when an email conflicts with established compliance policy rules setup in the Gmail console by the administrator or delegate. Different rules can apply to different domains. The incoming or outgoing messages can be rejected or quarantined for later review by a manager or compliance expert to determine if the message should be sent outside of the company or delivered to an inbox. Messages that are detected to have confidential information can be modified. For example, internal messages sent between employees with confidential information can be modified to include an "internal use only" statement.
Google acknowledged that Gmail is a single service and that customers want to protect data, not individual services. The company said that it is working to expand its DLP offering to Google Drive and other services, but gave no estimate of availability. DLP will be included in the current $5 per user per month service fee.