Hi,
As a part of our DLP policy, I'm looking for a solution where we can stop users with edit access from downloading workspace files onto their devices.
Is there a way to stop users from downloading files onto their personal devices where they could then be transferred or uploaded somewhere else etc.
I did on my own research and I found that in a plan called:
"Business Standard"
thru Google Shared Drive,
>Manage members (it’s a function for a whole Shared Drive – not a specific file, worth to mention – which is ok)
>Contributor (can: Add and edit files)
Despite he cannot delete a file, for instance a sheet with sensitive data
-Contributor still can print it out or even make a copy of a file or can save it on his computer.
What a waste! It makes no sense at all to me…
So I dig in and found a plan called:
Enterprise Standard (or Plus)
-it has some special features for DLP:
I was wondering – can anyone help me and tell me if DLPs features in Enterprise Standard can prevent files from copying, printing, downloading? (files on a shared google drive)
If yes - how to do this?
PS
By comparison, I found out that in Microsoft Office 365 documents (I’m not a fan), you can make use of the Information Rights Management (IRM) feature. This feature lets you specify who can view, print, or copy the document. Does Workspace also have this function - Prevent Screenshots (somewhere)?
Miko
It seems to me, given what you describe, that a combination of company-issued devices (like Chromebooks) and Google's Context Aware Access capabilities (https://support.google.com/a/answer/12645308?hl=en) would be your best bet to keep things locked down. That would allow you to say things like "this person can only access their company Google account from a company owned device, in our company's location." (And you could configure the company devices to be very locked down and not allow access to outside accounts: https://support.google.com/a/answer/1668854?hl=en)
You could also restrict things so that users didn't have the ability to share files and folders outside your domain: https://knowledge.workspace.google.com/kb/restrict-users-from-sharing-outside-domain-000005684
But that said, even with all those precautions, and even if you were to find a way to block screenshots, there's little to prevent someone from taking their cell phone and taking a photo of the screen. So at a certain fundamental level, it's really about making sure that the people you provide access to are trustworthy (and if not, don't provide them access). I'm not a lawyer, but that's also what nondisclosure agreements and their associated financial penalties are for.
Hope that helps, at least a little,
Ian
Great suggestions by @icrew. I'd also say that if you don't already, your users should be signing an ethics/responsible use policy before they're giving access to your data.