Organizations using Google Workspace often utilize "Google Drive Labels" to categorize and classify sensitive data. Administrators may need to trigger Data Loss Prevention (DLP) incidents or enforce access controls based on these labels. Currently, Symantec CloudSOC and DLP support Google Drive Labels as a policy condition, allowing for granular detection based on file classification metadata.

• Symantec CloudSOC (CASB)
• Symantec Data Loss Prevention (DLP)
• Symantec DLP Enforce (On-Premise)
• Google Workspace (G Suite)

Standard DLP policies typically inspect file content or basic metadata (owner, size, file type). To leverage Google-specific classification systems like Labels, the policy engine must be instructed to look at specific contextual attributes passed via the API or Gateway metadata.

To detect files based on Google Drive Labels, you must configure a Contextual Attribute condition within your policy. This configuration is applicable to both CloudSOC native policies and DLP Enforce (On-Prem) policies integrated with CloudSOC.

Implementation via Deployment Type

For DLP Cloud (CloudSOC Protect)

1. Log in to CloudSOC and go to Protect > Policies.
2. Create a new DLP or Data at Rest policy.
3. Under Conditions, select Custom Profile.
4. Use the file.labels string as defined above. Reference the official documentation for creating custom profiles: CloudSOC Custom Profiles.

For DLP Enforce (On-Premise)

1. Log in to the DLP Enforce Console.
2. Navigate to Manage > Policies > Policy List and create/edit a policy.
3. Add a Compound Condition.
4. Select Content Matches Contextual Attribute.
5. Enter file.labels as the attribute name and provide the corresponding label value.

• Scope: This attribute tracks the label assigned within the Google Workspace environment. Ensure that the Google Drive Securlet is fully authorized and synchronized to ensure metadata visibility.
• Future Roadmap: If your workflow requires the CASB to assign a label automatically upon discovery of sensitive data, please submit a Feature Request via the Broadcom Support Portal. At the time of writing, applying or modifying Google Drive Labels as a response action is not supported.