Data Loss Prevention API


Today’s working environment increasingly embraces a remote workforce, which adds security challenges. For example, sensitive company data has to move between the company’s premises and on-site employees. Employees use personal devices (BYOD) to navigate company websites, adherence to home office security measures is not universal, and VPNs fail to prevent internal threats. As a result, data security is vital to companies that handle clients’ private information, since a breach can permanently damage their reputation and credibility. Mishandling clients’ personal information also exposes these companies to legal action.

Google Cloud addresses these security challenges with its Data Loss Prevention (DLP) API. This service is primarily used to secure clients’ private information in the company’s cloud. Furthermore, various tools are incorporated to ensure that no sensitive data will be accessed, even during a security breach. The data is thus protected while still being used for daily business operations such as customer support or billing.

Identification and Classification of Sensitive Data

Google Cloud DLP contains 120 predetermined InfoType and Optical Character Recognition (OCR) detectors for both text and images, along with a likelihood score. These detectors let you search through raw data and identify sensitive information that needs to be protected within an organization. Personally identifiable information (PII), such as phone or credit card numbers, can be detected in this way and then concealed using different de-identification protocols. You can also define your own InfoTypes and likelihood thresholds beyond the predetermined ones.

This gives you total control over which types of data are considered sensitive and need to be protected, removing the possibility of your remote employees misusing your customers’ private information.

De-identification of Sensitive Data

Cloud DLP enables you to de-identify personally identifiable information (PII), which essentially means hiding part or all of the information that can be attached to a specific customer. It works on the basic principle of hiding this data or transforming it into characters that are useless to potential security threats. DLP provides multiple de-identification methods to mask, redact, or replace sensitive data, and you can choose among them depending on the type of data. In addition, you will be able to make this information unavailable to the parts of your organization that do not require it.

Selecting a de-identification method will depend on the type of data you want to de-identify. For example, if there are important dates that need to be de-identified, Cloud DLP will propose Date Shifting. For images containing PII, Cloud DLP will use Optical Character Recognition detectors to identify this information and redact it. Some personal customer data is required to run the company’s activities, such as billing. Here, you must use a de-identification method that is reversible. Crypto-based tokenization assigns cryptographically generated encryption keys to sensitive data. Decryption privileges can be assigned to the billing department for re-identification when processing client payments. Masking replaces the sensitive values in client data with symbols (such as * or #), while replacement substitutes the value with the name of its data type. For example, “[PHONE_NUMBER]” replaces an actual phone number.
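The difference between the irreversible methods (masking, replacement) and reversible tokenization can be seen in a small local sketch. This is an added example, not Cloud DLP code and not a call to its API: the regex detectors, the `[TYPE:token]` format and the HMAC-based synthetic-IV construction are assumptions chosen so that it runs with the Python standard library only.

```python
import hashlib
import hmac
import re

# Simplified regex stand-ins for two InfoType detectors (assumption for this example).
DETECTORS = re.compile(
    r"(?P<CREDIT_CARD_NUMBER>\b(?:\d{4}-){3}\d{4}\b)|(?P<PHONE_NUMBER>\b\d{3}-\d{3}-\d{4}\b)"
)
TOKEN = re.compile(r"\[(?:CREDIT_CARD_NUMBER|PHONE_NUMBER):([0-9a-f]+)\]")

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream (stdlib stand-in for a block cipher).
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, iv + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def tokenize(key: bytes, value: str) -> str:
    # Synthetic IV = MAC of the plaintext: the same input always gives the same
    # token, and the IV doubles as an integrity check when detokenizing.
    data = value.encode()
    iv = _prf(_prf(key, b"mac"), data)[:16]
    return (iv + _xor_stream(_prf(key, b"enc"), iv, data)).hex()

def detokenize(key: bytes, token: str) -> str:
    raw = bytes.fromhex(token)
    iv, data = raw[:16], _xor_stream(_prf(key, b"enc"), raw[:16], raw[16:])
    if not hmac.compare_digest(iv, _prf(_prf(key, b"mac"), data)[:16]):
        raise ValueError("token does not verify under this key")
    return data.decode()

def deidentify(text: str, method: str, key=None) -> str:
    def transform(m: re.Match) -> str:
        if method == "mask":        # irreversible, keeps the shape of the value
            return re.sub(r"\d", "#", m.group())
        if method == "replace":     # irreversible, keeps only the data type
            return f"[{m.lastgroup}]"
        if method == "tokenize":    # reversible, but only for holders of the key
            return f"[{m.lastgroup}:{tokenize(key, m.group())}]"
        raise ValueError(f"unknown method: {method}")
    return DETECTORS.sub(transform, text)

def reidentify(text: str, key: bytes) -> str:
    return TOKEN.sub(lambda m: detokenize(key, m.group(1)), text)

# Constructed sample record, not real customer data.
RECORD = "Call 555-010-4477 about card 4111-1111-1111-1111."
```

Only a caller holding the key (the billing department in the scenario above) can pass the tokenized text to `reidentify` and recover the original; masked and replaced output cannot be reversed by anyone.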

You can also generalize sensitive information using bucketing, for example, by replacing actual employee names with the word ‘employee’ when generating periodic reports.

Generally, Cloud DLP enables companies to protect sensitive client data from the risks that may accrue from a mobile workforce. CEOs do not have to worry about sensitizing this workforce to apply security protocols, as DLP will hide sensitive data.
