SaaS Security Administrator's Guide
    : Google Drive Labeling
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. Data Security
    5. Secure Sanctioned SaaS Apps on Data Security
    6. Google Drive Labeling
    Download PDF

    SaaS Security Administrator's Guide

    Google Drive Labeling

    Table of Contents

    Google Drive Labeling

    Learn how to configure Google Drive labels in Data Security.
    Palo Alto Networks' use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. For more information on how information may be captured, processed, and stored by and within the service, refer to the SaaS Security Privacy document. Data Security does not share your data with third-party tools, such as AI applications.
    Where Can I Use This?What Do I Need?
    • Data Security from Strata Cloud Manager
    		One of the following:
    • CASB-PA license
    • CASB-X license
    • Data Security license
    Data Security supports Google Drive Labeling for Google Drive connectors. As an administrator, you can define rules and apply Data Security settings to badged fields within labels on Google Drive files. This helps classify and protect sensitive information effectively.

    Configure Labeling for Google Drive

    Prerequisite: Create and Publish Drive Labels
    Data Security needs permissions to fetch the labels available in the Google Drive instance and their priorities. To grant permissions, perform the following steps.
    1. To configure labeling, select SaaS SecuritySettingsData Label Settings.
      The Google Drive instances which support data labeling are listed.
    2. If you have not fetched data labels for an existing onboarded Google Drive connector, choose your Google Drive connector instance and Authorize to fetch their labels.
    3. Ignore the following warning message and click Go to paloaltonetworks.com (unsafe).
      Ensure that the email address mentioned in the warning message is dl-datasecurity@paloaltonetworks.com.
    4. Select all and Continue.
      After authorization, labels with badged fields are fetched for the Google Drive connector immediately. Labels are refreshed every 24 hours.
    5. To fetch labels at any point in time, click Sync Data Labels Now.

    Apply Labeling with Data Asset Policies

    Perform the following steps to apply labeling with Data Asset Policies.
    1. Select Data SecurityPoliciesAdd Policy.
    2. Enter Basic Information.
    3. Choose the Match Criteria (including Label) as needed.
    4. Choose the Auto Remediation action.
    5. Enable Apply Data Label under the Other Actions section.
    6. Choose the Google Drive connector instance and the required label from the drop-down list.
      When you configure a policy, you cannot choose to quarantine and label at the same time.

    How Policy Driven Labeling Applies Labels

    After data asset policies are configured to apply labels, Data Security regularly scans files (folders cannot be labeled) and attempts to apply the label. A label is only applied if both the following criterion are met:
    1. The number of labels on the file should be less than the maximum number of manual labels permitted by Google (typically 5).
    2. If the file is already set to a different value from the same Badged label, then the value will be applied only if it is a higher priority label.
    For example, a label named Confidentiality has the following values (from highest priority to lowest):
    • Top Secret
    • Confidential
    • Internal
    • Public
    For a file with the Confidentiality label set to a value of Confidential, a policy that tries to apply Internal will notice that this is a priority downgrade, and so, will not change the value so as to keep the data secure. However, a policy that tries to apply Top Secret will be successful since the change is to a higher priority value. Additionally, a policy that tries to set a different label altogether (for example, Department) will not have any priority conflicts and so, will be applied successfully as long as the maximum labels limit has not been reached.

    View and Override Labels

    1. To view the assets labeled by their respective policies, select Data SecurityData AssetsLabeled by Policy. Use the various filters available at the top of the table to filter your results. As an example, the following screen shot shows a specific asset in a specific instance of Google Drive.
    2. To override an existing label, select the asset and override with a different label.
      • If you override the labels manually for an asset, those assets will not be labeled by Data Asset Policies in the future.
      • Select the Prevent Downgrade option to prevent users from downgrading the asset to a lower priority labeling.

    Quotas for Labeling

    Licenses
    Recent Files (< 24 Hours)
    Older Files (> 24 hours)
    All customers
    25000 labels per day
    5000 labels per day
    Important Things to Remember
    • Labels are available only for Google Drive connectors which have been onboarded.
    • Manual overriding of labeling is limited to 500 per day.
    • Files less than 24 hours old (file content change or label change) are prioritized and allocated to the Recent Files quota while files older than 24 hours are allocated to the Older Files quota.
    • If the number of files to be labeled are more than your daily quota, those extra files are added to the backlog. However, these extra files are allocated to the Older Files category.

    © 2024 Palo Alto Networks, Inc. All rights reserved.