Cloud DLP release notes

The COUNTRY_DEMOGRAPHIC infoType detector, which identifies when countries are used for place of birth, residency, or citizenship, is available in all regions. For more information about all built-in infoTypes, see InfoType detector reference.

The discovery service can now generate the following observation finding types in Security Command Center:

• Data sensitivity
• Data risk

These findings provide the calculated sensitivity and data risk levels of the BigQuery tables that you profile. Use this information to inform your response plans when you investigate vulnerabilities and threats involving BigQuery tables.

For more information, see Publish data profiles to Security Command Center.

The MARITAL_STATUS infoType detector is available in all regions. For more information about all built-in infoTypes, see InfoType detector reference.

You can assign a sensitivity level to a built-in or custom infoType. Cloud DLP uses the sensitivity levels of individual infoTypes to calculate the sensitivity levels of tables that you profile. For more information, see Manage infoTypes through the Google Cloud console.

To help you understand and test the discovery service, Cloud DLP has made it easier for you to test profiling on a single table. You can profile up to 25 tables at no additional charge, one at a time. Only tables that are less than or equal to 1 TB in size can be profiled for free. For more information, see Profile a table in test mode.

Data profiles generated at the column level include the following metrics:

• Estimated null proportion: an approximate proportion of null values in a column, categorized as high, medium, low, or very low.
• Estimated uniqueness: an estimate of how much of the data in a column is unique, categorized as high, medium, or low.

For more information on these metrics, see the Metrics reference.

The VAT_NUMBER infoType detector can identify Belgium VAT numbers.

For more information about VAT_NUMBER and other built-in infoType detectors, see InfoType detector reference.

To better understand the size and shape of your BigQuery data that's in scope for data profiling, you can run an estimation. Each estimate provides the approximate table count, data size, and profiling cost. For more information on running an estimation, see the following:

• Estimate data profiling cost for an organization or folder
• Estimate data profiling cost for a single project

For more information on data profiling, see Data profiles for BigQuery data.

The SSL_CERTIFICATE infoType detector is available in all regions.

The PORTUGAL_NIB_NUMBER infoType detector is available in all regions. For more information about all built-in infoTypes, see infoType detector reference.

The US_MEDICARE_BENEFICIARY_ID_NUMBER and MEDICAL_RECORD_NUMBER infoType detectors are available in all regions.

The NEW_ZEALAND_IRD_NUMBER infoType detector is available in all regions.

The VAT_NUMBER infoType detector is available in all regions. Currently, this detector identifies VAT numbers from France, Germany, Hungary, Indonesia, Italy, and the Netherlands.

For more information about all built-in infoTypes, see InfoType detector reference.

The ExcludeByHotword type was added as a type of ExclusionRule. With this new type, you can do the following:

• Exclude a column from inspect findings if the column name matches a regular expression.
• Exclude a finding from inspect findings if that finding is proximate to a string that matches a regular expression.

Previously, you could do these only by setting up a hotword rule that lowers the likelihood of the matching findings.

For more information on excluding findings, see Exclusion rules.

The OAUTH_CLIENT_SECRET infoType detector is available in all regions.

For new data profiles, infoTypes other than the predicted infoType will include the approximate percentage of non-null rows in which the infoType was detected.

Cloud DLP can profile BigLake tables. For more information on using Cloud DLP to profile your data, see Data profiles for BigQuery data.

Cloud DLP can de-identify sensitive data stored in Cloud Storage. This feature is in generally available. For more information, see De-identification of sensitive data in storage.

InfoType categories were added to built-in infoTypes.

To get a list of built-in infoTypes, call the infoTypes.list method.

The data profiler for BigQuery is generally available (GA). The data profiler is a fully-managed service that continuously scans data across your entire organization to give you general awareness of what data you have, and specific visibility into where sensitive data is stored and processed. For more information, see Data profiles for BigQuery data.

The dictionary replacement PrimitiveTransformation is generally available. The replacement dictionary replaces each detected sensitive value with a random value selected from a provided word list.

The data profiler for BigQuery is available in Preview. For more information, see Data profiles for BigQuery data.

Hybrid Jobs are now available for inspecting external data sources.

Added whole document classification support with the following infoType detectors:

• DOCUMENT_TYPE/FINANCE/REGULATORY
• DOCUMENT_TYPE/FINANCE/SEC_FILING
• DOCUMENT_TYPE/HR/RESUME
• DOCUMENT_TYPE/LEGAL/BLANK_FORM
• DOCUMENT_TYPE/LEGAL/BRIEF
• DOCUMENT_TYPE/LEGAL/COURT_ORDER
• DOCUMENT_TYPE/LEGAL/LAW
• DOCUMENT_TYPE/LEGAL/PLEADING
• DOCUMENT_TYPE/R&D/PATENT
• DOCUMENT_TYPE/R&D/SOURCE_CODE
• DOCUMENT_TYPE/R&D/SYSTEM_LOG
• DOCUMENT_TYPE/R&D/DATABASE_BACKUP

Risk analysis job creation is now available in the Cloud DLP UI in Cloud Console.

Added additional infoType detectors:

• STORAGE_SIGNED_URL
• STORAGE_SIGNED_POLICY_DOCUMENT

Added support for location-based processing. Learn more:

• Cloud DLP locations
• Specifying processing locations

Added infoType detector:

• VEHICLE_IDENTIFICATION_NUMBER

Added additional infoType detectors:

• IRELAND_DRIVING_LICENSE_NUMBER
• IRELAND_EIRCODE

Added infoType detectors:

AWS_CREDENTIALS

Added additional infoType detector:

• JSON_WEB_TOKEN

Added support for PDF and WORD FileTypes and PDF and WORD_DOCUMENT BytesTypes.

Added additional infoType detectors:

• IRELAND_PPSN
• IRELAND_PASSPORT

Added additional infoType detectors:

• AZURE_AUTH_TOKEN
• GCP_API_KEY

Added support for streaming data from external sources for inspection using hybrid jobs and job triggers. Hybrid jobs and job triggers in Cloud DLP enable you to stream data from virtually any source, whether on- or off-cloud, inspect it using Cloud DLP, and then save the results of the inspection scan as part of a job resource within Cloud DLP or to BigQuery.

Regex, WordList, and small Dictionary objects can now be loaded from metadata stored in Cloud Spanner using CustomInfoType.Regex or CustomInfoType.Dictionary. Doing this can be useful when sharing regexes or dictionaries for custom infoType inspection across multiple requests.

Added additional infoType detectors:

• GENERIC_ID

Added additional infoType detectors:

• AUSTRALIA_DRIVERS_LICENSE_NUMBER
• FRANCE_TAX_IDENTIFICATION_NUMBER

Added additional infoType detectors:

• AUTH_TOKEN
• BASIC_AUTH_HEADER
• ENCRYPTION_KEY
• HTTP_COOKIE
• PASSWORD
• WEAK_PASSWORD_HASH
• XSRF_TOKEN

The summary of a DlpJob findings can be published to Stackdriver using the new action PublishToStackdriver. Metrics on bytes inspected and transformed are automatically published for monitoring usage. For more information, see Monitoring with Stackdriver.

Added additional infoType detectors:

• ADVERTISING_ID
• ORGANIZATION_NAME
• SPAIN_DNI_NUMBER

Added additional infoType detector:

• SCOTLAND_COMMUNITY_HEALTH_NUMBER

The Cloud DLP user interface (UI) is now generally available (GA) in the Google Cloud Platform Console.

Added additional infoType detector:

• MEDICAL_TERM

Added additional infoType detector:

• SPAIN_SOCIAL_SECURITY_NUMBER

Added additional infoType detectors:

• GERMANY_SCHUFA_ID
• CREDIT_CARD_TRACK_NUMBER
• ITALY_FISCAL_CODE

Added additional infoType detector:

• STREET_ADDRESS

Support for structured scanning of Avro files, surfacing findings as rows and columns rather than byte offsets. Existing jobs will begin scanning Avro files as structured.

Added support for CustomInfoTypes and DetectionRules to the Cloud DLP Beta UI in the Google Cloud Platform Console.

Added additional infoType detectors:

• GERMANY_DRIVERS_LICENSE_NUMBER
• GERMANY_IDENTITY_CARD_NUMBER
• HONG_KONG_ID_NUMBER
• INDIA_AADHAAR_INDIVIDUAL
• INDIA_GST_INDIVIDUAL
• THAILAND_NATIONAL_ID_NUMBER

Added additional infoType detectors:

• INDONESIA_NIK_NUMBER
• AUSTRALIA_PASSPORT
• BELGIUM_NATIONAL_ID_CARD_NUMBER
• GERMANY_TAXPAYER_IDENTIFICATION_NUMBER
• PASSPORT
• SINGAPORE_NATIONAL_REGISTRATION_ID_NUMBER
• SINGAPORE_PASSPORT
• TAIWAN_PASSPORT
• TURKEY_ID_NUMBER

Added new crypto-based tokenization method: CryptoDeterministicConfig. For more information, see Transformations Reference.

Added new Cloud DLP Beta UI in the Google Cloud Platform Console.

Added an additional infoType detector:

• NORWAY_NI_NUMBER

Added support to Cloud Storage FileSet for using regular expression filters to specify which files to include or exclude from the scan. This is useful for cases where the set of files to scan cannot be concisely expressed with a path and wildcards, such as:

• Scan all files, but skip some specific files or folders that you are confident have no sensitive data.
• Scan only files whose endings are in some known set of file extensions - for example, only .txt, .csv, and .json files.
• Scan only files whose endings aren't in some known set of extensions - for example, skip .pdf files.

Added support for augmenting existing infoType detectors using exclusion rules and hotword rules.

Added an additional infoType detector:

• DENMARK_CPR_NUMBER

Added additional infoType detectors:

• CANADA_DRIVERS_LICENSE_NUMBER
• DATE
• DATE_OF_BIRTH
• FEMALE_NAME
• FINLAND_NATIONAL_ID_NUMBER
• GCP_CREDENTIALS
• GENDER
• JAPAN_BANK_ACCOUNT
• JAPAN_DRIVERS_LICENSE_NUMBER
• MALE_NAME
• NETHERLANDS_PASSPORT
• SPAIN_DRIVERS_LICENSE_NUMBER
• SWEDEN_NATIONAL_ID_NUMBER
• SWEDEN_PASSPORT
• TIME
• US_STATE

Added support for large custom dictionaries. Cloud DLP can now scan for dictionaries containing up to tens of millions of entries.

Added support to CloudStorageOptions for limiting the number of bytes to scan per file by percentage.

Added support to BigQueryOptions for limiting the number of rows to scan per file by percentage.

Added support for delta-presence estimation, a risk metric used when membership in the dataset is itself a piece of sensitive information.

Added sample_method flag to BigQueryOptions and CloudStorageOptions for limiting scans to a sample of content. This is useful to more efficiently scan large datasets where the intent is to only determine whether sensitive data may be located there and the exhaustive list of findings is not necessary.

Added row_limit flag to BigQueryOptions to allow for sampling tables instead of scanning all rows.

Dictionaries can now be loaded from files stored in Cloud Storage that consist of newline-delimited lists of phrases using the cloud_storage_path parameter in CustomInfoType.Dictionary. Useful when sharing dictionaries for custom inspection across multiple requests.

For customers using Cloud Security Command Center, the summary of a DlpJob can be published to Cloud SCC using the new action PublishSummaryToCscc.

Cloud Data Loss Prevention (DLP) General Availability (GA) Release

Launched the new V2 version of the API.

Newly added JobTriggers allow for scheduling regular scans of storage. Combined with the new TimespanConfig, scans can be limited to only re-scanning new or modified content in BigQuery and Cloud Storage.

Added support for regular expression-based custom detectors.

Added support for choosing a default likelihood for CustomInfoType detectors and for adjusting likelihood using a new DetectionRule, which looks for related content within the vicinity of a finding.

Job completion notifications for both risk analysis and inspection can now be sent to Cloud Pub/Sub.

Launched the new v2beta2 version of the API, which includes a number of new and improved features, including templates for persisting de-identification and inspect configurations, a simplified job API for inspecting storage and risk analysis, and more.

Tips for migrating:

• Content API methods now take a single ContentItem.
• InspectConfig now has a default likelihood, so when left unset findings below POSSIBLE will be excluded automatically.
• Findings from inspect storage are now always stored in your own BigQuery instance, giving you more control of where your sensitive data is stored.
• content.redact, was deprecated in favor of using content.deidentify, for redacting text, and image.redact, for redacting images.
• InspectConfig now requires at least one InfoType or CustomInfoType.
• Long running operations were replaced by DlpJob objects for risk analysis and storage inspection. inspect.operations.create was renamed to dataSource.inspect.

Added a new risk analysis metric, k-map estimation, to dataSource.analyze.

Launched support for searching for words or phrases from a custom dictionary provided by the user with the addition of CustomInfoType to InspectConfig. This feature is enabled in content.inspect, content.redact, content.deidentify, and inspect.operations.create.

Launched support to de-identify content with the addition of content.deidentify.

Launched support to conduct risk analysis on BigQuery with the addition of dataSource.analyze.

Added support to limit the number of findings per InfoType with the addition of InfoTypeLimit in InspectConfig.

Added support to limit the number of findings per file, Cloud Datastore entity, or database row with the addition of OperationConfig to inspect.operations.create.

Added support for scanning and redacting structured data in both content.redact and content.inspect by providing a Table in ContentItem.

BigQuery can now be scanned using inspect.operations.create.

Results can now be stored to BigQuery when scanning BigQuery, Cloud Datastore, and Cloud Storage using inspect.operations.create.

Added support for auto-redacting all text from images. You can now also choose custom colors when using content.redact to fill the bounding boxes during image redaction.

Launched support to filter findings by infoType and likelihood when using inspect.results.list.

You can now store results from scanning Cloud Datastore or Cloud Storage using inspect.operations.create. Results are stored in Cloud Storage.

Added support for auto-redacting findings in images. You can now use content.redact to fill the bounding box of a finding with a solid color.

Launch of Cloud DLP API to Beta. Cloud DLP API enables developers and data owners to better understand and manage sensitive data by providing a fast, scalable classification for sensitive elements. Scan small text streams and images or larger datasets in Cloud Storage and Cloud Datastore. The Cloud DLP API is currently available as a REST API.