Microsoft’s DLP is probably one of those products that many people have heard about. Some might even know it can solve their organization’s issues, but do not know where to start. Hopefully, the following can assist in getting DLP going in your organization. The focus will be on the Office 365 DLP and not the on-premises implementations.
This article is accurate as of the date published. However, things move quickly in this space; features, availability, and coverage will change.
What is Microsoft’s DLP?
Microsoft states the following:
“Data loss prevention (DLP) helps you protect sensitive information and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your organization include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy, you can identify, monitor, and automatically protect sensitive information across Office 365.”
DLP is an essential tool in today’s digital world. Users have multiple devices and want to have connectivity at all times. Implementing DLP will increase visibility into the organization’s information, its files, the flow of that information, and the methods users employ when sharing it.
The takeaway from Microsoft’s description of what DLP is should be the last sentence: “identify, monitor, and automatically protect sensitive information across Office 365.” DLP is part of the E3 and E5 license suites, which most enterprises either already have or are planning to utilize.
What Office 365 workloads are protected by DLP?
At the time of writing, it covers the following:
*One thing to point out is that Exchange Hybrid does not apply DLP to emails sent from on-premises user to on-premises user because the emails never leave the on-premises Exchange environment.
How about the Office suite? Currently, DLP is available for the following Office 365 workloads:
- Excel 2016
- PowerPoint 2016
- Word 2016
Now, don’t be discouraged if DLP doesn’t stretch across your entire application portfolio. If your users take advantage of OneDrive for Business and/or SharePoint Online as the primary means to store and share files, you are, as they say, “golden.”
Let’s think about another use case. Many users email files as attachments, routinely. Good thing DLP protects Exchange Online!
Well, how do I get started?
Getting started with DLP is simple. You can start by establishing a DLP policy. Microsoft provides policy templates that include HIPAA, U.S. PII, PCI-DSS, etc. Want to add a condition to a template policy? No problem: you can use labels as a condition in a policy.
How can I accomplish any of this without affecting users?
Microsoft has thought of this and provides a way to test without flooding the help desk with calls. It’s aptly called test mode. Test mode is enabled by activating a simple option at the end of policy creation, “I’d like to test it out first.” This option also lets you move from idea to research phase to proof of concept quickly.
What about Notifications?
DLP provides several communication options and various combinations are possible.
- Policy Tips – quick, to-the-point, and effective reminders for users.
- Email notifications to the offending users.
- Incident reports are emailed to Global Admins.
DLP reports will provide insights and allow you to tier certain critical policies to trigger email notifications to Global Admins, the offending user, or both. In addition to notifications, content can also be blocked.
How do I handle management of DLP?
Microsoft understands that the IT department may not have (or want) ultimate responsibility for areas that touch sensitive HR or government regulations and have the potential to become legal matters. An organization’s security and compliance team may be the preferred administrators of DLP. The recommended approach is to create a security group and assign it the appropriate permissions. This allows members to create and apply DLP policies without needing access to the content being protected.
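The steps above (delegating DLP administration to a group, creating a policy in test mode, configuring policy tips and incident reports, then enforcing) can be done from Security & Compliance PowerShell as well as the portal. The following is an added example, not code from the article or from Microsoft; the group name, policy name, and report mailbox are constructed placeholders, and the template is approximated with the built-in “Credit Card Number” sensitive information type.

```powershell
# Added example: PCI-style DLP policy piloted in test mode via the
# ExchangeOnlineManagement module. All names below are constructed placeholders.
Connect-IPPSSession   # prompts for an account with a compliance admin role

# 1. Delegate DLP administration to a dedicated mail-enabled security group
#    ("DLP-Admins" is assumed). Compliance Administrator can manage policies
#    without being granted access to the content those policies protect.
Add-RoleGroupMember -Identity "Compliance Administrator" -Member "DLP-Admins"

# 2. Create the policy across Exchange Online, SharePoint Online and OneDrive
#    for Business. TestWithNotifications = test mode with policy tips shown;
#    nothing is blocked until the mode is changed to Enable.
New-DlpCompliancePolicy -Name "PCI-CardData-Pilot" `
    -Comment "Pilot: detect credit card numbers before enforcement" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# 3. Add the rule: match the built-in sensitive information type, show a
#    policy tip and email the user who last modified the item, send an
#    incident report to the compliance mailbox, and (once enforced) block access.
New-DlpComplianceRule -Name "PCI-CardData-Pilot-Rule" -Policy "PCI-CardData-Pilot" `
    -ContentContainsSensitiveInformation @(@{Name="Credit Card Number"; minCount="1"}) `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "This item contains payment card data; sharing is restricted." `
    -GenerateIncidentReport "dlp-reports@example.com" `
    -IncidentReportContent Title,DocumentAuthor,Detections,Severity `
    -BlockAccess $true

# 4. Confirm the policy is still in test mode while the DLP reports are reviewed.
Get-DlpCompliancePolicy -Identity "PCI-CardData-Pilot" | Format-List Name, Mode

# 5. After the pilot reports have been reviewed and signed off, enforce the policy.
Set-DlpCompliancePolicy -Identity "PCI-CardData-Pilot" -Mode Enable
```

Run steps 1 to 4 first and let the policy sit in test mode long enough to collect the reports described below; step 5 is what turns the policy tips and incident reports into actual blocking.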
How will I gain management buy-in on this endeavor?
One of the best ways to prove to your managers, CIO, CTO, etc. that the protection DLP provides brings a lot of value, and is worth investing the time and/or money in, is to provide the reports generated during test mode and invite them to a quick 30-minute demo. Base the demo on a hypothetical data-loss scenario. What demonstrates more value than proof? By doing this, you can show that if the policy you created had been enforced, X could have been prevented.
Additionally, being able to test without unintended consequences provides value by removing the fear of a bad reputation for the IT department during the rollout of a new project.