15 Jan 2020 by Becci Velzian
This fourth instalment in our blog series explores Data Loss Prevention in the new Office 365 Security and Compliance Center. (The full series covers First Impressions, Reports, Permissions, Data Loss Prevention, Data Management and Service Assurance, Search and Investigation, and Alerts.)
Data loss can occur due to a number of events: breaches, leaks, malware, hacking – the list goes on. But, surprisingly (and more often than not) user error is a much greater risk to an organisation’s data. While software and security solutions can be used to protect against the former, the latter is much harder to tackle – how can you stop someone in the organisation from making a mistake? To err is human after all.
In the new Security and Compliance Center, there is a section that deals with data loss prevention (DLP) policies. This feature enables you to set DLP policies in order to protect sensitive data and ensure that it is not accidentally or inadvertently exposed. Many organisations have very stringent policies on sensitive information such as financial data and personally identifiable information (PII), so DLP policies can be used to remain compliant.
As you can see below, all policies can be set using the Security and Compliance Center apart from any email policies, which must be configured through the Exchange Admin Center. For more information on this, see Data loss prevention in Exchange Online.
According to Microsoft’s Support pages, with a DLP policy you can:
If you want to begin using Data Loss Prevention Policies, here’s what you’ll need to know before you get started.
What does a DLP policy contain?
The condition options available are shown in the screenshot below.
A policy example:
Location: An organisation’s ‘Sales’ sites, folders, documents and libraries in both SharePoint Online and OneDrive for Business.
Conditions: The content must match the organisation’s financial information. This includes at least one of the following: account number, sort code, account name. There must be an attempt to share these details externally in order to meet these conditions.
Actions: If the conditions are met, the individual will be blocked from completing this action. They will need to contact their organisation’s Compliance Officer in order to justify their action; depending on the Compliance Officer’s judgement, they may then be permitted to continue.
While it is possible to block the action outright, a less drastic and less obstructive option is to enable notifications called ‘Policy Tips’. These pop up in a window within the interface and warn the user of the breach of policy. The Policy Tip offers an option to reconsider, to ‘override’ the notification, or to ‘report’ it as a false positive if the user does not believe that the item in question conflicts with the policy. This allows any extenuating circumstances, or errors in the DLP policy, to be individually considered by the policy-maker.
A false positive is when content appears to match a policy but does not actually contain sensitive data, and therefore should not be flagged by the conditions. It is possible to report on these to monitor the effectiveness of your DLP policy, and make any necessary amendments to avoid false positives. For more information on reports in the Security and Compliance Center, take a look at our previous blog.
The Data Loss Prevention section has a number of policy templates for common concerns. These are broken down into three areas (Financial, Medical and Privacy), and there is also a custom template for other needs.
As you can see above, the templates already define what they treat as sensitive information (Credit Card Number, EU Debit Card Number and SWIFT Code). The existing templates can be customised to your organisation’s needs, so if you need to add UK passport number to the ‘protect this information’ section, or want to remove SWIFT Code, you can do this very easily. You can also make larger amendments, for example changing a template completely to reflect another country altogether.
Microsoft explains the identification process as such:
When a DLP policy looks for a sensitive information type such as a credit card number, it does not simply look for a 16-digit number. Each sensitive information type is defined and detected by using a combination of:
This helps DLP detection achieve a high degree of accuracy while reducing the number of false positives that can interrupt peoples’ work.
If you want to test out DLP policies in your organisation, the best way to explore the functionality (without confusing or restricting your users in its initial stages) is by using it in test mode. This means that there will be no Policy Tips to notify end users, but you can collect the data and use the reports to assess your policy and its needs. As you refine the policy, you can then enable the Policy Tips for your users. This will also allow them to report any false positives or problems that they encounter.
If you have any issues, you can turn off a DLP policy at any time. You can also turn off certain rules individually to further refine your approach.