Exploring the Security and Compliance Center – Part 4: Data Loss Prevention
This fourth instalment in our blog series explores Data Loss Prevention in the new Office 365 Security and Compliance Center. (Read the full blog series: First Impressions, Reports, Permissions, Data Loss Prevention, Data Management and Service Assurance, Search and Investigation, and Alerts.)
No time to read the full series now? Download our white paper ‘Getting Started with the Security and Compliance Center’ which includes all the blogs on Office 365 Security and Compliance. Get your copy here
Data loss can occur due to a number of events: breaches, leaks, malware, hacking – the list goes on. But, surprisingly (and more often than not), user error is a much greater risk to an organisation’s data. While software and security solutions can be used to protect against the former, the latter is much harder to tackle: how can you stop someone in the organisation from making a mistake? To err is human, after all.
In the new Security and Compliance Center, there is a section that deals with data loss prevention (DLP) policies. This feature enables you to set DLP policies to protect sensitive data and ensure that it is not accidentally exposed. Many organisations have very stringent policies on sensitive information such as financial data and personally identifiable information (PII), so DLP policies can help them remain compliant.
As you can see below, all policies can be set using the Security and Compliance Center apart from any email policies, which must be configured through the Exchange Admin Center. For more information on this, see Data loss prevention in Exchange Online.
According to Microsoft’s Support pages, with a DLP policy you can:
- Identify sensitive information across many locations, such as SharePoint Online and OneDrive for Business
For example, you can identify any document containing a credit card number that’s stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.
- Prevent the accidental sharing of sensitive information.
Across all sites, you can identify any document containing a health record that’s shared with people outside your organization, and then automatically block access to that document for everyone except the primary site collection administrator, document owner, and the person who last modified the content.
- Monitor and protect sensitive information in the desktop versions of Excel 2016, PowerPoint 2016, and Word 2016.
Just like in SharePoint Online and OneDrive for Business, these Office 2016 desktop programs include the same capabilities to identify sensitive information and apply DLP policies.
- Help users learn how to stay compliant without interrupting their workflow.
You can educate your users about DLP policies and help them remain compliant without obstructing productivity.
- View DLP reports showing content that matches your organization’s DLP policies.
To assess how your organization is complying with a DLP policy, you can see how many matches each policy and rule has over time.
If you want to begin using Data Loss Prevention Policies, here’s what you’ll need to know before you get started.
What does a DLP policy contain?
- Location(s) – where the content lives, e.g. SharePoint Online or OneDrive for Business sites. You can select all sites or specific ones, and one policy can cover several locations.
- Rules, each comprising:
- Conditions: what the content must match for the rule to fire. Conditions can be based on the content itself (the sensitive information types it contains) and on who the document is shared with.
- Actions: what happens automatically when matching content is found. The policy-maker must define these, and it is important to ensure that the conditions cover all of the content that needs to be found, and that the automatic action is appropriate for every type of information and situation the conditions will match.
The condition options available are shown in the screenshot below.
A policy example:
Location: the organisation’s ‘Sales’ sites, folders, documents and libraries in both SharePoint Online and OneDrive for Business.
Conditions: the content must match the organisation’s financial information, i.e. contain at least one of the following: account number, sort code, account name. There must also be an attempt to share these details externally for the conditions to be met.
Actions: if the conditions are met, the user is blocked from completing the action. They will need to contact the organisation’s Compliance Officer to justify it, and depending on the officer’s judgement they may then be permitted to continue.
While it is possible to block the action outright, a less drastic and obstructive option is to enable notifications called ‘Policy Tips’. These pop up in a window within the interface and warn the user that they are about to breach a policy. The Policy Tip gives the user the chance to reconsider, to ‘override’ the notification (optionally after supplying a business justification), or to ‘report’ it as a false positive if they do not believe the item in question conflicts with the policy. This allows any extenuating circumstances, or errors in the DLP policy, to be considered individually by the policy-maker.
A false positive is when content appears to match a policy but does not actually contain sensitive data, and therefore should not be flagged by the conditions. It is possible to report on these to monitor the effectiveness of your DLP policy, and make any necessary amendments to avoid false positives. For more information on reports in the Security and Compliance Center, take a look at our previous blog.
The Data Loss Prevention section has a number of policy templates for common concerns, broken down into three areas (Financial, Medical and Privacy), plus a custom template for other needs.
As you can see above, the template already defines what it treats as sensitive information (Credit Card Number, EU Debit Card Number and SWIFT Code). The existing templates can be customised to your organisation’s needs, so if you need to add UK passport number to the ‘protect this information’ section, or want to remove SWIFT Code, you can do this very easily. You can also make larger amendments, for example changing the template completely to reflect another country altogether.
Microsoft explains the identification process as such:
When a DLP policy looks for a sensitive information type such as a credit card number, it does not simply look for a 16-digit number. Each sensitive information type is defined and detected by using a combination of:
- Internal functions to validate checksums or composition
- Evaluation of regular expressions to find pattern matches
- Other content examination
This helps DLP detection achieve a high degree of accuracy while reducing the number of false positives that can interrupt people’s work.
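To make the layered approach concrete, here is a small PowerShell detector added for this post. It is not Microsoft’s code and not the implementation behind the ‘Credit Card Number’ type; it simply mirrors the three layers described above: a regular expression finds candidate 13–16 digit sequences, a Luhn checksum (the check used for payment card numbers) validates them, and a keyword search in the surrounding text stands in for the ‘other content examination’. The keyword list, the 40-character window and the Low/Medium/High confidence labels are assumptions for illustration, and the sample text is constructed.

```powershell
# Added example (not from the original post or from Microsoft). Demonstrates why a
# DLP sensitive information type is more than "any 16-digit number":
#   1. regex       -> candidate pattern
#   2. checksum    -> Luhn validation of the candidate
#   3. keywords    -> supporting evidence in the surrounding text
# Keyword list, window size and confidence labels are assumptions.

function Test-LuhnChecksum {
    param([Parameter(Mandatory)][string]$Digits)
    # Luhn (mod 10): from the right, double every second digit, subtract 9 if the
    # result exceeds 9, sum everything; valid when the sum is divisible by 10.
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]      # [string] cast so '4' -> 4, not 52
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CreditCardNumber {
    param(
        [Parameter(Mandatory)][string]$Text,
        # Assumed keyword list; the real sensitive information type uses a far larger one.
        [string[]]$Keywords = @('card', 'visa', 'mastercard', 'amex', 'expiry', 'cvv')
    )
    # 13-16 digits, optionally separated by spaces or hyphens, not embedded in a
    # longer digit run (lookbehind/lookahead stop partial matches).
    $pattern = '(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])'
    $results = @()
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        if ($digits.Length -lt 13 -or $digits.Length -gt 16) { continue }
        $luhn = Test-LuhnChecksum -Digits $digits

        # "Other content examination": a supporting keyword within 40 characters
        # on either side of the candidate (window size is an assumption).
        $start  = [Math]::Max(0, $m.Index - 40)
        $end    = [Math]::Min($Text.Length, $m.Index + $m.Length + 40)
        $window = $Text.Substring($start, $end - $start).ToLowerInvariant()
        $hasKeyword = @($Keywords | Where-Object { $window.Contains($_) }).Count -gt 0

        # Pattern alone is Low, pattern + checksum Medium, all three layers High.
        $confidence = if ($luhn -and $hasKeyword) { 'High' } elseif ($luhn) { 'Medium' } else { 'Low' }
        $results += [pscustomobject]@{
            Match       = $m.Value
            LuhnValid   = $luhn
            KeywordNear = $hasKeyword
            Confidence  = $confidence
        }
    }
    return $results
}

# Constructed sample: a 16-digit order ID that fails Luhn (Low), a valid test card
# number with no supporting context (Medium), and a valid number with context (High).
$sample = @"
Your order ID is 1234567890123456 and will ship tomorrow.
Internal reference: 5500000000000004 (see attached spreadsheet, figures pending).
Please charge my Visa card 4111 1111 1111 1111, expiry 12/27.
"@

Find-CreditCardNumber -Text $sample | Format-Table -AutoSize
```

Run it in any PowerShell session; the table shows the order ID rejected by the checksum, the bare test number accepted only at Medium confidence, and the number with card keywords nearby at High. The same structure is why a DLP rule can set a confidence threshold rather than flagging every long number.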
If you want to try out DLP policies in your organisation, the best way to explore the functionality (without confusing or restricting your users in the initial stages) is to run the policy in test mode. In test mode nothing is blocked and, by default, no Policy Tips are shown to end users, but matches are still recorded so you can use the reports to assess the policy and refine it. Test mode can also be run with Policy Tips switched on, which is a useful intermediate step: users start seeing the tips and can report false positives or other problems they encounter, while nothing is yet enforced. Once the policy is refined you can enable it fully.
If you have any issues, you can turn off a DLP policy at any time, and you can also turn off individual rules to further refine your approach.
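The Sales policy described above, together with Policy Tips, the test-mode rollout and the option to disable a rule or policy, can also be built from Security & Compliance Center PowerShell rather than the wizard. The script below is an added example and is not from the original post: the tenant name, site URLs and compliance officer address are placeholders, and the connection step assumes the current ExchangeOnlineManagement module (when this post was written the same cmdlets were reached through a remote PowerShell session to the compliance endpoint instead).

```powershell
# Added example (not from the original post). Tenant name, URLs and addresses are
# placeholders. Requires the ExchangeOnlineManagement module for Connect-IPPSSession.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'Sales financial data'
$ruleName   = 'Block external sharing of financial data'

# 1. Create the policy scoped to the Sales locations, in test mode without
#    notifications: matches are logged for the reports, nothing is blocked and
#    no Policy Tips are shown yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Prevent external sharing of financial data from Sales sites' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/Sales' `
    -OneDriveLocation 'https://contoso-my.sharepoint.com/personal/sales_lead_contoso_onmicrosoft_com' `
    -Mode TestWithoutNotifications

# 2. Add the rule. Condition: content contains any of the listed financial
#    sensitive information types AND is shared with people outside the
#    organisation. Action: block access, tell the owner, last modifier and the
#    Compliance Officer, show a Policy Tip, and let users override with a
#    justification or report a false positive.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number' },
        @{ Name = 'EU Debit Card Number' },
        @{ Name = 'SWIFT Code' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser 'Owner', 'LastModifier', 'compliance@contoso.onmicrosoft.com' `
    -NotifyPolicyTipCustomText 'This document contains financial data and cannot be shared outside the organisation. Contact the Compliance Officer to request an exception.' `
    -NotifyAllowOverride 'WithJustification', 'FalsePositive' `
    -GenerateIncidentReport 'compliance@contoso.onmicrosoft.com' `
    -ReportSeverityLevel High

# 3. After reviewing the match reports, keep test mode but switch on Policy Tips so
#    users see (and can report) false positives while nothing is enforced.
Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications

# 4. When the false-positive rate is acceptable, enforce the policy.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# If something misbehaves, disable just the rule, or the whole policy, at any time.
Set-DlpComplianceRule -Identity $ruleName -Disabled $true
Set-DlpCompliancePolicy -Identity $policyName -Mode Disable
```

Steps 3 and 4 are shown together for completeness; in practice you would run them days or weeks apart, after checking the DLP reports between each change. The AccessScope condition is what turns ‘contains financial data’ into ‘financial data shared externally’, which is the part of the policy that keeps it from blocking ordinary internal work.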
Want to find out more about security and compliance but don’t have time for a blog binge read now? Why not download our white paper on the Office 365 Security and Compliance Center here?
Cogmotive is the leading global provider of enterprise level reporting and analytics applications for Office 365. Find out more now.