A key component of the Office 365 service for a long time has been the Data-Loss Prevention (DLP) tools. With the extremely powerful sharing and collaboration features available through tools like SharePoint, OneDrive, Teams and Exchange Online, protecting sensitive data is key to allowing users to safely share data with partners and customers.
The productivity gain from real time updates and collaboration on documents and is substantial, but we need to ensure that our sensitive corporate data such as financial data or GDPR related content is protected from accidentally being shared. DLP for Office 365 helps achieve this by classifying our data based on content such as financial data (credit card numbers, Bank Account Numbers) and personal information (Social Security Numbers, Passport Numbers).
How DLP Works
To achieve this Microsoft have predefined a list of “Sensitive Information Types” which cover most standard use cases. We can also create our own types which we can use a variety of string matches and regular expressions to meet corporate policy and detect data containing sensitive information.
Once we have selected our Sensitive Information Types we can create DLP rules in Office 365 to detect this content when data is shared externally and trigger an action such as a block or alert. We can also tailor the quantity of the data we detect before taking action, for instance, a single Credit Card Number may not be a worry but when someone shares a file with five, then we take some action.
Endpoint DLP extends the protections that are available to the Cloud apps into the Windows 10 Endpoint by using Windows Defender for Endpoint to enforce DLP locally. To prepare a machine for Endpoint DLP, ensure it has been enrolled in Windows Defender or via the Compliance Center.
Configure and Endpoint DLP Policy
To configure and Endpoint DLP Policy, we navigate to the Policies section of the Microsoft Compliance Portal and open the Data Loss Prevention module.
From the Endpoint DLP Settings tab, we can modify some of the tenant level settings for Endpoint DLP. We can exclude specific locations, block apps and control what browsers can be used and which public domains we allow or disallow information flowing to.
For this test, I’ve blocked all of the recreated non-Microsoft browsers.
Back on the Policies page, we’ll create a new policy and use the “PCI Data Security Standard (PCI DSS)” template to protect Credit Card Numbers.
We give our policy a name and description.
We can then choose where to apply our protection. For this test, we’ll just select Devices and apply to all users.
Next we’ll customize the advanced rules for our PCI Data template.
We can see the rule by default detects both a low and high volume of sensitive data and treats them differently. For the purposes of this demo, we’ll edit these rules and block any activities matching between 1 & 5 instances (Low Volume), but allow override. We’ll also just outright block high volume which we will set at 5 or more instances.
Finally I’m going to skip testing for this lab environment but I can’t recommend testing these policies before applying in production enough, Even when everything looks right, they can cause major problems if not tested and communicated enough.
Hit Submit on the final page to create the policy.
With our policy in place, when our user interacts with sensitive data on their device they will see some different behavior. For instance, I’ve created a file with a low volume of sensitive information, in this case, credit card numbers. The user can open and work with the file but when they try to copy content from it, the get a native Windows pop up letting them know that DLP has triggered and blocked the copy. As it is a low volume, they have the option to override as per our policy. If the user chooses to override, they can continue unhindered.
Now when the user tried the same copy task with a document containing a high volume of sensitive data, they are blocked outright without the option to override.
This behavior will apply to any of the actions we’ve configured in our policy such as uploading to the web, copy to a removable device and printing.
Each of this interactions our users have with sensitive data can also be alerted on and are reportable from an Admin Perspective to provide full visibility of data movement in the organization.
DLP is a great tool to add extra protection to your environment and extending the capabilities established in the cloud services to end user devices unlocks a ton of possibilities for helping organizations to protect their sensitive data. For more information on Microsoft DLP, check out the below links.