Setup Office 365 DLP rules for Exchange Online, SharePoint Online and OneDrive for Business

In this post we will look at Data Loss Prevention in Office 365. For those of you unfamiliar with DLP, I will also try to explain what this is and how it can be useful for us.

This is not really new, but since I got some questions about it, I thought maybe someone could be interested in a blog post on it. Also we will soon have the opportunity to use sensitivity labels in Office 365 DLP, so that should be interesting.

If you look around in the Exchange admin center, you may have noticed this message under Data Loss Protection in the compliance management menu.

One single DLP policy to protect SharePoint, OneDrive for Business and Exchange? This is not a very new feature as it has been around for a while, but a lot of the customers I have talked to did not know that and find it interesting. Hopefully you will find it interesting as well. I will try to cover how Office 365 DLP works, what the above message means, and how you can get started with your own Office 365 DLP.
First of all, let’s take a quick look at DLP, what it means and what it does. 

Data Loss Prevention (DLP)

DLP, or Data Loss Prevention is a term for software created to prevent, detect and react to data breaches. If you think that sounds kind of non-specific and that it doesn’t really explain anything, you are right. A lot of different software types detect and react to data breaches. Or try to prevent it. Antivirus and anti malware can do some of it. A firewall as well. But DLP is not designed to prevent people from gaining access to our network, or spreading malware in our systems, it is designed to identify and protect our sensitive information across many locations and stop it from leaving our organization. DLP uses rules to look for information that might be sensitive, or that we want to protect and by using those rules it protects the information from being leaked, either by accident or on purpose. Usually we talk about three types of DLP technologies:
  • DLP for data in use – Secures data that is being actively processed by an application or an endpoint.
  • DLP for data in motion – Secures data that is being transferred across a network
  • DLP for data at rest – Secures data that is stored on different types of storage mediums.
This post will look at Data Loss Prevention in Office 365. 

Office 365 DLP

Like we mentioned in the intro to this article we have the ability to create one single DLP policy and use it in Exchange Online, SharePoint Online, and OneDrive for Business. Previously we would have to manage DLP for Exchange Online in our Exchange admin center, while DLP’s for SharePoint Online and OneDrive for Business would be set up from Office 365 Security  & Compliance center. By going to our Office 365 portal, and expanding all our Admin centers, we will see Security as one of the choices. For those of you who has read some of my other blog posts, you might recognize this as the same place we configure our unified labels. 

As you can see here, we can create a new DLP policy here. To simplify a little we can say that the setup process will help us define what locations we should protect, what kind of information we should we look for, and what should we do when it is found.

If we decide to create a new DLP policy, we will see quite a few similarities to how we work with labels since we can choose to use the same info types as we have when we create a sensitivity label:

We could create a policy that looks for some standard stuff like a Credit Card number and so on.

But for this article we will choose to create a custom policy

Our next decision will be on which locations we want this DLP policy to protect. We can choose all locations in Office 365, or choose specific locations which could be one or several of these.  

We want our policy to protect all locations in Office 365 and press Next.
In the previous step, we selected the locations we wanted to protect, now we are going to specify what type of content we want to protect.

It asks us to select at least one classification type. We select Edit:
Here we can choose Retention labels, but we want to use Sensitive info types. Notice that right now you do not have the option to add sensitivity labels, but this is coming in the near future. 

This opens a (for those of us who has worked with sensitivity labels in Office 365) familiar window where we can choose one or more of the predefined Sensitive info types.

For this article I will select some different sensitive into types

When I select Add, I will be informed that I have added 7 sensitive info types.

When I add these, I will see what info types this policy will protect and a list of Match accuracy. Match accuracy means how much “evidence” is required to trigger the rule. Office 365 uses a combination of several factors to decide if it is a match or not. For instance, when looking for a Credit Card number, it won’t just look for just a list of 16 numbers, it will use a combination of several things to decide that it is indeed a Credit Card number. With a 85% confidence it will look for the same things as it would do with 65%, but it would add looking for a keyword or expiration date in the right format for instance. As you can see we get a match accuracy of 75-100 or 85-100 without having set anything our self. Having a lower percentage will give the opportunity for more false positives than a higher one, so setting the rule to 50-100 will require only a 50% confidence and can give a lot more false positives. 

Now we will have to decide when this rule should be applied. As you can see the default option is to detect when this content is shared with people outside my organization which often will be a sensible place to start.

If you don’t think that is good enough, you can use advanced settings where you will have a world of different conditions you can choose, exceptions you can define, if you want to restrict access or encrypt content etc. etc.  

We will choose the default option here. So now we have decided where to look, what to look for and now we want to decide what will happen when Office 365 DLP matches on any of the sensitive info we have asked it to look for. 

You may want to notify the users when content matches the policy settings. You can specify how many instances of the same sensitive info type before something is done. For instance you may accept one Credit Card number being shared, but not ten. You can choose to send an email when the sensitive info is detected, which can be very useful. Lastly, you may want to protect the content by encrypting it (works only for Exchange), or you could block people from sharing the content and restrict the access.  Our next choices will be to customize access and override permissions

It may be okay if people inside the organization accesses our sensitive info, but we want to block people outside. We can also give our users the ability to override the policy. Doing that at least makes them aware of the danger and makes them take an informed choice. If you allow users to override, you can require a justification for this, or just override automatically if they report it as a false positive. 

You will then be asked if you want to turn on the policy right away or test it first.Since this is my demo environment I will turn it on right away, but you may want to try it out first. 

When we are done, we are presented with a list of the settings we have configured and the opportunity to Edit some if we are unhappy with them

When we create our new policy, it will be in place instantly and will start to look for the info types we specified, in the places we asked it to, and if it matches it will take the actions we told it to. 

As you can see you have a lot of options here. Setting up a DLP policy rule is not hard, and can protect you from leaking sensitive data to people outside your company. 


Popular posts from this blog

Do not Forward and the protection of attachments

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label