Office 365 includes a range of information security and protection capabilities. This post focusses on the configuration and implementation of Data Loss Prevention (‘DLP’) capabilities in SharePoint Online and OneDrive for Business (ODfB).
Note: Microsoft have advised that the Office 365 DLP framework will apply to both Exchange and SharePoint/ODfB in the near future. For the existing Exchange DLP settings, see https://technet.microsoft.com/en-us/library/jj200706(v=exchg.150).aspx and https://technet.microsoft.com/en-us/library/jj150527(v=exchg.150).aspx.
Purpose of DLP
The purpose of DLP is to protect specific and definable types of sensitive company or agency information by preventing (or monitoring) its deliberate or inadvertent exfiltration from the organisation.
Examples of exfiltration methods where DLP can be used include:
- Attachments to emails.
- Uploads to web-based systems.
Examples of the types of sensitive information that can be protected with DLP include:
- Financial data. For example, bank account numbers, tax file numbers, credit/debit card numbers.
- Personal and sensitive information (PSI). For example, driver’s licence numbers, tax file numbers, passport numbers.
- Medical and Health records. For example, medical account numbers.
The requirement to protect sensitive information is the subject of legislation in a number of countries.
Enabling Data Loss Prevention in Office 365
DLP in Office 365 is enabled through policies that are set in the Security and Compliance Admin Centre of the Office 365 Admin Portal, under ‘Threat Management’ > ‘Data Loss Prevention’.
DLP policies are set by the Office 365 Global Administrator, as well as the Compliance Administrator and/or the Security Administrator if these roles have been configured in the Security and Compliance Admin Centre.
To create a DLP policy, the Administrator clicks on the + icon in the Data Loss Prevention screen. This opens a new window with the following options displayed.
A custom policy is one that is defined by the organisation. It would normally be for content that contains specific values.
The options ‘Financial regulations’, ‘Medical and health regulations’, and ‘Privacy regulations’ include default Microsoft-provided policies. Each of these default policies includes a description, coverage (e.g., what information is protected), and where the information is to be protected (e.g., in SharePoint Online, OneDrive for Business, and Exchange Online).
Enabling and modifying default policies
After selecting a default policy, the authorised user must then identify the services that may store the information that needs to be protected: SharePoint Online and OneDrive for Business.
Note: The option to choose Exchange Online is (as of 13 March 2017) still unselectable.
The next option allows the Administrator to customise the rule that has been chosen. If a default policy was selected in the previous dialog, the options for that policy will be displayed; these may include ‘count sensitivity’ (i.e., how many times the sensitive content must be identified before the rule matches; a low count means the rule is more sensitive to sensitive content).
The Administrator may add a new rule or edit one of the default options.
The Administrator may modify the conditions, actions and what happens when there is an incident for each of the default policies – see below for further details.
Defining custom DLP policies
If a custom policy is required, the Administrator clicks on ‘Custom Policy’ from the ‘Data Loss Prevention’ opening dialog screen, and then ‘Next’ at the bottom of the screen. The Administrator must define which services are to be protected (same as for default policies, above).
The next screen allows the Administrator to create a new policy, via the + icon.
In the new window that opens, the Administrator must then define the new DLP rule through Conditions, Actions, Incident reports and General.
Conditions, Actions, Incident reports, General options
For either default or custom policies, the Administrator must set the following rules:
- Conditions – what will cause the policy to run?
- Actions – what will happen when the policy runs?
- Incident reports – how is reporting managed?
- General – any other points.
For default policies, conditions are pre-defined and are based on (a) the type of content (e.g., credit card numbers, bank account numbers) and (b) whether the content is shared internally or externally.
These pre-defined conditions may be removed or edited, and new conditions may be added. Editing options include the number of times the sensitive content is found (‘Min count’, ‘Max count’), and both maximum and minimum percentage-based ‘confidence levels’.
For custom policies, the Administrator must define which conditions are to be met:
- If you choose ‘Content contains sensitive information’, you must define the information through a + option. This brings up all the default choices provided by Microsoft.
- If you choose ‘Content is shared with’, you define whether the information is shared with people inside or outside the organisation.
- If you choose ‘Document properties contain any of these values’, you must define the values that would be found in a document. Note that, if this option is selected, the property must be configured in the SharePoint Online search settings.
For default policies, the actions to be taken are pre-defined and are based on sending a notification.
For custom policies, the Administrator must first decide whether the action will be to (a) block the content or (b) send a notification.
If ‘Block the content’ is selected, the user will be unable to send an email or access the shared content.
If ‘Send a notification’ is selected, it offers the same options as for custom policies. Note the ability to customise the email notification.
When ‘Incident Reports’ is selected for both custom and default policies, the following options are available. Incident reports should be sent to the Administrator/s.
Default policies are pre-named but the name can be modified. This is also where the policy can be disabled.
Custom policies must be named, and a decision made whether to enable the policy, test it, or turn it off. As noted, it is possible to test the policy first, to collect data.
Reporting from the DLP policies is accessed from the Security and Compliance Centre > Reports > Dashboard.
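The same policy and rule settings walked through above (protected locations, test mode, min/max count and confidence thresholds, internal versus external sharing, block or notify actions, incident reports, and the detail report) can also be set from Security & Compliance Centre PowerShell instead of the portal. The following is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module (which provides Connect-IPPSSession) is installed, and the policy name, notification text, admin user principal name and compliance mailbox are placeholders to be replaced with your own values.

```powershell
# Added example (not part of the original post): build a custom DLP policy for
# SharePoint Online and OneDrive for Business with the Security & Compliance
# Centre cmdlets. Assumptions: ExchangeOnlineManagement module installed;
# admin@contoso.example, compliance@contoso.example and the names/text below
# are placeholders.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# 1. The policy: which services it protects and whether it starts in test mode.
#    TestWithNotifications is the "test it" choice from the General step; it
#    collects incident data and shows policy tips without blocking anything.
$policyName = 'Custom - Credit Cards Shared Externally'
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detects documents holding credit card numbers that are shared outside the organisation' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. The rule's Conditions: the Microsoft-provided 'Credit Card Number'
#    sensitive information type, found between 1 and 9 times ('Min count' /
#    'Max count') at 75-100 % confidence, and only when the content is shared
#    with people outside the organisation ('Content is shared with').
$condition = @{
    Name          = 'Credit Card Number'
    minCount      = '1'
    maxCount      = '9'
    minConfidence = '75'
    maxConfidence = '100'
}

# 3. The rule's Actions and Incident reports: block access, notify the people
#    who can fix the document, and send an incident report to the compliance
#    mailbox with the fields needed to triage it.
New-DlpComplianceRule -Name "$policyName - rule" -Policy $policyName `
    -ContentContainsSensitiveInformation $condition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner, SiteAdmin `
    -NotifyPolicyTipCustomText 'This document contains credit card numbers and cannot be shared outside the organisation.' `
    -GenerateIncidentReport 'compliance@contoso.example' `
    -IncidentReportContent Title, DocumentAuthor, Detections, Service `
    -ReportSeverityLevel High

# 4. While the policy is in test mode, review what it would have matched over
#    the last week (the PowerShell counterpart of Reports > Dashboard).
Get-DlpDetailReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -DlpCompliancePolicy $policyName | Format-Table

# 5. Once the detections look right, switch the policy on so the block applies.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Sanity check: confirm the rule carries the expected scope and block action.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, BlockAccess, Disabled
```

Keeping the policy in TestWithNotifications until the detail report has been reviewed is the scripted equivalent of the "test it, to collect data" advice in the General step: a maxCount or confidence threshold that is too tight will be visible as missed detections, and one that is too loose as false positives, before any user is actually blocked.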