Skip to main content

Cloud

Expanding Data Loss Prevention Across Office 365

Continuing from my previous post on Information Rights Management (IRM), today we will focus our discussion at yet another security feature which is essentially part of customer controls, known as Data Loss Prevention aka DLP.
DLP provides users with policy tips and detects sensitive information in the context of communication. DLP was first rolled out in Exchange and Outlook and then expanded into Outlook Web App (OWA). The only problem was that email is not the only way to share information. A ton of information in this digital age is shared via documents and keeping that in mind, DLP was expanded into SharePoint Online (SPO) and OneDrive for Business (ODFB). Until now eDiscovery allowed us to search sensitive content across SharePoint and OneDrive and now policy actions (restrict and block access) and email notifications are also being introduced.

Source: blogs.office.com

Source: blogs.office.com


With the advent of Office 365, the Microsoft community has become increasingly collaborative in nature, and product teams are now more agile and communicative in their approach than ever before. Building on that approach, recently Microsoft conducted a yamjam around DLP features. Some great scenarios, concerns, and solutions were exchanged. Here is my attempt to capture and summarize that for you.
—————————————————————————
Q: Will DLP be a supplement or replacement to IRM and auditing mechanisms in SharePoint? And in what way will it supplement to IRM and or auditing.
A: DLP is a great supplement for IRM today. Both of these functionalities work seamlessly in Exchange and we are extending that same experience for SPO/ODFB
Q: Will DLP have effect on the content that is shown, or not shown, in Delve
A: That is absolutely our vision. Delve adheres to the user permissions set by your admins and end users, and we will respect the same when it comes to DLP.
Q: Will DLP be a part of the announced Dropbox partnership? Extending to Dropbox for business
A: Currently DLP functionalities are planned only for ODFB/SPO and not Dropbox.
Q: Will DLP be able to enforce IRM on documents that match a policy? 
A: That is definitely in our plans and you can expect us to release that in the service in early 2015
Q: If I want to make sure my policy is enforced on all content all users should have a sufficient license?
A: Yes, you need as many DLP licenses as the number of users. DLP is licensed on per user basis.
Q: How can we protect documents that contain trade secrets or company plans from being uploaded to OneDrive and then downloaded to home computers? These are random documents that may not have specific information to search for. What is to keep users from uploading a mass amount of documents and then downloading them at home?
A: The next level is to apply Rights Management Service (RMS) policies for all content that lands in that area. You can further protect using IRM from within the client and establish a further depth of what can/can’t be done, and possibly further restrict who. Next up is setting policy rules with #dlp that again help to inform and enforce actions that are and are not allowed. In the future we’ll have additional tools via MDM to help protect and reclaim/delete content that can no longer be on devices. Additionally, we’re planning auditing and reporting capabilities so admins can run reports to understand better how content is being used (shared, modified, viewed, etc.).
Q: Is OneDrive for Business a supported application by Azure RMS?
A:  IRM works today for documents on ODFBso yes, Azure RMS works for OneDrive for business. There are some fixes we are making for IRM protected libraries so that it syncs seamlessly just like any other library
Q: ODFB Management : For ODFB and IRM, it seems to be cumbersome to turn on IRM and with certain policy settings like “Allow users to print”. Plus, it does not seem to reference centralized IRM policies like you would expect with Azure RMS because you just name your own policy and do not select from a dropdown list. Is this because IRM on ODFB is not really supported by Azure RMS yet? And is this expected to change sometime soon?
A: ODFB is certainly covered, and is a manual process today from the scope of an audit or configuration of IRM. The concern you have is valid and is something the teams are aware of for auditing, eDiscovery, DLP scenarios. We don’t have timing to share, but we do want to treat ODFB as included by default, not something you have to configure for broader application
Q: If we have 10 users on E3 and 40 users on Business Essentials, do the messages created by the 40 Business Essentials users get evaluated by DLP? What about the server-side processing? If a non-E3 user sent a message that violates a DLP rule, would it be blocked, or would it be sent to the recipient?
A: DLP does require E3, so the non-E3 users would not get a DLP experience, aka the tool tips coming early next year. No, you need to have DLP licensing to enable server side and client side processing for sensitive content. So for eg, in exchange today, every time you use the “the message contains sensitive information” predicate, you need DLP license.
Q: We have a system that generates PDF reports and emails them via SMTP. We use DLP to block the messages from being forwarded but we would like to apply document level IRM as it enters the system via SMTP?
A: Look at adding a document library into your solution. You could then add additional capabilities if above needs a little more.
Q: Can you please elaborate on the phrase “with additional policy controls and actions like Information Rights Management, coming in the first quarter of 2015” from the 10/28 blog post on DLP? What might this mean in terms of capabilities?
A: In our initial release for SPO policies, you will have actions such as block or request access when someone uploads a document. With RMS action, you will be able to automatically apply IRM action to the uploaded document if the document contains sensitive information.
Q: What will happen if a document is accessed through an API using custom coding? Will DLP apply?
A: If the content is stored in a location that is subject to a DLP policy, such as SharePoint – then yes the changes will be scanned and subject to the DLP requirements in the policy.
Q: Will Microsoft provide a way to automatically add ODFB sites (as they are provisioned) to DLP scope?
A: Yes, you can configure a DLP policy to apply to “all” OneDrive for Business sites, which will automatically include new sites as they are provisioned.
Q: <em?Will the fact that IRM is applied to a document be able to overwrite DLP actions? For instance if IRM is applied with ‘lower’ restrictions, van DLP apply more restrictieve restrictions? Consider this example: IRM can be configured by Site Admins, so a site admin makes a library for contracts. He configures very little restrictions. At company (DLP) level we have a very strict policy and want to override what the site admin on lower level set up.
A: We currently do not allow IRM policy override. This is an interesting feature request. will be available when our policy actions are available in early 2015.
Q: We found the mobility use case to be painful as iOS and Android devices cannot open IRM protected documents minus a few exceptions like PDFs with a purchased app. When is this targeted to change to where the Office Mobile apps will support IRM protected documents?
A: It works great today for email across OWA for devices, Outlook, Outlook for MAC, OWA etc and you can expect us to add the same functionality across Office documents. IRM works today for documents on ODFB so yes Azure RMS works for OneDrive for business.
Q: With an increasing number of non-technical small business users, what is the plan to give true user account management to Global Admins in O365? This weekend we had to terminate a long time employee who lives in a different state. I checked every source for clear guidelines and documentation surrounding this is nearly non-existent. There is no simple way to prevent loss of information other than resetting the user password. If “blocked” then we could not go into Exchange Online or ODFB to back up information. If we remove licenses, we lose all data. If we turn mailbox into shared, we lose auto archive folder/ability. We cannot backup to a PST due to auto archive as well. Four days after the fact, we learned that resetting the password means they can still have access to any sessions of mail, CRM, SharePoint that have not expired. How are we supposed to manage security under these conditions? Please advise when your 100% “cloud first/mobile first” O365 Online small business customers can expect to have the right tools to terminate an employee while preventing any data loss.
A: The scenario you describe is well covered in the enterprise, where we have additional value in the E1-E4 plans. And I’m guessing you know this, but want to be clear that all the compliance tools like RMS, DLP, eDiscovery … they are only offered to enterprise. It is very common to find smaller businesses using the enterprise plans when their needs require the more robust compliance capabilities. Consider upgrading your plan to enterprise. This article should get you started: I can tell you that you can recover documents. You would need to assign a secondary user who can then go into users’ ODFB. You can do this today here: SPO admin center > user profiles > Set up MySites > My Site Cleanup – and then add a secondary owner.
Here’s the text from in-product once you get to this admin setting, “My Site Cleanup”. When a user’s profile has been deleted, that user’s My Site will be flagged for deletion after fourteen days. To prevent data loss, access to the former user’s My Site can be granted to the user’s manager or, in the absence of a manager, a secondary My Site owner. This gives the manager or the secondary owner an opportunity to retrieve content from the My Site before it is deleted. Select whether or not ownership of the Site should be transferred to a manager or secondary owner before the site is deleted. Set a secondary owner to receive access in situations in which a user’s manager cannot be determined.
Q: Any plans to add DLP to Yammer? For instance if a user decides to share his credit card number on Yammer he will get a policy tip; Such as not allowing videos to be downloaded (but only to be viewed), to making sure that PII is not being shared inadvertently in healthcare or insurance companies. You can overcome these things with peer governance but it would be great to have some tech in place too.
A: Definitively something that we are thinking about. What kind of scenarios would you like to see if/when this would happen?
Q: When or will Data Loss Prevention (DLP) become available in the On-Premise version of SharePoint?
A: We’re not ready to discuss any portion of SharePoint Server vNext (on-premises) and what will be included. That said, there are a number of 3rd party solutions today that can be integrated with SharePoint already.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.