Introducing Data Loss Prevention in the New Exchange


The Data Loss Prevention (DLP) feature in the new Exchange will help you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is increasingly important for enterprise message systems because business-critical email includes sensitive data that needs to be protected. It’s the financial information, personally identifiable information (PII) and intellectual property data that can be accidentally sent to unauthorized users that keeps the CSO up all night. In order to protect sensitive data without affecting worker productivity, the new version of Microsoft Exchange Server 2013 integrates DLP features so you can manage sensitive data in email more easily than ever before.

You can be comfortable getting started with DLP in Exchange because Microsoft has included a simple management interface that allows you to:

  • Start with a pre-configured policy template that can help you detect specific types of sensitive information such as PCI-DSS data, Gramm-Leach-Bliley act data, or even locale-specific personally identifiable information (PII).
  • Use the full power of existing transport rule predicates and actions and add new transport rules
  • Test the effectiveness of your DLP policies before fully enforcing them
  • Incorporate your own custom DLP policy templates and sensitive information types
  • Detect sensitive information in message attachments, body text or subject lines and adjust the confidence level at which Exchange takes action
  • Add Policy Tips, which can help reduce data loss by displaying a notice to your Outlook users and can also improve the effectiveness of your policies by allowing false-positive reporting
  • Review incident data in message tracking logs or add reporting by using a new generate incident report action

Using the Microsoft-supplied DLP policy templates is an easy way to get started. DLP policies are packages of transport rules with new features that you can customize. These rules include classification types that define the kind of content the DLP policy looks for. You can use the Exchange Management Shell, the Exchange Administration Center (EAC), or even your own XML file editor to start incorporating DLP policies into your messaging environment. The image here shows the data loss prevention management interface.

[Screenshot: Data loss prevention (DLP) in the Exchange Administration Center (EAC)] Figure 1: Managing data loss prevention (DLP) using the EAC

A number of new transport rule conditions and actions have been created in Exchange Server 2013 to provide the new DLP capability. One key feature of the new transport rules is a new approach to detecting sensitive information that can be incorporated into mail flow processing. This new DLP feature performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, internal functions such as checksum validation on credit card numbers, and other content examination to detect specific content types within the message body or attachments.

Policy Tips to inform your workers in real time

With the new DLP features, you can inform email senders that they may be about to pass along sensitive information that is detected by your policies—even before they click send. You can accomplish this by configuring Policy Tips. Policy Tips are similar to MailTips, and can be configured to present a brief note in the Microsoft Outlook 2013 client that provides information about your business policies to the person creating a message. You can configure Policy Tips that will merely warn workers or block their messages, or even allow them to override your block with a justification. Policy tips can also be useful for tuning your DLP policy effectiveness, as they allow end users to seamlessly report false positives. Here’s a screenshot that shows the Policy Tip in action.

[Screenshot: Mail tip for data loss prevention] Figure 2: A Policy Tip informs email senders about sensitive information before they send the message

Begin by establishing policies that protect your sensitive data

Three different methods exist for you to begin using DLP:

  1. Apply an out-of-the-box template supplied by Microsoft. The quickest way to start using DLP policies is to create and implement a new policy using a template. This saves you the effort of building a new set of rules from scratch.
  2. Import a pre-built policy file from outside your organization. You can import policy templates that have already been created outside of your messaging environment by independent software vendors. In this way you can extend the DLP solution to suit your business requirements.
  3. Create a custom policy without any pre-existing conditions. Your enterprise may have its own requirements for monitoring certain types of data known to exist within a messaging system. You can create a custom DLP policy entirely on your own in order to start checking and acting upon your own unique message data.

Sensitive Information Types in DLP Policies

When you create DLP policies, you can include rules that check for sensitive information. The conditions that you establish within a policy, such as how many times something has to be found before an action is taken, or exactly what that action is, can be customized within your new custom policies to meet your business requirements. Sensitive information rules are integrated with the transport rules framework through a new condition that you can customize: If the message contains…Sensitive Information. This condition can be configured with one or more sensitive information types that must be contained within the message.
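The deep content analysis described earlier (pattern, dictionary and checksum checks) and the conditions in this section (how many matches are required, at what confidence, and which action follows) can be modelled in a few lines. The block below is an added example written for this page, not Exchange's own code: the names SensitiveInfoType, DlpRule and evaluate, the confidence values, the action and mode strings, and the sample message are all assumptions. It goes slightly beyond the post by placing an ABA routing-number checksum next to the credit card Luhn check to show that "internal functions" are a general validator hook rather than a single special case.

```python
# Added example (not Exchange's code): a toy model of how a DLP rule classifies
# content. SensitiveInfoType, DlpRule, evaluate and the constants are assumptions.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_valid(digits: str) -> bool:
    """ABA routing number checksum: weights 3,7,1 repeated over nine digits."""
    return len(digits) == 9 and sum(int(c) * w for c, w in zip(digits, [3, 7, 1] * 3)) % 10 == 0


@dataclass
class SensitiveInfoType:
    """A sensitive information type: a pattern, an optional checksum validator,
    and keywords that raise the confidence of a match when they appear nearby."""
    name: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None
    keywords: tuple = ()
    base_confidence: int = 65          # pattern and checksum match, no supporting evidence
    corroborated_confidence: int = 85  # a keyword appears within 60 characters of the match

    def find(self, text: str) -> List[Dict]:
        hits = []
        for m in self.pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            if self.validator and not self.validator(digits):
                continue  # looks like the pattern but fails the checksum: not a hit
            window = text[max(0, m.start() - 60): m.end() + 60].lower()
            corroborated = any(k in window for k in self.keywords)
            hits.append({"type": self.name, "match": m.group(0),
                         "confidence": self.corroborated_confidence if corroborated else self.base_confidence})
        return hits


@dataclass
class DlpRule:
    name: str
    info_type: SensitiveInfoType
    min_count: int = 1           # how many qualifying matches before the rule fires
    min_confidence: int = 65     # matches below this confidence are ignored
    action: str = "NotifyOnly"   # NotifyOnly | RejectMessage | RejectUnlessExplicitOverride
    mode: str = "Enforce"        # Audit | AuditAndNotify | Enforce


# outcome for the message, and which Policy Tip the sender sees, per action
ACTION_OUTCOME = {"NotifyOnly": ("deliver", "warn"),
                  "RejectMessage": ("block", "block"),
                  "RejectUnlessExplicitOverride": ("block_unless_override", "override")}


def evaluate(rule: DlpRule, message: Dict) -> Dict:
    """Scan subject, body and attachment text; decide the outcome and the Policy Tip."""
    text = "\n".join([message.get("subject", ""), message.get("body", "")] + list(message.get("attachments", [])))
    hits = [h for h in rule.info_type.find(text) if h["confidence"] >= rule.min_confidence]
    result = {"rule": rule.name, "matched": len(hits) >= rule.min_count, "hits": hits,
              "outcome": "deliver", "policy_tip": None, "incident_report": False}
    if not result["matched"]:
        return result
    result["incident_report"] = True    # every mode records the incident
    outcome, tip = ACTION_OUTCOME[rule.action]
    if rule.mode == "Audit":            # test the policy: record only, nothing user-visible
        return result
    if rule.mode == "AuditAndNotify":   # record and show the tip, but never block
        result["policy_tip"] = tip
        return result
    result["outcome"], result["policy_tip"] = outcome, tip
    return result


CREDIT_CARD = SensitiveInfoType(name="Credit Card Number",
                                pattern=re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), validator=luhn_valid,
                                keywords=("credit card", "card number", "card:", "visa", "mastercard"))
ABA_ROUTING = SensitiveInfoType(name="ABA Routing Number", pattern=re.compile(r"\b\d{9}\b"),
                                validator=aba_valid, keywords=("routing", "aba", "wire"))

# Constructed sample message: 4111... and 5500... are well-known test card numbers,
# 1234-5678-9012-3456 looks like a card but fails Luhn, 123456780 is a constructed
# nine-digit value that satisfies the ABA checksum.
SAMPLE_MESSAGE = {
    "subject": "Expense report",
    "body": "Please reimburse me; my credit card number is 4111-1111-1111-1111.",
    "attachments": ["Order 42, reference 1234-5678-9012-3456",
                    "Backup card: 5500 0000 0000 0004\nWire to routing 123456780"],
}

if __name__ == "__main__":
    rule = DlpRule("Card numbers: block unless override", CREDIT_CARD, min_confidence=75,
                   action="RejectUnlessExplicitOverride")
    print(evaluate(rule, SAMPLE_MESSAGE))
```

Running the block with mode set to "Audit" on the same rule returns the same hits and an incident record but delivers the message with no Policy Tip, which is the "test the effectiveness of your DLP policies before fully enforcing them" workflow; raising min_count to 3 makes the rule stop firing on this message altogether. One caveat worth keeping in mind when tuning: a checksum alone does not remove false positives. The placeholder 1111-2222-3333-4444 quoted in the comments happens to pass the Luhn check, which is exactly why the corroborating keywords and the confidence threshold carry real weight.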

To make it easy for you to use the sensitive information-related rules, Microsoft has supplied policy templates that already include some of the sensitive information types. An inventory of the sensitive information types supplied out of the box is provided on the TechNet Library. A brief sample can be seen here:

Information type                        Primary region   Category
ABA Routing Number                      United States    finance
Australia Bank Account Number           Australia        finance
Credit Card Number                      All              finance
EU Debit Card Number                    European Union   finance
France Social Security Number (INSEE)   France           PII
German Driver’s License Number          Germany          PII
Japan Passport Number                   Japan            PII
SWIFT Code                              All              finance
U.K. National Health Service Number     United Kingdom   health

Data loss prevention in Exchange 2013 is one of several new features that are focused on helping to solve compliance issues in email. Check out In-Place eDiscovery, In-Place Archiving, Retention policies, and the new additions to transport rules, and information rights management too. We hope you become more productive and safe with the new DLP features that help you protect your organization’s sensitive data.

John Andrilla

Comments (9)
  1. Joe says:

    It appears these "out of the box" templates use pattern matching and regex. This detection method yields a large amount of false positives, in which one will never look to "enforce" these policies.

  2. John A -- MSFT says:

    @Joe You can certainly tweak the DLP policies after you've instantiated them. For example, you can fine-tune the confidence levels or change your rule sets. -John.

  3. @Joe, it isn't all simple RegEx matching. For example the credit card validation uses Luhn's algorithm to validate the number pattern is a valid CC number and not simply a pattern of numbers that matches 1111-2222-3333-4444 (en.wikipedia.org/…/Luhn_algorithm)

  4. RMS Guru says:

    I asked this question when the Azure RMS team shipped — does this support Mac?  What about OWA?  Most of my customers have >20% penetration of Macs.

    For user overrides?  Is that the screenshot?  The way you override is by "reporting"?  I'm really confused about this flow.

  5. Astrid McClean MSFT says:

    @RMS Guru — the screenshot was mis-labeled – the screenshot is the notification message. When the DLP policy is configured with an action of override, the Policy Tip includes a link to override the policy and when the user provides a business justification, the user is notified that the action will be audited and this is then sent as part of the incident report.

    The Policy Tips are only currently available to Outlook 2013 clients, but the DLP policies are enforced at the Exchange server. So all emails, whether or not the sending client receives the Policy Tips, will be evaluated against DLP policies.

  6. Carl J says:

    Hi all, are there any early indications of how this is likely to be licensed – is this simply going to be bundled into an existing plan like an E1, or is this likely to be an extra option which can be subscribed to?

    Please advise if you can, or provide a link – struggling to find anything so assuming this will simply be bundled.

    Tks all.

  7. Astrid McClean MSFT says:

    @Carl. We haven't released any licensing information yet. You are welcome to try this feature as part of the Office 365 Enterprise Preview – http://www.microsoft.com/…/office-365-enterprise or the Exchange Server 2013 Preview – technet.microsoft.com/…/hh973395

  8. Herbys says:

    @Joe: it's more flexible than a simple regex, but despite that I think how false positives are addressed here is part of the beauty of this solution.

    With typical DLP solutions, if you get a false positive you have significant overhead or loss of productivity when things don't reach their intended recipients. With Exchange's DLP integration you can involve the user in the decision (without the user having to take the initiative) in real time as the content is being written, so you can avoid making the wrong call without much overhead (the user doesn't even get to send the message before finding out what's going to happen, and can potentially ask for an exception in real time). And even if you are overzealous in protecting content and end up protecting lots of content that looks suspicious, IRM policies allow you to get the data to its intended destination with certain usage restrictions applied, which significantly reduces the impact of a false positive compared to blocking content altogether.

  9. Venkat says:

    Thank you for sharing this post. This post is really useful to me because I have that much interest in this post. Thank you.
