Data Loss Prevention (DLP) in SharePoint 2016 Beta 2


Data Loss Prevention (DLP) has been available in Office 365 (including SharePoint Online) for some time now with the release of SharePoint 2016 Beta 2 this capability is also available On-Premises.

DLP provides the ability to identify content that is stored within SharePoint that contains sensitive information, for example Credit Card, Passport and Driving License details – basically the sort of information that needs additional controls and management to prevent data leakage!

A number of pre-defined policy templates are available out of the box that cover a wide range of Sensitive Information, each template is able to identify one or more pieces of Sensitive Information, for example the U.K. Financial Data template is able to detect the following:

  • Credit Card Numbers

  • EU Debit Card Numbers

  • SWIFT Codes


Details of exactly how SharePoint detects Sensitive Information for each type of data can be found in the Sensitive Information Type Inventory documentation, it uses a combination of pattern matching, keywords and checksums. For example Credit Card details are detected by:

  • 16 digits which can be formatted (dddd-dddd-dddd-dddd) or unformatted (dddddddddddddddd).
  • Must pass the Luhn test (checksum)
  • Specific keywords are identified within 300 characters of these digits, for example "Visa", "Amex" or "cvv2"

Here are some pointers on getting started with DLP in SharePoint 2016 Beta 2.

Pre-Requisites

  1. DLP relies on Search in order to use the functionality you need to have provisioned a Search Service Application within your farm.

  2. Two Site Collections need to be provisioned, these facilitate the configuration and identification of Sensitive Information

    • eDiscovery Center – This allows you to identify content that conflicts with any of the DLP policies that have been created

    • Compliance Policy Center – This is used to create and manage the actual DLP Policies


        

Creating a DLP Policy

  1. Browse to the Site that you created that uses the Compliance Policy Center template

  2. Select DLP Policy Management

  3. Click New Item

In the example below, I create a DLP Policy named UK Financial Data, this uses the U.K. Financial Data template, which will identify content that contains Credit/Debit Card Numbers and SWIFT Codes. The template is configured to identify content that contains at least 1 instance of any of this Sensitive Information, for example 1 x Credit Card Number. This can be increased to a larger value, for example 5. Whenever any content is identified that conflicts this policy an email will be sent to admin@company.com

End users will be notified by a policy tip in Office 2016 when they save or edit content that contains sensitive information (example below).


Finally, I have configured the policy to block access to the content (because I’m cruel like that!).  The only users that will have access are the Admin(s) of the Site, Creator and Last Modified User.

Click Save and our policy is complete, well sort of!


Assigning a Policy to a Site Collection

In the next step we need to assign this policy to one or more Site Collections, to do this:

  1. Browse to the Site that you created that uses the Compliance Policy Center template

  2. Select DLP Policy Assignments for Site Collections

  3. Click New Item

  4. Click First choose a site collection

  5. Enter the URL for a Site Collection you would like to protect, click the magnifying glass and then select the Site

  6. Click Save


We now need to assign the DLP policy to the Site Collection  that was selected above.

  1. Select Manage Assigned Policies

  2. Select the Policy you would like to apply to the Site Collection

  3. Click Save

Identifying Sensitive Content

Now that a policy has been created (UK Financial Data) and assigned to a Site Collection (http://intranet/sites/HR). We can now use three methods to identify content that conflicts with the policy.

  1. Wait for an e-mail that notifies us of any breaches of the policy (in my case, admin@company.com)

  2. Browse the Site and look for Content that conflicts with the policy (notice the warning sign on the document icon!). This document contains a Credit Card number, therefore has been flagged up.

     

    Clicking View Policy Tip provides further information on the conflict.

  3. Use the eDiscovery Center to locate content (interestingly this will also identify sensitive content for which there isn't a policy applied - presumably search identifies all sensitive content as it is crawled, rather than waiting for a policy to be applied and a crawl to be run)

    • Browse to the eDiscovery Center you created

    • Select Create DLP Query

    • Click New Item within the Search and Export section

    • Select the template to query against (in this case U.K. Financial Data)

    • Enter the minimum number of instances of this type of Sensitive Data to show results for – I’ve selected 1 which means that any content that contains at least 1 piece of data that conflicts with the policy will be reported.

    • Click Next

    • Give the Query a name and then select Search to return details of any documents that conflict with the policy, in this case a single document named "Sales Order.docx"

It is possible to narrow results by a specific date range, file type or managed property. You can also Save the Query for later usage and export the actual documents identified if required.

That’s a quick overview of DLP in SharePoint 2016, one thing to point out is that policy enforcement is only as accurate as the search index therefore it’s important to ensure that the search index is as fresh as possible by performing regular crawls - there are also a number of Timer Jobs that control policy enforcement (details below).


Brendan Griffin - @brendankarl

 

 

 

 

 



 

 

 



 




Comments (6)

  1. Hi Brendan,

    I configured the DLP Site Assignments, as You described. I forced to run the Crawls and also the regarding timer Jobs, but nothing happened on the docs or via Email - even after 24 hours. I've only one WebApp and regarding site with sensitive Content is also
    in the same Web App. eDiscovery is finding the files without any Problem, but only the Compliance does not work. Any ideas, what I could missed configuring in the Background? I would highlay appreciate your help. Thank You. 🙂

    1. Apologies for the slow response, did you manage to resolve this?

      1. Markus says:

        Same problem here, policy assignment does not work (search is finding the files - edisovery too).

        1. Stefan P says:

          Same problem here 🙁

  2. Deepak says:

    Hi Bren,

    Thanks for sharing this valuable information.

    Recently we have installed SP 2016 RTM with June CU. We have tried out all steps as mentioned in blog, However in our case on my POC site we are not able to see any new icon over the document?? I have checked with Test User credential as well. Waited for last 3-4 days.

    Also want to check Apart from “Default DLP query/template”, can we create our own query/template based on our Organization policy requirement??

    Appreciate your response.

    Regards,
    Deepak Singh

    1. Unfortunately at this time, it's not possible to create custom DLP templates.

      Are the DLP Timer Jobs working correctly, also has the content been successfully crawled?

Skip to main content