Data Loss Prevention (DLP) in SharePoint 2016 Beta 2

Data Loss Prevention (DLP) has been available in Office 365 (including SharePoint Online) for some time now; with the release of SharePoint 2016 Beta 2 this capability is also available On-Premises.

DLP provides the ability to identify content stored within SharePoint that contains sensitive information, for example Credit Card, Passport and Driving License details – basically the sort of information that needs additional controls and management to prevent data leakage!

A number of pre-defined policy templates are available out of the box covering a wide range of Sensitive Information types. Each template is able to identify one or more pieces of Sensitive Information; for example, the U.K. Financial Data template is able to detect the following:

  • Credit Card Numbers

  • EU Debit Card Numbers

  • SWIFT Codes

Details of exactly how SharePoint detects each type of Sensitive Information can be found in the Sensitive Information Type Inventory documentation; detection uses a combination of pattern matching, keywords and checksums. For example, Credit Card details are detected by:

  • 16 digits, which can be formatted (dddd-dddd-dddd-dddd) or unformatted (dddddddddddddddd).
  • The digits must pass the Luhn test (checksum).
  • Specific keywords are identified within 300 characters of these digits, for example "Visa", "Amex" or "cvv2".

All three conditions have to hold, so a Luhn-valid 16-digit number with no supporting keyword nearby is not reported. That is what keeps false positives down on documents full of order numbers and reference codes, but it also means a bare list of card numbers with no surrounding context can slip past the classifier.
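To make the three rules concrete, here is an added example (not code from the original post, and not SharePoint's own classifier, which is a compiled rule pack) that re-implements them in PowerShell so they can be exercised on sample text without a farm. The keyword list and the sample text are constructed for the example; the real keyword list is longer.

```powershell
# Added example: approximation of the documented Credit Card Number rules
# (16 digits formatted/unformatted, Luhn checksum, keyword within 300 chars).
# Not SharePoint's own classifier; keyword list below is an assumed subset.

function Test-Luhn {
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    # Walk right to left, doubling every second digit (Luhn mod-10 check)
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]::Parse($Digits.Substring($i, 1))
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CreditCardNumber {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$Proximity = 300,
        # Assumed keyword subset; SharePoint's real list is larger
        [string[]]$Keywords = @('visa', 'amex', 'mastercard', 'credit card', 'card number', 'cvv2')
    )
    # Rule 1: 16 digits, either unbroken or four groups of four separated by '-' or ' '
    $pattern = '\b(?:\d{4}[- ]\d{4}[- ]\d{4}[- ]\d{4}|\d{16})\b'
    $hits = @()
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[- ]', ''
        if (-not (Test-Luhn $digits)) { continue }          # Rule 2: checksum must pass
        # Rule 3: a supporting keyword within $Proximity characters on either side
        $start  = [Math]::Max(0, $m.Index - $Proximity)
        $end    = [Math]::Min($Text.Length, $m.Index + $m.Length + $Proximity)
        $window = $Text.Substring($start, $end - $start).ToLowerInvariant()
        $kw = $Keywords | Where-Object { $window.Contains($_) } | Select-Object -First 1
        if ($kw) {
            $hits += [pscustomobject]@{ Number = $m.Value; Keyword = $kw; Offset = $m.Index }
        }
    }
    return $hits
}

# Constructed sample text. 4111-1111-1111-1111 is a well-known Luhn-valid test number;
# 1234-5678-9012-3456 fails Luhn and must not be reported even though a keyword is near it.
$sample = @"
Sales order 4471. Customer paid by Visa, card number 4111-1111-1111-1111, exp 03/18.
Reference 1234-5678-9012-3456 is an internal order id, not a card.
"@

Find-CreditCardNumber -Text $sample | Format-Table -AutoSize
```

Running this reports only the 4111 number (keyword "visa" in the surrounding window); the 1234 reference fails the Luhn step and is dropped before the keyword check is reached. Dropping the keywords from the sample text makes the 4111 number disappear from the results too, which is the behaviour to keep in mind when judging what a DLP policy will and will not catch.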

Here are some pointers on getting started with DLP in SharePoint 2016 Beta 2.

Pre-Requisites

  1. DLP relies on Search, so in order to use the functionality you need to have provisioned a Search Service Application within your farm.

  2. Two Site Collections need to be provisioned; these facilitate the configuration and identification of Sensitive Information:

    • eDiscovery Center – This allows you to identify content that conflicts with any of the DLP policies that have been created

    • Compliance Policy Center – This is used to create and manage the actual DLP Policies

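The two prerequisites can be checked and provisioned from the SharePoint 2016 Management Shell rather than Central Admin. This is an added example, not from the original post; it assumes a web application at https://compliance already exists, that the shell runs as a farm administrator, and that the owner account and URLs are placeholders to change. EDISC#0 and POLICYCTR#0 are the template IDs for the eDiscovery Center and Compliance Policy Center respectively; the script lists them before use so you can confirm them on your own farm.

```powershell
# Added example: verify the Search prerequisite and create the two DLP site collections.
# Assumptions: web application https://compliance exists; CONTOSO\spadmin is a placeholder owner.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$owner = "CONTOSO\spadmin"   # assumed owner account, change to suit

# Prerequisite 1: DLP relies on Search, so refuse to continue without a Search Service Application
$ssa = Get-SPEnterpriseSearchServiceApplication -ErrorAction SilentlyContinue
if (-not $ssa) {
    throw "No Search Service Application found - provision one before configuring DLP."
}
"Search Service Application: $($ssa.Name) (status: $($ssa.Status))"

# Prerequisite 2: the two site collections. Confirm the templates exist on this farm first.
$needed = 'EDISC#0', 'POLICYCTR#0'
$available = @(Get-SPWebTemplate | Where-Object { $_.Name -in $needed })
foreach ($t in $needed) {
    if ($t -notin $available.Name) { throw "Web template $t not found on this farm." }
}
$available | Format-Table Name, Title -AutoSize

$sites = @(
    @{ Url = "https://compliance/sites/ediscovery"; Template = "EDISC#0";     Name = "eDiscovery Center" }
    @{ Url = "https://compliance/sites/policy";     Template = "POLICYCTR#0"; Name = "Compliance Policy Center" }
)
foreach ($s in $sites) {
    # Idempotent: skip anything that is already there so the script can be re-run safely
    if (Get-SPSite -Identity $s.Url -ErrorAction SilentlyContinue) {
        "Already exists: $($s.Url)"
        continue
    }
    New-SPSite -Url $s.Url -OwnerAlias $owner -Template $s.Template -Name $s.Name | Out-Null
    "Created $($s.Name) at $($s.Url)"
}
```

Keeping both centres in their own site collections (as the script does) is worth doing deliberately: whoever administers the Compliance Policy Center can create policies that block access across other site collections, so its permissions deserve the same scrutiny as any other farm-level control.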

Creating a DLP Policy

  1. Browse to the Site that you created that uses the Compliance Policy Center template

  2. Select DLP Policy Management

  3. Click New Item

In the example below, I create a DLP Policy named UK Financial Data using the U.K. Financial Data template, which identifies content containing Credit/Debit Card Numbers and SWIFT Codes. The policy is configured to match content that contains at least 1 instance of any of this Sensitive Information, for example 1 x Credit Card Number. This threshold can be increased to a larger value, for example 5, which reduces noise from documents that mention a single number in passing. Whenever content is identified that conflicts with this policy, an email is sent to admin@company.com.

End users are notified by a policy tip in Office 2016 when they save or edit content that contains sensitive information (example below).

Finally, I have configured the policy to block access to the content (because I’m cruel like that!). Once blocked, the only users who retain access are the Site Admin(s), the document's creator and the last user who modified it.

Click Save and our policy is complete, well, sort of: it does nothing until it is assigned to a Site Collection.

Assigning a Policy to a Site Collection

In the next step we need to assign this policy to one or more Site Collections, to do this:

  1. Browse to the Site that you created that uses the Compliance Policy Center template

  2. Select DLP Policy Assignments for Site Collections

  3. Click New Item

  4. Click First choose a site collection

  5. Enter the URL for a Site Collection you would like to protect, click the magnifying glass and then select the Site

  6. Click Save

We now need to assign the DLP policy to the Site Collection that was selected above.

  1. Select Manage Assigned Policies

  2. Select the Policy you would like to apply to the Site Collection

  3. Click Save

Identifying Sensitive Content

Now that a policy (UK Financial Data) has been created and assigned to a Site Collection (https://intranet/sites/HR), we can use three methods to identify content that conflicts with the policy.

  1. Wait for an e-mail notifying us of any breaches of the policy (in my case, sent to admin@company.com)

  2. Browse the Site and look for content that conflicts with the policy (notice the warning sign on the document icon!). This document contains a Credit Card number and has therefore been flagged.


    Clicking View Policy Tip provides further information on the conflict.

  3. Use the eDiscovery Center to locate content (interestingly, this also identifies sensitive content for which no policy is assigned, presumably because search classifies all sensitive content as it is crawled rather than waiting for a policy to be assigned and a crawl to be run)

    • Browse to the eDiscovery Center you created

    • Select Create DLP Query

    • Click New Item within the Search and Export section

    • Select the template to query against (in this case U.K. Financial Data)

    • Enter the minimum number of instances of this type of Sensitive Data to show results for – I’ve selected 1, which means that any content containing at least 1 piece of data that conflicts with the policy will be reported.

    • Click Next

    • Give the Query a name and then select Search to return details of any documents that conflict with the policy, in this case a single document named "Sales Order.docx"

It is possible to narrow results by a specific date range, file type or managed property. You can also Save the Query for later usage and export the actual documents identified if required.

That’s a quick overview of DLP in SharePoint 2016. One thing to point out is that policy enforcement is only as accurate as the search index: a newly uploaded document is neither flagged nor blocked until it has been crawled, so it’s important to keep the index as fresh as possible by performing regular crawls. There are also a number of Timer Jobs that control policy enforcement (details below).
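As an added example (not from the original post, and not the timer job details it refers to), the following PowerShell kicks off an incremental crawl of the default content source and lists the timer jobs whose names look policy related, so you can see their schedules and last run times before deciding whether to run one by hand. It assumes the default content source name "Local SharePoint sites" and a farm-administrator shell; the name filter is a loose match because the exact job names are not given on this page.

```powershell
# Added example: keep the index fresh and inspect the timer jobs behind policy enforcement.
# Assumptions: content source "Local SharePoint sites" (the default); farm-admin shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssa = Get-SPEnterpriseSearchServiceApplication
$cs  = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity "Local SharePoint sites"

# An incremental crawl picks up new and changed documents (and therefore new policy matches).
# Only start one if the content source is idle; starting a second crawl fails.
if ($cs.CrawlStatus -eq "Idle") {
    $cs.StartIncrementalCrawl()
    "Incremental crawl started on '$($cs.Name)'"
} else {
    "Crawl already in progress on '$($cs.Name)': $($cs.CrawlStatus)"
}

# List timer jobs that look DLP/policy related. The name filter is an assumption, so read the
# list before running anything rather than piping it straight into Start-SPTimerJob.
Get-SPTimerJob |
    Where-Object { $_.Name -match 'dlp|policy|compliance' } |
    Sort-Object Name |
    Format-Table Name, Schedule, LastRunTime -AutoSize

# To run one of them now instead of waiting for its schedule, substitute a name from the list:
# Get-SPTimerJob -Identity "<job name from the list above>" | Start-SPTimerJob
```

A practical check after assigning a policy is to upload a document containing a known test card number alongside a keyword, run the crawl above, and confirm the warning icon and block appear; until the crawl completes, the document is fully accessible regardless of the policy.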

Brendan Griffin - @brendankarl