by Michael Panciroli
The Office 365 Partner Community is led by National Partner Technology Strategists from the Microsoft US Partner Team. Partner Community activities include blog posts, discussions on Yammer, newsletters, and community calls.
This is part 2 of our series about security and compliance in Office 365. You can read part 1 here.
Data Loss Prevention in Exchange, Outlook, and OWA
In my introductory post for this series about security and compliance in Office 365, I shared resources to help you have the Microsoft cloud security conversation with your customers. I also introduced some protection controls and tools available in the service that keep customer data safe. In this post, I will take a closer look at the Data Loss Prevention (DLP) capabilities in Office 365, specifically in Exchange, Outlook, and OWA.
DLP in Office 365 helps identify, protect, and monitor sensitive information through deep content analysis. Each organization defines what it considers sensitive. A retailer, for example, wants to treat credit card information as sensitive, a healthcare organization must protect personally identifiable information, and a legal organization might be concerned with intellectual property and patents. Office 365 DLP controls let you define that sensitive information and apply policies to it to prevent security breaches and accidental leakage. The controls are built around the end user experience and engineered to educate employees to "do the right thing" so that corporate policies are followed.
To enforce corporate policies in Office 365, you will need to create DLP policies. DLP policies are packages of conditions, actions, and exceptions, created in the Exchange Administration Center (EAC), that are activated to filter email messages and attachments. DLP policy conditions are built on transport rules, that is, the Exchange Transport Rule Engine (ETR). DLP policies can use the full power of existing transport rules, with over 50 rule predicates supported. Transport rule conditions can be very simple, such as detecting whether the recipient is outside or inside the organization. A relatively new feature of transport rules is the ability to classify sensitive information.
When creating a policy, you can look for what are known as sensitive information types, such as a credit card number, passport ID number, or bank account number. This DLP feature performs deep content analysis with its classification engine through keyword matches, dictionary matches, regular expression evaluation, and other content examination to detect content that violates organizational DLP policies. The analysis is sophisticated—it can detect contextual evidence and, for example, validate the checksum of a credit card number to decrease false positives. You can find an inventory of sensitive information types here.
Once you have defined your rule, you decide the appropriate action to take based on the organization’s compliance policy or legal requirements. The DLP feature set provides the flexibility for the enforcement of policy based upon the risk assessment level.
There are a wide variety of actions to take. Earlier, I mentioned user education, and you see that realized with policy notifications inside of email called Policy Tips. Similar to Mail Tips, like an Out of Office notification, Policy Tips provide the sender with real-time information about possible policy violations while a message is being composed, before it is sent. Below is an example of an email in OWA that contains a Policy Tip and Mail Tips.
Another action you can take is to encrypt the message. Moreover, you can redirect the message based on the risk assessment level for approval, or simply block the message. It is also possible to configure exceptions where the sender can override the Policy Tip warning, but it will trigger an auditable action that’s discoverable in an incident report sent to a designated mailbox.
Now that you have a basic knowledge of transport rules and sensitive information types, it's easier to understand the recent Office 365 DLP capability called Document Fingerprinting. Document Fingerprinting adds to the classification engine by being able to identify forms used in an organization that typically contain sensitive information.
For example, a tax firm may want to fingerprint tax return forms such as a 1040 received by email from a client, as it would contain social security numbers and other personally identifiable, sensitive information. A law firm may want to fingerprint legal forms such as patents. It works by using a containment algorithm: attachments are inspected, and anything derived from the fingerprinted form is identified.
Setting up document fingerprinting is pretty straightforward:
- Upload a blank version of the form you would like to identify to create the document fingerprint
- Create a custom data classification out of it and use it in the DLP policy or transport rules to detect it in your operations and take appropriate actions
- Supported form types are the same file types supported for transport rule content inspection (the list is published here)
The “Protect form data with document fingerprinting” article on TechNet includes a video demo that explains the steps for creating a document fingerprint.
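The fingerprinting steps above, as an added example in Exchange Online remote PowerShell (not code from the original post or the TechNet article). It assumes Windows PowerShell with a remote session to Exchange Online already open, and the blank form path and classification name are placeholders.

```powershell
# Added example: build a document fingerprint from a blank form and expose it as a
# custom data classification that DLP policies and transport rules can match on.
# Assumes Windows PowerShell (Get-Content -Encoding byte) and an open Exchange Online
# remote session. The form path and names below are placeholders.

$formPath = 'C:\DLP\Forms\Contoso-1040-Blank.docx'   # placeholder: the blank form to fingerprint

# New-Fingerprint needs the raw file bytes, not the path. Use the blank form so that
# only the form's structure, not any client's data, becomes the fingerprint.
$formBytes = Get-Content -Path $formPath -Encoding byte -ReadCount 0

# The description is what later shows up in rule match details and incident reports.
$fingerprint = New-Fingerprint -FileData $formBytes -Description 'Contoso 1040 tax return form'

# Wrap the fingerprint in a custom data classification (a sensitive information type).
# One classification can carry several fingerprints, e.g. different revisions of the form.
New-DataClassification -Name 'Contoso 1040 Form' `
    -Fingerprints $fingerprint `
    -Description 'Client tax return forms containing SSNs and financial data'

# Verify the classification is registered before referencing it from a rule.
Get-DataClassification -Identity 'Contoso 1040 Form' |
    Format-List Name, Description, Fingerprints
```

The resulting classification is referenced from a rule exactly like a built-in sensitive information type, through the `MessageContainsDataClassifications` predicate.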
DLP Reporting and Auditing
In the Office 365 Admin Center reporting section, you will find a comprehensive view of DLP policy application. With the out-of-the-box reports, you can drill into specific departures from policy to gain business insights. Detailed reporting data can be requested for up to 90 days, and you can export reports to an Excel workbook and email incident reports.
Here is an example of the reporting for DLP policy matches by severity for email:
Any customer that needs to enforce organizational security policies or that has a legal department is a good prospect for you to deliver this service. The tools are there for you in the service to help enforce the policies, but defining what is sensitive and the policies that provide protection is unique to each industry and organization. You can consult with your customer and configure the service so that the policies are being enforced appropriately. Custom DLP policies can be created, allowing you to establish conditions, rules, classifications, and actions that meet the specific needs of your customer, and which may not be covered by the pre-existing DLP templates.
- Other services you can provide around this include integrating incident reports with custom workflows or ticketing systems when there is a violation, or an approval or audit is required.
- Partners can create custom reporting solutions or provide remote PowerShell management. DLP policies can be managed by using the Exchange Management Shell cmdlets. See the documentation for more information about policy and compliance cmdlets.
- I will cover eDiscovery in my next post, but keep in mind that eDiscovery is only as good as the customer’s index, so there may be opportunities to ensure that it is tuned and all of the appropriate content sources are in scope.
- Testing and validation will be important in ensuring compliance and minimizing false positives. The tools provide a way for you to create a DLP policy, but choose to not activate it. This allows you to test your policies without affecting mail flow.
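The policy, rule actions, and incident reporting described in the DLP section above, together with the test-without-activation approach from the last bullet, as an added Exchange Online PowerShell example (not code from the original post). It assumes an open remote session to Exchange Online; the policy name, rule name, and mailbox addresses are placeholders.

```powershell
# Added example: a DLP policy created in Audit mode so it can be validated without
# affecting mail flow, plus a transport rule with Policy Tip, override, and incident
# report actions. Assumes an open Exchange Online remote PowerShell session; policy,
# rule, and mailbox names are placeholders.

# 1. Create the policy from a built-in template in Audit mode: matches are logged and
#    reported, but no Policy Tips, rejections, or redirects happen yet.
New-DlpPolicy -Name 'Contoso Financial Data' `
    -Template 'U.S. Financial Data' `
    -Mode Audit

# 2. Add a rule to the policy: messages sent outside the organization that contain at
#    least one credit card number (the classification engine checksum-validates these).
#    The sender may override the Policy Tip only with a business justification, and
#    every match, including overrides, is written to an incident report mailbox.
New-TransportRule -Name 'Contoso - Credit card to external recipient' `
    -DlpPolicy 'Contoso Financial Data' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = 'Credit Card Number'; MinCount = '1' } `
    -ExceptIfFrom 'payments-desk@contoso.example' `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText 'Credit card numbers may not be sent externally without a business justification.' `
    -SetAuditSeverity High `
    -GenerateIncidentReport 'dlp-incidents@contoso.example' `
    -IncidentReportContent Sender, Recipients, Subject, Severity, Override, RuleDetections, DataClassifications

# 3. While still in Audit mode, review what the rule would have done over the last
#    week to find false positives before users see any Policy Tips.
Get-MailDetailDlpReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -DlpPolicy 'Contoso Financial Data' |
    Select-Object Date, SenderAddress, RecipientAddress, Subject, TransportRule, Action

# 4. Once the matches look right, step up to AuditAndNotify (Policy Tips shown, nothing
#    blocked) and finally Enforce. Rules in the policy follow the policy mode.
Set-DlpPolicy -Identity 'Contoso Financial Data' -Mode AuditAndNotify
# Set-DlpPolicy -Identity 'Contoso Financial Data' -Mode Enforce
```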
In my next post, I will explore the new DLP capabilities in SharePoint and the Office 365 eDiscovery Center, and wrap up the series with a screencast demo to show you the environments and scripts to help you sell these capabilities and your offerings.
Register to join me on the January 8 community call for a discussion about the topics of security and compliance in Office 365.