Microsoft’s Data Loss Prevention (DLP) solutions are deployed in thousands of customer environments, where they play a vital role in our customers’ data protection strategy. DLP at its core is a set of technologies and processes that protect sensitive information and reduce risk by applying policies that govern and prevent the inappropriate sharing, transfer or use of that data across applications and services. Fundamentally, DLP helps users make the right decisions and take the right actions when working with sensitive data.
In addition to our Ignite announcement of the availability of DLP for macOS endpoints, Microsoft is also excited to announce today the addition of several new DLP capabilities designed to continue the enhancement and expansion of core DLP capabilities to address new workloads and provide new advanced protections:
- Extended content analysis support for region-specific content types
- New DLP policy controls to restrict access to sensitive files based on the file’s extension or filetype
- Monitor when sensitive files are added or stored in archives, and restrict access to archives when they contain sensitive files
- Automatically quarantine sensitive files when they’re accessed by restricted cloud sync apps
- Fine-grained policy controls to define different access restrictions to groups of applications when they access sensitive files
- Customize the DLP Policy Tip notification that appears when users are affected by a DLP policy on an Endpoint
Extended globalization support
Customers operating globally need more flexibility to detect sensitive data in documents authored using region-specific character sets. Microsoft already provided DLP support for content authored using double-byte character sets in service workloads; today we are happy to announce that this capability is extended to Microsoft Endpoint DLP, including Simplified Chinese, Traditional Chinese, and Japanese.
DLP Policies based on file extension or type
In addition to scanning across even more types of files (see the Microsoft Information Protection Ignite announcements at aka.ms/Ignite2021MIP), we are adding support to identify a file as sensitive based on its type or extension, independent of its content. This means you can now extend your Endpoint DLP policy controls to detect and protect even more content types, such as CAD drawing files, video and audio files, and custom file types used in your specific industry.
Figure 1: DLP policy protecting sensitive content based on a file extension
Protect sensitive files stored in archives
It is common practice for users to create and store sensitive files in archives like ZIP or ARJ as they use, access, and share sensitive files with their peers as part of standard business processes. It is also common for malicious users to attempt to exfiltrate sensitive data by concealing it in archive files. Endpoint DLP allows you to monitor when sensitive files are created and added to archives, and you can apply restrictions to archived files when they contain sensitive files, reducing the risk of inappropriate file transfer.
Figure 2: Enforcing a DLP policy on sensitive content contained in an archive
Quarantine sensitive files from cloud sync apps
As we extend and add new controls to our policies, we also recognize that it's vital to keep the user’s experience positive and friction-free. To ensure this, you can now configure Endpoint DLP to automatically move or quarantine a sensitive file when it is accessed by an unallowed app, such as a file sync app. This prevents the repeated notifications that can occur when a sync app retries access to a blocked file.
Figure 3: Configuring a quarantine policy for cloud sync apps
Restrict app groups and customized restrictions
In the modern workplace, information workers rely on a diverse set of applications and services that may require access to, or transfer of, sensitive files between different sanctioned line-of-business (LOB) applications. We’re excited to announce new Endpoint DLP controls that give organizations the flexibility to scope different access restrictions to sensitive files when they’re accessed by different applications and people. We’re currently rolling out this feature to our preview audience, and it will be available to all organizations in the next few weeks.
Figure 4: Restricting access to sensitive information using restricted app groups
Customizable DLP Policy Tips
Many organizations want to customize the text that appears in the policy tips when users are restricted. This new capability enables you to use language that is familiar to your users to inform them about your organization’s data use policies.
Figure 5: Creating a customized DLP policy tip for users
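The file-extension condition and the customized policy tip described above can also be configured from Security & Compliance PowerShell rather than the compliance center. The following is an added example, not code from this post or from the Microsoft Information Protection team: it assumes the ExchangeOnlineManagement module is installed, an account with compliance-admin rights, and endpoints already onboarded to Endpoint DLP. Policy and rule names, the extension list, the restriction settings chosen, and the tip text are placeholders; confirm the setting names accepted by -EndpointDlpRestrictions against the current New-DlpComplianceRule reference before using them in production.

```powershell
# Added example: an Endpoint DLP policy whose rule treats files as sensitive by
# extension and replaces the default policy tip with organization-specific text.
# Names, extensions, restriction values and tip text are placeholders (assumptions).

# Connect to Security & Compliance PowerShell (interactive sign-in).
Connect-IPPSSession

$policyName = "Endpoint-CAD-Protection"   # placeholder policy name
$ruleName   = "Block-CAD-Exfil"           # placeholder rule name

# Policy scoped to all onboarded endpoints. TestWithNotifications audits matches
# and shows the policy tip without blocking; switch to -Mode Enable to enforce.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Protect CAD drawings on endpoints by file extension" `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Endpoint restrictions applied when the rule matches: block copies to removable
# media and to unallowed apps, and audit (but do not block) clipboard use.
$restrictions = @(
    @{ "Setting" = "RemovableMedia"; "Value" = "Block" },
    @{ "Setting" = "UnallowedApps";  "Value" = "Block" },
    @{ "Setting" = "CopyPaste";      "Value" = "Audit" }
)

# The rule matches on file extension only, so the files are protected whether or
# not their content contains a classifiable sensitive information type.
New-DlpComplianceRule -Name $ruleName `
    -Policy $policyName `
    -ContentExtensionMatchesWords "dwg","dxf","step" `
    -EndpointDlpRestrictions $restrictions `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This drawing is Contoso engineering IP. Copying it off this device is restricted by policy CAD-01; contact the IP desk for an approved transfer."

# Verify the rule stored the extension condition, restrictions and custom tip.
Get-DlpComplianceRule -Identity $ruleName |
    Select-Object Name, ContentExtensionMatchesWords, EndpointDlpRestrictions, NotifyPolicyTipCustomText |
    Format-List
```

Start in TestWithNotifications mode and review the Endpoint DLP activity in Activity explorer before switching the policy to Enable, so that a broad extension list does not block legitimate line-of-business workflows on day one.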
Microsoft’s DLP solution is part of a broader set of Information Protection and Governance solutions that are part of the Microsoft 365 Compliance Suite. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started today.
Get Started - Compliance Trial
We are happy to share that there is now an easier way for you to try Microsoft compliance solutions directly in the Compliance Admin Center with a free trial. By enabling the trial in the Compliance center, you can quickly start using all capabilities of Microsoft Compliance, including Insider Risk Management, Records Management, Advanced Audit, Advanced eDiscovery, Communication Compliance, Microsoft Information Protection, Data Loss Prevention, and Compliance Manager.
This trial is currently rolling out to tenants worldwide and you can learn more about it here.
Additional resources:
- To join the Ignite Public preview of DLP for macOS see this
- For a podcast on Microsoft’s Data Loss Prevention, see this
- For more information on Sensitivity Labels as a condition for DLP policies, see this
- For more information on Sensitivity Labels, please see this
- For more information on Predicates for Unified DLP, please see this
- For the latest on Microsoft Information Protection, see this
Thank you,
The Microsoft Information Protection Team