
Security, Compliance, and Identity Blog

Announcing expanded DLP coverage to new file and content types and new friction-free user experience

EricEOuellet, Microsoft
Nov 02, 2021

Microsoft’s Data Loss Prevention (DLP) solutions are deployed in thousands of customer environments, where they play a vital role in our customers’ data protection strategies. At its core, DLP is a set of technologies and processes that protect sensitive information and reduce risk by applying policies that govern and prevent the inappropriate sharing, transfer or use of that data across applications and services. Fundamentally, DLP helps users make the right decisions and take the right actions when handling sensitive data.


In addition to our Ignite announcement of the availability of DLP for macOS endpoints, Microsoft is also excited to announce today several new DLP capabilities that extend core DLP to new workloads and add new protections:

  • Extended content analysis support for region-specific content types
  • New DLP policy controls to restrict access to sensitive files based on the file’s extension or filetype
  • Monitor when sensitive files are added or stored in archives, and restrict access to archives when they contain sensitive files
  • Automatically quarantine sensitive files when they’re accessed by restricted cloud-sync apps
  • Fine-grained policy controls to define different access restrictions to groups of applications when they access sensitive files
  • Customize the DLP Policy Tip notification that appears when users are affected by a DLP policy on an Endpoint

Extended globalization support

In a global workforce, customers need more flexibility to detect sensitive data stored in documents authored using a region-specific character set. Microsoft already provided DLP support for content authored using double-byte character sets in service workloads; today we are happy to announce that this capability has been extended to Microsoft’s Endpoint DLP, including Simplified Chinese, Traditional Chinese and Japanese.


DLP Policies based on file extension or type

In addition to scanning across even more types of files (see the Microsoft Information Protection Ignite announcements at aka.ms/Ignite2021MIP), we are adding support to identify a file as sensitive based on its type or extension. This means you can now extend your endpoint DLP policy controls to detect and protect even more content types, such as CAD drawing files, video and audio files, and custom file types used in your specific industry.


Figure 1: DLP policy protecting sensitive content based on a file extension


Protect sensitive files stored in archives

It is common practice for users to place sensitive files in archives like ZIP or ARJ as they use, access, and share those files with their peers as part of standard business processes. It is also common for malicious users to attempt to exfiltrate sensitive data by concealing it in archive files. Endpoint DLP now lets you monitor when sensitive files are created and added to archives, and you can apply restrictions to an archive when it contains sensitive files, reducing the risk of inappropriate file transfer.


Figure 2: Enforcing a DLP policy on sensitive content contained in an archive


Quarantine sensitive files from Cloud-Sync apps

As we extend and add new controls to our policies, we also recognize that it's vital to keep the user’s experience positive and friction-free. To ensure this, you can now configure Endpoint DLP to automatically move or quarantine a sensitive file when it is accessed by an unallowed app, such as a file sync app. This prevents the repeated notifications that can occur when a sync app retries access to a blocked file.


Figure 3: Configuring a Quarantine policy for cloud-sync apps


Restrict app groups and customized restrictions

In the modern workplace, information workers rely on a diverse set of applications and services, and sensitive files often need to be accessed by or transferred between different sanctioned Line Of Business (LOB) applications. We’re excited to announce new Endpoint DLP controls that give organizations the flexibility to scope different access restrictions to sensitive files depending on which applications and people access them. We’re currently rolling out this feature to our preview audience, and it will be available to all organizations in the next few weeks.


Figure 4: Restricting access to sensitive information using restricted app groups


Customizable DLP Policy Tips

Many organizations want to customize the text that appears in the policy tips when users are restricted. This new capability enables you to use language that is familiar to your users to inform them about your organization’s data use policies.


Figure 5: Creating a customized DLP policy tip for users
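The file-extension policy from the "DLP Policies based on file extension or type" section and the customized policy tip described just above can both be expressed in one Endpoint DLP rule. The following is an added example, not code from the original post or from Microsoft; it uses the Security & Compliance PowerShell cmdlets (ExchangeOnlineManagement module) as I know them, so confirm parameter names with Get-Help New-DlpComplianceRule -Detailed against your tenant before running. The policy and rule names, the extension list and the tip text are illustrative.

```powershell
# Added example (not part of the original post): an Endpoint DLP policy whose rule
# matches files by extension, blocks copying them to removable media, audits other
# egress channels, and shows a custom policy tip. Cmdlet/parameter names are assumed
# from Security & Compliance PowerShell; verify with Get-Help before use.
# Names and extensions below are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession                     # interactive sign-in to the compliance endpoint

$policyName = "Endpoint - block sensitive file types"
$ruleName   = "$policyName - rule"

# Policy scoped to all Endpoint DLP devices. Start in test mode with notifications
# so alerts and policy tips can be observed before switching -Mode to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Block PST and CAD files from leaving managed endpoints" `
    -EndpointDlpLocation "All" `
    -Mode TestWithNotifications

# Endpoint restrictions are a list of Setting/Value pairs, one per egress channel.
$restrictions = @(
    @{ Setting = "RemovableMedia"; Value = "Block" },   # USB and other removable drives
    @{ Setting = "CloudEgress";    Value = "Audit" },   # uploads to unallowed cloud domains
    @{ Setting = "NetworkShare";   Value = "Audit" }
)

# Condition: file extension (no leading dot). Action: the restrictions above.
# The custom text replaces the default policy tip shown to the affected user.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentExtensionMatchesWords "pst","dwg","dxf" `
    -EndpointDlpRestrictions $restrictions `
    -NotifyUser "LastModifier" `
    -NotifyPolicyTipCustomText "This file type may not be copied to removable media. Contact the Security team if you need an exception."

# Read back what the service stored. When a block fires for an unexpected file
# type, comparing the stored extension list and restrictions with what you intended
# is the first check to make.
Get-DlpComplianceRule -Identity $ruleName |
    Select-Object Name, Policy, ContentExtensionMatchesWords, EndpointDlpRestrictions, Mode |
    Format-List
```

Keep the policy in TestWithNotifications until devices report the expected matches in Activity explorer; endpoint policy changes take time to reach onboarded devices, so a rule that looks right in PowerShell may not be enforced immediately.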


Microsoft’s DLP solution is part of the broader set of Information Protection and Governance solutions in the Microsoft 365 Compliance Suite. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started today.


Get Started - Compliance Trial 

We are happy to share that there is now an easier way to try Microsoft compliance solutions directly in the Microsoft 365 compliance center with a free trial. By enabling the trial in the compliance center, you can quickly start using all capabilities of Microsoft Compliance, including Insider Risk Management, Records Management, Advanced Audit, Advanced eDiscovery, Communication Compliance, Microsoft Information Protection, Data Loss Prevention, and Compliance Manager.


This trial is currently rolling out to tenants worldwide and you can learn more about it here. 


Additional resources: 

  • To join the Ignite Public preview of DLP for macOS see this 
  • For a podcast on Microsoft’s Data Loss Prevention, see this
  • For more information on Sensitivity Labels as a condition for DLP policies, see this 
  • For more information on Sensitivity Labels, please see this 
  • For more information on Predicates for Unified DLP, please see this
  • For the latest on Microsoft Information Protection, see this 


Thank you, 

 The Microsoft Information Protection Team


Updated Mar 01, 2022
Version 2.0
  • MrK-123 (Copper Contributor)

    Has anyone successfully implemented Microsoft's DLP policy based on file extension and blocking the copy of the files to USB removable storage? We are losing confidence in the tool with the lack of inconsistency we are seeing.


    1. When we add members to the policy, either directly or through a mail-enabled security group, there are huge delays, some taking over 4 days. In some cases, they never get the policy applied to them, while other DLP policies that target Exchange work perfectly.

    2. Admin alerts are so inconsistent. Sometimes we get the alert, sometimes they are delayed, sometimes we don't get them at all.

    3. We have a policy that blocks .pst files from being transferred but we get an alert that a block occurred for a .pdf or .dotm file. WHY??


    No one from Microsoft has been able to explain these things. HELP!