Security, Compliance, and Identity Blog

Announcing public preview of Microsoft Endpoint Data Loss Prevention

Mas Libman (Microsoft)
Jul 21, 2020

UPDATE: We are excited to announce that Microsoft Endpoint DLP has finished rolling out in Public Preview to entitled customers! See the Get Started section in this blog post for links and instructions to get started, and visit our forum to share your questions & feedback at https://aka.ms/mip/yammer

Ensuring that sensitive data is protected from risky or inappropriate sharing, transfer, or use has always been a top priority for organizations. The new reality of significant numbers of employees working from home or other remote locations indefinitely has created renewed emphasis on providing strong and coordinated protection on the endpoints they use every day. To help customers accelerate their deployment of a comprehensive information protection strategy across all their environments, we are announcing the public preview of Microsoft Endpoint Data Loss Prevention (DLP).

At Microsoft, we have long invested in developing cutting-edge information protection solutions for our customers. Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution that understands and classifies your data, keeps it protected, and prevents data loss across Microsoft 365 apps (e.g., Word, PowerPoint, Excel, Outlook), services (e.g., Microsoft Teams, SharePoint, Exchange), third-party SaaS applications, and more – on premises or in the cloud. Endpoint DLP now extends MIP classification and protection to devices.

Microsoft 365 customers only need to create DLP policies once in the Microsoft 365 compliance center. They can then apply the policies to Exchange, Teams, SharePoint, OneDrive for Business, and now – to endpoints as well. All that is required is for the endpoint to be onboarded in your environment using your established device management onboarding process.

Figure 1: DLP policy location choices (including ‘Devices’) in the Microsoft 365 compliance center

Endpoint DLP identifies and protects information on endpoints. Endpoint DLP does not restrict or limit the use of applications, web browsers, or other services when sensitive data is not present. It delivers three core capabilities: native protection, seamless deployment, and integrated insights.


Native protection

Endpoint DLP is native to Windows 10 and the new Microsoft Edge browser. There is no need to install or manage additional DLP software on Windows 10 machines anymore. Providing DLP experiences natively on the endpoint has many benefits.

A familiar look and feel users are already accustomed to from applications and services they use every day is just the beginning. Endpoint DLP also reduces end-user training time and alert confusion, increases user confidence in prescribed guidance and remediations, and improves policy compliance – without reducing productivity.

Users are automatically alerted when they take an inappropriate or risky action with sensitive data and are provided with actionable policy tips and guidance to remediate properly. For example, in Figure 2, a user attempts to copy sensitive data from the Word document – Project Obsidian Spec.docx – which contains sensitive information about an updated engine chip design. In this example, the policy is set as ‘Block’ without the option to Override. When the user performs the activity – in this case, copying sensitive data – the event is recorded, and the user is notified that this action is being blocked because copying this data is not allowed, per the DLP policy.

Figure 2: User alerted not to copy sensitive data from a Word document

The user experience for third-party applications is similar. In Figure 3 below, a user tries to copy a document with sensitive data – Project Obsidian.pdf – to a personal Dropbox account using Microsoft Edge. In this example, the DLP policy is set as ‘Block with Override.’ The user is notified this action is blocked because copying the file to that specific cloud application is not allowed, and the event is recorded and available for review and analysis in the Microsoft 365 compliance center console.

Figure 3: User alerted in Microsoft Edge to not copy a file containing sensitive data to a cloud file service


Seamless deployment

Endpoint DLP is managed via the cloud and the Microsoft 365 compliance center, eliminating the need to deploy and operate additional consoles, event management systems, databases, and hardware on premises. As an integral part of MIP, Endpoint DLP leverages the same robust classification system to identify sensitive data accurately and consistently. It is easy to get started with data protection using our 100+ built-in sensitive data types and over 40 templates for common industry regulations. MIP policies can be deployed to Endpoint DLP without additional reconfiguration. Organizations that use MIP’s intuitive interface to create custom sensitive content identifiers and policies can deploy these to Endpoint DLP without any reconfiguration as well.

Figure 4: Easy policy configuration in the Microsoft 365 Compliance Center

Organizations also require flexibility when deploying policies to ensure they minimize disruptions to users and maximize policy effectiveness. Microsoft DLP solutions offer three different modes to monitor and restrict activities in each DLP policy to ensure the intended compliance objectives are achieved:

  • Audit: only records policy violation events without impacting end user activity
  • Block with Override: records and blocks the activity, but allows the user to override when they have a legitimate business need
  • Block: records and blocks the activity without the ability to override

Endpoint DLP can enforce policies for a broad range of activities unique to the endpoint including:

  • Copying a sensitive file to an external USB media device
  • Copying a sensitive file to a network share
  • Uploading a sensitive file to a cloud service
  • Printing a sensitive file
  • Copying sensitive content to the clipboard
  • Accessing a sensitive file by an unallowed app

Figure 5: DLP policy enforcement options
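As an added illustration (not code from the original post or from the Endpoint DLP product documentation), the three enforcement modes and the endpoint activities listed above can be expressed in a single policy through the Security & Compliance PowerShell cmdlets. The cmdlet and parameter names (New-DlpCompliancePolicy with -EndpointDlpLocation, New-DlpComplianceRule with -EndpointDlpRestrictions) and the Setting/Value keywords are assumed from my own knowledge of those cmdlets rather than stated in the post; the policy name, rule name and sensitive information type are placeholders.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and the Security & Compliance cmdlets New-DlpCompliancePolicy and
# New-DlpComplianceRule, including the -EndpointDlpLocation and
# -EndpointDlpRestrictions parameters (assumption, not stated in the post).
Connect-IPPSSession

# One policy scoped to the 'Devices' location, i.e. onboarded endpoints only.
# Mode TestWithoutNotifications would make the whole policy audit-only instead.
New-DlpCompliancePolicy -Name "Endpoint DLP - Engineering (placeholder)" `
    -EndpointDlpLocation All `
    -Mode Enable

# Map the three modes from the post onto the endpoint activities it lists:
#   Audit               -> Value "Audit"  (record only)
#   Block with Override -> Value "Warn"   (block, user may override with a justification)
#   Block               -> Value "Block"  (block, no override)
$restrictions = @(
    @{Setting = "CopyPaste";      Value = "Block"},   # copying sensitive content to the clipboard (Figure 2)
    @{Setting = "CloudEgress";    Value = "Warn"},    # uploading a sensitive file to a cloud service (Figure 3)
    @{Setting = "RemovableMedia"; Value = "Warn"},    # copying a sensitive file to external USB media
    @{Setting = "NetworkShare";   Value = "Audit"},   # copying a sensitive file to a network share
    @{Setting = "Print";          Value = "Audit"},   # printing a sensitive file
    @{Setting = "UnallowedApps";  Value = "Block"}    # access to a sensitive file by an unallowed app
)

# The rule carries the classification condition (here a built-in sensitive
# information type as a placeholder) and the per-activity enforcement values.
New-DlpComplianceRule -Name "Engineering sensitive content (placeholder)" `
    -Policy "Endpoint DLP - Engineering (placeholder)" `
    -ContentContainsSensitiveInformation @(@{Name = "Credit Card Number"; minCount = "1"}) `
    -EndpointDlpRestrictions $restrictions `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This action is not allowed by the DLP policy."
```

Running `Get-DlpComplianceRule -Policy "Endpoint DLP - Engineering (placeholder)" | Format-List EndpointDlpRestrictions` afterwards shows which Setting/Value pairs the service actually stored, which is the check to make before switching a rule from Audit to Block.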

The seamless deployment of Endpoint DLP reduces the strain of incorporating endpoints into existing DLP programs. It increases consistency of compliance across cloud and native workloads and ensures immediate value upon deployment. Device telemetry, for instance, is available in the Microsoft 365 compliance center without having to configure any policies.

Figure 6: Microsoft 365 compliance center view of sensitive data activity including device telemetry

Microsoft 365 compliance center’s Activity Explorer view filters events to identify risky activities and provides details on the specific action, user, and file involved. This streamlines responses, so you can quickly remediate potential risks of unintended or intentional data breaches.

Figure 7: Activity Explorer view of sensitive data activity including device telemetry


Integrated insights

Microsoft Endpoint DLP integrates with other Security and Compliance solutions such as MIP, Microsoft Threat Protection, and Insider Risk Management in Microsoft 365. Endpoint DLP enriches the other solutions with precise insights about device activity of sensitive content. This provides comprehensive coverage and visibility of active data protections, device states and user actions required by organizations to meet regulatory and policy compliance.

Microsoft Threat Protection provides integrated protection against sophisticated attacks. It unifies a pre- and post-breach defense suite that natively coordinates detection, prevention, investigation and response across endpoints, identities, email, and applications. This is critical insight that can be used alongside DLP findings to quickly assess whether there are additional factors to consider beyond the DLP policy violation itself, and whether a broader set of remediations needs to take place.

Insider Risk Management in Microsoft 365 provides organizations with the ability to detect, investigate, and take actions on risky insider activities. Organizations can define a range of acceptable thresholds for a broad set of user and device activities beyond which an alert is generated and displayed in an interactive chart that plots risks and risk level over time for current or past activities. This critical insight can be used in addition to DLP event information to enhance the context of findings and quickly assess the scope of policy violations to help triage intentional versus accidental policy violations.

Endpoint DLP reduces the dependence on individual and uncoordinated solutions from disparate providers to monitor user actions, remediate policy violations, and educate users in context on the correct handling of sensitive data at the endpoint, on-premises and in the cloud.


Get Started

Endpoint DLP starts rolling out to customers’ tenants in Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, and Microsoft 365 E5/A5 Information Protection and Governance. To learn more about Endpoint DLP, visit our documentation. Endpoint DLP is part of a broad and comprehensive set of capabilities to identify, protect and govern your sensitive data. Get the latest version of Edge Chromium that’s integrated with Endpoint DLP on the Microsoft Edge page. To learn more about our Information Protection and Governance solutions, visit the documentation page. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started today.

Thank you,

Maithili Dandige, Principal Group Program Manager, Microsoft Information Protection and Compliance Engineering

Eric Ouellet, Senior Product Marketing Manager, Microsoft 365 Compliance

Updated May 11, 2021
Version 6.0