Microsoft Further Extends Unified Data Loss Prevention
Microsoft’s unified Data Loss Prevention solution provides a simple and unified approach to protecting sensitive information from risky or inappropriate sharing, transfer or use.
Since our last Ignite in September 2020, many milestones were reached, and new DLP capabilities introduced including:
- November 2020, Microsoft’s Endpoint DLP solution became generally available (link) which provided organizations with a broad set of capabilities to protect sensitive information on endpoints where information workers interact and use it.
- Enhancements to DLP policies that included MIP sensitivity labels as a condition, allowing organizations more flexibility and control over the type of content incorporated in DLP policies and new enforcement actions and locations that take into account the sensitivity context of information to better meet protection requirements.
- Public preview of advanced controls in DLP for email protection. This provides the ability protect emails using DLP policies instead of Exchange Transport Rules (ETRs)
- Improved capabilities for DLP policy definition to support complex DLP policies typically found in very large organizations.
- Public Preview of security group and distribution lists for Teams DLP policies, provide greater flexibility in creating DLP policies that are scoped to specific users identified in groups and distribution lists.
- Streamlined the effort required to review, manage and address DLP incidents and the introduction of a new alert management dashboard experience that enable detailed investigations of alerts
- The introduction of new classifiers and content types that can be used to facilitate the rapid creation of context-specific DLP rules.
- Microsoft Cloud App Security DLP General Availability
Figure 1: Microsoft’s unified DLP
Today, we are pleased to announce a continued investment in DLP with three new capabilities that further extend and expand the scope of DLP to a third-party browser and on-premises file repositories, and the introduction of a new DLP management and workflow experience.
Chrome browser DLP and Insider Risk Management extension
Many organizations use the Chrome browser to support sensitive workflows, and we are pleased to announce the public preview of the Microsoft Compliance Extension for Chrome available here. With this addition, customers now have Microsoft DLP and Insider Risk Management capabilities within the Chrome browser of their on-boarded endpoint devices so they can:
- Use Chrome as an approved browser in DLP, for working with sensitive data
- Create custom and fine-grained DLP policies for Chrome to ensure sensitive data is properly handled and protected from disclosure including:
- Audit mode: Records policy violation events without impacting end-user activity
- Block with Override mode: Records and blocks the activity, but allows the user to override when they have a legitimate business need
- Block mode: Records and blocks the activity without the ability to override
- Deliver new insights related to the obfuscation, exfiltration, or infiltration of sensitive information by insiders. For more information on Insider Risk Management, check out the Tech Community blog.
Figure 2: Chrome DLP block with an override for printing
Figure 3: Chrome DLP allowing upload of a sensitive file to a sanctioned service domain
Figure 4: Chrome DLP blocking upload of a sensitive file to an unsanctioned service domain
With the Microsoft Chrome extension, users are automatically alerted when they take a risky action with sensitive data and are provided with actionable policy tips and guidance to remediate properly.
As with other Microsoft DLP and Insider Risk Management capabilities, the Microsoft Chrome extension provides the same familiar look and feel that users are already accustomed to from the applications and services they use every day.. This reduces end-user training time and alert confusion and increases user confidence in the prescribed guidance and remediations offered in the policy tips. This approach can help improve policy compliance – without impacting productivity.
On-Premises DLP
Speaking with customers, we know that organizations have transitioned many of their operations to the cloud. However, they also tell us that even with this transition well underway, they continue to have a significant presence of data within their on-premises environments.
One of the big challenges they face is that much of their data on-premises is “dark” -– meaning it has not been classified, protected or governed -– which makes it very difficult for them to assess what it is, how it should be protected, and where it should go.
This lack of visibility is impacting their ability to pursue the migration of data to the cloud because they cannot take the unknown risks of moving, what could be sensitive data, in an inappropriate a way that could have unintended consequences. This lack of visibility also impacts their ability to properly protect their on-premises sensitive data from inappropriate access or use.
Microsoft’s on-premises DLP was developed specifically to assist customers to gain the visibility they need for their on-premises data and build a comprehensive and actionable data security and compliance framework to help them better manage and protect their sensitive data by offering:
- A scalable and integrated capability that leverages DLP and Microsoft Information Protection policies to discover sensitive data and identify unknown and over-exposed repositories containing sensitive data.
- An automated means to label sensitive data using Microsoft Information Protection (for example, Secret, GDPR, HIPAA, etc.) so that users, applications, and services are aware of the proper handling procedures.
- Ability to change access permissions to on-premises file stores to properly reflect the appropriate access controls.
- Move data from an unapproved on-premise location to another on-premise location that is approved, and provide markers so users can be made aware of the change and can request access to the new location if they have a business need.
- Clear visibility for organizations to decide what data can be migrated to the cloud and assign labels so that cloud services can enforce the appropriate data protection required to meet all regulatory obligations.
- DLP events from on-premises DLP are visible in the same Microsoft 365 Compliance Center Audit and Activity explorer used for all other Microsoft DLP solutions.
- Events from on-premises DLP are visible in the same Microsoft 365 Compliance Center Audit and Activity explorer used for all other Microsoft DLP solutions.
Figure 5: On-Premise DLP architecture
Figure 6: On-Premises DLP in M365 Compliance Center
Advanced DLP Alert Management
After our last Ignite conference, we introduced the ability for you view, investigate, manage, and remediate aggregated and non-aggregated DLP alerts in a dedicated dashboard. This streamlined the effort to address DLP policy violations by providing new capabilities to quickly assert if a detection is a true positive or not to determine the appropriate remediation. Specifically:
- Content preview, allows you to view the file or email that triggered the DLP policy for all Office workloads.
- Matched sensitive content and surrounding context to allow you to better understand why the DLP policy was triggered.
- Enhanced DLP alert management capabilities supporting advanced workflows to review, assign, and manage DLP alerts with actions and status information including “Active, Investigating, Resolved, Dismissed”.
Some DLP alerts can contain very sensitive or privileged information. The alert management view provides granular controls to protect and restricted viewing of this sensitive content for approved security and compliance roles to prevent inappropriate disclosure.
Figure 7: DLP Alerts
Figure 8: DLP Event Source - view of DLP policy data
Figure 9: Matched sensitive information types and surrounding characters view
Announcing the General Availability of Security Groups and Distribution Lists for Microsoft Teams DLP policy scoping
Organizations often have a need to scope Microsoft Teams CChat DLP policies to specific groups of users in order address the unique use cases that are applicable only to some user communities and not others.
With the general availability of security groups and distribution lists for Teams Chat DLP, organizations can leverage existing security groups and distribution lists as the applicable context in a Teams Chat DLP policy.
This means that as users are added or removed from a security group or distribution list, they are automatically added or removed from the associated Teams Chat DLP policies without any additional configuration in the DLP policy definition itself. This approach offers significant benefits for organizations who have very dynamic user populations such as groups with high turnovers.
In addition, using security groups and distribution lists as the applicable context in Teams Chat DLP policies provides a simplified means for bulk inclusion and exclusion of user communities. This is particularly beneficial for example when a Teams Chat DLP policy is only intended to apply to a group of users located in a specific geography, business unit, or role.
Multiple security groups or distribution lists can be applied to individual Teams Chat DLP policies as the applicable context. This does not alter the behavior of the DLP policy or the user experience only the communities of users the DLP policy applies to.
Figure 10: User Experience of a Teams Chat DLP policy configured with a Security Group or Distribution List
Quick Path to Value
To help customers accelerate their deployment of comprehensive information protection and data loss prevention strategy across all their environments containing sensitive data, and help ensure immediate value, Microsoft provides a one-stop approach to data protection and DLP policy deployment within the Microsoft 365 Compliance Center.
Microsoft Information Protection (MIP) provides a common set of classification and data labeling tools that leverage AI and machine learning to support even the most complex of regulatory or internal sensitive information compliance mandates. MIP’s over 150 sensitive information types and over 40 built-in policy templates for common industry regulations and compliance offer a quick path to value.
Consistent User Experience
No matter where DLP is applied, users have a consistent and familiar experience when notified of an activity that is in violation of a defined policy. Policy Tips and guidance are provided using a familiar look and feels users are already accustomed to from applications and services they use every day. This approach can reduce end-user training time, eliminates alert confusion, increases user confidence in prescribed guidance and remediations, and improves overall compliance with policies – without impacting productivity.
Integrated Insights
Microsoft DLP integrates with other Security & Compliance solutions such as MIP, Microsoft Defender, and Insider Risk Management to provide broad and comprehensive coverage and visibility required by organizations to meet regulatory and policy compliance.
Figure 11: Integrated Insights
This approach reduces the dependence on individual and uncoordinated solutions from disparate providers to monitor user actions, remediate policy violations and educate users on the correct handling of sensitive data at the endpoint, on-premises, and in the cloud.
Get Started
Microsoft DLP solution is part of a broader set of Information Protection and Governance solutions that are part of the Microsoft 365 Compliance Suite. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 Compliance Center to get started today.
Additional resources:
- For more information on Data Loss Prevention, please see this and this
- For videos on Microsoft Unified DLP approach and Endpoint DLP see this and this
- For a Microsoft Mechanics video on Endpoint DLP see this
- For more information on the Microsoft Compliance Extension for Chrome see this and this
- For more information on DLP Alerts and Event Management, see this
- For more information on Sensitivity Labels as a condition for DLP policies, see this
- For more information on Sensitivity Labels, please see this
- For more information on conditions and actions for Unified DLP, please see this
- For the latest on Microsoft Information Protection, see this and this
- For more information on AIP scanner, see this
Thank you,
The Microsoft Information Protection team