Microsoft

Office 365 Data Loss Prevention (DLP) enables you to create policies to help prevent the inadvertent or inappropriate sharing of documents and emails containing sensitive information. DLP policies can leverage a broad range of over 90 built-in sensitive information types to detect common data types, such as financial data, PII and health-related information. Organizations can also choose to create custom sensitive information types to detect information specific to their organization’s needs – based on patterns, supporting evidence (keywords such as employee, badge, ID, and so on), character proximity (how close evidence is to characters in a particular pattern), and confidence levels.

Exact Data Match (EDM) is a new capability that enhances custom sensitive information types to help accurately target detection of your exact and unique sensitive content. Exact Data Match (EDM) sensitive information types are designed to:

  • be dynamic and refreshable
  • be more scalable
  • result in fewer false-positives
  • work with structured sensitive data
  • handle sensitive information more securely
  • be used with several Microsoft cloud services

 

Example use cases

 

Example 1: A healthcare provider needs to prevent or block the sharing of medical records that contain patient information – especially to ensure that this information isn’t sent to external users. The organization configures an Exact Data Match (EDM) based sensitive information type to do exact match lookup based on their patient records.

 

A patient EDM sensitive information type is configured to detect content which matches patient SSN or Patient ID or medical record number, along with patient information (e.g. name, date of birth, phone number). Office 365 DLP policies are configured to block external sending of email if a patient EDM sensitive information type is found.

 

Example 2: A banking institution needs to prevent customer account numbers from being shared outside of the organization’s boundary. They configure an Exact Data Match (EDM) based sensitive information type to do exact match lookup based on customer bank account records.

 

A customer account EDM sensitive information type is configured to detect account number, type of account and customer information (name, email address, phone number). Office 365 and Microsoft Cloud App Security DLP policies are configured to detect and block sharing of content that contains the customer account EDM sensitive information type.

 


 

Configure Exact Data Match

 

Exact data match configuration involves three key steps:

  • Define the schema for Exact lookup data
  • Update sensitive content used for Exact Lookup
  • Create Exact Data Match sensitive type

 

We provide an EDM Upload Agent to enable indexing and secure upload of sensitive content, which supports:

  • Authorization to ensure that only users with the right permission can execute EDM lookup.
  • to ensure that sensitive content used for lookup never exits the customer’s boundary.
  • Uploads the indexed file to the right Microsoft service instance.

 

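Detailed steps to create Exact Data Match sensitive information types are located here: https://docs.microsoft.com/en-us/Office365/SecurityCompliance/create-custom-sensitive-information-types-with-exact-data-match-based-classification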
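The matching model from the patient example (a primary identifier found along with that patient's other details) and the hashed index that keeps raw records inside the customer's boundary, sketched as an added example; this is not Microsoft's code and not the EDM Upload Agent's actual hashing scheme. The HMAC-SHA256 salt, the 300-character window, the normalization and the sample rows are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

SALT = b"constructed-demo-salt"  # assumption: secret salt stored with the index
WINDOW = 300                     # assumption: chars of context around a primary hit
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample records (not real people or identifiers).
ROWS = [
    {"ssn": "000-12-3456", "name": "Ana Lopez", "dob": "1984-03-07"},
    {"ssn": "000-98-7654", "name": "Raj Patel", "dob": "1990-11-23"},
]

def norm(value):
    """Lowercase and keep only letters and digits, so formatting does not matter."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def digest(value):
    """Keyed hash of the normalized value; only digests go into the index."""
    return hmac.new(SALT, norm(value).encode(), hashlib.sha256).hexdigest()

def build_index(rows, primary, supporting):
    """Map digest(primary cell) -> digests of the same row's supporting cells."""
    return {digest(r[primary]): {digest(r[f]) for f in supporting} for r in rows}

def phrase_digests(text):
    """Digests of every 1- to 3-token phrase, so 'Ana Lopez,' matches 'Ana Lopez'."""
    toks = text.split()
    return {digest(" ".join(toks[i:i + n]))
            for n in (1, 2, 3) for i in range(len(toks) - n + 1)}

def scan(text, index, min_supporting=1):
    """Return (offset, supporting_count) for each primary value that is in the
    index AND has enough of its own row's supporting values nearby."""
    hits = []
    for m in SSN_RE.finditer(text):
        row = index.get(digest(m.group()))
        if row is None:
            continue  # SSN-shaped, but not one of our records: no match
        lo, hi = max(0, m.start() - WINDOW), m.end() + WINDOW
        found = row & phrase_digests(text[lo:hi])
        if len(found) >= min_supporting:
            hits.append((m.start(), len(found)))
    return hits

INDEX = build_index(ROWS, "ssn", ("name", "dob"))

# Constructed messages.
MAIL_HIT = "Please update the chart for Ana Lopez, born 1984-03-07, SSN 000-12-3456."
MAIL_PATTERN_ONLY = "The test fixture uses SSN 000-55-5555 for Ana Lopez."
MAIL_NO_EVIDENCE = "Reference 000-98-7654 attached."

if __name__ == "__main__":
    for mail in (MAIL_HIT, MAIL_PATTERN_ONLY, MAIL_NO_EVIDENCE):
        print(scan(mail, INDEX), "<-", mail)
```

Only the first message is flagged: the second contains an SSN-shaped value that is not in the records (a pattern-only rule would fire on it), and the third contains a real primary value with none of its row's supporting fields. Because values such as SSNs come from a small, enumerable space, a hash index of them still needs a secret key and restricted access.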

 

Start using Exact Data Match

To start, Office 365 DLP for Exchange Online (email), OneDrive for Business (files), Microsoft Teams (conversations) and Microsoft Cloud App Security policies support EDM sensitive information types.

EDM sensitive information types for the following are currently in development, but not yet available: Office 365 DLP for SharePoint (files) and auto-classification of content for the purpose of applying sensitivity labels and retention labels.

 

For end-users, Office 365 DLP policy tips are useful to provide notifications that sensitive information has been detected and DLP policies are being applied. While this has been widely available on Office apps for DLP policies, support for EDM policy tips will start in Outlook for the web, and we intend to support policy tips in other Office apps in the future.

 

Figure: A policy tip in Outlook for the web notifies the user that a patient record was detected.

 

Getting started

As an advanced classification capability, Exact Data Match is included as an entitlement in the following subscriptions:

  • Office 365 E5
  • Microsoft 365 E5
  • Microsoft 365 Compliance
  • Office 365 Advanced Compliance

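You must be a global admin, compliance administrator, or Exchange Online administrator to perform the tasks described in . To learn more about DLP permissions, see Permissions (https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies#permissions).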

 

 

8 Comments
Super Contributor

I don't get it. You have to regularly index your sensitive data and upload that index to the DLP service for this to work?

Microsoft

@Oleg K, EDM sensitive content detection does exact match lookup of user content (email, files) with sensitive data (patient / employee / customer records) configured to be protected. The sensitive data used in EDM lookup needs to be uploaded to the service and refreshed periodically for changes.

Super Contributor

This doesn't sound practical.

Occasional Contributor

@Dhanas Raju What post-upload processing or protections do you introduce to enforce security on the uploaded sensitive data? If a healthcare organisation is providing you with its patient list, for example, that data is obviously highly sensitive.

Occasional Contributor

@Dhanas Raju Are you planning on supporting OCR for in-image obfuscation of sensitive data in a deliberate exfiltration scenario?

Occasional Contributor

@Dhanas Raju Do you have any provision for a live look-up against on-premises data in a hybrid scenario, thereby absolving the customer of the need to upload its sensitive data to you continuously?

Microsoft

@Michael Sampson 

  • Post-upload processing or protections: EDM solution uploads only hashed value of sensitive content. Uploaded data access in the service is restricted.
  • OCR Support: Currently in plan as part of Office 365 DLP solution. EDM will leverage the same capability.
  • On-prem Lookup: EDM requires the data to be uploaded from on-prem to the service. It does not support look-up data in on-prem.

 

Occasional Contributor

Thank you for your answer @Dhanas Raju. It's a good first step; looking forward to seeing how this matures over time, especially for real-time on-prem lookup.