Blog Post

Security, Compliance, and Identity Blog
3 MIN READ

New Exact Data Match (EDM) classification helps you better detect and protect sensitive information

dhanasraju's avatar
dhanasraju
Icon for Microsoft rankMicrosoft
Aug 07, 2019

Office 365 Data Loss Prevention (DLP) enables you to create policies to help prevent the inadvertent or inappropriate sharing of documents and emails containing sensitive information. DLP policies can leverage a broad range of over 90 built-in sensitive information types to detect common data types, such as financial data, PII and health-related information. Organizations can also choose to create custom sensitive information types to detect information specific to their organization’s needs – based on patterns, supporting evidence (keywords such as employeebadgeID, and so on), character proximity (how close evidence is to characters in a particular pattern), and confidence levels.

 

Exact Data Match (EDM) is a new capability that enhances custom sensitive information types to help accurately target detection of your exact and unique sensitive content. Exact Data Match (EDM) sensitive information types is designed to:

  • be dynamic and refreshable
  • be more scalable
  • result in fewer false-positives
  • work with structured sensitive data
  • handle sensitive information more securely
  • be used with several Microsoft cloud services

 

Example use cases

 

Example 1: A healthcare provider needs to prevent or block the sharing of medical records that contains patient information – especially to ensure that this information isn’t sent to external users. The organization configures an Exact Data Match (EDM) based sensitive information type to do exact match lookup based on their patient records.

 

A patient EDM sensitive information type is configured to detect content which matches patient SSN or Patient ID or medical record number, along with patient information (e.g. name, date of birth, phone number). Office 365 DLP policies are configured to block external sending of email if a patient EDM sensitive information type is found.

 

Example 2: A banking institution needs to prevent customer account numbers from being sharing outside of the organization’s boundary. They configure an Exact Data Match (EDM) based sensitive information type to do exact match lookup based on customer bank account records.

 

A customer account EDM sensitive information type is configured to detect account number, type of account and customer information (name, email address, phone number). Office 365 and Microsoft Cloud App Security DLP policies are configured to detect and block sharing of content that contains the customer account EDM sensitive information type.

 

 

Configure Exact Data Match

 

Exact data match configuration involves three key steps:

  • Define the schema for Exact lookup data
  • Update sensitive content used for Exact Lookup
  • Create Exact Data Match sensitive type

 

We provide an EDM Upload Agent to enable indexing and secure upload of sensitive content, which supports:

  • Authorization to ensure that only users with right permission can execute EDM lookup.
  • to ensure that sensitive content used for lookup never exits the customer’s boundary.
  • Uploads indexed file right Microsoft service instance.

 

Detailed steps to create Exact Data Match sensitive information types is located here.

 

Start using Exact Data Match

To start, Office 365 DLP for Exchange Online (email), OneDrive for Business (files), Microsoft Teams (conversations) and Microsoft Cloud App Security policies supports EDM sensitive information types.

 

EDM sensitive information types for the following are currently in development, but not yet available for  Office 365 DLP for SharePoint (files) and auto-classification of content for the purpose of applying sensitivity labels and retention labels.

 

For end-users, Office 365 DLP policy tips are useful to provide notifications that sensitive information has been detected and DLP policies are being applied. While this has been widely available on Office apps for DLP policies, support for EDM policy tips will start in Outlook for the web, and we intend to support policy tips in other Office apps in the future.

 

A policy tip in Outlook for the web notifies the user that a patient record was detected.

 

Getting started

As an advanced classification capability, Exact Data Match is included as an entitlement in the following subscriptions:

  • Office 365 E5
  • Microsoft 365 E5
  • Microsoft 365 Compliance
  • Office 365 Advanced Compliance

You must be a global admin, compliance administrator, or Exchange Online administrator to perform the tasks described in . To learn more about DLP permissions, see Permissions.

 

 

Updated Aug 12, 2019
Version 2.0