Forum Discussion

Wesley Holley
Microsoft
Apr 17, 2017

Announcing support for custom sensitive information types in the Security & Compliance Center

Wesley Holley is a program manager on the Office 365 team.

Core to protecting your organization’s data is identifying which data is sensitive and creating policies to govern its use. We include over 80 sensitive information types out of the box to detect commonly used data types in regions around the globe; however, some information is proprietary in nature and is specific to your organization. For example, your organization may need to protect employee ID numbers or other data with unique characteristics. To better help you meet your data protection needs, we’re pleased to announce that you can now create your own custom sensitive information types for use in your Security & Compliance Center policies.

Where can I use custom sensitive types?

Previously only available for Exchange Online, this capability is now available across Exchange Online, SharePoint Online, OneDrive for Business, Outlook (2013+), OWA, Office Clients (ProPlus/2016), and supported mobile apps. Now you can define the kinds of data you want to detect by creating your own sensitive types or modifying any of our out-of-box definitions. Once defined in XML and uploaded to the Security & Compliance Center, your custom sensitive information types can be used in any of your DLP or Retention policies or eDiscovery queries, where we’ll automatically identify and protect your data across Office 365. While managed in the Security & Compliance Center, custom sensitive types will still be available for use in Exchange Transport rules (ETRs) which are created in the Exchange Admin Center (EAC).

What kinds of data can I protect?

We provide a rich set of capabilities for you to detect your sensitive information including regular expressions, keyword lists, and built-in functions, along with a robust framework in which to define your detection requirements. To help you balance user productivity and risk of data exposure, we also allow you to create different versions of your sensitive types, varying in strictness, and trigger off them separately in your policy rules. For example, a pattern alone might be a false positive, but if you’re risk averse, you may want to at least log the match or get a report when detected; however, if the pattern is found with other evidence like keywords or other patterns, you may want to take a more strict action such as encrypting the content. We’ve designed this feature to give you the maximum flexibility possible.

What about my existing custom sensitive types in Exchange?

Any custom sensitive information types you’ve created in Exchange Online have been automatically migrated to the Security & Compliance Center. Your existing policies or Exchange Transport Rules that use those custom sensitive types will continue to function normally. Going forward you can manage all custom sensitive types in the Security & Compliance Center.

We’re excited to bring this powerful capability to the Security & Compliance Center and can’t wait for you to try it out! For more information, check out this article.
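
A rule package of the kind described above, with a loose and a strict version of one sensitive type, as an added example that is not part of the original post or of Microsoft's article. The nine-digit employee ID format, the Contoso name, the keyword terms and the file name are constructed; the GUIDs are generated at run time; the upload uses the cmdlet named in the replies below and assumes a remote PowerShell session to the Security & Compliance Center is already connected.

```powershell
# Added example: hypothetical "Employee ID" type; all names and values are constructed.
$packId = [guid]::NewGuid(); $publisherId = [guid]::NewGuid(); $entityId = [guid]::NewGuid()

$xml = @"
<?xml version="1.0" encoding="utf-16"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$packId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso</PublisherName>
        <Name>Employee ID Rule Pack</Name>
        <Description>Custom employee ID detection (constructed sample).</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="75">
      <!-- Loose version: the number pattern alone (suited to log or report only) -->
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_employee_id"/>
      </Pattern>
      <!-- Strict version: the pattern plus a keyword within 300 characters -->
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_employee_id"/>
        <Match idRef="Keyword_employee"/>
      </Pattern>
    </Entity>
    <Regex id="Regex_employee_id">(\s)(\d{9})(\s)</Regex>
    <Keyword id="Keyword_employee">
      <Group matchStyle="word">
        <Term>employee id</Term>
        <Term>badge number</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Employee ID</Name>
        <Description default="true" langcode="en-us">Nine-digit employee ID.</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

$path = Join-Path $env:TEMP 'EmployeeIdRulePack.xml'
Set-Content -Path $path -Value $xml -Encoding Unicode   # UTF-16, matching the XML declaration
([xml](Get-Content -Path $path -Raw)).RulePackage.Rules.Entity.Pattern.confidenceLevel  # local parse check
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($path))
```

A policy rule can then act on the two versions separately by setting the confidence range it matches, for example reporting on 65 and taking a stricter action at 85.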

15 Replies

  • Eddy Steurs
    Copper Contributor

    Hi Wesley, earlier this year I added a number of DLP policies based on file properties (tags put in there by AIP in Office files). However, since the move to Security & Compliance I can no longer adapt/update (or add new) DLP policies based on file tags. Is there a way to add this kind of what is basically a word detection method (not in file content but in file properties) via the sensitive information types? If so, what is a simple way to do it?

    Help is really welcome, as for months already I cannot even update existing DLP policies due to this change.

  • Anonymous

    Hi Wesley, is there any chance the list of sensitive information types will be updated/expanded? Especially with the upcoming GDPR European Union (EU) privacy regulation in mind. E.g. nationalities or other privacy-sensitive information. Maybe additional packages can be bought or supplied by partners?

    Thanks in advance,

    Jeroen

    • Wesley Holley
      Microsoft

      Hi Jeroen,

      Yes, we are adding to the list in the coming months to meet GDPR requirements. This will be included out of the box. I believe Nucleuz.com also provides a GDPR rulepack you can purchase.

      Thanks,

      Wes

  • Anonymous

    Hi Wesley,

    Would this also work for the fingerprint? How do we reference for fingerprint the template we want to compare with? Can we extract the XML from Exchange Online fingerprint and add it to SCC? Or how do you recommend to build a custom sensitive information for fingerprint? Is there any limitation between fingerprint on Exchange Online vs. SCC?

    Thank you very much

    • Wesley Holley
      Microsoft

      Hi Jacques,

      Great question. Fingerprinting is currently only supported in Exchange and can be created and managed in the Exchange Admin Center. We are working to add support for them within the SCC, but I don't have a date to share quite yet. Please let me know if you have additional questions.

      Thanks,

      Wes

  • Dale Hayter
    Copper Contributor

    Hi Wesley, when is this expected to roll out? We have custom sensitive data in Exchange Online, but we don't yet see it in the Security and Compliance center.

    • Wesley Holley
      Microsoft

      Hi Dale,

      This has already rolled out to all customers. Like in Exchange, the feature is currently accessible via PowerShell. Just connect to the Security & Compliance Center using remote PowerShell where you can use the New/Get/Set/Remove-DlpSensitiveInformationTypeRulePackage cmdlet to upload and manage your custom sensitive information types. The structure of the XML has not changed from Exchange, just the cmdlet name. Full instructions are in the article linked above. Let me know if you have any trouble seeing or using the feature.

      • Daniel van den Hoek
        Copper Contributor

        I tried the command, but got the following message:

        New-DlpSensitiveInformationTypeRulePackage : The term 'New-DlpSensitiveInformationTypeRulePackage' is not recognized as the name of a cmdlet, function, script file, or operable program.
