DLP policies take too long to tag new files uploaded to OneDrive

%3CLINGO-SUB%20id%3D%22lingo-sub-1441739%22%20slang%3D%22en-US%22%3EDLP%20policies%20take%20too%20long%20to%20tag%20new%20files%20uploaded%20to%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1441739%22%20slang%3D%22en-US%22%3E%3CP%3EI%20work%20at%20a%20financial%20institution%20(Bank)%20and%20securing%20information%20is%20critical.%20We%20are%20trying%20to%20apply%20DLP%20policies%20for%20when%20employees%20begin%20sharing%20with%20external%20users.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20running%20tests%20to%20see%20how%20responsive%20is%20the%20system%20and%20one%20thing%20that%20we%20saw%20that%20could%20potentially%20scrap%20the%20whole%20idea%20of%20sharing%20with%20externals%20is%20the%20fact%20that%20DLPs%20take%20too%20long%20to%20tag%20a%20file%20with%20more%20than%2050%20SSNs.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDuring%20the%20time%20that%20it%20takes%20for%20the%20DLP%20policies%20to%20kick%20in%2C%20the%20damage%20is%20done.%20We%20tested%20this%20and%20from%20the%20external's%20side%2C%20they%20were%20able%20to%20access%20the%20list%20of%2050%20SSNs%20without%20an%20issue.%20After%20the%20DLP%20kicks%20in%2C%20the%20external%20user%20no%20longer%20has%20access%20to%20the%20file%2C%20but%20again...the%20damage%20is%20done%20by%20this%20time.%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20if%20an%20employee%20finds%20out%20about%20this%2C%20they%20can%20potentially%20leak%20a%20lot%20of%20high%20sensitive%20documents%20and%20the%20external%20can%20download%20them%20within%20the%20time%20limit%20without%20issues.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20there%20was%20an%20older%20thread%20from%202017%20which%20had%20the%20same%20issue%20and%20the%20answers%20were%20not%20really%20convincing.%20Just%20wanted%20to%20know%20what%20exactly%20does%20Microsoft%20recommend%20when%20it%20comes%20to%20situations%20like%20these%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERight%20now%20we%20have%20a%20need%20that%20unfortunately%20MS%20cannot%20provide%20due%20to%20limitations%20of%20the%20features%20and%20we%20use%20O365%20for%20everything.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20ideas%20are%20welcomed!%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWas%20this%20issue%20addressed%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1441739%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOneDrive%20for%20Business%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1442175%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20policies%20take%20too%20long%20to%20tag%20new%20files%20uploaded%20to%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1442175%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F326922%22%20target%3D%22_blank%22%3E%40Odenkaz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20would%20a%20DLP%20policy%20setup%20as%20below%20not%20achieve%20what%20you%20want%3F%26nbsp%3B%20It%20will%20show%20the%20users%20policy%20tips%20when%20there%20is%20a%20match%2C%20if%20there%20are%20more%20that%2010%20SSN's%20in%20the%20document%20or%20email%20it%20will%20trigger%20the%20policy%20and%20block%20people%20from%20sharing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202020-06-05%20at%2008.01.43.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F196665i1327001B6FD4DB90%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Screenshot%202020-06-05%20at%2008.01.43.png%22%20alt%3D%22Screenshot%202020-06-05%20at%2008.01.43.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EIs%20this%20along%20the%20lines%20of%20what%20you%20are%20trying%20to%20setup%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1443712%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20policies%20take%20too%20long%20to%20tag%20new%20files%20uploaded%20to%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1443712%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWell%20we%20are%20using%20a%20default%20DLP%20that%20Office%20365%20offers%20which%20is%20the%20GLBA%20DLP.%20That%20one%20has%20two%20rules.%20one%20for%20low%20volume%20and%20one%20for%20high%20volume.%20They%20work%20fine.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20issue%20here%20is%20that%20it%20just%20take%20too%20long%20for%20the%20DLP%20policy%20to%20identify%20a%20newly%20uploaded%20sensitive%20document%20in%20order%20to%20tag%20it%20and%20restrict%20external%20access%20to%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20means%20that%20if%20I%20(as%20employee)%20uploaded%20a%20list%20of%2050%20SSNs%20in%20an%20Excel%20to%20my%20OneDrive%2C%20then%20shared%20it%20to%20an%20external%20user%20(my%20own%20gmail%20for%20example)%20then%20I%20can%20access%20that%20content%20from%20my%20gmail%20within%20the%20time%20limit%20before%20the%20DLP%20finally%20tags%20the%20document.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20have%20within%20seconds%20lists%20of%20SSNs%20from%20the%20bank's%20customers%20which%20is%20a%20big%20deal%20in%20terms%20of%20cybersecurity!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20don't%20know%20what%20can%20be%20done%20to%20lower%20the%20speed%20at%20which%20the%20DLP%20goes%20in%20identifying%20sensitive%20documents.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20just%20with%201%20external%20user%2C%20imagine%20if%20hundreds%20of%20users%20were%20doing%20this%20at%20the%20same%20time%2C%20I%20don't%20know%20how%20long%20the%20DLP%20can%20last%20before%20tagging%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1445533%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20policies%20take%20too%20long%20to%20tag%20new%20files%20uploaded%20to%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1445533%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F326922%22%20target%3D%22_blank%22%3E%40Odenkaz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20know%20of%20any%20way%20that%20it%20is%20possible%20to%20manipulate%20DLP%20in%20the%20way%20you%20are%20suggesting%20I%20believe.%26nbsp%3B%20I%20am%20near%20enough%20certain%20that%20this%20is%20not%20something%20that%20is%20possible.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1455612%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20policies%20take%20too%20long%20to%20tag%20new%20files%20uploaded%20to%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1455612%22%20slang%3D%22en-US%22%3EYou%20can%20enable%20sensitive%20by%20default%20for%20your%20tenant%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Fsensitive-by-default%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Fsensitive-by-default%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20will%20mark%20files%20as%20sensitive%20immediately%20at%20upload%20and%20only%20remove%20DLP%20once%20deemed%20safe.%20It%20doesn%E2%80%99t%20speed%20up%20processing%20as%20now%20you%20may%20need%20to%20wait%20in%20order%20to%20share.%20But%20it%20will%20prevent%20data%20leakage%20from%20occurring%20before%20DLP%20has%20a%20chance%20to%20process%20the%20files.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1455681%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20policies%20take%20too%20long%20to%20tag%20new%20files%20uploaded%20to%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1455681%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F519%22%20target%3D%22_blank%22%3E%40Ben%20Stegink%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOh%20now%20that%20it%20nice.%26nbsp%3B%20Not%20something%20I%20had%20heard%20of%20yet%20but%20will%20definitely%20be%20checking%20it%20out.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F326922%22%20target%3D%22_blank%22%3E%40Odenkaz%3C%2FA%3E%26nbsp%3B-%20if%20this%20does%20what%20you%20are%20looking%20to%20achieve%20(which%20I%20think%20it%20will)%2C%20please%20can%20you%20mark%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F519%22%20target%3D%22_blank%22%3E%40Ben%20Stegink%3C%2FA%3Es%20reply%20as%20the%20best%20response%20in%20order%20that%20others%20can%20easily%20find%20this%20solution.%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1458975%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20policies%20take%20too%20long%20to%20tag%20new%20files%20uploaded%20to%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1458975%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F519%22%20target%3D%22_blank%22%3E%40Ben%20Stegink%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20tested%20it%20out%20and%20the%20external%20user%20was%20still%20able%20to%20see%20the%20contents%20of%20the%20document.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20ran%20this%20cmd%20from%20the%20linked%20documentation%20you%20posted%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3ESet-SPOTenant%E2%80%AF-MarkNewFilesSensitiveByDefault%20BlockExternalSharing%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EUpdate%3A%3C%2FSTRONG%3E%20Re-read%20the%20documentation%20and%20this%20solution%20doesn't%20cover%20OneDrive%20yet.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22%3CEM%3ENote%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3EThis%20cmdlet%20applies%20to%20newly%20added%20files%20in%20all%20SharePoint%20sites.%20It%20doesn't%20block%20sharing%20if%20an%20existing%20file%20is%20changed.%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EThe%20cmdlet%20doesn't%20cover%20files%20added%20to%20OneDrive.%20We're%20working%20to%20bring%20this%20functionality%20to%20OneDrive.%3C%2FEM%3E%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20issue%20is%20strictly%20with%20OneDrive%20external%20collaboration.%20We%20do%20not%20have%20SharePoint%20enabled%20for%20external%20sharing%20yet.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20an%20estimate%20of%20how%20long%20this%20new%20cmd%20will%20be%20able%20to%20cover%20OneDrive%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1459157%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20policies%20take%20too%20long%20to%20tag%20new%20files%20uploaded%20to%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1459157%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F326922%22%20target%3D%22_blank%22%3E%40Odenkaz%3C%2FA%3Egot%20it.%20As%20for%20OneDrive%2C%20I'm%20not%20sure%20on%20a%20time%20frame%20there.%20I%20haven't%20seen%20anythign%20on%20this%20fucntionality%20being%20extedned%20into%20OneDrive%20as%20well%20unfortuantely.%20If%20I%20can%20get%20some%20information%20or%20can%20find%20a%20time%20frame%20I'll%20let%20you%20know.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1459539%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20policies%20take%20too%20long%20to%20tag%20new%20files%20uploaded%20to%20OneDrive%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1459539%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F519%22%20target%3D%22_blank%22%3E%40Ben%20Stegink%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGreatly%20appreciated!%20hopefully%20it's%20not%20far%20too%20long!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWill%20keep%20myself%20tuned%20in%20to%20this%20thread%20for%20any%20updates%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

I work at a financial institution (Bank) and securing information is critical. We are trying to apply DLP policies for when employees begin sharing with external users. 

 

We are running tests to see how responsive is the system and one thing that we saw that could potentially scrap the whole idea of sharing with externals is the fact that DLPs take too long to tag a file with more than 50 SSNs. 

 

During the time that it takes for the DLP policies to kick in, the damage is done. We tested this and from the external's side, they were able to access the list of 50 SSNs without an issue. After the DLP kicks in, the external user no longer has access to the file, but again...the damage is done by this time.

So if an employee finds out about this, they can potentially leak a lot of high sensitive documents and the external can download them within the time limit without issues.

 

I know there was an older thread from 2017 which had the same issue and the answers were not really convincing. Just wanted to know what exactly does Microsoft recommend when it comes to situations like these?

 

Right now we have a need that unfortunately MS cannot provide due to limitations of the features and we use O365 for everything.

 

Any ideas are welcomed! 

 

Was this issue addressed? 

8 Replies
Highlighted

@Odenkaz 

 

Hi, would a DLP policy setup as below not achieve what you want?  It will show the users policy tips when there is a match, if there are more that 10 SSN's in the document or email it will trigger the policy and block people from sharing.

 

Screenshot 2020-06-05 at 08.01.43.png

Is this along the lines of what you are trying to setup?

Highlighted

@PeterRising 

Well we are using a default DLP that Office 365 offers which is the GLBA DLP. That one has two rules. one for low volume and one for high volume. They work fine.

 

The issue here is that it just take too long for the DLP policy to identify a newly uploaded sensitive document in order to tag it and restrict external access to it.

 

This means that if I (as employee) uploaded a list of 50 SSNs in an Excel to my OneDrive, then shared it to an external user (my own gmail for example) then I can access that content from my gmail within the time limit before the DLP finally tags the document. 

 

I can have within seconds lists of SSNs from the bank's customers which is a big deal in terms of cybersecurity!

 

So I don't know what can be done to lower the speed at which the DLP goes in identifying sensitive documents. 

 

This is just with 1 external user, imagine if hundreds of users were doing this at the same time, I don't know how long the DLP can last before tagging 

 

 

Highlighted

@Odenkaz 

 

I don't know of any way that it is possible to manipulate DLP in the way you are suggesting I believe.  I am near enough certain that this is not something that is possible.

Highlighted
You can enable sensitive by default for your tenant - https://docs.microsoft.com/en-us/sharepoint/sensitive-by-default

This will mark files as sensitive immediately at upload and only remove DLP once deemed safe. It doesn’t speed up processing as now you may need to wait in order to share. But it will prevent data leakage from occurring before DLP has a chance to process the files.
Highlighted

@Ben Stegink 

 

Oh now that it nice.  Not something I had heard of yet but will definitely be checking it out.

 

@Odenkaz - if this does what you are looking to achieve (which I think it will), please can you mark @Ben Steginks reply as the best response in order that others can easily find this solution. :smile:

Highlighted

@Ben Stegink 

@PeterRising 

I tested it out and the external user was still able to see the contents of the document.

 

I ran this cmd from the linked documentation you posted: 

 

 

 

Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing

 

 

 

 

Update: Re-read the documentation and this solution doesn't cover OneDrive yet.

 

"Note

This cmdlet applies to newly added files in all SharePoint sites. It doesn't block sharing if an existing file is changed.
The cmdlet doesn't cover files added to OneDrive. We're working to bring this functionality to OneDrive."

 

My issue is strictly with OneDrive external collaboration. We do not have SharePoint enabled for external sharing yet. 

 

Is there an estimate of how long this new cmd will be able to cover OneDrive? 

Highlighted

@Odenkazgot it. As for OneDrive, I'm not sure on a time frame there. I haven't seen anythign on this fucntionality being extedned into OneDrive as well unfortuantely. If I can get some information or can find a time frame I'll let you know.

Highlighted

 

@Ben Stegink 

 

Greatly appreciated! hopefully it's not far too long!

 

Will keep myself tuned in to this thread for any updates

 

Thanks!