DLP Policy Slow to Screen New Files in OneDrive For Business and SharePoint Online


Hello Everyone,

I have enabled some DLP policies in Office 365 security center, and these apply to OneDrive for business and SharePoint Online.

So far these policies are working and preventing data from getting shared to un-authorized recipients. However, if I create/upload a new file in my OneDrive For Business, I can share the file with external people within the first 10 to 15 minutes of upload/create. After about 10-15 minutes the DLP policy kicks in and locks down the new file, but it's too late, the file is already shared!

Any idea how to force new files to get scanned by the DLP policy engine immediately?

Thanks,

Robert

8 Replies

At the very least, the document needs to be crawled by the search engine, which in SPO can take a while (I believe the minimum guarantee is around 15 mins, but it can take a lot less or a lot more depending on the overall load).

The way DLP policies work against SPO/ODFB content is detailed here: https://support.office.com/en-us/article/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d9...

Hi Vasil,

Thank you for your reply. This is unfortunate, as my organization is a financial institution. We value DLP over user productivity because the data we have simply can't get leaked. It seems the only way to guarantee that sensitive data won't get shared is to keep it on premise. Hopefully Microsoft will introduce a feature that can disallow sharing until DLP clears a document.

Well if memory serves, the document will get locked upon detecting any DLP policy matches, so even if it was shared during that short interval, it will not be accessible by external users.

Hi, I know this is more than 3 years old but we have the same situation.

I tried what you said and it does not do this. The external user is able to access the "illegal" content that was leaked.

So if someone is quick enough to share a file that has a big list of SSNs, the external user can access the content of that file without a problem.

This is a big security concern...

Yes, this is a huge security issue. Not only has it not improved, but MS seems content to spend its time rebranding things. Now we have security tags. These tags have the same flaw.

To make matters worse, I have an environment that has Windows 10, Mac OS, iOS, etc. The encryption features that follow a document depend on Azure Information Protection. The client is built into Office now.

Unfortunately, the Office client does not have the encryption code. After speaking with MS support, the encryption features are in the Windows OS. So security in Azure/O365 is for Windows-only, it isn't real time, and in my opinion is not a serious contender in the security space.

This is very unfortunate to read. Chances are we may have to re-check if we want to stick with O365 or move to something else since we can't rely on their DLP policies when it comes to tagging new sensitive files.

Thank you for letting me know.
@Odenkaz consider trying this.

https://docs.microsoft.com/en-us/sharepoint/sensitive-by-default

@bgrono1

I tried it and I am having trouble. I can still share newly uploaded files even with this feature turned on. I read that this is a feature still on roll out. How would I know if I can now use it or not?
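
One way to measure the exposure discussed in this thread, as an added example that is not part of any post above: a Python check over exported audit records that flags files shared externally within the 10 to 15 minute window before DLP evaluates them. The operation and field names are assumed to match the Microsoft 365 audit export and should be verified against your own data; the sample records are constructed.

```python
import json
from datetime import datetime, timedelta

# Window from the thread: new files stayed shareable for roughly 10-15 minutes.
SCAN_WINDOW = timedelta(minutes=15)
# Assumed audit operation and field names; check them against your own export.
UPLOAD_OPS = {"FileUploaded"}
SHARE_OPS = {"SharingInvitationCreated", "AddedToSecureLink", "AnonymousLinkCreated"}

# Constructed sample records, one JSON object per line (not real tenant data).
SAMPLE_LOG = """
{"CreationTime": "2020-06-04T09:00:00", "Operation": "FileUploaded", "UserId": "amy@contoso.example", "ObjectId": "https://contoso.example/amy/report.pdf"}
{"CreationTime": "2020-06-04T09:40:00", "Operation": "AnonymousLinkCreated", "UserId": "amy@contoso.example", "ObjectId": "https://contoso.example/amy/report.pdf"}
{"CreationTime": "2020-06-04T14:00:05", "Operation": "FileUploaded", "UserId": "bob@contoso.example", "ObjectId": "https://contoso.example/bob/ssn-list.xlsx"}
{"CreationTime": "2020-06-04T14:03:40", "Operation": "SharingInvitationCreated", "UserId": "bob@contoso.example", "ObjectId": "https://contoso.example/bob/ssn-list.xlsx", "TargetUserOrGroupType": "Guest"}
{"CreationTime": "2020-06-04T14:10:00", "Operation": "FileUploaded", "UserId": "bob@contoso.example", "ObjectId": "https://contoso.example/bob/budget.docx"}
{"CreationTime": "2020-06-04T14:12:00", "Operation": "AddedToSecureLink", "UserId": "bob@contoso.example", "ObjectId": "https://contoso.example/bob/budget.docx", "TargetUserOrGroupType": "Member"}
"""

def is_external(rec):
    # Anonymous links are reachable by anyone; otherwise require a guest target.
    if rec["Operation"] == "AnonymousLinkCreated":
        return True
    return rec.get("TargetUserOrGroupType") == "Guest"

def early_external_shares(lines, window=SCAN_WINDOW):
    """Return external shares made within `window` of the file's latest upload."""
    records = [json.loads(line) for line in lines if line.strip()]
    records.sort(key=lambda r: r["CreationTime"])  # ISO timestamps sort as text
    uploaded, findings = {}, []
    for rec in records:
        when = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
        obj = rec["ObjectId"]
        if rec["Operation"] in UPLOAD_OPS:
            uploaded[obj] = when  # a re-upload restarts the unscanned window
        elif rec["Operation"] in SHARE_OPS and is_external(rec):
            up = uploaded.get(obj)
            if up is not None and when - up <= window:
                findings.append({"file": obj, "shared_by": rec["UserId"],
                                 "operation": rec["Operation"],
                                 "delay_seconds": int((when - up).total_seconds())})
    return findings

if __name__ == "__main__":
    for hit in early_external_shares(SAMPLE_LOG.splitlines()):
        print(hit)
```

Each finding is a file that left the tenant before a DLP match could have blocked it, so it is a candidate for manual review and link revocation.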