Microsoft’s unified Data Loss Prevention solution provides a simple and unified approach to protecting sensitive information from risky or inappropriate sharing, transfer or use.
Since our last Ignite in September 2020, many milestones have been reached and new DLP capabilities have been introduced, including:
Figure 1: Microsoft’s unified DLP
Today, we are pleased to announce a continued investment in DLP with three new capabilities that further extend and expand the scope of DLP to a third-party browser and on-premises file repositories, and the introduction of a new DLP management and workflow experience.
Chrome browser DLP and Insider Risk Management extension
Many organizations use the Chrome browser to support sensitive workflows, and we are pleased to announce the public preview of the Microsoft Compliance Extension for Chrome available here. With this addition, customers now have Microsoft DLP and Insider Risk Management capabilities within the Chrome browser of their on-boarded endpoint devices so they can:
Figure 2: Chrome DLP block with an override for printing
Figure 3: Chrome DLP allowing upload of a sensitive file to a sanctioned service domain
Figure 4: Chrome DLP blocking upload of a sensitive file to an unsanctioned service domain
With the Microsoft Chrome extension, users are automatically alerted when they take a risky action with sensitive data and are provided with actionable policy tips and guidance to remediate properly.
As with other Microsoft DLP and Insider Risk Management capabilities, the Microsoft Chrome extension provides the same familiar look and feel that users are already accustomed to from the applications and services they use every day. This reduces end-user training time and alert confusion and increases user confidence in the prescribed guidance and remediations offered in the policy tips. This approach can help improve policy compliance without impacting productivity.
On-Premises DLP
Speaking with customers, we know that organizations have transitioned many of their operations to the cloud. However, they also tell us that even with this transition well underway, they continue to have a significant presence of data within their on-premises environments.
One of the big challenges they face is that much of their on-premises data is “dark”, meaning it has not been classified, protected or governed, which makes it very difficult for them to assess what it is, how it should be protected, and where it should go.
This lack of visibility hampers their ability to migrate data to the cloud, because they cannot accept the unknown risk of moving what could be sensitive data in an inappropriate way that could have unintended consequences. It also impairs their ability to properly protect on-premises sensitive data from inappropriate access or use.
Microsoft’s on-premises DLP was developed specifically to help customers gain the visibility they need into their on-premises data and build a comprehensive, actionable data security and compliance framework to better manage and protect their sensitive data by offering:
Figure 5: On-Premises DLP architecture
Figure 6: On-Premises DLP in M365 Compliance Center
Advanced DLP Alert Management
After our last Ignite conference, we introduced the ability for you to view, investigate, manage, and remediate aggregated and non-aggregated DLP alerts in a dedicated dashboard. This streamlined the effort to address DLP policy violations by providing new capabilities to quickly determine whether a detection is a true positive and decide on the appropriate remediation. Specifically:
Some DLP alerts can contain very sensitive or privileged information. The alert management view provides granular controls that restrict viewing of this sensitive content to approved security and compliance roles, preventing inappropriate disclosure.
Figure 7: DLP Alerts
Figure 8: DLP Event Source - view of DLP policy data
Figure 9: Matched sensitive information types and surrounding characters view
Announcing the General Availability of Security Groups and Distribution Lists for Microsoft Teams DLP policy scoping
Organizations often need to scope Microsoft Teams Chat DLP policies to specific groups of users in order to address use cases that apply only to some user communities and not others.
With the general availability of security groups and distribution lists for Teams Chat DLP, organizations can leverage existing security groups and distribution lists as the applicable context in a Teams Chat DLP policy.
This means that as users are added or removed from a security group or distribution list, they are automatically added or removed from the associated Teams Chat DLP policies without any additional configuration in the DLP policy definition itself. This approach offers significant benefits for organizations who have very dynamic user populations such as groups with high turnovers.
In addition, using security groups and distribution lists as the applicable context in Teams Chat DLP policies provides a simplified means for bulk inclusion and exclusion of user communities. This is particularly beneficial for example when a Teams Chat DLP policy is only intended to apply to a group of users located in a specific geography, business unit, or role.
Multiple security groups or distribution lists can be applied to an individual Teams Chat DLP policy as the applicable context. This does not alter the behavior of the DLP policy or the user experience, only the communities of users the DLP policy applies to.
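As an added illustration that is not part of the original post or of Microsoft’s own documentation, the following Security & Compliance PowerShell fragment shows how a Teams Chat DLP policy could be scoped to a security group and a distribution list instead of to individual users. The policy and rule names, the group addresses and the `contoso.example` domain are placeholders; the cmdlets and parameters are the standard ones for DLP policy management, and passing group addresses to `-TeamsLocation` assumes the group support announced above.

```powershell
# Connect to Security & Compliance PowerShell (interactive sign-in).
Connect-IPPSSession

# Placeholder group addresses (assumed); replace with your own mail-enabled
# security group and distribution list.
$scopedGroups = @('finance-sg@contoso.example', 'hr-dl@contoso.example')

# Create a policy whose Teams location is the group membership rather than a
# list of users. Members who join or leave the groups are picked up without
# editing the policy. Start in test mode so that nothing is blocked until the
# detection results have been reviewed.
New-DlpCompliancePolicy -Name 'Teams Chat - Finance and HR' `
    -Comment 'Scoped by group membership (added example)' `
    -TeamsLocation $scopedGroups `
    -Mode TestWithNotifications

# Attach a rule that detects a built-in sensitive information type and, once
# the policy is switched to Enable mode, blocks the message and notifies the
# sender with a policy tip.
New-DlpComplianceRule -Name 'Block credit card numbers in Teams chat' `
    -Policy 'Teams Chat - Finance and HR' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -BlockAccess $true `
    -NotifyUser 'LastModifier'

# Confirm the scope that was applied before enabling enforcement.
Get-DlpCompliancePolicy -Identity 'Teams Chat - Finance and HR' |
    Select-Object Name, Mode, TeamsLocation
```

Leaving the policy in `TestWithNotifications` mode first lets you check the alert dashboard for false positives against the chosen groups; switching to `-Mode Enable` with `Set-DlpCompliancePolicy` turns on blocking without changing the group scope.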
Figure 10: User Experience of a Teams Chat DLP policy configured with a Security Group or Distribution List
Quick Path to Value
To help customers accelerate the deployment of a comprehensive information protection and data loss prevention strategy across all environments containing sensitive data, and to help ensure immediate value, Microsoft provides a one-stop approach to data protection and DLP policy deployment within the Microsoft 365 Compliance Center.
Microsoft Information Protection (MIP) provides a common set of classification and data labeling tools that leverage AI and machine learning to support even the most complex of regulatory or internal sensitive information compliance mandates. MIP’s over 150 sensitive information types and over 40 built-in policy templates for common industry regulations and compliance offer a quick path to value.
Consistent User Experience
No matter where DLP is applied, users have a consistent and familiar experience when notified of an activity that violates a defined policy. Policy tips and guidance are provided using the familiar look and feel users are already accustomed to from the applications and services they use every day. This approach can reduce end-user training time, eliminate alert confusion, increase user confidence in the prescribed guidance and remediations, and improve overall compliance with policies without impacting productivity.
Integrated Insights
Microsoft DLP integrates with other Security & Compliance solutions such as MIP, Microsoft Defender, and Insider Risk Management to provide broad and comprehensive coverage and visibility required by organizations to meet regulatory and policy compliance.
Figure 11: Integrated Insights
This approach reduces the dependence on individual and uncoordinated solutions from disparate providers to monitor user actions, remediate policy violations and educate users on the correct handling of sensitive data at the endpoint, on-premises, and in the cloud.
The Microsoft DLP solution is part of the broader set of Information Protection and Governance solutions in the Microsoft 365 Compliance Suite. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 Compliance Center to get started today.
Thank you,
The Microsoft Information Protection team