The escalating prevalence of cyber threats and data breaches demands stringent measures to ensure data security. Exfiltrating sensitive information through personal emails or social media sites can not only expose sensitive data to hackers but also lead to potential misuse. Implementing controls that restrict such actions provides an additional layer of security, reducing the risk of data leaks and fortifying the confidentiality of sensitive data. Additionally, as organizations adopt AI technologies, it is important to implement security AI strategies to safeguard sensitive data from the potential threats while also ensuring sensitive data doesn’t inadvertently get exposed to the AI tools that organizations are using.
Today we are excited to announce a new capability in Microsoft Purview Data Loss Prevention that can help organizations create policies that prevent their users from pasting sensitive data to specific websites, including personal email, generative AI prompts, social media sites and more when accessed through a supported web browser. This capability supports built-in and custom sensitive information types from Microsoft Purview Information Protection as defined here.
As an example, organizations can now set DLP policies to prevent their users from copying and pasting sensitive information such as personally identifiable information (PII) from organization’s internal databases such as SQL server, KUSTO databases, customer relationship management (CRM) tools and more to their personal email accounts, generative AI chatbots, and social media sites on supported browsers. Microsoft Purview DLP natively supports Microsoft Edge (on Windows and macOS) and the DLP controls can be extended through the Microsoft Purview extension for Chrome and Firefox.
Until today, Microsoft Purview DLP has supported scenarios for file-based protection, where organizations can apply restrictions on actions taken on sensitive information in files such as copying to removable media, printing, uploading the sensitive content to unsanctioned clouds, sharing though Bluetooth apps and more. With this new capability, Microsoft Purview DLP is now providing content-based protection, where no matter what the source of the sensitive data is (file, databases, or sensitive sites), when the user tries to paste sensitive data from the source to a website on a supported browser, the DLP engine is able to inspect the data, assess its sensitivity, and apply the appropriate restrictions. Learn more about configuring restrictions for this capability here.
How preventing pasting of sensitive data in websites works
Organizations can use this capability in combination with the existing sensitive service domains setting in endpoint DLP, where you can create groups of sensitive domains or websites and apply different restrictions to each group. Here’s how this could be used at your own organization. Let’s say you want to allow your users to paste sensitive data that lives in your SQL server, CRM tool, or KUSTO databases into internal SharePoint sites and internal email programs but prevent that data from flowing to their personal emails or social media sites. To achieve this, DLP administrators can create two groups of websites: Group A is a group for your internal SharePoint sites and Group B is a group of work email sites that your users use such as Outlook. Once your groups are created, you can configure your DLP policy such that:
When users try to paste sensitive information from anywhere to websites in Group A (your internal SharePoint sites), an audit action is triggered, allowing your users to stay productive and at the same time providing your admins visibility into the action
When users try to paste the same sensitive information to websites in Group B they receive a Policy tip warning them that the action is not allowed but if they provide a business justification, they can perform the action
When users paste sensitive information in personal emails, generative AI prompts, social media sites like Twitter, Facebook, TikTok etc. – all websites that are not a part of Group A or Group B – they are completely blocked, without a warning.
Learn how to create groups of sensitive service domains here.
Additionally, organizations can leverage Adaptive Protection prevent their high-risk users from pasting sensitive data into certain websites while allowing lower risk users to maintain productivity. Building on the example earlier, with Adaptive Protection you can now tailor your policies such that high-risk users are blocked from pasting sensitive content in work email (Group B) instead of receiving a warning. Learn more in our Insider Risk Management blog.
This capability is available to commercial tenants in public preview starting this month. To get started, DLP admins can configure restrictions for pasting data on supported browsers as part of configuring the DLP rule for their endpoint DLP policies.
Figure 1: Configuring paste to supported browser as 'Block' for all domains not in Group A or Group BFigure 2: Configuring groups of sensitive service domains and assigning different restrictions to different groups
Figure 3: Copying sensitive data (customer PII) from KUSTO
Figure 4a: Pasting sensitive data to internal website is allowed with business justification
Figure 4b: Pasting sensitive information in personal email is blocked
Like all DLP incidents, the alerts for Paste to Browser is captured in the Microsoft Purview activity explorer, where Admins can quickly get details for this action including the matched sensitive information and policy and device details. Admins will also be able to see these incidents in the Microsoft 365 Defender portal as part of their security incident and leverage the advanced hunting capabilities in the Defender portal.
Figure 5: Admins can easily triage events using the 'Paste to Browser' activity in Microsoft Purview DLP activity explorer tab
Figure 6: Admins can view the ‘Paste to Browser’ alerts in context of their security incidents in Microsoft 365 Defender portal
Figure 7: Admins can easily filter the ‘Paste to Browser’ exfiltration Alerts in the Microsoft 365 Defender portal
Get started today by turning on endpoint DLP as it is built into Windows 10 and 11 and doesn’t require an on-premises infrastructure or agent. Learn more about endpoint DLP here. You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial!
Guidance on optimal DLP incident management experience
Investigating Microsoft Purview DLP alerts in Microsoft 365 Defender portal
And, lastly, join the Microsoft Purview DLP Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Data Loss Prevention. An active NDA is required. Click here to join.