Microsoft’s unified Data Loss Prevention solution provides an ever-expanding set of capabilities to address the needs of organizations to protect sensitive information from risky or inappropriate sharing, transfer, or use in the modern workplace.
Since our last announcements at spring Ignite a few weeks ago (see blog here), we are proud to introduce two new capabilities in general availability and also offer an exciting new public preview.
Advanced Controls in DLP for Email Protection – General Availability
Today we are excited to announce the general availability of 27 new controls (conditions and actions) for DLP policies in Microsoft Exchange.
Some customers have previously used Exchange Transport Rules (ETR, also known as mail flow rules) to define special handling actions for email messages that met specific criteria. While this approach let them enforce messaging policies, many deployments needed a broader and more streamlined approach that integrates with DLP to simplify policy creation, policy monitoring, and event remediation.
These new DLP conditions, exceptions, and actions for Exchange (highlighted in Figure 1: New DLP Conditions for Exchange and Figure 2: New DLP Actions for Exchange) extend the existing DLP capabilities so that customers can configure, within DLP, the same conditions, exceptions, and actions they previously used in ETR. This gives more granular control over the scoping and application of a DLP policy and helps ensure policies are applied as intended in Exchange.
This approach gives customers a fully consolidated view of all DLP policies, alerts, and alert management across Microsoft’s unified DLP offerings, which operations teams will find valuable in their day-to-day work.
Figure 1. New DLP Conditions for Exchange
Figure 2. New DLP Actions for Exchange
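As an added example (not code from the original post), the following Security & Compliance PowerShell recreates a typical transport rule as a unified DLP policy plus rule, using the kinds of conditions, exceptions, and actions described above: credit card data sent outside the organization, except to one partner domain, is routed to the sender's manager for approval, stamped with a header, and reported. The policy name, domains, mailbox addresses, and the legacy rule name are hypothetical.

```powershell
# Added example, not from the original post. Recreates a transport-rule style
# policy as a unified DLP policy and rule. All names, domains, and addresses
# are hypothetical. Requires the ExchangeOnlineManagement module and a role
# that can manage DLP policies (for example Compliance Administrator).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance-admin@contoso.example"

$policyName = "Exchange - Credit card data leaving the tenant"

# 1. Policy scoped to Exchange only. Start in test mode so incident reports
#    are generated but nothing is held or modified until matches are reviewed.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment "Replaces legacy ETR 'CC data external' (hypothetical rule name)"

# 2. Rule: the conditions, exception, and actions that previously lived in
#    the ETR. Splatting keeps each setting on its own commented line.
$rule = @{
    Name   = "Route external credit card messages for approval"
    Policy = $policyName

    # Conditions: at least one credit card number, recipient outside the tenant.
    ContentContainsSensitiveInformation = @(@{ Name = "Credit Card Number"; minCount = "1" })
    AccessScope = "NotInOrganization"

    # Exception: an ETR-style "except if the recipient domain is" clause.
    ExceptIfRecipientDomainIs = @("partnerbank.example")

    # Actions: send to the sender's manager for approval, stamp a header that
    # downstream mail filtering can key on, tag the subject, and raise a
    # high-severity incident report to the DLP mailbox.
    Moderate               = @{ ModerateMessageByManager = $true }
    SetHeader              = @{ "X-Contoso-DLP" = "CreditCard-External" }
    PrependSubject         = "[DLP review] "
    GenerateIncidentReport = @("dlp-alerts@contoso.example")
    IncidentReportContent  = @("Title", "Detections", "Severity", "RulesMatched")
    ReportSeverityLevel    = "High"
}
New-DlpComplianceRule @rule

# 3. Verify the rule was stored with the intended scope, exception, and actions.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, ExceptIfRecipientDomainIs, Moderate, SetHeader, ReportSeverityLevel

# 4. After reviewing incident reports from test mode, switch the policy to enforce.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Two practical caveats: until the legacy transport rule is disabled, both it and the DLP rule act on the same message, so review the overlap before switching the policy to Enable; and manager moderation relies on the sender having a manager attribute in the directory, so check that attribute is populated for the in-scope users.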
Sensitivity label-aware DLP policies – General Availability
We continue to invest in developing cutting-edge information protection solutions for our customers. Microsoft Information Protection (MIP) is an intelligent, unified, and extensible solution to know your data, protect your data, and prevent data loss across an enterprise – in Microsoft 365 Apps, services, on-premises, devices, and third-party SaaS applications and services.
Sensitivity labels are a core capability of MIP. They allow customers to classify data according to sensitivity, such as Public, General, Confidential, Highly Confidential, or any other sensitivity label created by the organization to meet its needs.
This classification is stored in the item's metadata and guides users, applications, and services in the proper handling and use of sensitive data. Sensitivity labels can be used to:
Protect content in Microsoft 365 Apps across different platforms and devices
Enforce protection settings such as encryption or watermarks on labeled content
Protect content in third-party apps and services
Extend sensitivity labels to third-party apps and services
Classify content without using any protection settings
Improve the quality of insights used to intelligently flag potential insider risks
With the general availability of sensitivity label-aware DLP policies, organizations can apply a MIP sensitivity label as a foundational component for a DLP policy, thereby streamlining the process to help ensure sensitive information is protected with DLP from risky or inappropriate sharing, transfer or use.
Figure 3. Sensitivity Label-aware DLP policies
Figure 4. Supported services, items, policy tips and enforceability
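As an added example (not code from the original post), the following rule uses a sensitivity label as its condition and pairs it with a classic sensitive information type in a second condition group, so that labelled content is caught regardless of its text and unlabelled content is still caught by pattern. The policy name, label name, and mailbox address are hypothetical; the structured condition syntax is the documented one for `-ContentContainsSensitiveInformation`, and the final `Get-DlpComplianceRule` call is there to confirm the tenant accepted it.

```powershell
# Added example, not from the original post. A DLP rule whose condition is a
# MIP sensitivity label ("Highly Confidential") OR a sensitive information
# type. Names and addresses are hypothetical. Assumes an existing
# Connect-IPPSSession session (ExchangeOnlineManagement module).

$policyName = "Highly Confidential - block external sharing"

# Policy across Exchange, SharePoint, and OneDrive. Start in test mode
# without notifications so users see no policy tips while scope is checked.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# Condition: top-level "Or" means either group matching fires the rule.
# Group 1 is the sensitivity label; group 2 is a pattern-based fallback.
$condition = @(
    @{
        operator = "Or"
        groups   = @(
            @{
                operator = "Or"
                name     = "Labelled content"
                labels   = @(
                    @{ name = "Highly Confidential"; type = "Sensitivity" }
                )
            },
            @{
                operator = "Or"
                name     = "Unlabelled content with card numbers"
                sensitivetypes = @(
                    @{ name = "Credit Card Number"; mincount = "1"; maxcount = "-1" }
                )
            }
        )
    }
)

New-DlpComplianceRule -Name "Block external sharing of Highly Confidential" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $condition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser "Owner", "LastModifier" `
    -NotifyPolicyTipCustomText "This item is labelled Highly Confidential and cannot be shared outside Contoso." `
    -GenerateIncidentReport "dlp-alerts@contoso.example" `
    -IncidentReportContent "Title", "Detections", "RulesMatched" `
    -ReportSeverityLevel High

# Confirm the label was accepted as a condition: the stored value should show
# the label group, not only a sensitive information type list.
(Get-DlpComplianceRule -Identity "Block external sharing of Highly Confidential").ContentContainsSensitiveInformation
```

The label has to be published to the in-scope users through a label policy before the rule can match on it, and items labelled before the DLP rule existed are matched on their stored label metadata, so expect test-mode incident reports for existing content as well as new content.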
Dynamic Policy Scoping by User in OneDrive for Business (Security Groups and Distribution List support) – Public Preview
Organizations often have a need to scope DLP policies in Microsoft OneDrive for Business (ODB) to specific groups of users to address the unique use cases that are applicable only to some user communities and not others.
With the public preview of security group and distribution list support for ODB, it's now easier than ever for organizations to use their existing security groups and distribution lists as the applicable context in an ODB DLP policy.
This means that as users are added to or removed from a security group or distribution list, they are automatically added to or removed from the associated ODB DLP policies without any additional configuration in the DLP policy definition itself. This approach offers significant benefits for organizations that have very large or dynamic user populations, such as groups with high turnover or frequent changes in business function.
Using security groups and distribution lists as the applicable context in ODB DLP policies also provides a simple means of bulk inclusion and exclusion of user communities. This is particularly beneficial, for example, when an ODB DLP policy is only intended to apply to a group of users located in a specific geography, business unit, or role.
Figure 5. Security Groups and Distribution Lists for OneDrive for business
Figure 6. Security Groups and Distribution Lists – Inclusion
Figure 7. Security Groups and Distribution Lists – Exclusion
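As an added example (not code from the original post), the following creates an ODB DLP policy scoped to one group and excluding another, then shows that bringing a new user into scope is a group-membership change only. The policy name, group addresses, and user addresses are hypothetical; the `-OneDriveSharedByMemberOf` and `-ExceptIfOneDriveSharedByMemberOf` parameters identify groups by email address, so the assumption here is a mail-enabled security group for inclusion and a distribution list for exclusion.

```powershell
# Added example, not from the original post. Scopes an ODB DLP policy to the
# members of one group and excludes the members of another, so membership
# changes flow through without editing the policy. Addresses are hypothetical.
# Assumes an existing Connect-IPPSSession session (ExchangeOnlineManagement module).

$policyName = "OneDrive - Finance external sharing"

# Inclusion: members of the finance staff group (mail-enabled security group).
# Exclusion: the contractor DL, evaluated as an exception, so a user who is in
# both groups falls out of scope. Verify that outcome in test mode.
New-DlpCompliancePolicy -Name $policyName `
    -OneDriveLocation All `
    -OneDriveSharedByMemberOf "finance-staff@contoso.example" `
    -ExceptIfOneDriveSharedByMemberOf "finance-contractors@contoso.example" `
    -Mode TestWithNotifications

# The rule itself is ordinary; the scoping lives entirely on the policy.
New-DlpComplianceRule -Name "Finance: no external sharing of bank routing data" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "ABA Routing Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser "Owner" `
    -GenerateIncidentReport "dlp-alerts@contoso.example" `
    -ReportSeverityLevel Medium

# Check that the stored scope is expressed as groups, not as individual users.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List OneDriveLocation, OneDriveSharedByMemberOf, ExceptIfOneDriveSharedByMemberOf

# A new analyst is brought into scope by changing group membership only.
# Add-DistributionGroupMember is an Exchange Online cmdlet (it also manages
# mail-enabled security groups) and needs a Connect-ExchangeOnline session.
Connect-ExchangeOnline -UserPrincipalName "compliance-admin@contoso.example"
Add-DistributionGroupMember -Identity "finance-staff@contoso.example" -Member "new.analyst@contoso.example"
```

Because scope is resolved from group membership by the service, anyone who can modify the inclusion or exclusion groups can effectively change who the DLP policy covers; treat membership of those groups as a privileged change and include it in the same review process as edits to the policy itself.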
Quick Path to Value
To help customers accelerate their deployment of a comprehensive information protection and data loss prevention strategy across all their environments containing sensitive data and help ensure immediate value, Microsoft provides a one-stop approach to data protection and DLP policy deployment within the Microsoft 365 Compliance Center.
Microsoft Information Protection (MIP) provides a common set of classification and data labeling tools that leverage AI and machine learning to support even the most complex of regulatory or internal sensitive information compliance mandates. The more than 150 sensitive information types and over 40 built-in policy templates for common industry regulations and compliance in MIP offer a quick path to value.
Consistent User Experience
No matter where DLP is applied, users have a consistent and familiar experience when notified of an activity that is in violation of a defined policy. Policy tips and guidance are presented with the look and feel users are already accustomed to from the applications and services they use every day. This approach can reduce end-user training time, eliminate alert confusion, increase user confidence in the prescribed guidance and remediations, and improve overall compliance with policies, without impacting productivity.
Microsoft DLP interoperates with other Security and Compliance solutions such as MIP, Microsoft Defender, and Insider Risk Management to provide broad and comprehensive coverage and visibility required by organizations to meet their regulatory and policy compliance obligations.
Figure 8. Integrated Insights
This approach reduces the dependence on individual and uncoordinated solutions from disparate providers to monitor user actions, remediate policy violations, and educate users on the correct handling of sensitive data at the endpoint, on-premises, and in the cloud.
Microsoft’s unified DLP solution is part of a broader set of Information Protection and Governance solutions within the Microsoft 365 Compliance Suite. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 Compliance Center to get started today.
For more information on Data Loss Prevention, please see this and this
For videos on Microsoft Unified DLP approach and Endpoint DLP see this and this
For more information on Advanced Controls in DLP for Email protection see this
For more information on Sensitivity Labels as a condition for DLP policies, see this
For a Microsoft Mechanics video on Endpoint DLP see this
For more information on the Microsoft Compliance Extension for Chrome see this and this
For more information on DLP Alerts and Event Management, see this
For more information on Sensitivity Labels, please see this
For more information on conditions and actions for Unified DLP, please see this
For the latest on Microsoft Information Protection, see this and this