Microsoft’s unified Data Loss Prevention solution provides a simple and unified approach to protecting sensitive information from risky or inappropriate sharing, transfer, or use.
In the past few months, Microsoft has introduced a wide range of new capabilities in General Availability and Public Preview. They are designed to protect data across a broader set of use cases and workloads and to give greater visibility into how sensitive content is used, stored and shared. These include:
Customizable DLP Policy Violation Justifications – General Availability
Many organizations offer their users the ability to override certain policy violations when there is a justifiable business need. These range from addressing a specific situation where the risks are limited, to addressing a business need when an alternate process has not been defined or is incorrectly scoped.
Microsoft supports up to five built-in justifications that users can select when they override a DLP policy.
You can customize and replace the out-of-the-box justifications with your organization's own text to better define the type and scope of the override. (See Figure 1: DLP policy blocking override - customizable justification to address business needs)
Figure 1: DLP policy blocking override - customizable justification to address business needs
In addition to the built-in selections, you can also offer users a free-text field in which to enter a more contextually descriptive justification for why they are overriding the DLP policy block. This gives organizations a deeper understanding of why users override a DLP policy, and additional visibility into processes and policies that could benefit from further refinement, user education, or another review.
Enforcement of DLP Policies for File Sharing Across Bluetooth – General Availability
Users enjoy the flexibility of tethering their Bluetooth-enabled devices to share data for ubiquitous access anywhere at any time. While there are tangible benefits to Bluetooth tethering, organizations face the risks that sensitive data may be inappropriately shared or stored on unapproved devices.
Microsoft Endpoint DLP lets customers create and enforce DLP policies that regulate the sharing of sensitive data to Bluetooth devices, using the same DLP policy creation and management tools they already use across Microsoft's fully unified DLP offering, and with the experience their users are already familiar with.
DLP controls for Bluetooth include:
Enforcement of DLP Policies for File Sharing Across an RDP session – General Availability
Customers use Remote Desktop Protocol (RDP) to give remote users the ability to connect to and use a Windows desktop located elsewhere over a network connection. Over the past two years, many organizations have increasingly adopted RDP as a solution to support remote workers.
Microsoft Endpoint DLP lets customers create and enforce DLP policies that regulate the sharing of sensitive data over an RDP session, using the same familiar DLP policy tools and user experience from Microsoft's fully unified DLP offering.
DLP controls for RDP include support for deploying DLP policies in Audit mode, Block with Override mode, and Block mode.
Auto-Quarantine of Sensitive Files Accessed by Unallowed Apps – Public Preview
Apps can be defined in DLP as not allowed to access specific sensitive content. Some apps are automated and can generate repeated DLP alert notifications when they continuously access sensitive content for which they are unallowed.
For example, consider a user who deploys an external file sync solution that is unallowed to access sensitive content, while the local sharing folder contains a sensitive file that cannot be shared externally. In this case, the file sync upload activity is repeatedly blocked by DLP. Each blocked activity generates a notification on the user's desktop, and each is also recorded as a DLP event, until the file has been removed from the local sharing folder. This degrades the user experience and creates unnecessary event volume.
To address this potential concern, Microsoft is introducing a new auto-quarantine capability that can be assigned to individual unallowed apps when configuring a DLP policy.
Using the same scenario as above: if the external file sync solution is defined in a DLP policy as an unallowed app for sensitive data, and auto-quarantine is enabled, the sensitive file is removed from the local sharing folder and stored in a predefined, approved quarantine folder. A text file replaces the original file and explains the auto-quarantine action to the user. In this instance, the user is notified only once, and auto-quarantine prevents repeated DLP policy violations and reduces the risk of sensitive data exfiltration. (See Figure 2: DLP Auto-Quarantine of Sensitive Content)
Figure 2: DLP Auto-Quarantine of Sensitive Content
Displaying Cloud DLP, Office, and AIP data in Activity Explorer and Displaying OneDrive data in Content Explorer – General Availability
Customers need different administrative users to have different views and levels of functionality, depending on their role, when reviewing user and label activity related to sensitive data. Microsoft offers three distinct ways to view this activity: 'Overview', 'Content Explorer', and 'Activity Explorer'.
With these General Availability announcements customers will have new visibility into events in their environment:
(Note that the default behavior for AIP data in Activity Explorer is opt-in. Customers who would prefer to opt out must follow the documented steps to disable sending logs to Activity Explorer.)
Microsoft Unified DLP Quick Path to Value
To help customers accelerate deployment of a comprehensive information protection and data loss prevention strategy across all environments that contain sensitive data, and to help ensure immediate value, Microsoft provides a one-stop approach to data protection and DLP policy deployment within the Microsoft 365 Compliance Center.
Microsoft Information Protection (MIP) provides a common set of classification and data labeling tools that use AI and machine learning to support even the most complex regulatory or internal sensitive-information compliance mandates. MIP's more than 150 sensitive information types and more than 40 built-in policy templates for common industry regulations and compliance requirements offer a quick path to value.
Consistent User Experience
No matter where DLP is applied, users have a consistent and familiar experience when they are notified of an activity that violates a defined policy. Policy Tips and guidance use a look and feel users already know from the applications and services they use every day. This approach reduces end-user training time, eliminates alert confusion, increases user confidence in the prescribed guidance and remediations, and improves overall compliance with policies, without impacting productivity.
Integrated Insights
Microsoft DLP integrates with other Security & Compliance solutions such as MIP, Microsoft Defender, and Insider Risk Management to provide the broad, comprehensive coverage and visibility that organizations require to meet regulatory and policy compliance.
Figure 3: Integrated Insights
This approach reduces dependence on individual, uncoordinated solutions from disparate providers to monitor user actions, remediate policy violations, and educate users on the correct handling of sensitive data at the endpoint, on-premises, and in the cloud.
The Microsoft DLP solution is part of a broader set of Information Protection and Governance solutions within the Microsoft 365 Compliance Suite. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 Compliance Center to get started today.
Thank you,
The Microsoft Information Protection team