In this video, Liam discusses planning to use data loss prevention. Explore some common use cases as well as the details to be effective and limit false positives.
Data loss prevention allows you to perform the following three actions: identify sensitive information across many locations, such as Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams; prevent the accidental or intentional sharing of sensitive information; and monitor and protect the information in the desktop versions of Excel, PowerPoint and Word. Data loss prevention can also help end users within the organization understand when their content violates a specific policy, and this can be done without interrupting the way they work. As administrators, you can then view the DLP reports that show false positives as well as legitimate policy violations. Data loss prevention is included within the bundled license or the standalone compliance add-on license. The required licenses are Microsoft 365 E3 and E5, Office 365 E3 and E5, and Office 365 Education A3 and A5. To use the data loss prevention features with Microsoft Teams, the higher licensing is required.

So how does data loss prevention work? Well, as people add or change documents in their sites, the search engine scans the content so that you can find the content later. While this is happening, the content is also scanned for sensitive information and to check whether it has been shared with anybody. Any sensitive information that's found is stored securely in the search index so that only the compliance team can access it, but not typical users. Each DLP policy that you've turned on runs in the background asynchronously, checking the search index frequently for any content that matches a policy and applying actions to protect it from inadvertent leaks. Finally, documents can conflict with a DLP policy, but they can also become compliant with it. For example, if a person adds a credit card number to a document, it might cause the policy to block access to it automatically. But if the person removes that sensitive information later, the action (in this case, the blocking) is automatically undone the next time the policy is evaluated. The key point here is that this happens continually as the content is indexed.

So what are the recommended policies and where are they? Well, the recommended policies are available within the Security & Compliance Center. They are automatically created and can be applied to content. The out-of-the-box recommended policies are visible within the Security & Compliance Center; they are insight driven, based on the top five common sensitive information types. The widget within the Security & Compliance Center allows direct creation of those policies by clicking the Get Started option.

When you create a DLP policy that includes Exchange Online as a location, the policy is synced from the Office 365 Security & Compliance Center directly to Exchange Online, and then from Exchange Online to Outlook on the web and the Outlook client. When a message is being composed within Outlook, the user can see policy tips as the content is being created, because it's evaluated against the DLP policies in real time. After the message is sent, it's also evaluated against DLP policies as part of the normal mail flow or transport rule process, and DLP policies that are created in the admin center specifically are also applied. DLP policies can scan both the message and any attachments. Excel, PowerPoint and Word include the same capability to identify sensitive information and apply DLP policies as SharePoint Online and OneDrive for Business do. The Office programs sync the policies directly from the central store, and then, as the user is creating content, it is continuously evaluated against those policies without the need for the end user to change what they're doing. The DLP policy evaluation in Office is designed not to affect the end user's work or the performance of the application.

When you create a DLP policy that includes Microsoft Teams as a location, the policy is synced from the Office 365 Security & Compliance Center to user accounts, and the Microsoft Teams channel and chat messages are protected. Depending on how the DLP policies are configured, when someone attempts to share sensitive information in a Microsoft Teams chat or channel message, the message can be blocked or revoked, and documents that contain sensitive information that are then shared with guests or external users will not open for them.

So how do we implement DLP policies? Well, the first step in creating a comprehensive DLP plan is determining where all your organization's data is located and how much of it is sensitive. You'll also want to analyze your current security posture in each of these locations to determine how data is being managed and protected and where there are any potential security gaps. The level of regulatory compliance that your DLP plan will have to adhere to depends on the nature of your organization. For example, healthcare companies need to comply with HIPAA regulations. The next step is to review specific business information and then define the policies for the types of data that have been identified. The step after that is to build the automated rules, classification and protection for the content that's been identified. Lastly, DLP is not one size fits all. It needs regular updating and maintenance to be effective. The key to using DLP is to first create the use cases that define how and what you are trying to achieve. Some core examples would be: you have a need to protect organizational sensitive data from internal users or insider threats; maybe you want to protect sensitive data from being leaked through mobile devices, or comply with multiple data protection regulatory laws; or you just want to centrally manage sensitive data residing anywhere within the organization.

The key is to define the use cases to help you craft what the policies will look like. As an example, let's talk about some of these core requirements. Let's look at a policy type: the kind of data that we wish to protect, the location where it would be, the direction for sharing, what the restrictions should be, and then whether we're going to show a policy tip. So first off, if we talk about PCI data, then the location for this will be anywhere in the organization, in the Microsoft 365 tenant. The direction we want to protect against is someone trying to share this externally, where we want to block and restrict access with a policy tip. The next one would be PII external sharing, but no email. So this again is something that's shared externally that contains PII, and we'll block sharing, restrict access and show a policy tip. The next one is PII external sharing, but focusing on email only. So the location for this will be just Exchange, focused on external sharing, and again we'll block sharing and restrict access, and then show a policy tip. We also have the ability, if we're not blocking, to encrypt the content. So defining your use cases and then mapping them to the types of policies that you wish to create, at least from a feature perspective, is critical in designing the policies.
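The three use cases above (PCI anywhere, PII external sharing without email, PII email only), expressed as DLP policies and rules in Security & Compliance PowerShell. This is an added example, not code from the course; the policy and rule names, the tip text and the choice of built-in sensitive information types are assumptions, and each policy is created in test mode first so the DLP reports can be checked for false positives before enforcement is switched on.

```powershell
# Added example: create the three DLP use cases from the transcript.
# Assumes the Exchange Online Management module is installed and the signed-in
# account holds a compliance admin role. Names and tip text are made up.
Connect-IPPSSession

# Start in test mode with notifications: policy tips show and DLP reports fill up,
# but nothing is blocked yet. Move to Enable only after reviewing false positives.
$pilotMode = 'TestWithNotifications'

# 1. PCI data, anywhere in the tenant, shared externally: block, restrict access, show a tip.
New-DlpCompliancePolicy -Name 'PCI - Block External Sharing' -Mode $pilotMode `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All
New-DlpComplianceRule -Name 'PCI - external share' -Policy 'PCI - Block External Sharing' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains payment card data and cannot be shared externally.'

# 2. PII shared externally from every location except email (Exchange is left out).
New-DlpCompliancePolicy -Name 'PII - Block External Sharing (no email)' -Mode $pilotMode `
    -SharePointLocation All -OneDriveLocation All -TeamsLocation All
New-DlpComplianceRule -Name 'PII - external share (no email)' -Policy 'PII - Block External Sharing (no email)' `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' } `
    -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item contains personal data and cannot be shared externally.'

# 3. PII external sharing over email only: Exchange is the sole location.
#    If the business decision is to encrypt rather than block, replace -BlockAccess
#    with -EncryptRMSTemplate and the name of an RMS template (Exchange only).
New-DlpCompliancePolicy -Name 'PII - Block External Email' -Mode $pilotMode -ExchangeLocation All
New-DlpComplianceRule -Name 'PII - external email' -Policy 'PII - Block External Email' `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' } `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message contains personal data and cannot be sent externally.'

# Review a week of pilot matches, then enforce each policy once the hit list looks right.
Get-DlpDetailReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
Set-DlpCompliancePolicy -Identity 'PCI - Block External Sharing' -Mode Enable
```

Keep the minCount at 1 only for a pilot; raising it (or adding a confidence level) on the rule is the usual lever for trimming false positives once the report shows what is being matched.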
This course maps to the Manage Microsoft 365 Governance and Compliance domain of the Microsoft 365 Mobility and Security (MS-101) exam.