MS-203 Microsoft 365 Messaging – Managing Compliance Part 2

June 17, 2023

3. Understanding Data Loss Prevention (DLP)

What exactly is Data Loss Prevention? It is an industry-standard approach to identifying which types of information in your environment are sensitive and making sure that information does not get exfiltrated. Exfiltrated simply means leaked to people who should not have access to it: information that is meant to stay on the inside makes its way to the outside world.

You can probably imagine this with email: someone accidentally emails the wrong person, or almost does. If a piece of sensitive information sits in the message body or an attachment and it goes to the wrong recipient, that is a leak. The same thing can happen with SharePoint.

And it can happen with Teams, so we are not just talking about email. Across the Microsoft 365 services as a whole, you have to consider that information meant for people on the inside, and often only for specific people on the inside, can somehow make its way to the outside world. So this is all about data leakage and data loss, right? In fact, some people think DLP stands for Data Leak Prevention, but it is actually Data Loss Prevention.

Either way, the goal of Data Loss Prevention is to stop leakage from occurring in our environment. So what exactly counts as a sensitive piece of information? There are some common examples, but ultimately a company decides what it considers sensitive; what is sensitive in our internal environment may be different from what is sensitive in yours. Here are a few of the usual categories.

Financial data: bank account numbers, and financial information in general, such as people's payroll and the budget of your company. That is all considered sensitive, and it is important that we identify it and prevent it from getting out there. PII, personally identifiable information, is an acronym you should be aware of. PII is any type of information about a person that could be used for something like identity theft: name, address, phone number, Social Security number, driver's license number, even date of birth.

All of that is considered PII, and somebody who obtained it could potentially use it to perform identity theft, so we want to keep that information secure. It is a very common category. Then there is PHI, Protected Health Information, another acronym to be aware of. This gets into HIPAA compliance and the medical world: people's health and medical record information being exposed somewhere. Especially in the medical world, in the HIPAA compliance world, we definitely want to keep that information safe and secure.

How about tax information? That is another category we would not want to get out there. The federal government has all sorts of laws and restrictions about this information, including how long you keep it, which gets into retention. Of course, there are countless other pieces of information that might be sensitive to our company.

Again, one of the big things we have to think about is making sure we know what is considered sensitive in our own environment. Now, in the Microsoft 365 world (Office 365, Exchange, SharePoint and the rest), Data Loss Prevention works in conjunction with another cloud product called Azure Information Protection, also known as AIP. These two work together: AIP helps us identify which pieces of information in our environment are sensitive, and it can do this in various ways.

It can do this with the help of keywords, and it can do it with regular expressions, also known as regex, which means it can recognize unique sequences of numbers, basically patterns, and identify them as probable sensitive information. For example, here in the United States a Social Security number is a three-digit number, a dash, a two-digit number, a dash, and a four-digit number.

Recognizing that pattern and identifying it as a potential Social Security number is one example. DLP then lets you apply these rules inside a policy that tries to prevent the accidental sharing of sensitive information: it tries to stop somebody from accidentally emailing something out or sharing it through SharePoint, Teams or OneDrive, monitoring and protecting that information. It can even work on our desktop operating systems. Windows 10, for example, has Windows Information Protection (WIP), a client-side agent that works in conjunction with DLP and Azure Information Protection, so all of these pieces work together to protect your information.

So even if somebody is using client-side software to share something out, WIP in Windows 10 can monitor for that. Not only that, once you get into Intune it also works with Android devices and Apple devices, so it is not just Windows. The other main thing is that DLP does not only apply rules that stop things; it can also educate. A good example is email, where mail tips can pop up and say, hey, you are about to share this with somebody outside the organization.

This contains a sensitive piece of information and it has been blocked. We can also give somebody the ability to override that if they believe it is not actually sensitive: they fill out a short form and send it anyway. Or we can stop it altogether; we have the flexibility to allow overrides or not. The last thing you get out of this is reporting, so I can go through and audit which users have actually done this, whether they overrode the policy or attempted to.

Now, a quick glimpse for you: the data loss prevention policies in the Microsoft 365 services are now mostly managed in the Security and Compliance Center. That is the main place where you would go to implement these policies. You go to the Data loss prevention area, then Policy, create the policy and apply it to your Microsoft 365 services. From there you even get to pick and choose which products this policy will manage: Exchange, Teams, SharePoint, OneDrive, whichever of those you want the policy to cover.

All in all, I think this is a really good system, and I really like that Microsoft has centralized it. Instead of jumping into Exchange to configure DLP just for Exchange, SharePoint just for SharePoint, and OneDrive and Teams just for those, I can manage it all in the Security and Compliance Center. I think they have a good strategy there. DLP is definitely something any company that cares about security is going to want to put in place.

4. Configuring Data Loss Prevention Policies (DLP)

I'd like to now walk you through looking at and creating a data loss prevention policy. We start in the Microsoft 365 Admin Center, which you can reach at admin.microsoft.com or portal.microsoft.com. From there, click the Show all ellipsis, and at the bottom click the Security admin center. This pulls up the Security and Compliance Center, the centralized place where your data loss prevention policies are managed. You will notice a Data loss prevention drop-down; click it, then click Policy. This is where I can create a policy, so I click Create a policy. From there I choose the type of policy I want to create, based on what are known as the DLP templates for sensitive information.

There are all sorts of templates. You can create a custom one where you pick and choose what you care about, but they also have prebuilt groups of sensitive information you can assign. I'm going to click Privacy and choose the U.S. Patriot Act template, which, as you can see, includes credit card numbers, bank account numbers, individual taxpayer identification numbers and Social Security numbers. It uses regular expressions (regex) to recognize those numbers when you try to do something like share them with somebody else. Click Next, and you can give the policy a name.

I'll leave the default name, U.S. Patriot Act, and click Next. Notice that it says it is going to protect your content in Exchange email, Teams chats and channel messages, OneDrive and SharePoint. I can say Let me choose and then click Next. Maybe I only want this to apply to Exchange, so I could just turn off each of the other locations. This is something I really love about it: it makes it very easy to turn off locations you don't want the policy to apply to, or turn on locations you do.

I click Next. The default option says: find content that contains credit card numbers, U.S. bank account numbers, individual taxpayer identification numbers and Social Security numbers, and detect when this content is shared with people outside my organization. I can select outside or inside. You can also choose Advanced settings, which gives you even more flexibility, so I'm going to choose Advanced and click Next. One thing I like is that it has a low volume rule and a high volume rule.

Essentially, depending on how many instances of sensitive content it discovers you sending, one rule or the other applies. If I click Edit on the low volume rule, you can see a minimum of one and up to nine instances; that is what they consider low volume. So if I had up to nine bank account numbers or Social Security numbers in an email going through Exchange, for example, this rule would apply to it.

High volume is basically more than that. If I cancel out of that and click Edit on the high volume rule, you'll notice high is ten or more. It's really nice that you can configure different rules depending on whether it's a low or a high volume. Coming back up to edit the low volume rule, you can specify a name. Each of the menu bar buttons at the top simply navigates to that area of the screen; it's really just like a scroll bar.

I can set the specific conditions I want here. The conditions I applied to the policy are the U.S. Patriot Act's individual sensitive info types, but if you wanted to add additional sensitive info types, you could. You can specify whether it's being shared with people outside or inside the organization, and you can set exceptions. If I wanted to make it okay to share with somebody in the Acmecorp.com domain, maybe because we have a partnership with them, I could add that domain as an exception. Then you have Use actions to protect content: I could set restrictions and encryption, or set headers on an email message passing through. You've got user notifications, where I can have specific people notified: the person who sent, shared or last modified the content, the owner of the SharePoint site or OneDrive, or the owner of the SharePoint or OneDrive content.

Or I could simply notify the user who sent, shared or last modified it. You can also customize the email text and the policy tip that pops up when they're sending. You can allow user overrides, so somebody could override and say, no, this is not actually a sensitive piece of information. You can flag the rule as low, medium or high severity; I might say low if it's less than nine and high if it's more than ten. I can send an alert to an administrator, and I can even have an incident report generated and sent to a specific user.

I'm going to have it sent to Jcxamlabpractice.com. The report includes the name of the person, the type of sensitive information, the rule, the severity level, the content that matched the rule and the item containing the content. You can also have the rule stop processing any other DLP policies, and you can set the priority to a high level, so if there is a conflict between data loss prevention policies, the priority level of this particular policy decides. At that point I can save the rule the way I want it.

I click Next and can say yes, turn it on right away, or test it out first if I want. I'm just going to turn it on and click Create. We've now officially created a data loss prevention policy. All in all, I think it's a great system Microsoft has put together; it's pretty intuitive, and again, I love that it's so easy to associate it with the different products I want it to cover.
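As an added example that is not part of the course, here is the same policy built with Security and Compliance PowerShell (the ExchangeOnlineManagement module) instead of the portal: Exchange-only scope, a low volume rule (1 to 9 matches) that notifies and allows an override, a high volume rule (10 or more) that blocks and sends an incident report, and the Acmecorp.com partner exception. The incident-report mailbox is a placeholder, and the rule names and policy tip text are my own choices.

```powershell
# Added example, not the course's own configuration. Assumes the
# ExchangeOnlineManagement module and a Compliance Administrator account.
Connect-IPPSSession

$policyName = 'U.S. Patriot Act'
# Built-in sensitive information types the template covers.
$sits = @(
    'Credit Card Number',
    'U.S. Bank Account Number',
    'U.S. Individual Taxpayer Identification Number (ITIN)',
    'U.S. Social Security Number (SSN)'
)

# Policy scoped to Exchange only, started in test mode (the "test it out" option).
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment 'Detects U.S. financial identifiers shared outside the organization'

# Low volume: 1 to 9 matches of any listed type. Notify with a policy tip,
# let the sender override with a justification, report as Low severity.
$low = @($sits | ForEach-Object { @{ Name = $_; minCount = '1'; maxCount = '9' } })
New-DlpComplianceRule -Name "$policyName Low volume" -Policy $policyName `
    -ContentContainsSensitiveInformation $low `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs 'acmecorp.com' `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This message appears to contain sensitive financial identifiers.' `
    -NotifyAllowOverride WithJustification `
    -ReportSeverityLevel Low

# High volume: 10 or more matches. Block the message, no override, send an
# incident report, and stop processing other DLP policies.
$high = @($sits | ForEach-Object { @{ Name = $_; minCount = '10' } })
New-DlpComplianceRule -Name "$policyName High volume" -Policy $policyName `
    -ContentContainsSensitiveInformation $high `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs 'acmecorp.com' `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -GenerateIncidentReport 'dlp-reports@example.com' `
    -IncidentReportContent Title, DocumentAuthor, Severity, RulesMatched, Detections, MatchedItem `
    -ReportSeverityLevel High `
    -StopPolicyProcessing $true `
    -Priority 0

# Once the test-mode results look right, switch the policy to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Run the two rule cmdlets after the policy exists; the `-Priority 0` on the high volume rule makes it evaluate before the low volume rule inside the policy.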
