What Data Loss Prevention Is & How the Tech Works in Office 365
Greg Judge, Infrastructure Engineer, Fabric
What is DLP?
Data Loss Prevention (DLP) is a powerful tool for ensuring sensitive data is not lost. Losing company data can be devastating and erodes trust with partners and clients. Worse, a loss is often not realised until months or even years later! Regulatory action under laws such as the GDPR, legal action and fines can follow.
The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million – whichever is greater – for organisations that infringe its requirements. (IT Governance)
DLP can be best explained in three stages:
1 – Discover/Classify – Scan for and detect the sensitive information we want to protect
- Financial – Credit/Debit Card Numbers, SWIFT Code etc…
- Medical – National Health Service Number, National Insurance Number (NINO) etc…
- Personal (privacy) data – Driver’s License Number, Passport Number etc…
2 – Protect – Apply actions to the classified data, such as:
- Encryption – Ensure the data is encrypted (especially useful if data is emailed outside of the company)
- Access Restrictions – Restrict people sharing the sensitive data
- Guidance (policy) tip – A notice appears to the user when sensitive data is detected. Tips can allow the user to override the policy if needed
3 – Monitor – Reporting, Alerts and Remediation
In the following demo we will secure UK financial data from being shared outside of the company.
Sensitive info types in Office 365 let us define the sensitive data we want to protect. Luckily there are many predefined templates.
The U.K. Financial Data template covers:
- Credit Card Number
- EU Debit Card Number
You may notice that bank account numbers are not listed, so let’s define them by adding a new Sensitive Info Type.
Add the name and description.
Choose what requirements are classed as a match:
• Keywords – words that match the data
• Regular Expression – Simply put, a regular expression defines how the data is formatted. For example, a UK account number is 8 numerical digits, and a sort code is 6.
Now we’ve defined what UK Bank Account data is, we can use it with our DLP policy!
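To show how the keyword-plus-regular-expression matching above works in practice, here is an added example (not code from the original post, nor Microsoft's own implementation). It scans constructed text for the two patterns the post defines, an 8-digit account number and a 6-digit sort code, and only counts a hit when a banking keyword appears within a nearby character window; the keyword list and window size are assumptions of this example.

```python
import re
from typing import List, Dict

# Constructed sample text, standing in for the spreadsheet or email body in the post.
SAMPLE_TEXT = (
    "Payee: Acme Ltd, sort code 12-34-56, account number 12345678. "
    "Thanks for the quick turnaround on the draft figures last week. "
    "Order ref 87654321 is the unrelated tracking number."
)

# Primary patterns, as the post describes: an account number is 8 digits, a sort code 6.
# The lookarounds stop a longer digit run from being carved into a shorter match, and
# the sort code pattern also accepts the common NN-NN-NN / NN NN NN layout.
PATTERNS = {
    "UK Account Number": re.compile(r"(?<!\d)\d{8}(?!\d)"),
    "UK Sort Code": re.compile(r"(?<!\d)\d{2}[- ]?\d{2}[- ]?\d{2}(?!\d)"),
}

# Supporting keywords (assumed list): a bare 8-digit run only counts when banking
# language is nearby, which keeps an order reference or invoice number from triggering.
KEYWORDS = re.compile(
    r"\b(sort code|account number|account no|acct|bank|iban|payee)\b", re.I
)


def classify(text: str, proximity: int = 60) -> List[Dict]:
    """Return one dict per pattern hit that has a supporting keyword within
    `proximity` characters on either side. This mirrors the idea of a primary
    pattern plus supporting evidence; the window size is an assumption here."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            window = text[max(0, m.start() - proximity): m.end() + proximity]
            keywords = sorted({k.lower() for k in KEYWORDS.findall(window)})
            if keywords:
                hits.append({"type": name, "value": m.group(), "keywords": keywords})
    return hits


def should_block(text: str) -> bool:
    """The rule from the post: block when any U.K. financial data is present."""
    return bool(classify(text))


if __name__ == "__main__":
    for hit in classify(SAMPLE_TEXT):
        print(hit)
    print("block:", should_block(SAMPLE_TEXT))
```

Running it reports the sort code and the real account number but not the order reference, which has no banking keyword within the window.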
Creating the DLP Policy
Once the DLP policy has been named, in this case ‘U.K. Financial Data’, we specify where the policy applies. You can choose to add it to Exchange (email), SharePoint, OneDrive or Teams, and apply it to a specific location or to the whole organisation!
Next, we add rules that are applied to the defined data.
Here, the action is to block sharing whenever any U.K. Financial Data is shared with or sent to anyone external to the company.
Once complete, let’s test it!
To test our DLP policy, here is a beautiful Excel spreadsheet with some bank account details, stored in SharePoint.
You may notice the Policy Tip “This item is protected by a policy in your organization”, telling the user that a policy is attached (policy tips can be customised).
When trying to share this spreadsheet, we are blocked. Success!
Even if we copy and paste the sensitive information into an email and try to send it, a Policy Tip appears:
Try sending anyway and this happens…
Crisis diverted #2019