Design DLP policies based on an organization’s requirements
Designing Data Loss Prevention can be driven by the regulations of your industry or simply by internal security principles; either way, the result should be written down as a firm framework of security measures rather than left to interpretation.
In my examples I will use GDPR as the main component.
Here are some reasons why it should be done:
- Compliance:
  - Different levels of government regulations dictate how organizations collect and safeguard personally identifiable information.
  - Ensuring compliance with data regulations and reporting during compliance audits involves implementing a data loss prevention policy.
- Intellectual Property:
  - Protecting proprietary information and trade secrets is essential to prevent unauthorized access.
- Data Visibility:
  - Valuable insights can be obtained by monitoring how stakeholders access and engage with data within organizations.
GDPR data protection
Numerous data privacy laws are in effect globally, with more pending. A standard DLP policy comprises three key elements:
- Location: Specifies where the policy applies, e.g., GDPR data protection rules apply wherever personal information is stored.
- Conditions: Sets the parameters for data loss prevention, including unauthorized data usage, outdated data deletion, or storing personal data in unsecured locations.
- Action: When conditions are met, actions are taken to prevent data loss. For example, data violating GDPR may be deleted, and unverified storage of personal data can be blocked.
Simplified steps for DLP planning
- Identify your stakeholders.
- Define the categories of sensitive data and protection objectives.
- Establish a plan for policy deployment.
- Gain a comprehensive understanding of DLP policy components.
- Examine DLP policy templates.
- Collaborate with key stakeholders to craft a policy intent statement.
- Ensure policy alignment with your overarching DLP strategy.
- Link the intent statement to configuration options.
- Make a choice between predefined or custom policy templates.
- Gather all necessary information for policy creation.
- Document policy settings and conduct a review with stakeholders.
- Draft the policy while referencing your deployment plan.
What can DLP do?
In Microsoft Purview, data loss prevention is established through DLP policies. These policies enable the identification, monitoring, and automatic protection of sensitive items across various areas, including:
- Microsoft 365 services (Teams, Exchange, SharePoint, OneDrive)
- Office applications (Word, Excel, PowerPoint)
- Endpoints (Windows 10, Windows 11, macOS)
- Non-Microsoft cloud apps
- On-premises file shares and SharePoint
- Power BI
DLP goes beyond simple text scans, employing deep content analysis to:
- Identify primary data matches to keywords.
- Evaluate regular expressions.
- Validate internal functions.
- Detect secondary data matches near primary data matches.
Machine learning and other techniques are also used to detect content that aligns with DLP policies.
See more from Learn
Configure permissions for DLP
Pre-defined roles
The account you use to create and deploy policies must be a member of one of these role groups:
Role group | Description |
---|---|
Compliance Administrator | Members can manage settings for device management, data loss prevention, reports, and preservation. |
Compliance Data Administrator | Members can manage settings for device management, data protection, data loss prevention, reports, and preservation. |
Information Protection | Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports. |
Information Protection Admins | Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies. |
Security Administrator | Grants members access to various security features, including Identity Protection Center, Privileged Identity Management, Microsoft 365 Service Health, and the Defender and compliance portals. The group may initially appear empty, because it inherits the Security Administrator role from Microsoft Entra ID; manage its membership in the Microsoft Entra admin center. Changes within this group apply solely to security and compliance functions. It offers both read-only permissions similar to the Security Reader role and additional administrative permissions for services such as Azure Information Protection. |
Custom roles
If you want to build a custom role group that carries only DLP permissions, add one of these two roles to it:
Role | Description |
---|---|
View-Only DLP Compliance Management | View the settings and reports for data loss prevention (DLP) policies. |
DLP Compliance Management | View and edit settings and reports for data loss prevention (DLP) policies. |
Creating custom roles
Open the Compliance portal and go to Roles & scopes -> Permissions.
Choose Create a role group.
There are 96 different roles to choose from in total. As we saw above, some of them are already bundled into predefined role groups, but with a custom role group you can narrow the permissions down further, for example to the two DLP roles alone.
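The same custom role groups created from Security & Compliance PowerShell instead of the portal, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed and that the account running it already holds a role allowed to manage role groups; the group names, descriptions and member addresses are placeholders.

```powershell
# Added example, not part of the original post. Assumes the ExchangeOnlineManagement
# module is installed; group names, descriptions and addresses are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Editors: only the "DLP Compliance Management" role. No sensitivity labels,
# no retention, nothing else that the Compliance Administrator group would carry.
New-RoleGroup -Name "DLP Policy Editors" `
    -Description "Create and edit DLP policies only" `
    -Roles "DLP Compliance Management" `
    -Members "dlp.engineer@contoso.com"

# Auditors: read-only access to DLP settings and reports.
New-RoleGroup -Name "DLP Auditors" `
    -Description "View DLP policy settings and reports" `
    -Roles "View-Only DLP Compliance Management" `
    -Members "auditor@contoso.com"

# Verify the result before handing the groups out: each one should list
# exactly one role, and only the intended members.
"DLP Policy Editors", "DLP Auditors" |
    ForEach-Object { Get-RoleGroup -Identity $_ } |
    Select-Object Name, Roles
Get-RoleGroupMember -Identity "DLP Policy Editors"
```

Keeping the two groups separate is deliberate: the people who review DLP reports during an audit rarely need the ability to change the rules that produced them.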
Create and manage DLP policies
As stated in the beginning, I will use GDPR as my example. It fits most sectors, and Data Loss Prevention is the right feature to enforce these regulatory restrictions.
When you have the appropriate roles, open https://compliance.microsoft.com/datalossprevention/policies and click “Create policy”.
Choose the name carefully, because it cannot be changed afterwards. Then scope the policy with Administrative Units (AU) if you wish.
Administrative units:
- Divide your organization into smaller units.
- Assign specific administrators to manage those units.
- Enable administrators to manage members and associated features within their assigned units.
- Delegate permissions for geographic regions or departments.
- Create specific policies and view user activity.
- Serve as an initial scope for policies based on unit membership.
With Administrative Units for Data Loss Prevention (DLP) you can restrict a DLP policy to the members of an AU and limit the visibility of the resulting DLP alerts to the administrators assigned to that unit.
Policies with SITs
When you create a DLP policy you can use the predefined SITs (Sensitive Information Types) or custom ones.
Let's walk through creating a rule that matches on SITs.
First select the locations (scope) for the policy.
Then add the condition “Content contains” and pick SITs.
Choose the custom SIT you created or a predefined one. You can also select multiple SITs in one condition.
If you want to block external access, you also need the condition “Content is shared from Microsoft 365” with people outside the organization.
Otherwise the wizard will not accept the block action.
Then add policy tips and other user notifications,
alerts to admins and an email on policy hits,
and finally choose the policy mode: test it with policy tips (educate users), turn it on, or keep it off.
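The policy built in the wizard above, created from Security & Compliance PowerShell instead, as an added example that is not part of the original post. It assumes Connect-IPPSSession has already been run; the policy and rule names, the SITs chosen, the policy tip text and the alert mailbox are placeholders, and the PolicyRBACScopes parameter shown commented out is my assumption for scoping the policy to an Administrative Unit.

```powershell
# Added example, not part of the original post. Assumes Connect-IPPSSession has
# already been run. Names, SITs, tip text and the alert mailbox are placeholders.
$policyName = "GDPR - personal data"

# 1. The policy carries the name, the locations (scope) and the mode.
#    Start in test mode with notifications so you can measure hits before blocking.
$policy = @{
    Name               = $policyName
    Comment            = "Block external sharing of EU personal data (GDPR)"
    ExchangeLocation   = "All"
    SharePointLocation = "All"
    OneDriveLocation   = "All"
    TeamsLocation      = "All"
    Mode               = "TestWithNotifications"   # switch to Enable once reports look right
    Priority           = 0                         # 0 = evaluated before every other DLP policy
    # PolicyRBACScopes = "<admin-unit-id>"         # assumed parameter for scoping to an AU
}
New-DlpCompliancePolicy @policy

# 2. The rule carries the conditions and the actions. Each SIT has its own
#    minimum confidence and instance count, as in the portal's condition card.
$sits = @(
    @{ Name = "EU Debit Card Number";              minCount = 1; minConfidence = 85 }
    @{ Name = "EU Passport Number";                minCount = 1; minConfidence = 75 }
    @{ Name = "EU National Identification Number"; minCount = 1; minConfidence = 75 }
)

$rule = @{
    Name                                = "GDPR - block external sharing"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $sits
    AccessScope                         = "NotInOrganization"   # "Content is shared from Microsoft 365" with people outside the org
    BlockAccess                         = $true
    BlockAccessScope                    = "All"
    NotifyUser                          = @("Owner", "LastModifier")   # policy tip plus email to the user
    NotifyPolicyTipCustomText           = "This item contains EU personal data and cannot be shared outside the organization."
    GenerateIncidentReport              = @("SiteAdmin", "dlp-alerts@contoso.com")   # admin alert mail on hits
    IncidentReportContent               = @("Title", "Service", "Detections", "Severity")
    ReportSeverityLevel                 = "High"
}
New-DlpComplianceRule @rule

# 3. After reviewing the test-mode reports, switch enforcement on.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# 4. Check what was created.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Priority
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, AccessScope, BlockAccess
```

Without AccessScope the rule would match every item containing the SITs, including internal-only documents, which is the same mistake the wizard guards against when it refuses the block action.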
Managing policies with Labels
Once you have created the DLP policy you can still edit it (everything except the name, so choose it right at the start).
You can easily edit the existing rules:
remove the SIT condition
and add sensitivity labels instead, but
you then have to remove some services from the scope, because Teams chat and channel messages cannot be matched on labels.
Let's see what happens.
Here is a table showing which condition types can be used in which location:
Location | Content can be defined by SIT | Content can be defined by sensitivity label | Content can be defined by retention label |
---|---|---|---|
Exchange Online email | Yes | Yes | No |
SharePoint in Microsoft 365 sites | Yes | Yes | Yes |
OneDrive for work or school accounts | Yes | Yes | Yes |
Teams chat and channel messages | Yes | No | No |
Devices | Yes | Yes | No |
Microsoft Defender for Cloud Apps | Yes | Yes | Yes |
On-premises repositories | Yes | Yes | No |
Power BI | Yes | Yes | No |
And there we have it: documents and email carrying the GDPR sensitivity label are now covered by the policy and will not leak.
Note the difference: labeled content matches on the label alone, whereas for SITs you must also define the confidence level and the instance count (how many hits in one item) required for a match.
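The same change made from PowerShell, as an added example that is not part of the original post: drop Teams from the scope, then swap the SIT condition for a label condition. It assumes a policy named "GDPR - personal data" with a rule "GDPR - block external sharing" already exists and that a sensitivity label named "GDPR" is published; the Remove*Location parameters and the grouped label syntax are from my reading of the cmdlet reference, so verify them with Get-Help in your tenant.

```powershell
# Added example, not part of the original post. Assumes Connect-IPPSSession has
# been run, the policy and rule below exist, and a "GDPR" sensitivity label is
# published. Parameter and syntax details are from the cmdlet reference as I
# understand it; verify with Get-Help New-DlpComplianceRule -Full.
$policyName = "GDPR - personal data"
$ruleName   = "GDPR - block external sharing"

# 1. Teams chat and channel messages cannot be matched on labels, so remove
#    Teams from the scope before changing the condition. Everything else stays.
Set-DlpCompliancePolicy -Identity $policyName -RemoveTeamsLocation All

# 2. Replace the SIT condition with a label condition. Labels are expressed as a
#    group inside ContentContainsSensitiveInformation; no confidence or count
#    applies, because a label either is or is not on the item.
$labelCondition = @{
    operator = "And"
    groups   = @(
        @{
            operator = "Or"
            name     = "Default"
            labels   = @(
                @{ name = "GDPR"; type = "Sensitivity" }
            )
        }
    )
}
Set-DlpComplianceRule -Identity $ruleName -ContentContainsSensitiveInformation $labelCondition

# 3. Confirm the scope no longer includes Teams and the rule now carries the label.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, TeamsLocation
(Get-DlpComplianceRule -Identity $ruleName).ContentContainsSensitiveInformation
```

If the scope still contains Teams when the rule is changed, the cmdlet fails for the same reason the portal did, so step 1 has to happen first.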
The levels in brief:
- Low Confidence (65): Fewest false negatives, most false positives. Returns all confidence levels.
- Medium Confidence (75): Balanced false positives and false negatives. Returns medium and high confidence matches.
- High Confidence (85): Fewest false positives, most false negatives. Only returns high confidence matches.
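Before choosing one of those thresholds it is worth seeing what confidence a SIT actually returns for your own content. The following is an added example, not part of the original post: it runs the built-in Credit Card Number SIT over two constructed strings and shows at which of the three levels a rule would match. It assumes an Exchange Online PowerShell session (Test-DataClassification is an Exchange Online cmdlet, not a compliance-session one); the card number is the standard test value 4111 1111 1111 1111, and the Count and Confidence property names are how I recall the cmdlet reporting each match.

```powershell
# Added example, not part of the original post. Test-DataClassification is an
# Exchange Online PowerShell cmdlet (Connect-ExchangeOnline). The sample text is
# constructed; 4111 1111 1111 1111 is the well-known test card number.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# Same payload with and without the supporting keywords a SIT looks for near
# the primary match. The keyword is what usually lifts the confidence.
$samples = [ordered]@{
    "keyword nearby" = "Please charge my credit card 4111 1111 1111 1111, expiry 04/27."
    "number only"    = "Reference: 4111 1111 1111 1111"
}

# The three portal levels, as the thresholds a rule would apply.
$levels = [ordered]@{ Low = 65; Medium = 75; High = 85 }

foreach ($label in $samples.Keys) {
    $result = Test-DataClassification -TextToClassify $samples[$label] `
                                      -ClassificationNames "Credit Card Number"
    # Count/Confidence are the per-match properties as I recall them; if your
    # module version reports them differently, inspect with: $result | Format-List
    foreach ($match in $result.ClassificationResults) {
        "{0}: {1} found {2} time(s) at confidence {3}" -f $label, $match.ClassificationName, $match.Count, $match.Confidence
        foreach ($lvl in $levels.Keys) {
            $verdict = if ($match.Confidence -ge $levels[$lvl]) { "match" } else { "no match" }
            "   rule at {0} ({1}): {2}" -f $lvl, $levels[$lvl], $verdict
        }
    }
}
```

Run this against a few real-looking documents from the business before settling on High for a blocking rule; a threshold that never fires on your actual data protects nothing.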
Preview features
You can now also test your policies before enforcing them,
share DLP alerts,
and have a default DLP policy for Teams.
Interpret policy and rule precedence in DLP
For policies you can change the order. The “Priority” parameter assigns a value to policies, dictating their processing order. Lower integer values signify higher priorities, with 0 being the highest, and no two policies can share the same priority value.
Rules inside a policy can also be ordered.
- Rules are processed in priority order, with the most restrictive action enforced first.
- Only the most restrictive rule is applied, even if content matches multiple rules.
- Rules can address specific protection needs, and DLP policies group them for streamlined management and reporting. For instance, a DLP policy can help safeguard HIPAA data across SharePoint and OneDrive by blocking access and sending notifications when sensitive information is shared externally.
Configure a Microsoft Defender for Cloud Apps file policy to use DLP policies
You can still use the old portal for a week; after that the redirection will be automatic.
So I won't be covering the old one; let's look at the new unified Security portal.
First you must Enable file monitoring from https://security.microsoft.com/cloudapps/settings?tabid=filesSettings
Then navigate to https://security.microsoft.com/cloudapps/policies/management?tab=informationProtectionPolicies to create a File policy.
Policy type | Category | Use |
---|---|---|
File policy | Information protection | File policies enable you to scan your cloud apps for specified files or file types (shared, shared with external domains), data (proprietary information, personal data, credit card information, and other types of data) and apply governance actions to the files (governance actions are cloud-app specific). |
Data Classification Service is also employed by the DLP policies configured in the Microsoft Purview compliance portal. You can use this option to have a uniform experience across all your configured DLP policies.
The first time you create a File policy you need to grant permissions in Entra ID.
Once enabled, you can refine the settings further.
If the policy matches files, you can add governance actions,
for example applying sensitivity labels to the content.
See more on Cloud Apps and labeling from Learn.
When you create the policy you can choose filters for it to match: for the sharing access level
and for specific apps and services.
Once you are done, you can view the matches and the created incidents.
Closure
Like before, let’s see what we learned.
DLP policies can help you to:
- Compliance:
  - Different levels of government regulations dictate how organizations collect and safeguard personally identifiable information.
  - Ensuring compliance with data regulations and reporting during compliance audits involves implementing a data loss prevention policy.
- Intellectual Property:
  - Protecting proprietary information and trade secrets is essential to prevent unauthorized access.
- Data Visibility:
  - Valuable insights can be obtained by monitoring how stakeholders access and engage with data within organizations.
In Microsoft Purview, data loss prevention is established through DLP policies. These policies enable the identification, monitoring, and automatic protection of sensitive items across various areas, including:
- Microsoft 365 services (Teams, Exchange, SharePoint, OneDrive)
- Office applications (Word, Excel, PowerPoint)
- Endpoints (Windows 10, Windows 11, macOS)
- Non-Microsoft cloud apps
- On-premises file shares and SharePoint
- Power BI
DLP goes beyond simple text scans, employing deep content analysis to:
- Identify primary data matches to keywords.
- Evaluate regular expressions.
- Validate internal functions.
- Detect secondary data matches near primary data matches.
Machine learning and other techniques are also used to detect content that aligns with DLP policies.
Roles available for a custom DLP role group:
Role | Description |
---|---|
View-Only DLP Compliance Management | View the settings and reports for data loss prevention (DLP) policies. |
DLP Compliance Management | View and edit settings and reports for data loss prevention (DLP) policies. |
With Administrative Units for Data Loss Prevention (DLP) you can restrict a DLP policy to the members of an AU and limit the visibility of the resulting DLP alerts to the administrators assigned to that unit.
When you create a DLP policy you can use the predefined SITs (Sensitive Information Types) or custom ones.
- Rules are processed in priority order, with the most restrictive action enforced first.
- Only the most restrictive rule is applied, even if content matches multiple rules.
- Rules can address specific protection needs, and DLP policies group them for streamlined management and reporting.
File policies enable you to scan your cloud apps for specified files or file types (shared, shared with external domains), data (proprietary information, personal data, credit card information, and other types of data) and apply governance actions to the files (governance actions are cloud-app specific)
Defender for Cloud Apps can enforce DLP and apply labels to the content it finds using Sensitive Information Types.