
Office 365 compliance controls: Data Loss Prevention

Shobhit Sahay is a product marketing manager on the Exchange team.

When was the last time you asked your employees to carry your company’s handbook containing all the company policies with them? Do your IT workers know whether a particular email message they’re sending may violate company policy and run the risk of being noncompliant? Are they sure whether an email they’re sending contains sensitive information? Almost every IT worker faces compliance questions like these daily. Learn how you can help your IT workers achieve compliance without disrupting their normal routine or yours.

A recent blog post laid out the two dimensions of Office 365 security, compliance, and privacy: built-in capabilities and customer controls. This post focuses on a key feature under customer controls in compliance: data loss prevention (DLP).

DLP Policy Tips inform your workers in real time

With the new DLP Policy Tips in Office 365, admins can inform email senders that they may be about to pass along sensitive information detected by the company’s policies, before they click Send. This helps your organization stay compliant and educates your employees about custom scenarios based on your organization’s requirements. It accomplishes this by emphasizing in-context policy evaluation. Policy Tips not only analyze email messages for sensitive content but also determine whether information is sensitive in the context of the communication. That means you can target specific scenarios that you associate with risk, external communication for example, and configure custom policy tips for those scenarios. Reading those custom policy tips in email messages keeps your workers aware of your organization’s compliance policies and empowers them to act on them, without interrupting their work.

DLP Policy Tips are supported only in Outlook 2013, but even if your users don’t have the latest version of Outlook, you are still protected from disclosing sensitive data through back-end processing. Admins can configure rules and take actions by setting up DLP rules in the Exchange Administration Center (EAC). This ensures that a single DLP policy controls both the client and server endpoints, minimizing administrative overhead.

How do Policy Tips work? Consider a real-life scenario. Contossoplay is a company that has an internal policy to warn its employees any time they include sensitive information like a credit card number in email communications. Sara Davis is a Contossoplay employee composing an email to Dan, who works outside her organization. She includes credit card information in the mail, and immediately a DLP policy tip shows up in the message in Outlook.

When you include sensitive information in an email message, a DLP policy tip alerts you before you send the message.

At this point Sara can decide to send the email message with the credit card information, send the message with the credit card information and click Report to report a false positive, or delete the credit card information before sending the message. If she’s unsure what to do, she can click Learn more to understand her company’s policy, which her admin may have customized.

Let’s look at another scenario. Contossoplay has recently set up a policy that blocks email messages containing multiple credit card numbers unless the block is overridden with a business justification. Sara starts an email message to book travel for multiple employees in the company and attaches a document that includes the personal credit card information of the employees. A different policy tip shows up, highlighting the new compliance requirement. In Outlook 2013, the attachment that is the cause of concern is also highlighted, making it easy for her to locate the information being questioned.

A custom DLP policy tip alerts you about an attachment that may contain high-count sensitive information.

As these two scenarios show, data loss prevention empowers end users, making them part of the organization’s compliance process and ensuring that the business flow is not interrupted or delayed, because achieving compliance does not get in users’ way. At the same time, data loss prevention simplifies compliance management for admins, because it enables them to maintain control easily through the Exchange Administration Center in the Office 365 admin portal.

Policy Tips are similar to MailTips, and you can configure them to present a brief note in Outlook 2013 that provides information about your business policies to the person creating a message. You can configure policy tips that merely warn workers, block their messages, or even allow them to override your block with a justification. Policy tips can also be useful for fine-tuning your DLP policy effectiveness, because they allow end users to easily report false positives. If policy tips are not available to a user in Outlook, admins can still control compliance behavior by setting up rules in the Exchange Administration Center. For example, admins can set up an action to generate incident reports if a particular DLP event occurs. Such incident reports can help track events in real time, because a report is generated as the event occurs and sent to a designated mailbox, such as the mailbox for an incident manager account. The figure below shows a sample incident report.

You can generate incident reports for specific DLP events in Office 365.

What does data loss prevention in Office 365 offer?

Data loss prevention in Office 365 helps you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is increasingly important for enterprise message systems, because business-critical email often includes sensitive data that needs to be protected. Worrying about whether financial information, personally identifiable information (PII), or intellectual property data might be accidentally sent to unauthorized users can keep a Chief Security Officer (CSO) up all night. Now you can protect sensitive data more easily than ever before, without affecting worker productivity. Admins can easily set up compliance management in email using the Exchange Administration Center (EAC) in the Office 365 admin portal. In the EAC, you can:

  • Start with a preconfigured policy template that can help you detect specific types of sensitive information such as PCI-DSS data, Gramm-Leach-Bliley Act data, or even locale-specific personally identifiable information (PII).
  • Use the full power of existing transport rule predicates and actions and add new transport rules.
  • Test the effectiveness of your DLP policies before fully enforcing them by running the rule in the Test mode.
  • Incorporate your own custom DLP policy templates and sensitive information types.
  • Detect sensitive information in message attachments, body text, or subject lines and adjust the confidence level at which Exchange takes action.
  • Add policy tips, which can help contextually educate your end users by displaying a policy tip in Outlook. This can also enable users to provide feedback via false-positive reporting.
  • Review incident data in message-tracking logs, or add reporting by using the new generate incident report action.
  • Look at the different DLP reports in the Office 365 admin center to drive compliance adoption in the organization.

How do I get started with data loss prevention?

Using the Microsoft-supplied DLP policy templates is an easy way to get started. DLP policies are packages of transport rules with new features that you can customize. These rules include classification types that define the type of content you are looking for in the DLP policy. You can use the Exchange management shell, the Exchange Administration Center (EAC), or even your own XML file editor to start incorporating DLP policies into your messaging environment. The screenshot below shows the data loss prevention management interface within EAC.

You can manage DLP from the Exchange Administration Center in the Office 365 admin portal.

DLP is accomplished through what are called “transport rules” in Exchange. The new transport rules include a significant new approach to detecting sensitive information that can be incorporated into mail flow processing. This new DLP feature performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, internal functions such as checksum validation on credit card numbers, and other content examination to detect specific content types within the message body or attachments. Here is a screenshot of the policy tip rule that triggered the policy tip shown in the second screenshot above.
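The paragraph above mentions that the credit card classifier combines a pattern match with a checksum function. The following script is an added illustration, not code from the original post or from Exchange itself: it re-creates that two-stage approach in PowerShell so you can see why the checksum step matters. A bare 16-digit regular expression would flag every order or reference number; the Luhn (mod 10) check, which real payment card numbers satisfy, rejects those candidates before any action fires. The function names, the regular expression and the sample message body are all constructed for this example; the real Exchange classification engine is not exposed as a script.

```powershell
# Added example (not from the original post): regular expression candidate
# match followed by Luhn checksum validation, the shape of detection the
# paragraph above describes for the Credit Card Number classification.

function Test-LuhnChecksum {
    param([Parameter(Mandatory)][string]$Digits)
    # Luhn (mod 10): walk the digits right to left, double every second digit,
    # subtract 9 from any doubled value over 9, and require the total to be
    # divisible by 10.
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]::Parse($Digits[$i].ToString())
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CreditCardCandidates {
    param([Parameter(Mandatory)][string]$Text)
    # Constructed pattern: 13 to 19 digits, optionally grouped by single
    # spaces or hyphens. This is the cheap first stage; on its own it is noisy.
    $pattern = '\b(?:\d[ -]?){12,18}\d\b'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        [pscustomobject]@{
            Match     = $m.Value
            LuhnValid = Test-LuhnChecksum -Digits $digits
        }
    }
}

# Constructed sample message body. 4111 1111 1111 1111 is a widely published
# test card number that satisfies Luhn; 1234-5678-9012-3456 does not.
$body = @"
Hi Dan, please charge the deposit to 4111 1111 1111 1111.
Reference our order 1234-5678-9012-3456 when you reply.
"@

$candidates = @(Find-CreditCardCandidates -Text $body)
$confirmed  = @($candidates | Where-Object LuhnValid)

"{0} digit sequence(s) matched the pattern; {1} passed the checksum" -f $candidates.Count, $confirmed.Count
$confirmed | Format-Table -AutoSize
```

With the sample body, two sequences match the pattern and only the test card number survives the checksum, which is the false-positive reduction the classifier gets from its internal validation function. A production classifier layers further evidence on top (nearby keywords such as "card" or "expires", and the confidence levels the EAC lets you tune), but the principle is the same.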

You can configure policy tip rules to trigger specific alerts about sensitive content in email.

How do I establish policies that protect sensitive data?

You can start using DLP in one of these three ways:

  1. Apply an out-of-the-box template supplied by Microsoft. The quickest way to start using DLP policies is to create and implement a new policy using a template. This saves you the effort of building a new set of rules from scratch.
  2. Import a prebuilt policy file from outside your organization. You can import policy templates that have already been created outside of your messaging environment by independent software vendors. In this way you can extend the DLP solution to suit your business requirements.
  3. Create a custom policy without any preexisting conditions. Your enterprise may have its own requirements for monitoring certain types of data known to exist within a messaging system. You can create a custom DLP policy to check and act on your own unique message data.

Sensitive information types in DLP policies

When you create DLP policies, you can include rules that include checks for sensitive information. The conditions that you establish within a policy, such as how many times something has to be found before an action is taken or exactly what that action is, can be customized within your new custom policies in order to meet your business requirements. Sensitive information rules are integrated with the transport rules framework by introducing a condition that you can customize: If the message contains…Sensitive Information. This condition can be configured with one or more sensitive information types that are contained within messages.
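The three ways to get started listed above, the sensitive information condition just described, and the two Contossoplay scenarios earlier in the post come together in the Exchange Management Shell. The script below is an added example, not configuration from the original post: it creates a policy from a Microsoft template in a non-blocking mode, adds the two custom rules (a notify-only tip for one credit card number sent outside the organization, and a block-unless-justified rule with an incident report for two or more), reviews the rules, and then enforces the policy. It assumes an Exchange Online remote PowerShell session that is already connected. The policy name, rule names, reject text and the incident report mailbox address are placeholders you would replace; the template name should be confirmed against the output of Get-DlpPolicyTemplate in your tenant.

```powershell
# Added example (not from the original post). Placeholder values:
#   policy and rule names, the reject text, and incident-manager@contossoplay.example
$policyName = 'Contossoplay Credit Card Policy'
$reportTo   = 'incident-manager@contossoplay.example'

# Way 1: start from a Microsoft-supplied template. List them first, then pick the
# PCI template by the exact name shown in your tenant.
Get-DlpPolicyTemplate | Select-Object Name

# AuditAndNotify evaluates the rules, logs matches and shows Policy Tips in
# Outlook 2013, but blocks nothing yet: the "Test mode" described above.
New-DlpPolicy -Name $policyName `
              -Template 'PCI Data Security Standard (PCI DSS)' `
              -Mode AuditAndNotify

# Scenario 1: a single credit card number going to an external recipient gets a
# warning tip only. MessageContainsDataClassifications is the
# "If the message contains... Sensitive Information" condition; it scans the
# subject, body and attachments.
New-TransportRule -Name 'Warn: credit card number to external recipient' `
    -DlpPolicy $policyName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name = 'Credit Card Number'; minCount = '1'; maxCount = '1'} `
    -NotifySender NotifyOnly

# Scenario 2: two or more credit card numbers (for example in an attached
# travel booking) are blocked unless the sender overrides with a business
# justification, and an incident report goes to the designated mailbox.
New-TransportRule -Name 'Block: multiple credit card numbers unless justified' `
    -DlpPolicy $policyName `
    -MessageContainsDataClassifications @{Name = 'Credit Card Number'; minCount = '2'} `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText 'This message contains multiple credit card numbers. Overriding requires a business justification.' `
    -SetAuditSeverity High `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender, Recipients, Subject, Severity, Override, RuleDetections, FalsePositive, DataClassifications, IdMatch

# Review the rules the template created plus the two custom ones, check the
# message-tracking logs and incident reports while in test mode, then enforce.
Get-TransportRule -DlpPolicy $policyName | Format-Table Name, Mode, State -AutoSize
Set-DlpPolicy -Identity $policyName -Mode Enforce
```

Leaving the policy in AuditAndNotify for a period before the final Set-DlpPolicy call is the step that lets the false-positive reports from Policy Tips feed back into the minCount and confidence values before anyone’s mail is actually blocked.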

To make it easy for you to use rules based on sensitive information types, Microsoft supplies policy templates that already include some of these types. Here is the inventory of the sensitive information types supplied out of the box.

Data loss prevention in Office 365 is one of the major compliance features offered under customer controls. Other compliance features under customer controls are available, such as in-place eDiscovery and in-place legal hold. We’ll discuss these customer controls in more depth in future blog posts.

So get started today and make your organization more compliant, without impacting your users’ or your productivity, using data loss prevention.

–Shobhit Sahay