Data loss prevention in Office 365

IRS_data_theft

Data theft, data loss or data leakage is an increasing problem concerning enterprise information. According to Wikipedia, data leakage occurs when “sensitive data is disclosed to unauthorized personnel either by malicious intent or inadvertent mistake”. And such mistakes occur regularly.

It’s not uncommon these days to read a newspaper report on e-mails which were sent to the wrong address, or on information which was inadvertently shared with the wrong audience.

Microsoft addressed these data loss scenarios some time ago in Microsoft Exchange. Using sensitive data policies, Exchange can act when sensitive data is sent (or is about to be sent) to the wrong party or parties. And now Microsoft has broadened this functionality to include SharePoint Online as well. And for good reasons.

Sharing information using SharePoint Online has never been easier. Let’s say you have some Excel sheets containing credit card numbers or a number of bank statements. You can easily add these to your OneDrive for Business and share these with anyone within or even outside of your organization.

But now we can start preventing these kinds of scenarios.

Let’s take a look at data loss prevention for SharePoint Online.

Security & Compliance center

The options which I’m about to explain to you can be found within the new Security & Compliance center of Office 365. This center is a huge improvement over the existing compliance features provided by Office 365.


Data loss prevention can be found in the Security policies section. When selected, you will be presented with a dashboard showing the policies currently in use, or none at all when you don’t have any in use.

dlp_policies

A policy can contain one or more rules. These rules need to be added to the policy.

Adding a policy and rule is easy. You will be guided through every step using a wizard. But even with this wizard, some steps are somewhat complicated. The first question you will need to answer is: what kind of information do you want to protect? Basically, this gives you the opportunity to select one of several built-in policies or to create a custom one.

For example, a policy based on the U.S. Patriot Act.

Create a custom policy

Let’s not use these built-in policies. I’ll create a custom one.

Let’s look at the steps involved.

DLP_Rule_sites


First, I will need to specify for which sites this policy is created. I can select all sites or specific sites, and even specify whether this policy applies to OneDrive for Business.

The next step is to create a new rule for the sites I selected.

DLP Rules

A rule is made up of four sections. You have the conditions (when) and the actions (what). You can also send incident reports and give the rule a name; that is the last section (General). When using this wizard, go through these sections in this order and then press OK.

Section 1 – Conditions

In this section you will specify when this rule is triggered. This can be for all content, when the content is shared (either internally or externally), or when specific document properties contain specific values. These can be custom properties (be sure to include these as managed properties in search) or built-in properties.

DLP_Rule_Conditions

But there is one more option. You can trigger the rule if content contains sensitive information. This might be credit card numbers, social security numbers, etc.

Microsoft has already included many of the standard sensitive information types in SharePoint Online. The rule uses these to determine whether the information inside the documents is sensitive. It uses a complex algorithm for this. For example, the Dutch BurgerServiceNumber uses a so-called 11-test to determine whether a number is a BurgerServiceNumber or just a random string of digits. This kind of algorithm is used by SharePoint Online.

If you want, you can even set the certainty level of the algorithm. For example, you can configure that SharePoint needs to be 95% sure when it detects a document, and that the rule should only act when there are more than 5 occurrences.
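To make the detection mechanics concrete, here is an added example in Python (not code from the post and not Microsoft's implementation) that models the two knobs just described: a checksum that separates a real identifier from random digits, and a rule that only acts when enough detections reach a chosen certainty level. It implements the Dutch 11-test for a BurgerServiceNumber, and assigns a confidence of 85 when a supporting keyword sits within 300 characters of the number and 65 otherwise; those two levels, the keyword list and the proximity window are assumptions modelled on the pattern structure of Microsoft's rule definitions, not the real values. The sample documents are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Keywords whose presence near a number raises confidence. Hypothetical list, modelled
# on the Keyword_* <Match> elements in Microsoft's rule definitions; not the real set.
BSN_KEYWORDS = ("bsn", "burgerservicenummer", "sofinummer")
# Characters of context inspected on each side of a candidate (like patternsProximity).
PROXIMITY = 300


def passes_11_test(candidate: str) -> bool:
    """Dutch BurgerServiceNumber 11-test ('elfproef'): the first eight digits are
    weighted 9 down to 2, the ninth digit is weighted -1, and the weighted sum
    must be divisible by 11. Eight-digit numbers are not handled here."""
    if len(candidate) != 9 or not candidate.isdigit():
        return False
    digits = [int(c) for c in candidate]
    weighted = sum(d * w for d, w in zip(digits[:8], range(9, 1, -1))) - digits[8]
    return weighted % 11 == 0


@dataclass
class Detection:
    value: str       # the matched number
    offset: int      # position in the document
    confidence: int  # 85 with a supporting keyword nearby, 65 without (assumed levels)


def find_bsn(text: str) -> List[Detection]:
    """Return every nine-digit run that passes the 11-test, with a confidence level
    derived the way the rule definitions structure it: the checksum is the primary
    match, a keyword within PROXIMITY characters is the supporting match."""
    detections = []
    for m in re.finditer(r"(?<!\d)\d{9}(?!\d)", text):
        if not passes_11_test(m.group()):
            continue  # random digits, not a BSN
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY].lower()
        confidence = 85 if any(k in window for k in BSN_KEYWORDS) else 65
        detections.append(Detection(m.group(), m.start(), confidence))
    return detections


def rule_triggers(text: str, min_confidence: int = 75, min_count: int = 5) -> bool:
    """Model of the rule condition: act only when at least min_count detections
    reach min_confidence (the certainty level and occurrence count in the wizard)."""
    hits = [d for d in find_bsn(text) if d.confidence >= min_confidence]
    return len(hits) >= min_count


# Constructed sample documents; the numbers are made up but pass the 11-test,
# except 123456789, which fails it and must not be counted.
PAYROLL_DOC = (
    "Personeelslijst (BSN): 111222333, 123456782, 234567892, 345678904, "
    "456789017, 567890120. Dossier 123456789 is an order number."
)
ORDERS_DOC = "Ordernummers: 111222333 123456782 234567892"

if __name__ == "__main__":
    for name, doc in (("payroll", PAYROLL_DOC), ("orders", ORDERS_DOC)):
        hits = find_bsn(doc)
        print(name, [(d.value, d.confidence) for d in hits],
              "rule fires:", rule_triggers(doc))
```

With the defaults (certainty 75, at least 5 occurrences) the payroll document fires the rule and the order list does not: its numbers pass the checksum but lack any supporting keyword, so they stay at the lower confidence. Lowering the certainty level to 65 makes the same three numbers count, which is exactly the trade-off the wizard's certainty setting exposes.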


DLP_Rule_Conditions_information_types

You can even combine these conditions. For example, when content contains sensitive information and is shared with external parties.

Section 2 – Actions

Now that you have set up the conditions for the rule, you can set the appropriate actions.

These can be combined as well. You can choose to block the content, in which case the content cannot be accessed by anyone except the owner (Created By), the site collection administrator or the last modifier.

You can combine this with an e-mail notification. Or you can choose to send an e-mail notification first using this rule and block access on a later date. That way you can first (gently) inform your people about the possible sensitive data, but have a rule ready for when they still don’t comply (resistance is futile…).

DLP_Rule_Actions

Section 3 – Incident reports

We are nearing the end of the wizard and the rule is nearing completion. In this section you can include an e-mail notification. This notification will be sent when the rule has been triggered. You can choose the severity level and the people you want to send this e-mail to.

Section 4 – General

Don’t forget to give this rule a name. You can also turn off this rule, if needed.


After the rule is created, you can add more rules. When finished, SharePoint will ask you whether the policy needs to be active. We will turn it on.

Policy and rule is active

Alright, the rule is active. It will take a little time (a couple of minutes) for SharePoint search to detect any content which complies with the new rule(s). But when it does, this is what happens.

First of all, an e-mail notification is sent to the people included in the rule.

But just as important: in the document library which contains the sensitive data, you will see some new icons. Documents which are subject to the rule will now have a “do not enter” sign and a (default) policy tip.

DLP_Rule_Inaction

These documents can still be seen by the owner, site-collection administrator and last modifier. But to anyone else, these documents will not be visible.

And that’s it. The information is now protected by a data loss prevention policy.

But that’s not all. The functions described above only work with the help of SharePoint Search. It’s search which detects whether content is or isn’t compliant. And that provides us with an additional piece of functionality: being able to search for sensitive content.

Searching for sensitive content

Yes, indeed. You can search your entire tenant for information which might be sensitive.

And the Security & Compliance Center is our entry point for this. Just go to the section Search & investigation | Content search. Here you can create (recurring) queries for specific sites or the entire tenant.

I won’t go into more detail here. But it’s important to note that these queries can be saved, and results can be previewed and exported.

You can search using all the query possibilities provided out of the box. But for sensitive data, SharePoint Online now provides the “SensitiveType” option. When using this, you can specify which kind of information needs to be found and even the certainty level.

More information here.


It took me a while to get this working. This SensitiveType is very sensitive itself. It needs the exact and correct type to work. In the end, I used this TechNet article. The correct type is located in the definition part of every type. For example:

<!-- U.S. Social Security Number (SSN) -->
<Entity id="a44669fe-0d48-453d-a9b1-2cc83f2cba77" patternsProximity="300" recommendedConfidence="75">
  <Pattern confidenceLevel="85">
    <IdMatch idRef="Func_ssn" />
    <Match idRef="Keyword_ssn" />
  </Pattern>
  <Pattern confidenceLevel="75">
    <IdMatch idRef="Func_unformatted_ssn" />
    <Match idRef="Keyword_ssn" />
  </Pattern>
  <Pattern confidenceLevel="65">
    <IdMatch idRef="Func_randomized_formatted_ssn" />
    <Match idRef="Keyword_ssn" />
    <Any minMatches="0" maxMatches="0">
      <Match idRef="Func_ssn" />
    </Any>
  </Pattern>
  <Pattern confidenceLevel="55">
    <IdMatch idRef="Func_randomized_unformatted_ssn" />
    <Match idRef="Keyword_ssn" />
    <Any minMatches="0" maxMatches="0">
      <Match idRef="Func_unformatted_ssn" />
    </Any>
  </Pattern>
</Entity>
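Reading these definitions by hand is error-prone, which is where the "exact type" trouble comes from. As an added example (not code from the post and not a Microsoft tool), the Python script below parses entity definitions in this format with the standard library's xml.etree, pairs each <Entity> with the comment that precedes it (the display name), lists its patterns with their confidence levels and the matches each pattern requires or excludes, and reports which patterns remain in play once a rule's certainty level is set. The SSN entity is the one shown above; the surrounding <Rules> element is an assumed wrapper so that the comment is part of the parsed tree, and the reading of the certainty level as "ignore patterns below it" is a model, not documented behaviour.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the SSN entity from the definition above, wrapped in a <Rules>
# element (assumed) so the name comment is a node inside the parsed tree.
RULES_XML = """<Rules>
  <!-- U.S. Social Security Number (SSN) -->
  <Entity id="a44669fe-0d48-453d-a9b1-2cc83f2cba77" patternsProximity="300" recommendedConfidence="75">
    <Pattern confidenceLevel="85">
      <IdMatch idRef="Func_ssn" />
      <Match idRef="Keyword_ssn" />
    </Pattern>
    <Pattern confidenceLevel="75">
      <IdMatch idRef="Func_unformatted_ssn" />
      <Match idRef="Keyword_ssn" />
    </Pattern>
    <Pattern confidenceLevel="65">
      <IdMatch idRef="Func_randomized_formatted_ssn" />
      <Match idRef="Keyword_ssn" />
      <Any minMatches="0" maxMatches="0">
        <Match idRef="Func_ssn" />
      </Any>
    </Pattern>
    <Pattern confidenceLevel="55">
      <IdMatch idRef="Func_randomized_unformatted_ssn" />
      <Match idRef="Keyword_ssn" />
      <Any minMatches="0" maxMatches="0">
        <Match idRef="Func_unformatted_ssn" />
      </Any>
    </Pattern>
  </Entity>
</Rules>
"""


def parse_entities(xml_text: str) -> List[Dict]:
    """Read every <Entity> under the root, pairing it with the XML comment that
    precedes it (the display name) and listing its patterns."""
    # insert_comments keeps comments as nodes in the tree (Python 3.8+).
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    entities: List[Dict] = []
    pending_name = None
    for node in root:
        if node.tag is ET.Comment:
            pending_name = (node.text or "").strip()
            continue
        if node.tag != "Entity":
            pending_name = None
            continue
        patterns = []
        for pat in node.findall("Pattern"):
            patterns.append({
                "confidence": int(pat.get("confidenceLevel")),
                # the primary element that must match (format/checksum function)
                "id_match": pat.find("IdMatch").get("idRef"),
                # supporting evidence that has to appear within patternsProximity
                "supporting": [m.get("idRef") for m in pat.findall("Match")],
                # <Any maxMatches="0"> lists matches that must NOT be present
                "excluded": [m.get("idRef")
                             for m in pat.findall("Any[@maxMatches='0']/Match")],
            })
        entities.append({
            "name": pending_name,
            "id": node.get("id"),
            "proximity": int(node.get("patternsProximity")),
            "recommended_confidence": int(node.get("recommendedConfidence")),
            "patterns": patterns,
        })
        pending_name = None
    return entities


def patterns_at_least(entity: Dict, min_confidence: int) -> List[str]:
    """IdMatch functions still counted when a rule's certainty level is set to
    min_confidence, under the model that lower-confidence patterns are ignored."""
    return [p["id_match"] for p in entity["patterns"]
            if p["confidence"] >= min_confidence]


if __name__ == "__main__":
    for ent in parse_entities(RULES_XML):
        print(f'{ent["name"]} ({ent["id"]}), recommended confidence '
              f'{ent["recommended_confidence"]}, proximity {ent["proximity"]}')
        for p in ent["patterns"]:
            print(f'  {p["confidence"]}: {p["id_match"]} + {p["supporting"]} '
                  f'excluding {p["excluded"]}')
        print("  at recommended level:",
              patterns_at_least(ent, ent["recommended_confidence"]))
```

Running it prints the display name from the comment (the string the author had to get exactly right), the four patterns, and, at the recommended confidence of 75, only Func_ssn and Func_unformatted_ssn. The two lower patterns cover randomized SSNs and explicitly exclude the higher-confidence match, which is why a rule set to a high certainty level can miss documents that a tenant-wide search at a lower level still finds.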

In the end

This is great new functionality. Anyone working in compliance, security or any related role should be(come) aware of this as of this moment.

I did a presentation on this subject at SharePoint Saturday NL. Here it is:

