Microsoft 365 DLP – The (new) control pane?

Data loss prevention or DLP has been around for quite some time now. Exchange Server 2013 introduced DLP as an option to scan and control email messages to check if these contain sensitive information. This was augmented with the DLP options in SharePoint Server 2016 – allowing you to set policies for sensitive information in sites. Remember those “one-way street” icons for documents?

Policy tip showing blocked access to document

In Office 365 many of the DLP options were moved to the Security & Compliance Center. This allowed for policies with a broader reach. Exchange Online, SharePoint Online and OneDrive for Business could all be part of the same policy. The number of available sensitive information types was impressive and (at first using PowerShell) you could add your own specific ones.

Data loss prevention page in the Office 365 Security & Compliance Center

DLP was part of a complete information protection architecture. A cog in a larger machine, if you will. A machine which also included SharePoint Online Information Rights Management, setting the correct access permissions on sites and libraries and setting the right guest access levels. But the machine was relatively limited – it was based on information in the three major Office 365 components: Exchange Online, SharePoint Online and OneDrive for Business and it didn’t really care for real-time communication.

Fast-forward a couple of years to 2021. We are living in a world where information is stored anywhere (if required and possible), can be shared in multiple ways (even in real-time) and is under a constant threat. This is illustrated by this Microsoft drawing, showing the “safe” on-premises environment surrounded by devices, cloud platforms and online identities.

We must realize that information isn’t confined to your on-premises fileshare or SharePoint Online site. It lives on the Windows 10 endpoint, might be stored in an AWS S3 bucket or be accessible from a Microsoft Teams environment. So, does this affect DLP in any way?

Microsoft seems to think so. A couple of weeks ago a new extension to Microsoft 365 Endpoint DLP was introduced: the Google Chrome extension. In the related article (linked at the end) a new overview was shown depicting the Microsoft Security & Compliance unified capabilities.

And it’s this overview that made me wonder: is Microsoft 365 DLP becoming the new control pane for working with sensitive information? In other words: do we need to spend more time thinking about data leakage scenarios and prevention, and use this as our foundation for information protection?

Does this make sense? Not too long ago I would not agree as Office 365 DLP was relatively limited to this environment. But now I’m not too sure. I’ll tell you why. Protecting sensitive information is becoming more about the content itself than the location where it’s stored. This was already the concept for Azure (now Microsoft) Information Protection. DLP now adds to this mix.

Why? Three reasons come to mind:

First of all – finding sensitive information. Gone are the days of using a relatively limited set of sensitive information types. We can add our own, using components like keyword dictionaries, built-in functions and more. We can also use machine learning (trainable classifiers) or specific structured information (exact data match). Should information already have been labeled, then this can be used as well.

Second – go beyond documents. Sure, documents and emails are still part of the equation. But we now can include real-time conversations and chats. And we can expect that this is not all. There is more information in Microsoft 365 (meeting recordings for example) – so this will probably be part of the mix soon.

Third – locations. This is something I’m really excited about. In addition to the Office 365 components, DLP now goes beyond this. Information is detected on-premises (fileshares and SharePoint), in non-Microsoft cloud platforms, and on Windows 10 endpoints.

And the actions within the DLP policies are wide. For example: endpoint DLP, non-Microsoft cloud and on-premises.

To be fair: please check your licenses and other prerequisites of course. For example, non-Microsoft cloud platform requires Microsoft Cloud App Security and the on-premises repositories are scanned using the Microsoft Information Protection scanner function. All of these have licensing and other requirements.

But when we can use all these available options, can we state that DLP is the new control pane for working with sensitive information? At this moment I would be tempted to go for a yes. We can now set up a holistic environment able to control what actions can and cannot be taken when working with sensitive information. But we still need the groundwork: know which information is sensitive, classify and protect this information. And we also need to make sure that the information is carefully and professionally governed.

Also, Microsoft is investing greatly in these functions. New classifiers, content types and more are released periodically. Microsoft Teams DLP policies support security groups and distribution lists, and sensitivity labels can be used in the policy.

But to be fair (again): this holistic view is great, but it does have very specific requirements which might not be available for all enterprises. All in all: in this article I wanted to share some thoughts on Microsoft 365 DLP and my vision on it becoming the new control pane. If you want more information: Microsoft Further Extends Unified Data Loss Prevention – Microsoft Tech Community
