Data Loss Prevention: a layered approach to security across information, identities and devices

Previously, we looked at the benefit of sensitivity labelling as part of Microsoft 365 Information Protection. Sensitivity labels are an excellent way of classifying and protecting data in preparation for sharing with external parties. However, there are a few scenarios where sensitivity labels won’t be able to help. Consider the following: 

  1. You don’t have Information Protection Plan 2, so you can’t automatically label documents based on their content. 
  2. An individual is not sure whether the contents of a document or email are confidential, so doesn’t select the correct label or opts to downgrade it. 
  3. You have certain data that simply should never be shared externally, no matter which sensitivity label is used. 

Whilst the first consideration may be resolved by upgrading to Plan 2, generally you cannot mitigate these scenarios with sensitivity labels alone. That is why we need a layered approach to security across information, identities and devices. To protect at this layer, we need Data Loss Prevention. 

What is Data Loss Prevention? 

Data Loss Prevention (DLP) looks for messages, documents and other files that contain sensitive information. This information could be something considered universally sensitive, such as credit card numbers, or something that could be sensitive to your business only. 

When it finds sensitive information, it applies an action. The exact action depends on what has been configured in the DLP policy. The most common action is to block the user from sharing the data and notify them as to why this has happened.  

The fact that DLP is dynamic is what sets it apart from sensitivity labels: as you are working on a document or email, it is being monitored. The moment sensitive information is added, DLP detects it and acts accordingly. It’s a real-time policy engine that re-evaluates the content after every single keystroke. 

How does it work? 

Like sensitivity labels, DLP is based on triggers and actions. With sensitivity labels, the label itself is the trigger for applying the action, for instance adding a watermark if the Highly Confidential label is used. With DLP, the trigger is the presence of the sensitive data. More specifically, the trigger is the number of occurrences of that sensitive data.  

When configuring our DLP policies, we can specify how many times the information must be detected within a single document before action is needed. For example, you may send out correspondence to customers or clients that contains their account number. That is one instance and is expected behaviour. But what if an email is about to be sent that contains a list of 100 account numbers? 

Creating a DLP policy that looks for 10+ occurrences of those account numbers within a single document will detect that email. However, we are only concerned if it is being shared externally. Therefore, our second trigger, or condition, is that the recipient is outside our organisation. Once the sender types in an external mail address, the DLP policy will have a match (10+ occurrences of data plus external recipient). 

As for what action to take, the obvious one is to block the sending of the email or the sharing of the data. However, we can also give helpful hints to our end users when a policy is matched. In the example above, we could show a policy tip in the mail client that informs the user that sensitive information has been detected and the message will not send. The same applies in a Word document or even a Microsoft Teams message. Scanning in real time means that we can immediately inform users that what they are about to do is going to be blocked. They can either remove the content or, if you allow it, override the policy and supply a justification for doing so. 
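As an added example (not code from the article or from LIMA), the policy and rule described above expressed in Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module and an account holding the Compliance Administrator role, and it uses the built-in Credit Card Number sensitive information type in place of a custom account-number type, which you would define first; the policy name, rule name, admin account and tip text are placeholders.

```powershell
# Added example: builds the "10+ occurrences plus external recipient" policy in
# Security & Compliance PowerShell. Names, account and tip text are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder admin account

# 1. The policy sets the scope (which workloads are monitored).
#    TestWithNotifications is the 'listen only' rollout mode: matches are reported
#    and users see the policy tip, but nothing is blocked yet.
New-DlpCompliancePolicy -Name "Block bulk account data to external" `
    -Comment "10+ matches plus external recipient => block, override with justification" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. The rule holds the triggers and the action.
#    Trigger 1: at least 10 occurrences of the sensitive information type
#               (swap "Credit Card Number" for your custom account-number type).
#    Trigger 2: the content is being shared outside the organisation.
#    Action   : block, show a policy tip, allow override only with a justification.
New-DlpComplianceRule -Name "10+ card numbers to external recipient" `
    -Policy "Block bulk account data to external" `
    -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="10"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "Sensitive information detected: this message will not be sent to external recipients." `
    -NotifyAllowOverride WithJustification `
    -ReportSeverityLevel High

# 3. After reviewing the DLP reports during the listen-only period, switch to enforcement.
Set-DlpCompliancePolicy -Identity "Block bulk account data to external" -Mode Enable
```

Run step 3 only once the match volume seen in the reports looks right; until then users are warned but not blocked.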

As with everything in Microsoft 365, you’ll have a wealth of analytics through the reporting dashboards that can be used to see how often people are trying to share sensitive data and what action was taken. 

Why do I need it? 

You could be forgiven for thinking that sensitivity labels and DLP perform the same tasks, which begs the question: why do I need both? In fact, they perform two very distinct tasks that contribute to that layered approach to security. 

Sensitivity labels are there to apply the correct level of protection to a document that you have every intention of sharing externally. The document needs to reach the intended recipient, but we are going to govern what they can do with it. 

DLP, on the other hand, is about protecting the data that simply shouldn’t leave the business, with or without a label. Education and awareness will only get you so far; mistakes are made, and social engineering attacks are getting harder to stop. If an attacker is masquerading as a trusted external contact and asking for something slightly out of the ordinary, will you spot the trap?  

How do I get it? 

DLP is included in Office 365 E3 and above, as well as Microsoft 365 Business Premium and above. It’s probably easier to tell you which plans don’t include it: Microsoft 365 Business Basic, Business Standard and Apps for Business. 

If you are interested in applying DLP policies to Teams chat messages, you’ll need either an E5 plan or you can take the Office 365 Advanced Compliance add-on. With this add-on you’ll be able to detect and block sensitive content within a Teams chat or channel message. 

If you would like clarification on your plan, the security features available or how best to implement them then reach out to one of our team, who will be happy to discuss the options. 

How can LIMA help? 

Effectively rolling out DLP involves categorising highly sensitive data, as well as finding the line of demarcation between an accepted number of occurrences and a possible data leak. One account number in an email is okay, but 100 account numbers in an email is probably not. We can work with you to take your unique business requirements and translate them into appropriate DLP policies. We can also advise on the best approach for deploying these policies, whether that be targeting a particular user group or SharePoint site, or monitoring all locations in ‘listen only’ mode. 

Through our Microsoft 365 Security Assessment service, we can capture your existing security posture, highlighting areas of potential weakness. From here we can map Microsoft 365 security capabilities, such as Data Loss Prevention, to your security objectives and requirements, providing a prioritised and actionable Microsoft 365 security roadmap. 

Speak to your account manager or email enquiries@lima.co.uk to find out more about how LIMA can help secure your mobile workforce with our Microsoft 365 Assessment Services. 
