Friday, January 25, 2013

New Exchange Online DLP

There is a great new feature of Exchange 2013 that will be part of Exchange Online. I am really happy to now have native Data Loss Prevention (DLP) features to share with customers. Up to this point you have been able to use Transport Rules to implement light DLP; however, if you wanted to implement real DLP, organizations were required to manage an on-premises appliance to support it. Now organizations have the ability to remove that dependency and use DLP delivered through the Office 365 cloud.
Below are some notes and resources that you should know about. The new DLP capability:
  • The goal is to help identify, monitor, and protect sensitive information and keep it from leaving the organization.
  • DLP can be configured through the Exchange Administration Center.
  • You have the ability to start with pre-configured DLP templates to detect information such as PII, and you can create custom templates with sensitive information types. This will save you a lot of time.
  • Types – Detect sensitive information in attachments, body text and subject lines, and adjust the sensitivity level at which action rules (transport rules) fire.
  • DLP policies are tied directly into Transport Rules. They are no more than packages of conditions, transport rules, actions and exceptions.
  • Transport Rules – You have the ability to coordinate DLP rules with Transport Rules and create actions to capture information. Transport Rules look for specific conditions on a message and then take action on it. Transport Rules let you apply messaging policies, secure messages, protect messages and prevent leakage. You can prevent information from leaving, filter confidential information, track / copy messages sent / received by individuals, redirect email for inspection, apply disclaimers, etc. You have the ability to incorporate classification of sensitive information. Additionally, you can perform content analysis through keyword matches, dictionary matches, regular expressions, etc.
  • Testing – Rules can be tested before they are actually enforced, by creating them but not activating them. Mail flow is not affected until they are finalized.
  • Policy Tips – This is truly a great feature in that preventive action can be taken with an end user before they actually send an email that could violate a DLP policy. Policy Tips show users warnings in Outlook in the same manner as MailTips. This does require the Outlook 2013 client.
  • Reporting – DLP reports are available, and you can create your own specific reports to monitor issues.
Some additional deeper notes:
  • There are three ways to create a template: 1) create a policy from an out-of-the-box (OOB) template, 2) import one, or 3) start from scratch. There are OOB templates such as PCI Data Security Standard, US Financial Data, U.S. Gramm-Leach-Bliley Act (GLBA), HIPAA, Patriot Act, PII, etc. Common modifications could be to make certain types of users exempt from specific policies in specific situations, or even to invoke RMS in certain situations when a DLP policy may be broken. This native integration into Exchange Online itself is really exciting.
  • There are Sensitive Information Types such as a US SSN, driver's license number, etc. Each is the common rule used to find that type of data. You have the ability to create XML files that can be imported through PowerShell to define custom ones. You can create Entity Rules, which define identifiers like an SSN. Then there are Affinity Rules, which are targeted at documents: they are built from multiple evidence rules which, when aggregated, with matches occurring in proximity to each other, can constitute a DLP policy being triggered. So the number of times a rule is tripped in a single item can determine whether a DLP policy is tripped.
  • Sensitive Information Rules can be used with transport rules to create hard and soft rules. There is a new “If this message contains…Sensitive Information” transport rule condition. This can be used with existing transport rules and Boolean logic. For example: limit interaction between recipients and senders (between internal groups and external groups), apply separate policies for internal and external communications, prevent inappropriate information from entering or leaving, filter confidential information, track or archive messages sent / received by specific individuals, redirect inbound / outbound messages for inspection before delivery, and apply disclaimers.
  • DLP Supported File Types – All the core file types are supported (including zips and cabs). However, if an unknown file type is attached that must go through DLP evaluation, an exception will be raised to allow you to take action. For Exchange Online you cannot extend this as you can on-premises, because that requires creating your own IFilter packages, which is not supported in the cloud.
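As an added example (not code from the original post), here is how the testing modes, Policy Tips, custom XML sensitive information types and the "message contains sensitive information" transport rule described above fit together in Exchange Online remote PowerShell. The policy and rule names, the report mailbox, the XML path and the template-name filter are assumptions; the cmdlets and data classification names are the Exchange 2013 / Exchange Online ones.

```powershell
# Added example, not from the original post. Assumes an existing remote
# PowerShell session to Exchange Online with the DLP cmdlets imported.
# Policy/rule names, the report mailbox and the XML path are placeholders.

# 1) Start from an out-of-the-box template, but in TEST mode.
#    Audit = test without Policy Tips, AuditAndNotify = test with Policy Tips,
#    Enforce = live. Neither test mode changes mail flow.
$template = Get-DlpPolicyTemplate |
    Where-Object { $_.Name -like '*Personally Identifiable Information*' } |
    Select-Object -First 1
New-DlpPolicy -Name 'PII Outbound' -Template $template.Name -Mode AuditAndNotify

# 2) Optional: import a custom sensitive information type (XML rule package).
$rulePack = [Byte[]](Get-Content -Path 'C:\dlp\contoso-ids.xml' -Encoding Byte -ReadCount 0)
New-ClassificationRuleCollection -FileData $rulePack
# List the built-in and custom types a rule can reference by name.
Get-DataClassification | Select-Object Name, Publisher

# 3) Add a rule to the policy using the "message contains sensitive
#    information" condition: external recipients only, one or more matches,
#    Policy Tip shown to the sender, incident report to the DLP mailbox.
New-TransportRule -Name 'PII Outbound - SSN or card number to external' `
    -DlpPolicy 'PII Outbound' `
    -Mode AuditAndNotify `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassification @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Credit Card Number';                 minCount = '1' }
    ) `
    -NotifySender NotifyOnly `
    -SetAuditSeverity High `
    -GenerateIncidentReport 'dlp-reports@contoso.com' `
    -IncidentReportContent Sender, Recipients, Subject, Severity, DataClassifications, RuleDetections

# 4) Review a week of test-mode detections before enforcing anything.
Get-MailDetailDlpReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object Date, SenderAddress, RecipientAddress, DlpPolicy, TransportRule, Action

# 5) Once the false-positive rate is acceptable, enforce: the policy goes live
#    and the rule now rejects unless the sender gives a business justification.
Set-DlpPolicy -Identity 'PII Outbound' -Mode Enforce
Set-TransportRule -Identity 'PII Outbound - SSN or card number to external' `
    -Mode Enforce `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText 'Blocked: message appears to contain PII. Encrypt or remove it.' `
    -RejectMessageEnhancedStatusCode '5.7.1'
```

Keep the rule in a test mode until the incident reports show the expected hit rate; the switch to Enforce is what starts affecting mail flow.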