A Static State: New Unified DLP for Office 365 Coming Soon

Friday, May 22, 2015

New Unified DLP for Office 365 Coming Soon

At the RSA Security Conference (April 2015) and the Ignite Conference there were some new announcements for the futures of Data Loss Prevention for Office 365.

What is available right now?

There are multiple solutions in Office 365 right now.

Exchange Online DLP – there is a powerful solution that was released with Exchange 2013. Read more here - https://technet.microsoft.com/en-us/library/exchange-online-message-policy-recovery-and-compliance.aspx
Outlook 2013 / OWA – There is DLP Policy tips presented to users as they author email.
AD RMS / Information Rights Management – learn more here - https://technet.microsoft.com/en-us/library/exchange-online-message-policy-recovery-and-compliance.aspx
Routing Outbound email – Sometimes organizations have additional DLP solutions on-premises and they want to route all outbound email through it - https://technet.microsoft.com/en-us/library/exchange-online-mail-flow.aspx
SharePoint Online / OneDrive for Business DLP – Last year DLP was added to SharePoint Online and OneDrive for Business. Here is some information on this - https://technet.microsoft.com/en-us/library/b6db338b-522b-44bf-afb7-1de7827691d0#bkmk_DLP

So what is new?

New Unified DLP in Compliance Center

Even with all of this, there is more required and Office 365 is stepping up. Office 365 is planning to provide a comprehensive and unified Data Loss Protection (DLP) solution across Exchange Online, SharePoint Online, OneDrive for Business and Office ProPlus. This new unified experience will allow customers to define a single DLP policy and see consolidated DLP reporting for something like PII across Office 365 workloads, not just Exchange Online. This is super exciting!!!

New SharePoint Online and OneDrive for Business Policy Tips

SharePoint Online and OneDrive for Business had a DLP capability for compliance to find the data, yet there was no policy tip feature. Now a new Policy Tip feature is being introduced that will proactively notify end users they are placing content that violates policy in SharePoint Online and OneDrive for Business.

New SharePoint Online and OneDrive for Business Solutions

The initial release allowed you to find data, the feature set is being enhanced.

In Preview Right Now

Detect external sharing and apply actions – This is nice because the policy can detect if the SharePoint site itself has permissions given to external users.
Scope policies to specific locations / sites – This is nice because there may be specific sites where different policy needs to be applied.
Scanning for document properties – Will check for DLP not just in a file, but in the metadata, that is good to have.
Block / restrict access to sensitive content – Basically the ability take action on sensitive data once it has been found.
Customized Policy tips – just mentioned this above.

Additionally there is a phase 3 that is being worked on. It is targeted for H2 CY15 and would include:

Exceptions for locations / conditions – This will allow you to create a policy and then create exception rules that state a specific site is allowed to have sensitive data.
Ability to encrypt content as an action – Once a sensitive file is found, an AD RMS policy can then be placed on that data.
Support for custom classifications and document fingerprinting – This will look at the structure of content.
Shared by/by member of conditions
Detect content scanning errors
Richer content types and more enforcement endpoints

Policy Tips in Office ProPlus

As part of Office 2016, some new user experiences are going to be provided. Users will be notified in real-time in Work, Excel and PowerPoint that users are accessing sensitive content. That is awesome. DLP is being pushed farther down the stack. So if a user opens up a sensitive file from SharePoint Online or OneDrive for Business they will be notified.