Data Loss Prevention (DLP) in SharePoint 2016 and Office 365

 

With technology making it easy to share information, including sensitive data, between staff, vendors and external companies, every corporation has become a target for hackers and criminals whose sole objective is to find an avenue to steal that information.  Just as commonly, the breach is the well-intentioned mistake of an employee who sends client information, such as a credit card number, a name or an account number, outside the company through email or a social post, loses a portable drive holding downloaded confidential files, or takes a photo of a critical document so it can be read on the go without carrying the file around.  Breaches can involve privacy (Sony, Human Resources and Skills Development Canada “HRSDC”, Adobe Systems, Corrections Canada), health and medical records (Health Net, Durham Regional Health, Kaiser Permanente) and identity theft (JPMorgan Chase & Co, CIBC, Daimler Chrysler Financial Services Canada, Inc.).  All of these were breaches of personal information, and corporations are being held legally responsible and accountable: Facebook Inc., Bell Canada and the BC Provincial Health Services Authority have all faced class action suits in which the plaintiffs succeeded.  Keeping customer information private is therefore not optional.  It is mandatory, and DLP in SharePoint and Office 365 improves a company's ability to keep this information from reaching people who should not have access to it. 

DLP was first introduced in Microsoft Exchange Server 2013 and later expanded to include Outlook and Outlook Web App.  DLP has now been extended further to SharePoint 2016 and Office 365, which allows a business to build a single DLP structure across email and documents, whether you are on-prem or in Office 365 (SharePoint Online being part of Office 365). 

There is a difference between document lifecycle management and DLP.  DLP does not replace the process for document lifecycle management.  Rather, DLP allows your business to build a policy model to discover confidential data and protect it in a way not previously possible.  With DLP integrated across email and documents, businesses now have a way to stop critical data leaving the corporate premises by mistake, through monitoring of user activity as it happens, thus reducing or preventing critical data breaches.   

The DLP configurations for SharePoint 2016 and Office 365 have slight differences between them. 

Unlike SharePoint 2016, Office 365 is ready for you to start creating policies through the Security & Compliance Centre, reached from the Office 365 Admin Centre.  Yes, it is as simple as that.

However, SharePoint 2016 is not as simple as that.  Before you can begin, you must configure the prerequisites for DLP:

  1. Create your Search service application and define a crawl schedule.  Once this is completed, perform a full crawl;
  2. Configure outgoing mail so that policy notifications can be sent via email;
  3. Turn on usage reports.  This allows incident reports and overrides to be logged appropriately;
  4. Create an eDiscovery Centre site collection, a Compliance Policy Centre site collection, or both.  Note that:
     1. each web application requires its own Compliance Policy Centre; you cannot have one that applies to all site collections across all web applications; and
     2. one eDiscovery Centre site collection can run DLP queries across all site collections in all web applications.
  5. Identify the compliance team, risk team and information security team.  Permissions are granted by adding these users to the Site Collection Members group of the Compliance Policy Centre so that they can access and manage DLP policies. 

It cannot be stressed enough that a healthy search and crawl configuration is critical, because the core data source behind DLP in both Office 365 and SharePoint 2016 is the SharePoint search index.  If content is not in the search index, the DLP engine will not find it.  In addition, you cannot apply DLP policies to sites or content that have been excluded from search.

In order for new content to be found, a crawl must occur so that the search index is updated with the content.  Additionally, in order to enforce DLP policies, four related timer jobs must run.  All of this must happen before DLP policies can be enforced on confidential and critical information, and it can take up to 24 hours for a policy to become effective in SharePoint 2016. 
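The prerequisite steps above are normally clicked through in Central Administration, but they can also be scripted. The following is an added example written for this page, not a script from the original post or from Microsoft; it runs in the SharePoint 2016 Management Shell on a farm server. The web application URL, SMTP host, mail addresses, site URLs and the owner account are placeholders, and the timer job name filter is an assumption about how the DLP jobs are labelled in your farm.

```powershell
# Added example: checking and configuring the SharePoint 2016 DLP prerequisites.
# All host names, URLs and accounts below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Search: confirm a Search service application exists, then start a full crawl
#    of the local SharePoint content source so that DLP has an index to work from.
$ssa = Get-SPEnterpriseSearchServiceApplication
if (-not $ssa) { throw "No Search service application found; create one before enabling DLP." }
$source = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity "Local SharePoint sites"
if ($source.CrawlStatus -eq "Idle") { $source.StartFullCrawl() }
"Crawl status: " + $source.CrawlStatus

# 2. Outgoing mail: the SMTP server and sender used for policy notifications,
#    set on the web application that will host the Compliance Policy Centre.
$wa = Get-SPWebApplication "https://intranet.contoso.local"          # placeholder URL
$wa.UpdateMailSettings("smtp.contoso.local", "sharepoint@contoso.local", "noreply@contoso.local", 65001)

# 3. Usage reporting: DLP incident reports and overrides are written through the usage service.
Set-SPUsageService -LoggingEnabled $true

# 4. Site collections: POLICYCTR#0 is the Compliance Policy Centre template and
#    EDISC#0 the eDiscovery Centre template. Create one Compliance Policy Centre
#    per web application; one eDiscovery Centre covers the whole farm.
New-SPSite -Url "https://intranet.contoso.local/sites/compliance" -Template "POLICYCTR#0" `
    -Name "Compliance Policy Centre" -OwnerAlias "CONTOSO\spfarm"
New-SPSite -Url "https://intranet.contoso.local/sites/ediscovery" -Template "EDISC#0" `
    -Name "eDiscovery Centre" -OwnerAlias "CONTOSO\spfarm"

# Timer jobs: list the DLP-related jobs and when they last ran, so you can tell whether
# a policy that is not yet enforced is simply waiting on a job. The display name filter
# is an assumption; adjust it to what Get-SPTimerJob shows in your farm.
Get-SPTimerJob |
    Where-Object { $_.DisplayName -like "*DLP*" -or $_.DisplayName -like "*Policy*" } |
    Select-Object DisplayName, Schedule, LastRunTime |
    Format-Table -AutoSize
```

Run the search and timer job parts again after creating your first policy: if the crawl is still in progress or the jobs have not run since the policy was saved, the policy is not yet being enforced, which is the usual reason a freshly created policy appears to do nothing.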

We’ve mentioned DLP policies, so how do we create them?  It’s important to note that writing a DLP policy in Office 365 is different from writing one in SharePoint 2016.

Before writing any policies and rules, you should determine how many items in your organization’s SharePoint are in breach of your company’s compliance regulations.  This discovery process relies entirely on the crawled search index.  You can run a DLP query based on specific DLP templates across your SharePoint data; the results quickly identify which policies need managing and which areas are in breach.  In SharePoint 2016, the eDiscovery Centre gains a new query type called a DLP query, which lets a user launch queries against all DLP templates or against specific content in the SharePoint environment.  That user must have read access to all data in SharePoint, which can be granted via a web application policy on-prem or by adding the user as a site collection administrator in SharePoint Online or on-prem.   Once discovery has been completed and the areas of breach have been determined, you can proceed to write the DLP policies and rules. 
 

DLP Policy Creation in Office 365

1.  Specify the locations where the policy applies in SharePoint Online and OneDrive for Business, either all sites or a list of specific sites;

2.  Configure one or more DLP rules.  Each rule consists of:

  a.  Conditions

  Conditions are built from about 80 sensitive information types, the same ones used by Exchange; Microsoft publishes the full list.  You must:

    1. choose the applicable sensitive information types, as you cannot create custom ones
    2. set the minimum and maximum number of instances for each sensitive information type selected
    3. determine who the content is shared with, covering people and organizations both inside and outside the company
    4. optionally match on document properties (metadata)

  b.  Actions

    1. send a default or custom email notification
    2. show a default or custom policy tip
    3. allow an override, with or without a business justification
    4. block the content for all users except site owners, the document owner or the user who last modified it

  c.  Incident Reports

    1. whether a report is logged
    2. the severity level
    3. an email notification with the report attached

  d.  General Settings

    1. a name and description for each rule
    2. a name and description for the policy
    3. whether the policy is turned on or not

 

DLP Policy Creation in SharePoint 2016 


DLP policy creation in SharePoint 2016 is similar to Office 365, but there are some notable differences:   

1.  Specify the DLP policy name;

2.  Select one of the 10 available policy templates.  Each template is a predefined combination of sensitive data types, and the templates cover only US and UK sensitive data types;

3.  Set the number of instances of the sensitive data type that will trigger the policy;

4.  Provide the email address the incident report is sent to;

5.  Choose whether to display the default policy tip;

6.  Choose who will be blocked from accessing the content: all users except site owners, the document owner or the user who last modified it;

7.  Assign the policy to the site collection where you wish it to be enforced.  Site collections are added one at a time; there is no option to target all site collections at once.  Also note that a policy cannot be scoped down to the subsite level. 

Remember, a search crawl and the four DLP timer jobs must complete before new content and new policies are enforced.   

With SharePoint 2016 and Office 365, DLP policies and rules spanning data in SharePoint and Exchange give corporate entities a stronger technical footing against hackers who try to steal and misappropriate sensitive data.  By controlling DLP from one place, corporations can audit their data and their users as activity happens and proactively prevent the loss of sensitive data.  Data Loss Prevention is what SharePoint 2016, Office 365 and the future of security software are focused on. 

Monday, July 04, 2016 By: Mike Maadarani