Category: Security & Compliance

  • Design a data loss prevention policy

    Design a data loss prevention policy

    Many organizations keep sensitive data in on-premises file shares, where it is at risk of leaking if it is not monitored and protected properly. This project aims to discover, classify and protect the sensitive data in the organization's file shares, using data classification and Data Loss Prevention (DLP) technology in line with international standards.

    Remember that, as described in the DLP policy configuration overview, all DLP policies require you to:

    • Choose the action to take when the policy conditions are met.
    • Choose what you want to monitor.
    • Choose the policy scoping.
    • Choose where you want to monitor.
    • Choose the conditions that must be matched for a policy to be applied to an item.

    For example, here’s a fictitious first draft of an intent statement that provides answers to all five questions:

    “We’re a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPAA that are stored in OneDrive/SharePoint and to protect against that information being shared in Teams chat and channel messages and restrict everyone from sharing them with unauthorized third parties”.

    Map business needs to policy configuration

    “We’re a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPAA…

    • What to monitor: Office docs, using the U.S. Health Insurance Act (HIPAA) template
    • Conditions for a match: (preconfigured but editable) – item contains U.S. SSN and Drug Enforcement Agency (DEA) number, International Classification of Diseases (ICD-9-CM), International Classification of Diseases (ICD-10-CM); content is shared with people outside my organization
    • This drives conversations to clarify the triggering threshold for detection, such as confidence levels and instance count (called leakage tolerance).

    …that are stored in OneDrive/SharePoint and protect against that information being shared in Teams chat and channel messages…

    • Where to monitor: Location scoping by including or excluding OneDrive and SharePoint sites and Teams chat/channel accounts or distribution groups. Policy scoping (preview): Full directory

    …and restrict everyone from sharing those items with unauthorized third parties.”

    • Actions to take: Add Restrict access or encrypt the content in Microsoft 365 locations
    • This drives conversation on what actions to take when a policy is triggered, including protective actions like sharing restrictions, awareness actions like notifications and alerts, and user empowerment actions like allowing user overrides of a blocking action.

    This example doesn’t cover all the configuration points of a DLP policy; it would need to be expanded.

    However, it should get you thinking in the right direction as you develop your own DLP policy intent statements.


    Complex rule design

    The above HIPAA content in SharePoint and OneDrive is a simple example of a DLP policy. The DLP rule builder supports boolean logic (AND, OR, NOT) and nested groups.

    • Example 1 We need to block emails to all recipients that contain credit card numbers, OR that have the ‘highly confidential’ sensitivity label applied, but do NOT block the email if it is sent from someone on the finance team to adele.vance@contoso.com
    • Example 2 Contoso needs to block all emails that contain a password protected file OR a zip document file extension (‘zip’ or ‘7z’), but do NOT block the email if the recipient is in the contoso.com domain OR the fabrikam.com domain, OR the sender is a member of the Contoso HR group.
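    The mapping from intent statement to configuration above, and Example 2 in particular, can be expressed directly with the Security & Compliance PowerShell cmdlets. The script below is an added example (not from this page, not Microsoft's documentation): it assumes a session already opened with Connect-IPPSSession, and the HR group address is a placeholder to replace with your own. Because conditions inside one DLP rule are ANDed, the OR between "password protected" and "zip/7z extension" is built as two rules in the same policy.

```powershell
# Added example: Example 2 intent ("block password-protected or zip/7z attachments,
# except to contoso.com/fabrikam.com recipients or from HR") as a DLP policy with two rules.
# Assumes Connect-IPPSSession has already been run. Not from the page or from Microsoft docs.

$policyName = 'Block password-protected and archive attachments'
$hrGroup    = 'hr@contoso.com'   # assumption: mail-enabled group for Contoso HR; replace with yours

# The intent statement is about email, so the policy is scoped to Exchange only.
# It starts in simulation mode without notifications, the first deployment state on this page.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Block email with password-protected or zip/7z attachments; exempt contoso.com and fabrikam.com recipients and HR senders.' `
    -ExchangeLocation 'All' `
    -Mode TestWithoutNotifications

# Conditions within one rule are ANDed, so the OR in the intent becomes two rules in the
# same policy: the policy fires when either rule matches. Both rules carry the same
# exceptions, and a rule is skipped as soon as any one exception matches.
$commonExceptions = @{
    ExceptIfRecipientDomainIs = @('contoso.com', 'fabrikam.com')
    ExceptIfFromMemberOf      = $hrGroup
}

# Same action set on both rules: hard block (no user override), plus an admin alert.
$commonActions = @{
    BlockAccess         = $true
    BlockAccessScope    = 'All'
    GenerateAlert       = @('SiteAdmin')
    ReportSeverityLevel = 'High'
}

# Rule 1: the attachment is password protected.
New-DlpComplianceRule -Name "$policyName - password protected file" `
    -Policy $policyName `
    -DocumentIsPasswordProtected $true `
    @commonExceptions @commonActions

# Rule 2: the attachment has a zip or 7z extension.
New-DlpComplianceRule -Name "$policyName - archive extension" `
    -Policy $policyName `
    -ContentExtensionMatchesWords @('zip', '7z') `
    @commonExceptions @commonActions

# Read back what was created and confirm the exceptions landed on both rules.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, Disabled, BlockAccess, ExceptIfRecipientDomainIs, ExceptIfFromMemberOf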

    See a video.

    https://learn.microsoft.com/en-us/purview/dlp-policy-design#complex-rule-design

    Policy Design Process

    1. Complete the steps in Plan for data loss prevention (DLP).
    2. Familiarize yourself with Data Loss Prevention policy reference.
    3. Familiarize yourself with what the DLP policy templates include.
    4. Develop your policy intent statement with your key stakeholders.
    5. Determine how this policy fits into your overall DLP policy strategy.
    6. Map the items in your policy intent statement to configuration options.
    7. Decide which policy template you start from: predefined or custom.
    8. Go through the template and assemble all information required before you create the policy.
    9. Document the configuration of all the policy settings and review them with your stakeholders.
    10. Create a draft policy and refer back to your policy deployment plan.

    Ref.


    Data Loss Prevention policy reference

    https://learn.microsoft.com/en-us/purview/dlp-policy-reference


    Create and Deploy data loss prevention policies

    Permissions

    The account you use to create and deploy policies must be a member of one of these role groups

    • Security administrator
    • Compliance administrator
    • Compliance data administrator
    • Information Protection
    • Information Protection Admin

    Granular Roles and Role Groups

    Here’s a list of applicable roles.

    • DLP Compliance Management
    • Information Protection Admin
    • Information Protection Analyst
    • Information Protection Investigator
    • Information Protection Reader

    Here’s a list of applicable role groups. 

    • Information Protection
    • Information Protection Admins
    • Information Protection Analysts
    • Information Protection Investigators
    • Information Protection Readers

    Scenarios

    • Scenario 1 Block emails with credit card numbers
    • Scenario 2 Block sharing of sensitive items via SharePoint and OneDrive in Microsoft 365 with external users
    • Scenario 3 Apply controls to supported files that fail scanning
    • Scenario 4 Apply controls to all unsupported files
    • Scenario 5 Apply controls to some unsupported files
    • Scenario 6 Disable scanning for some supported files and apply controls

    Deployment

    A haphazard, rushed deployment can negatively impact business process and annoy your users.

    Three axes of deployment management

    The scope, the state of the policy, and the actions.

    You should always take an incremental approach to deploying a policy, starting from the least impactful/simulation mode through to full enforcement.

    Recommended deployment control configurations

    State

    • Run the policy in simulation mode
    • Run the policy in simulation mode and show policy tips while in simulation mode
    • Turn it on right away
    • Keep it off

    Actions

    • Allow
    • Audit only
    • Block with override
    • Block

    Policy scope

    In general, you have more flexibility with scoping while the policy is in Run the policy in simulation mode state because no actions are taken.

    Then when you change the state to Run the policy in simulation mode and show policy tips, you should narrow your scope to a pilot group that can give you feedback and be early adopters who can be a resource for others when they come onboard.

    When you move the policy to Turn it on right away, you broaden the scope to include all the instances of locations that you intended when the policy was designed.

    Policy deployment steps

    1. After you’ve created the policy and set its state to Keep it off, do a final review with your stakeholders.
    2. Change the state to Run the policy in simulation mode. The location scope can be broad at this point.
    3. Tune the policy based on the behavior data so that it better meets the business intent.
    4. Change the state to Run the policy in simulation mode and show policy tips. Refine the scope of locations to support a pilot group if needed and make use of includes/excludes so that the policy is first rolled out to that pilot group.
    5. Gather user feedback and alert and event data; if needed, tune the policy and your plans further.
    6. Change the state to Turn it on right away. Monitor DLP alerts and DLP activity explorer. Address alerts.
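    The state changes in the steps above map onto the -Mode values of Set-DlpCompliancePolicy, and the pilot-group narrowing in step 4 onto sender scoping. The helper below is an added example (not from this page or from Microsoft's documentation): it assumes a session opened with Connect-IPPSSession, the policy name and pilot group address are placeholders, and clearing the pilot scoping by passing $null is an assumption to verify in your own tenant.

```powershell
# Added example: walk one existing DLP policy through the four deployment states on this page.
# Assumes Connect-IPPSSession has already been run. Placeholders: policy name, pilot group.

function Set-DlpDeploymentStage {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][ValidateSet('Off', 'Simulation', 'SimulationWithTips', 'On')]
        [string]$Stage,
        [string]$PilotGroup   # mail-enabled group, used only for the SimulationWithTips stage
    )

    # Page state -> cmdlet -Mode value
    $mode = switch ($Stage) {
        'Off'                { 'Disable' }
        'Simulation'         { 'TestWithoutNotifications' }
        'SimulationWithTips' { 'TestWithNotifications' }
        'On'                 { 'Enable' }
    }

    $params = @{ Identity = $PolicyName; Mode = $mode }

    # Scope narrows to the pilot group only while policy tips are shown in simulation;
    # every other stage runs with the policy's full intended location scope.
    # Passing $null to clear the scoping is an assumption; verify in your tenant.
    if ($Stage -eq 'SimulationWithTips' -and $PilotGroup) {
        $params.ExchangeSenderMemberOf = @($PilotGroup)
    } else {
        $params.ExchangeSenderMemberOf = $null
    }

    Set-DlpCompliancePolicy @params

    # Show the resulting state so the change can be recorded with stakeholders.
    Get-DlpCompliancePolicy -Identity $PolicyName |
        Select-Object Name, Mode, ExchangeSenderMemberOf
}

# The deployment steps in order; review, tuning and feedback happen between the calls.
$policy = 'Block password-protected and archive attachments'   # placeholder policy name
Set-DlpDeploymentStage -PolicyName $policy -Stage Off
Set-DlpDeploymentStage -PolicyName $policy -Stage Simulation
Set-DlpDeploymentStage -PolicyName $policy -Stage SimulationWithTips -PilotGroup 'dlp-pilot@contoso.com'
Set-DlpDeploymentStage -PolicyName $policy -Stage On
```

Each call returns the policy's name, mode and sender scoping, so the output of one run doubles as the record of the state change for the stakeholder review in step 1.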

    Ref.

  • Plan for data loss prevention (DLP)

    Plan for data loss prevention (DLP)

    Many organizations choose to implement DLP to comply with various governmental or industry regulations.

    For example, the European Union's General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA).

    They also implement data loss prevention to protect their intellectual property.

    Identify stakeholders

    • identify the regulations, laws, and industry standards your organization is subject to
    • identify the categories of sensitive items to be protected
    • identify the business processes they’re used in
    • identify the risky behavior that should be limited
    • prioritize which data should be protected first, based on the sensitivity of the items and risk involved
    • outline the DLP policy match event review and remediation process

    In general, these needs tend to be 85% regulatory and compliance protection, and 15% intellectual property protection.

    Here are some suggestions on roles to include in your planning process:

    • IT
    • Regulatory and compliance officers
    • Chief risk officer
    • Legal officers
    • Security and compliance officers
    • Business owners for the data items
    • Business users

    Describe the categories of sensitive information to protect

    For example, DLP defines these categories:

    • Custom
    • Financial
    • Medical and health information
    • Privacy


    Set implementation plan

    • a map of your starting state, desired end state, and the steps to get from one to the other
    • a plan for how you’ll address discovery of sensitive items
    • a plan for developing policies and the order in which policies you’ll implement them
    • a plan for how you’ll address any prerequisites
    • a plan for how you’ll simulate policies before implementing them for enforcement
    • a plan for how you’ll train your end users
    • a plan for how you’ll tune your policies
    • a plan for how you’ll review and update your data loss prevention strategy based on changing regulatory, legal, industry standard, or intellectual property protection and business needs

    Map out path from start to desired end state


    Sensitive item discovery

    To learn more, see Know your data.

    Policy planning

    What laws, regulations, and industry standards must your organization comply with?

    Example Your organization is subject to U.K. financial regulations.

    What sensitive items must your organization protect from leakage?

    Example To get started quickly, you might pick the preconfigured U.K. Financial Data policy template, which includes the Credit Card Number, EU Debit Card Number, and SWIFT Code sensitive information types.

    Where are the sensitive items and what business processes are they involved in?

    DLP policies can be applied to the following locations:

    • On-premises repositories
    • Exchange online email
    • SharePoint sites
    • OneDrive accounts
    • Teams chat and channel messages
    • Windows 10, 11 and macOS Devices
    • Microsoft Defender for Cloud Apps

    Example Your organization’s internal auditors are tracking a set of credit card numbers. They keep a spreadsheet of them in a secure SharePoint site. Several of the employees make copies and save them to their work OneDrive site, which is synced to their Windows 10 device. One of these employees pastes a list of 14 credit card numbers into an email and tries to send it to the outside auditors for review. In this case, you’d want to apply the policy to the secure SharePoint site, all the internal auditors’ OneDrive accounts, their Windows 10 devices, and Exchange email.

    What is your organization’s tolerance for leakage?

    Example Your organization’s security group and legal team both feel that there should be no sharing of credit card numbers with anyone outside the org. They insist on zero leakage. However, as part of their regular review of credit card number activity, the internal auditors must share some credit card numbers with third-party auditors. If your DLP policy prohibits all sharing of credit card numbers outside the org, there will be a significant business process disruption and added cost to mitigate the disruption in order for the internal auditors to complete their tracking. This extra cost is unacceptable to the executive leadership. To resolve this issue, there needs to be an internal conversation to decide an acceptable level of leakage. Once that is decided, the policy can provide exceptions for certain individuals to share the information, or, it can be applied in audit-only mode.

    Policy deployment

    1. Run the policy in simulation mode, without Policy Tips
    2. Run the policy in simulation mode with notifications and Policy Tips
    3. Start full policy enforcement

    End-user training

    Review DLP requirements and update strategy

    Contoso Bank is in a highly regulated industry and has many different types of sensitive items in many different locations.

    Contoso:

    • knows which types of sensitive information are top priority
    • must minimize business disruption as policies are rolled out
    • has involved business process owners
    • has IT resources and can hire experts to help plan, design, and deploy
    • has a premier support contract with Microsoft

    Approach

    • Take time to understand what regulations they must comply with and how they’re going to comply.
    • Take time to understand the “better together” value of the Microsoft Purview Information Protection stack
    • Develop a sensitivity labeling scheme for prioritized items and apply it
    • Design and code policies, deploy them in simulation mode, and train users
    • Repeat and refine policies

    TailSpin Toys doesn’t know what sensitive data they have or where it is, and they have little to no resource depth. They use Teams, OneDrive, and Exchange extensively.

    Approach

    • Start with simple policies on the prioritized locations.
    • Monitor what gets identified
    • Apply sensitivity labels accordingly
    • Refine policies and train users

    Fabrikam is a small startup. They want to protect their intellectual property and must move quickly. They’re willing to dedicate some resources, but can’t afford to hire outside experts.

    Other considerations:

    • Sensitive items are all in Microsoft 365 OneDrive / SharePoint
    • Adoption of OneDrive and SharePoint is slow. Many employees still use Dropbox and Google Drive to store and share items
    • Employees value speed of work over data protection discipline
    • All 18 employees have new Windows devices

    Approach

    • Take advantage of the default DLP policy in Teams
    • Use the “restricted by default” setting for SharePoint items
    • Deploy policies that prevent external sharing
    • Deploy policies to prioritized locations
    • Deploy policies to Windows devices
    • Block uploads to cloud storage solutions other than OneDrive

    Ref.

  • Prevent data loss

    Prevent data loss

    Deploy Microsoft Purview Data Loss Prevention (DLP) policies to govern and prevent the inappropriate sharing, transfer, or use of sensitive data across apps and services.

    Purview DLP

    Organizations have sensitive information under their control, such as:

    • social security numbers
    • financial data
    • proprietary data
    • credit card numbers
    • health records
    • etc.

    DLP detects sensitive items by using deep content analysis, not just a simple text scan. Content is analyzed:

    • For primary data matches to keywords
    • By the evaluation of regular expressions
    • By internal function validation
    • By secondary data matches that are in proximity to the primary data match
    • DLP also uses machine learning algorithms and other methods to detect content that matches your DLP policies
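    To make the layered detection above concrete, here is an added example (not from this page and not Purview's own Credit Card Number definition) that runs the first four layers over constructed text: a regular expression finds a primary candidate, a checksum function validates it, and supporting keywords within a proximity window raise the confidence level. The regex, keyword list and 300-character window are this example's own simplifications.

```powershell
# Added example: regex match -> function validation -> keyword proximity, on constructed text.
# Simplified illustration only; not Purview's sensitive information type definition.

function Test-LuhnChecksum {
    # "Internal function validation": the digit string must satisfy the Luhn check.
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]::Parse($Digits.Substring($i, 1))
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CardNumberCandidate {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$ProximityChars = 300,   # this example's window, on either side of the match
        [string[]]$Keywords = @('card number', 'credit card', 'visa', 'mastercard', 'exp', 'cvv')
    )
    # Primary match: 13 to 16 digits, optionally separated by spaces or hyphens,
    # and not embedded in a longer run of digits.
    $pattern = '(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits     = $m.Value -replace '[ -]', ''
        $checksumOk = Test-LuhnChecksum -Digits $digits

        # Secondary match: supporting keywords inside the proximity window raise confidence.
        $start  = [Math]::Max(0, $m.Index - $ProximityChars)
        $end    = [Math]::Min($Text.Length, $m.Index + $m.Length + $ProximityChars)
        $window = $Text.Substring($start, $end - $start)
        $hits   = @($Keywords | Where-Object { $window -match [regex]::Escape($_) })

        $confidence = 'Low'
        if ($hits.Count -gt 0) { $confidence = 'High' }
        if (-not $checksumOk)  { $confidence = 'None' }   # fails validation: not reported as a match

        [pscustomobject]@{
            Match         = $m.Value
            ChecksumValid = $checksumOk
            Keywords      = ($hits -join ', ')
            Confidence    = $confidence
        }
    }
}

# Constructed sample inputs (well-known test-card numbers, not real accounts).
$samples = @(
    'Customer card number 4111 1111 1111 1111, exp 12/27, was used for the order.',   # valid + keywords -> High
    'Shipment 5555555555554444 left the warehouse this morning.',                      # valid, no keywords -> Low
    'Order reference 1234567890123456 is pending approval.'                            # fails Luhn -> None
)
foreach ($s in $samples) { Find-CardNumberCandidate -Text $s | Format-Table -AutoSize }
```

The three samples show why each layer matters: the bare regex alone would report all three strings, the checksum drops the order reference, and only the proximity keywords separate the high-confidence hit from the lone valid number, which is the distinction a policy's confidence-level threshold acts on.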

    Protective actions of DLP policies

    • show a pop-up policy tip to the user that warns them that they might be trying to share a sensitive item inappropriately
    • block the sharing and, via a policy tip, allow the user to override the block and capture the users’ justification
    • block the sharing without the override option
    • for data at rest, sensitive items can be locked and moved to a secure quarantine location
    • for Teams chat, the sensitive information won’t be displayed

    We can apply DLP policies to data at rest, data in use, and data in motion in locations such as:

    • Microsoft 365 Copilot (preview)
    • Exchange Online email
    • SharePoint sites
    • OneDrive accounts
    • Teams chat and channel messages
    • Instances: Microsoft Defender for Cloud Apps
    • Devices: Windows 10, Windows 11, and macOS (three latest released versions)
    • On-premises repositories
    • Fabric and Power BI workspaces

    Deploy your policies in production

    Design your policies

    Feel free to start with one workload at a time, or across all workloads – there’s no impact yet.

    Implement policy in simulation mode

    Evaluate the impact of the controls by implementing them with a DLP policy in simulation mode.

    Monitor outcomes and fine-tune the policy

    Here are some examples of things to fine-tune:

    • add new restricted sites
    • adjust the locations and people/places that are in or out of scope
    • tune the conditions that are used to determine whether an item, and what is being done with it, matches the policy
    • adjust the sensitive information definition(s)
    • add new controls
    • add new people
    • add new restricted apps

    Enable the control and tune your policies

    Once the policy meets all your objectives, turn it on.


    DLP policy configuration overview

    Viewing policy application results

    • High volume of sensitive info shared or saved externally
    • DLP Alerts
    • DLP Activity Explorer and reports

    We can view the last 30 days of DLP information in Activity Explorer using these preconfigured filters:

    • DLP policy rules that detected activities
    • Endpoint DLP activities
    • Files containing sensitive info types
    • Egress activities
    • DLP policies that detected activities

    Contextual summary

    We can see the text that surrounds the matched content, like a credit card number, in a DLPRuleMatch event in Activity Explorer.


    Ref.