From the MVPs: Data Loss Prevention with Office 365 and Exchange Online
This is the 27th in our series of guest posts by Microsoft Most Valued Professionals (MVPs). You can click the “MVPs” tag in the right column of our blog to see all the articles.
Since the early 1990s, Microsoft has recognized technology champions around the world with the MVP Award. MVPs freely share their knowledge, real-world experience, and impartial and objective feedback to help people enhance the way they use technology. Of the millions of individuals who participate in technology communities, around 4,000 are recognized as Microsoft MVPs. You can read more original MVP-authored content on the Microsoft MVP Award Program Blog.
This post is by Sean McNeill, an Office365 MVP. Thanks much, Sean!
Corporate Data Loss has become a major issue for almost every company. If a company has not suffered from Data Loss, either through an external malicious attack, employee error, or even worse employee deliberate action; most are very aware of consequences of a Data Loss. These consequences include such things as fines, lost trust from customers/clients, payment of credit monitoring services, and many other items that could severely impact a company’s bottom line or, worse, its future.
McAfee has written a white paper titled Data Loss by the Numbers, where they have analyzed data from the Open Security Foundation’s Data Loss Database. The white paper records such items as the below list of high-profile Data Loss examples:
The white paper also reveals a striking chart that shows the types of breaches (Data Losses) and records compromised by the breaches:
As you can see, while just over half of the breaches were from External, the Malicious Insider and Accidental Insider combined percentages nearly reaches half! Having a perimeter security, firewalls, Intrusion detection, etc., is important, but it is also just as crucial to prevent employees from either maliciously or accidentally contributing to a Data Loss.
Exchange 2013 Data Loss Prevention
With the release of Exchange 2013 for on-premises and the new Office 365 (Wave 15, based on the 2013 product sets), Microsoft has now included Data Loss Prevention (DLP) in the core of the Server and Service. With this release, companies can put safeguards in place to prevent Data Loss via email messages.
What is Exchange DLP?
Microsoft implementation of DLP with Exchange 2013 and Office 365 is identical. And since I am an Office 365 MVP, the remainder of this article will concentrate on using DLP within Office 365 and Exchange Online.
DLP at its core is based on Exchange Transport Rules. Transport Rules were introduced in Exchange 2007 with the introduction of the Hub Transport Exchange Server Role. Transport rules allow the administrator to inspect and control mail flow by using sets of Conditions, Actions and Exceptions. You can find more information on Transport Rules here. DLP uses the underlying Transport Rules technology to enforce company email and Data Loss policies.
“DLP policies can use the full power of existing transport rules. In fact, a number of new types of transport rules have been created in Microsoft Exchange Server 2013 and Exchange Online in order to accomplish new DLP capability. One important new feature of transport rules is a new approach to classifying sensitive information that can be incorporated into mail flow processing. This new DLP feature performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, and other content examination to detect content that violates organizational DLP policies.” [source]
DLP policies cover many different sensitive information types. Here are some examples (Type and Country):
- ABA Routing Number, United States
- Australian Passport Number, Australia
- Canada Bank Account Number, Canada
- Credit Card Number, All
- German Driver’s License Number, Germany
- IP address, All
- Spain National ID, Spain
- U.S. Social Security Number, United States
The above list is just a small sampling of the sensitive information types that DLP support, for a full list go here. DLP has pre-defined Policy Templates available in Exchange Online. These Templates can be used as is or customized.
Creating a DLP policy
For this article, I am going to show how to create a new DLP Policy from a Microsoft-supplied template. Templates can also be imported from Microsoft Partners. As an Administrator, you can also modify a policy based on a template or create a custom policy from scratch.
1. Login to the Office 365 Portal and select Admin\Exchange to navigate to the Exchange Admin Center (EAC)
2. In the EAC, navigate to Compliance Management on the left, select Data Loss Prevention, click the +, and from the drop-down menu select New DLP Policy from Template.
3. Give the Policy a name and description.
4. Select a Template, choose the mode for the Policy, and click Save.
5. Back in the EAC you can now view, edit, or delete the Policy.
6. I did modify the rule to remove the “U.S.PII: Scan email sent outside – low count” and set the high count to 1 for Social Security.
7. I also added an Action to generate incident report and send it to a designated user.
Testing with Outlook 2013
Currently, DLP works only with Outlook 2013 for Policy Tips; OWA in On-premises or Office 365 cannot process DLP Policy Tips. Obviously, this is a crucial point to make. To ensure that DLP Policy Tips are available to users, make sure you have deployed Office/Outlook 2013, and you would also need to prohibit users from using OWA. At the time of writing this, there is a known issue with disabling OWA access for a user. DLP Policies are still applied from messages sent from all clients, but Policy Tips are viewable only in Outlook 2013.
For testing of a new policy, you might need to ensure that the Outlook 2013 client with Office 365 receives the latest policies. To force a download of new Policies to the client, follow KB2823261 Article.
1. Address an email to external recipients and include a Social Security number in the email. (Note: for DLP to properly identify, either SSN or Social Security needs to be included.) As you can see below, Outlook 2013 identifies the DLP data and notifies the user about the issue with the email as written.
2. By default, the rule allows for override. By selecting this link in the Mail/Policy Tips section of the email, the end user has a chance to override the policy and explain why they are overriding.
3. Once the override is conducted, the Mail/Policy Tips message changes and the user can now send the email.
4. If the user did not choose to override, when the Send message is selected, this message would be presented:
5. After the user sends the message with an override, the generated incident report is immediately sent to the designated user after sending.
6. Same email, but if I changed the rule to not allow a user to Override, the sender receives an NDR.
7. Here is an example of DLP scanning an attachment with Outlook 2013. Also, shown below is the content of the Excel spreadsheet to be attached to the email.
8. Once the Excel file is attached, the Mail/Policy Tips section alerts the users, just as if the DLP protected data was in the body of the email.
9. Assuming an override, below is an example of the generated incident report to the designated contact for the Excel attachment.
DLP is not a fad; it is needed by most, if not all, companies to ensure that sensitive data is not released. If a company suffers a Data Loss, it can have major financial and long-term impacts, even leading a company to fail. Microsoft has included DLP with the latest version in the on-premises Exchange 2013 server, as well as Office 365 Exchange Online. This is not a perfect solution, but it provides another tool for a company’s IT department to help secure company data.