Data loss prevention

Learn about DLP policies in Exchange Server and Exchange Online, including what they contain and how to test them. You'll also learn about a new feature in Exchange DLP.

Data loss prevention (DLP) is an important issue for enterprise messaging systems because email is used so extensively for business-critical communication that includes sensitive data. DLP features let you enforce compliance requirements for such data and manage its use in email without hindering the productivity of workers, making sensitive data easier to manage than before. For a conceptual overview of DLP, watch the following video.

DLP policies are simple packages that contain sets of conditions, exceptions, and actions built from mail flow rules (also known as transport rules). You create them in the Exchange admin center (EAC) and then activate them to filter email messages and attachments. You can create a DLP policy but choose not to activate it, which lets you test the policy without affecting mail flow. DLP policies can use the full power of existing mail flow rules. In fact, a number of new types of mail flow rules were added to Microsoft Exchange Server and Exchange Online specifically to support DLP. One important new feature of mail flow rules is a new approach to classifying sensitive information that can be incorporated into mail flow processing. This DLP feature performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, and other content examination to detect content that violates organizational DLP policies. For more information about mail flow rules, see Mail flow rules (transport rules) in Exchange Online and Integrating sensitive information rules with mail flow rules in Exchange Online. You can also manage your DLP policies with Exchange Online PowerShell cmdlets; see Exchange PowerShell.

In addition to the customizable DLP policies themselves, you can inform email senders that they may be about to violate one of your policies, even before they send the offending message. You accomplish this by configuring Policy Tips. Policy Tips are similar to MailTips, and can be configured to present a brief note in the Microsoft Outlook 2013 client that informs the person composing a message about possible policy violations. In Exchange Online and in Exchange Server, Policy Tips are also displayed in Outlook on the web (formerly known as Outlook Web App) and OWA for Devices. For more information, see Policy Tips.

Note

Data Loss Prevention is a premium feature. For more information, see Exchange Online Licensing, the Exchange Online Service Description, and the Exchange Online Protection Service Description.

Note

Messages sent between on-premises users in a hybrid deployment do not have Exchange Online DLP policies applied, because those messages never leave the on-premises infrastructure. If such mail must be inspected, the equivalent policy has to exist on the on-premises Exchange Server as well.

Establish policies to protect sensitive data

The data loss prevention features can help you identify and monitor many categories of sensitive information that you define within the conditions of your policies, such as personal identification numbers or credit card numbers. You can define your own custom policies and mail flow rules, or use the pre-defined DLP policy templates provided by Microsoft to get started quickly. For more information about the included policy templates, see DLP policy templates supplied in Exchange. A policy template includes a range of conditions, rules, and actions that you can choose from to create and save an actual DLP policy that inspects messages. The policy templates are models from which you can select, or build, your own specific rules to create a policy that meets your data loss prevention needs.

There are three ways to begin using DLP:

  1. Apply an out-of-the-box template supplied by Microsoft: The quickest way to start using DLP policies is to create and implement a new policy from a template. This saves you the effort of building a new set of rules from nothing. You will need to know what type of data you want to check for, or which compliance regulation you are trying to address, and your organization's expectations for how such data is processed. For more information, see DLP policy templates supplied in Exchange and Create a DLP policy from a template.

  2. Import a pre-built policy file from outside your organization: You can import policies that were created outside of your messaging environment, for example by independent software vendors. In this way you can extend your DLP solution to suit your business requirements.

  3. Create a custom policy without any pre-existing conditions: Your enterprise may have its own requirements for monitoring certain types of data known to exist within its messaging system. You can create a custom policy entirely on your own to start checking and acting on your own unique message data. To build such a policy you will need to know the requirements and constraints of the environment in which it will be enforced. For more information, see Create a custom DLP policy.

After you have added a policy, you can review and change its rules, make the policy inactive, or remove it completely.
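The three starting points above, together with the earlier point that a policy can be created without being activated so it can be tested without disrupting mail flow, are shown below as an added example in Exchange PowerShell. This is not code from the original page or from Microsoft's documentation. It assumes a session already connected to Exchange Online PowerShell (or the Exchange Management Shell on Exchange Server); the policy names, the template name, and the file path are placeholders, and the template name in particular should be checked against the output of Get-DlpPolicyTemplate in your own tenant.

```powershell
# Added example, not from the original page. Assumes an existing connection to
# Exchange Online PowerShell / Exchange Management Shell. Policy names, the
# template name and the file path are placeholders.

# Method 1: start from a Microsoft-supplied template.
# List the templates available to this organization and pick one.
Get-DlpPolicyTemplate | Format-Table Name, Description -AutoSize

# Create the policy in Audit mode. Its rules are evaluated and incidents are
# logged, but no sender is notified and nothing is blocked, so mail flow is
# unaffected while you test the rule set against real traffic.
New-DlpPolicy -Name "PCI-DSS Audit" `
    -Template "PCI Data Security Standard (PCI DSS)" `
    -Mode Audit

# Method 2: import a policy template file supplied by a vendor, then create a
# policy from it exactly as with a built-in template.
$bytes = [System.IO.File]::ReadAllBytes("C:\DLP\vendor-policy.xml")
Import-DlpPolicyTemplate -FileData $bytes

# Method 3: create an empty custom policy. Rules are attached to it later with
# New-TransportRule -DlpPolicy "<policy name>".
New-DlpPolicy -Name "Internal Project Codenames" `
    -Mode Audit `
    -Description "Custom policy; rules added separately"

# Verify what exists and how each policy is currently running.
Get-DlpPolicy | Format-Table Name, State, Mode -AutoSize

# Inspect the mail flow rules the template generated before enforcing them.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq "PCI-DSS Audit" } |
    Format-Table Priority, Name, State, Mode -AutoSize

# Promote in stages once audit results look right:
# Audit -> AuditAndNotify (Policy Tips shown, nothing blocked) -> Enforce.
Set-DlpPolicy -Identity "PCI-DSS Audit" -Mode AuditAndNotify
Set-DlpPolicy -Identity "PCI-DSS Audit" -Mode Enforce

# Roll back without deleting anything: drop back to Audit, or disable outright.
Set-DlpPolicy -Identity "PCI-DSS Audit" -Mode Audit
Set-DlpPolicy -Identity "PCI-DSS Audit" -State Disabled
```

Staging through Audit and AuditAndNotify before Enforce is the practical way to measure false positives: the incident reports and the Mode column on each generated rule tell you what would have been blocked before any user is actually stopped from sending.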

Sensitive information types in DLP policies

When you create or change DLP policies, you can include rules that check for sensitive information. The sensitive information types listed in the Sensitive information types in Exchange Server topic are available for use in your policies. The conditions you establish within a policy, such as how many times a match must be found before an action is taken, or exactly what that action is, can be customized in your custom policies to meet your specific requirements. For more information about creating DLP policies, see Create a custom DLP policy. For more information about the full suite of mail flow rules, see Mail flow rules (transport rules) in Exchange Online.

To make it easy for you to use the sensitive information-related rules, Microsoft supplies policy templates that already include some of the sensitive information types. However, you cannot add conditions for every listed sensitive information type to a policy template, because the templates are designed to help you focus on the most common types of compliance-related data in your organization. For more information about the pre-built templates, see DLP policy templates supplied in Exchange. You can create numerous DLP policies for your organization and have them all enabled so that many disparate types of information are examined. You can also create a DLP policy that is not based on an existing template; to begin creating such a policy, see Create a custom DLP policy. For more information about sensitive information types, see Sensitive information types in Exchange Server.

Policy Tips notify users about sensitive content expectations

You can use Policy Tip notification messages to inform email senders about possible compliance issues while they are composing a message. When you configure a Policy Tip in a DLP policy, the notification only appears if something in the sender's message meets the conditions described in your policy. Policy Tips are similar to the MailTips introduced in Microsoft Exchange 2010. For more information, see Policy Tips.

Detecting sensitive information along with traditional message classification

Exchange Server and Exchange Online offer a new method of managing message and attachment data compared with traditional message classification. A key factor in the strength of a DLP solution is its ability to correctly identify confidential or sensitive content that may be unique to the organization, its regulatory needs, its geography, or other business needs. Exchange Server achieves this with a new architecture for deep content analysis, coupled with detection criteria that you establish through rules in your DLP policies. Preventing data loss in Exchange Server depends on configuring the correct set of sensitive information rules so that they provide a high degree of protection while minimizing inappropriate mail flow disruption from false positives and false negatives. These rules, referred to throughout the DLP documentation as sensitive information detection, operate within the framework provided by mail flow rules to enable DLP capabilities.

To learn more about these new features, see Integrating sensitive information rules with mail flow rules in Exchange Online. The traditional message classification fields can still be applied to messages in Exchange, and they can be combined with the new sensitive information detection either within a single DLP policy or running concurrently so they are evaluated independently within Exchange. To learn more about the legacy Exchange 2010 message classifications, see Understanding Message Classifications.
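The following is an added example, not code from the original page or from Microsoft's documentation, that ties together the three preceding sections: a rule that uses a sensitive information type with a match-count threshold, the Policy Tip and override behaviour that rule presents to the sender, and a second rule in the same policy that combines a legacy message classification with sensitive information detection. It assumes a connected Exchange Online PowerShell or Exchange Management Shell session, a DLP policy named "Customer Data" already created with New-DlpPolicy, an existing message classification named "Company Internal", and a placeholder incident-report mailbox; all of those names are assumptions.

```powershell
# Added example, not from the original page. Assumes a connected Exchange
# PowerShell session, an existing DLP policy "Customer Data", an existing
# message classification "Company Internal", and a placeholder report mailbox.

# Confirm the exact name of the built-in sensitive information type to use;
# the Name value is what MessageContainsDataClassification expects.
Get-DataClassification | Where-Object { $_.Name -like "*Credit Card*" } |
    Format-Table Name, Publisher -AutoSize

# Rule 1: one or more credit card numbers leaving the organization. The sender
# sees a Policy Tip and the message is rejected, unless the sender reports a
# false positive, which is recorded in the incident report for review.
# MinCount is the threshold from the "how many times a match must be found"
# condition described above; raise it if a single match is too noisy.
New-TransportRule -Name "Customer Data: card numbers (external)" `
    -DlpPolicy "Customer Data" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassification @{ Name = "Credit Card Number"; MinCount = 1 } `
    -NotifySender RejectUnlessFalsePositiveOverride `
    -RejectMessageReasonText "Card numbers may not be sent outside the company without encryption." `
    -SetAuditSeverity High `
    -GenerateIncidentReport "dlp-incidents@contoso.example" `
    -IncidentReportContent Sender, Recipients, Subject, Severity, Override, FalsePositive, DataClassifications, RuleDetections

# Rule 2: legacy message classification combined with sensitive information
# detection in the same policy. A message the sender deliberately stamped
# "Company Internal" that also carries card numbers is surfaced with a
# notify-only Policy Tip and audited at medium severity, not blocked.
$internal = Get-MessageClassification -Identity "Company Internal"
New-TransportRule -Name "Customer Data: internal classification with card data" `
    -DlpPolicy "Customer Data" `
    -HasClassification $internal.Identity `
    -MessageContainsDataClassification @{ Name = "Credit Card Number"; MinCount = 1 } `
    -NotifySender NotifyOnly `
    -SetAuditSeverity Medium `
    -GenerateIncidentReport "dlp-incidents@contoso.example"

# Rules attached to a DLP policy are evaluated in priority order together with
# every other mail flow rule, so check that nothing higher in the list stops
# processing before these rules are reached.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq "Customer Data" } |
    Sort-Object Priority |
    Format-Table Priority, Name, State, Mode, NotifySender -AutoSize
```

The NotifySender value is what turns a detection into a Policy Tip: NotifyOnly only warns, the RejectUnless... values block and define which override (false positive, silent, or explicit justification) the sender is allowed, and RejectMessage blocks with no override. Whichever you choose, keep GenerateIncidentReport on the rule so that overrides and false-positive reports are reviewable rather than silently accepted.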

Installation prerequisites

To use DLP features, you must have Exchange Online configured with at least one sender mailbox. Data Loss Prevention is a premium feature that requires an Enterprise Client Access License (CAL). For more information about getting started with Exchange Online, see Exchange Online.

For more information

Exchange Online