What you Need to Know about Data Loss Protection in Microsoft 365

Don't want your sensitive data falling into the wrong hands? Read on



Data is seen as the “new gold” for enterprise organizations as it is the lifeblood of the business revenue stream. No matter what industry, product, or solution a business offers, most companies have embraced data-driven processes to meet modern business challenges in today’s world. It underscores the importance for organizations to protect their data at all costs.

Data Loss Prevention (DLP) solutions provide the capabilities for businesses to protect their data. Companies must include their cloud SaaS solutions as part of their overall DLP strategies. The Microsoft 365 cloud SaaS solution provides robust DLP capabilities built into the platform. We will look at how to protect your business data in Microsoft 365 with DLP and backup.

Before diving into the Microsoft 365 DLP solution, let’s look at what DLP is in general and why companies need it. Most organizations hold sensitive data that would be highly damaging if it fell into the wrong hands. Financial data, trade secrets, personally identifiable information (PII) about customers, health records, and other traditionally sensitive information such as social security numbers (SSNs) or credit card numbers (CCNs) are all deemed sensitive.

What is Data Loss Prevention (DLP)?

Data Loss Prevention (DLP) is the set of tools and solutions that protect against sensitive data loss, leak, misuse, or unauthorized access. DLP is a critical aspect of today’s very stringent compliance regulations. Failure to maintain compliance by having the proper security controls and DLP guardrails in place can result in catastrophic consequences for an organization, including steep fines from regulatory violations.

DLP is a framework that enforces remediation with the protective measures that prevent users from accidentally or intentionally sharing data that places a business at risk. Data Loss Prevention is often categorized as a compliance concern for businesses since most compliance frameworks require organizations to take proactive measures to protect sensitive data.

Maintaining strict adherence to compliance regulations is beneficial to customers, end-users, and businesses as it helps protect everyone involved. However, compliance can present challenges as organizations move into cloud Software-as-a-Service (SaaS) environments.

Often businesses have a solution that helps with DLP and other compliance concerns in on-premises environments. However, as they move to cloud SaaS and other cloud offerings, the traditional tools and solutions are no longer relevant to modern cloud architectures. As a result, organizations often must rethink their tooling and strategies for DLP as they migrate business-critical data to the cloud.

Data leaks can be catastrophic

A significant driver to giving due attention to compliance and DLP initiatives is the destructive nature of a data breach. The sheer financial repercussions alone can be substantial. The IBM Cost of a Data Breach 2021 Report helps to emphasize the fiscal implications of a data breach event. Note the following findings for 2021.

    • 10% increase in the average total cost of a breach – 2021 saw the most significant jump in the 17-year history of the report
    • $4.24 million – the average cost of a data breach
    • Healthcare had the highest cost of a data breach for eleven consecutive years
    • Lost business represented 38% of the overall average
    • $180 – the cost per record of personally identifiable information (PII) data
    • 287 – the average number of days to identify and contain a data breach
    • $3.61 million – the average cost of a data breach in hybrid cloud environments
    • $4.62 million – the average cost of a ransomware breach

As the numbers show, financially, a data breach can potentially ruin a business. Part of the cost of a data breach event is also the regulatory compliance implications as a result. These can be significant. For example, in cases of gross negligence leading to a data breach, the General Data Protection Regulation (GDPR) can fine a business as much as €20 million or 4% of the global turnover, whichever is more.

Compliance is no longer a “nice to have” for businesses. Current compliance regulations have “real teeth” to impose fines and other legal ramifications.

In Cloud SaaS, DLP is Your Responsibility

Organizations may misunderstand the responsibilities of cloud service providers when they move their data to cloud SaaS environments like Microsoft 365. Many may assume protecting their data is now solely the responsibility of the cloud service provider. While hyperscale cloud service providers like Microsoft provide robust cloud architectures that do well to help protect your data from loss, the burden of responsibility for business-critical data rests with the cloud SaaS customer.

Cloud service providers such as Microsoft operate on a “shared responsibility model” that places responsibility for the data itself with the customer. In Microsoft’s “Shared responsibility in the cloud” documentation, note specifically the section “Responsibility always retained by the customer.” Among the responsibilities that remain with the organization is responsibility for information and data.

The shared responsibility model defined by Microsoft for cloud environments

Given that information and data are the customer’s responsibility, organizations must take the compliance and security of their data seriously.

Cloud SaaS Backups are Essential

Often Data Loss Prevention (DLP) focuses on the data leak aspect of losing data. However, DLP also indirectly relates to data protection. Most organizations today have a solid on-premises backup solution they use to protect mission-critical workloads running in on-premises enterprise datacenters.

However, as mentioned earlier, there is a notion that data backups are no longer needed once data is migrated to cloud SaaS environments. This idea can prove to be a grave mistake for organizations that suffer data loss from human error or a malicious attack at the hands of ransomware.

The shared responsibility model used by hyperscale cloud service providers such as Microsoft places all aspects of protecting your information and data, including backups, with the customer. Backing up ALL your data, including Office 365 workloads, is the cornerstone of any data protection strategy and business continuity plan.

What is Microsoft 365 Data Loss Prevention (DLP)

Microsoft has not left organizations on their own when it comes to Data Loss Prevention (DLP) in the Microsoft 365 cloud SaaS environment. Microsoft has baked DLP into the Microsoft 365 SaaS environment using DLP policies.

Microsoft 365 DLP is part of the Microsoft 365 Compliance tools that allow protecting your sensitive data, no matter where the data is stored and how it is accessed. Microsoft 365 DLP policies allow businesses to monitor end-user activities and how users access sensitive data, whether at rest, in transit, or in use.

You can log into the Microsoft 365 Compliance Center here:

Microsoft 365 Compliance Center

The DLP policies then allow taking protective action based on sensitive data access. For example, Microsoft 365 DLP policies can take action when a user attempts to copy sensitive data from the sanctioned Microsoft 365 business environment to an unapproved location.

Additionally, it can block sharing of sensitive information in an email or other restrictions defined in the DLP policy. Other protective actions that can be defined in the DLP policy include:

    • Warn a user they may be trying to share a sensitive item inappropriately
    • Block the sharing and, via a policy tip, allow the user to override the block and capture the user’s justification
    • Block the sharing without the override option
    • For data at rest, sensitive items can be locked and moved to a secure quarantine location
    • With Teams chat, the sensitive information will not be displayed

Navigating to Data Loss Prevention in Microsoft 365 Compliance Center

When it comes to ensuring your sensitive data is compliant, visibility is essential for DLP. Microsoft 365 DLP writes the monitored activity events to the Microsoft 365 Audit Log, a unified audit trail that serves as an “event viewer” of sorts for your Microsoft 365 cloud environment. It provides visibility into user and administrator activities in your organization.

As mentioned, the Microsoft 365 Audit Log is “unified.” This aspect of the logging capabilities in Microsoft 365 is important for DLP enforcement as it allows easily searching the audit log for activities performed in different Microsoft 365 services. In addition, the sheer width and breadth of cloud services offered in Microsoft 365 are staggering, so the unified logging capabilities provide a single-pane-of-glass view for activities affecting your Microsoft 365 security and compliance.

To take advantage of the Microsoft 365 Compliance Center auditing, you need to start recording user and admin activity.
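As an added example (not code from the article or from Microsoft), the following Exchange Online PowerShell session turns on unified audit log ingestion if it is off and then pulls the last week’s DLP rule matches out of the Audit Log, flattening them into a table a reviewer can triage. The 7-day window, the result size and the chosen output columns are assumptions for the example.

```powershell
# Added example: enable unified auditing and review DLP rule matches from the
# Microsoft 365 Audit Log. Requires the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Auditing must be recording before any DLP events show up in the log.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# DLP events from Exchange, SharePoint/OneDrive and Endpoint DLP are stored
# under separate record types but are searched through the same cmdlet.
$start = (Get-Date).AddDays(-7)   # assumed review window
$end   = Get-Date
$events = foreach ($type in 'ComplianceDLPExchange', 'ComplianceDLPSharePoint', 'DLPEndpoint') {
    Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType $type -ResultSize 5000
}

# AuditData is a JSON blob; flatten one row per matched rule.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    foreach ($p in $d.PolicyDetails) {
        foreach ($r in $p.Rules) {
            [pscustomobject]@{
                Time     = $d.CreationTime
                User     = $d.UserId
                Workload = $d.Workload
                Policy   = $p.PolicyName
                Rule     = $r.RuleName
                Actions  = ($r.Actions -join ',')
                Override = $r.OverriddenJustification
            }
        }
    }
}

# Which rules fire most, per workload, and which matches users overrode.
$rows | Group-Object Workload, Rule | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$rows | Where-Object { $_.Override } |
    Format-Table Time, User, Workload, Rule, Override -AutoSize
```

Overrides carrying a business justification are the entries worth a second look, since they are exactly the cases where a user decided the policy was wrong.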

Configuring Microsoft 365 Auditing to record user and admin activity

Microsoft 365 DLP vs. Microsoft Information Protection (MIP)

Many may be confused by the various offerings from Microsoft related to compliance and data loss prevention. Microsoft Information Protection (MIP) is an offering that helps to discover, classify, and protect sensitive information. It is actually a suite of technologies rather than a single product, and it includes the Data Loss Prevention (DLP) capabilities found in Microsoft 365. The MIP suite comprises:

    • Sensitive information types (SITs)
    • Trainable Classifiers
    • Data Classification
    • Sensitivity Labels
    • Azure Information Protection (AIP) unified labeling client, now Microsoft Information Protection
    • Azure Information Protection (AIP) unified labeling Scanner, now Microsoft Information Protection
    • Azure Purview
    • Double Key Encryption (DKE)
    • Office 365 Message Encryption (OME)
    • Service encryption with Customer Key
    • SharePoint Information Rights Management (IRM)
    • Rights Management connector
    • Microsoft Cloud App Security (MCAS)
    • Microsoft Information Protection (MIP) SDK
    • Data Loss Prevention (DLP)

Data Loss Prevention (DLP) is Not a Substitute for Cybersecurity

It is essential to understand that while DLP is required to satisfy regulatory compliance demands and prevent data leak catastrophes, it is not an all-inclusive cybersecurity solution. While DLP should be part of your overall cybersecurity stance, it does not protect your environment from hackers.

Data Loss Prevention helps organizations enforce governance restrictions with business-critical and sensitive data. However, it does not protect your environment from a ransomware attack, stolen credentials, phishing emails, malicious third-party applications, and other threats in the cloud.

On the other hand, strong cybersecurity measures do not protect your organization from data leak events when users transmit or share data accidentally or intentionally. DLP helps organizations protect from insider threats, while other cybersecurity measures and technologies help protect from outside threats posed by attackers and other malicious activities.

Microsoft has other products that help organizations protect against malicious threats such as email compromise and credential phishing. Microsoft Defender for Office 365 (formerly Office 365 ATP) provides deep inspection and can sandbox executables to determine whether they are legitimate, based on intent and behavior. Advanced artificial intelligence (AI) and machine learning (ML) in Defender for Office 365 help to protect your business-critical and sensitive data from attackers. Learn more about that solution here:

365 Total Protection from Hornetsecurity offers comprehensive protection for Microsoft cloud services – specially developed for Microsoft 365 and seamlessly integrated to provide comprehensive protection for Microsoft cloud services. Easy to set up and extremely intuitive to use, 365 Total Protection simplifies your IT Security management from the very start.

Data Loss Prevention (DLP) is Not a Substitute for Backup

Although Data Loss Prevention sounds like backup, as you can see it’s not the same thing. Your information governance plan for your business should include DLP, Information Protection, AND Backup.

Office 365, Exchange Online, and SharePoint Online / OneDrive for Business use various data protection technologies to ensure that your data is highly available and protected against hardware failure, but there is NO backup in a separate system and no way to “go back in time”. Make sure you complement DLP and Information Protection with solid third-party backup services for Office 365, such as Altaro’s Office 365 Backup.

Microsoft 365 DLP Default Policy

In the Microsoft 365 Compliance Center, you will see a default Data Loss Prevention (DLP) policy listed, aptly named Default Office 365 DLP policy. The policy contains two safeguards by default, helping to protect organizations from data leaks involving credit card numbers. Let’s take a closer look at the default DLP policy, as it helps to get a feel for the configurable policy settings.

Viewing and editing the default Data Loss Prevention (DLP) policy in Microsoft Compliance Center

The default DLP policy already configured in your Microsoft 365 environment applies to Exchange email, SharePoint sites, and OneDrive accounts. The great thing about Microsoft 365 DLP policies is that you can implement a single policy across multiple services at the same time, as the service assignment below shows.

Services assigned to the default Microsoft 365 DLP policy

The default DLP policy contains two advanced DLP rules out of the box. The advanced rules contain conditions and actions that define the protection requirements for the policy. You can edit the existing rules or create new ones. The two default rules in the advanced DLP ruleset are:

    • Items containing 1-9 credit card numbers shared externally
    • Items with 10 or more credit card numbers shared externally

Default advanced rules contained in the Microsoft 365 DLP policy

You can see how the policy rules are configured if you edit one of the default policies. Under Conditions, the Sensitive info types are set to Credit Card Number.

Sensitive info types configured for Credit Card Number

The rule is configured to look for CCNs that are shared with “people outside my organization”.

Data shared outside the organization

The Microsoft 365 DLP policies, by default, are configured for user notifications. These notify the following:

    • The person who sent, shared, or modified the content
    • Owner of the SharePoint site or OneDrive account
    • Owner of the SharePoint or OneDrive content

You can also configure additional notification rules to send emails to other recipients.

Notification rules for the Microsoft DLP policy

Another configurable setting in the Microsoft 365 DLP policy settings is to allow overrides. This setting allows users to override policy restrictions in Exchange, SharePoint, OneDrive, and Teams. It is a setting that needs to be used with caution as it can potentially violate compliance and governance.

As seen below, you can additionally require a business justification to override. Admins can also choose to receive alerts with user override activity.
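To show how the rules, notifications and override settings described above map onto configurable objects, here is an added example (not code from the article or from Microsoft) that recreates the two credit-card rules in a new policy with Security & Compliance PowerShell. The policy and rule names, the policy-tip text and the choice of which rule blocks are assumptions for the example; the policy is created in test mode so its effect can be reviewed in the audit log before enforcement.

```powershell
# Added example: recreate the default policy's two credit-card rules as a new
# DLP policy via Security & Compliance PowerShell (ExchangeOnlineManagement).
# Names and texts below are chosen for this example.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'CCN External Sharing - Example'

# Same scope as the default policy: Exchange email, SharePoint sites, OneDrive.
# TestWithNotifications audits and shows policy tips without blocking; switch
# -Mode to Enable once the matches in the audit log look right.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Comment 'Example recreation of the Default Office 365 DLP policy rules'

# Rule 1: items with 1-9 credit card numbers shared outside the organization.
# Notify the sender/modifier and the owners; no block, just a policy tip.
New-DlpComplianceRule -Name 'Low volume CCN shared externally' -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{Name = 'Credit Card Number'; minCount = '1'; maxCount = '9'}) `
    -AccessScope NotInOrganization `
    -NotifyUser LastModifier, Owner, SiteAdmin `
    -NotifyPolicyTipCustomText 'This item appears to contain credit card numbers and is shared externally.' `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel Low

# Rule 2: items with 10 or more credit card numbers shared outside the
# organization. Block the external recipients; allow an override only with a
# business justification, and report it at high severity so admins see it.
New-DlpComplianceRule -Name 'High volume CCN shared externally' -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{Name = 'Credit Card Number'; minCount = '10'}) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser LastModifier, Owner, SiteAdmin `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Detections, Severity `
    -ReportSeverityLevel High

# Confirm the two rules and their key settings.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, BlockAccess, NotifyAllowOverride
```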

Allowing user overrides from M365 services

Built-in Templates

One of the really nice features Microsoft has built into the Microsoft 365 DLP policy configuration wizard is templates. Depending on the type of compliance, industry, and other factors, the templates make it much easier to start with a good baseline of DLP policy settings.

Using Microsoft 365 DLP templates

Microsoft 365 Endpoint DLP

With Microsoft 365 DLP, organizations can monitor the actions taken on sensitive data and help prevent the unintentional sharing of those items. However, there is another aspect – the endpoint.

Microsoft 365 Endpoint data loss prevention (Endpoint DLP) provides the capabilities to extend the activity monitoring and protection capabilities to sensitive items that are physically stored on the endpoint. These may include Windows 10, Windows 11, and macOS (currently in public preview) devices.

To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.

    • Microsoft 365 E5
    • Microsoft 365 A5 (EDU)
    • Microsoft 365 E5 compliance
    • Microsoft 365 A5 compliance
    • Microsoft 365 E5 information protection and governance
    • Microsoft 365 A5 information protection and governance

The Endpoint DLP solution allows companies to onboard the devices into the Microsoft 365 compliance solution and monitor activities and actions taken on the endpoint. In addition, using DLP policies, protective actions can be enforced to provide DLP guardrails for the clients.

There are specific activities Microsoft 365 Endpoint DLP allows monitoring and acting upon with Windows 10, Windows 11, and macOS devices. These include the following:

    • Upload to cloud service or access by unallowed browsers
    • Copy to other app
    • Copy to USB or other removable media
    • Copy to a network share
    • Printing a document
    • Copy to a remote session
    • Copy to a Bluetooth device
    • Create an item
    • Rename an item

You can also monitor specific file types, including:

    • Word files
    • PowerPoint files
    • Excel files
    • PDF files
    • .csv files
    • .tsv files
    • .txt files
    • .rtf files
    • .c files
    • .class files
    • .cpp files
    • .cs files
    • .h files
    • .java files

Configuring Microsoft 365 Endpoint DLP settings

To configure Microsoft 365 Endpoint DLP settings, navigate to Data Loss Prevention (DLP) > Endpoint DLP settings. As you can see below, you can configure policy settings controlling:

    • File path exclusions
    • Unallowed apps
    • Unallowed Bluetooth apps
    • Browser and domain restrictions to sensitive data
    • Additional settings for endpoint DLP
    • Always audit file activity for devices

Configuring Endpoint DLP settings

As an example, let’s set up unallowed browsers. Navigate to Browser and domain restrictions to sensitive data > Unallowed browsers > Add or edit unallowed browsers.

Adding Unallowed Browsers in a Microsoft 365 Endpoint DLP policy

Next, you will select or add the executable for the unallowed browser for your Endpoint DLP policy.

Choosing unallowed browsers for your Endpoint DLP policy

Onboarding devices into Microsoft 365 Endpoint DLP

You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. You can enable device management and onboard devices using the Microsoft 365 Compliance portal. Onboarding is accomplished by downloading the appropriate script and running the script on the endpoint.

You can also onboard devices using Group Policy, Microsoft Endpoint Configuration Manager, or Mobile Device Management tools, and you can onboard virtual desktop infrastructure (VDI) devices.

Onboarding devices into Microsoft 365 Endpoint DLP

Does DLP Cover all Your Data Loss Needs?

Compliance and governance are both extremely important initiatives for organizations today. Data Loss Prevention (DLP) is required by most compliance regulations and helps prevent the accidental or intentional sharing of sensitive data outside the sanctioned environment.

Microsoft 365 Data Loss Prevention (DLP) is a solution from Microsoft that helps organizations effectively meet the challenges of protecting their business-critical and sensitive data from leaking outside their Microsoft 365 environment. The policy-driven engine of Microsoft 365 allows effectively building and applying policies to control how data can be shared, accessed, and transmitted from Microsoft 365.

It allows controlling both the data that resides in the Microsoft 365 environment and the data that physically resides on the endpoint. By configuring both aspects of Microsoft 365 DLP, organizations can effectively prevent unauthorized data access of sensitive information. As covered, DLP is not an all-inclusive cybersecurity solution. Organizations must combine DLP with other security solutions, such as Microsoft’s Defender for Office 365 or Hornetsecurity’s 365 Total Protection for protecting against phishing attacks, ransomware, and other threats plus a backup solution such as Office 365 Backup. You can also bundle both together in 365 Total Protection Enterprise Backup.
