The ABCs of Microsoft Office 365's Data Loss Prevention (DLP)
When it comes to data breaches, it's not a matter of if a breach will occur, it’s a matter of when. And regardless of how substantial -- or how advanced -- you think your cybersecurity is, you’re still vulnerable.
The most recognizable data breaches for 2019 (so far) include:
- January 16: Fortnite exposes players to being hacked. According to the security firm Check Point, who discovered the vulnerabilities, a threat actor could take over the account of any player, view their personal account information, purchase V-bucks (in-game currency), and eavesdrop on game chatter. Fortnite has 200 million users worldwide, 80 million of whom are active each month.
- March 21: Facebook admits it failed to properly secure the passwords of as many as 600 million users since 2012. These passwords were stored in plain text, accessible by over 20,000 company employees.
- March 22: Survivors of hurricanes Maria and Irma, as well as the California wildfires, had their PII exposed in a Federal Emergency Management Agency (FEMA) privacy incident. Approximately 2.5 million disaster victims had personal information (i.e. names and addresses, bank account info and birthdates) shared with a contractor, leaving them unprotected.
And yes, even Microsoft’s email services got hit: In a statement to TechCrunch, Microsoft admitted a data breach of its non-corporate email services, including @msn.com, @hotmail.com, and @outlook.com. The breach, which lasted from January 1 to March 28, 2019, allowed hackers to access email accounts by misusing Microsoft’s customer-support portal.
Microsoft Office 365 has made it extremely easy to upload vast amounts of data to the cloud with just a few clicks. Although organizations are getting more comfortable entrusting their data to cloud services, steps must be taken to ensure employees don’t expose or send sensitive data in violation of company policies (e.g. by forwarding to unauthorized parties, downloading to unprotected devices, etc.). According to McAfee, many Microsoft environments encourage employees to unknowingly "click-to-contravention":
- OneDrive for Business has the highest active-usage rate, at 18.6 percent of all enterprise employees.
- Exchange Online has the second-highest penetration rate: 66.9 percent of enterprises have at least 100 users.
- 35.3 percent of enterprises and 2.1 percent of users have moved to SharePoint.
- Regarding online financial services, 39.3 percent actively use OneDrive for Business, and 17.3 percent actively use Skype for Business.
- Healthcare’s primary communications platform is Skype for Business. 14.2 percent of users rely on it for meetings, messaging, and audio/video calls.
- Manufacturing leads adoption of Microsoft Exchange Online, with 12.9 percent actively using the cloud-based email platform.
For these reasons, Data Loss Prevention (DLP) efforts have been expanded to include any company data residing in the cloud -- including financial data or personally identifiable information (PII), such as credit card and social security numbers, and health records.
Office 365 Data Loss Prevention works similarly to other DLP tools in that it follows a set of specific rules. Policies defined within Office 365 govern data and issue alerts when someone violates a rule. Office 365’s DLP enables users to:
- Identify sensitive information across locations, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams
- Prevent accidental sharing of sensitive information
- Monitor and protect sensitive information (in the desktop versions of Excel, PowerPoint, and Word)
- Keep compliant without having their workflow interrupted
- View reports featuring content relevant to your organization's DLP policies
Getting Started with Office 365 DLP
Getting started with DLP is simple. The first step is to establish a DLP policy. Microsoft provides policy templates that include HIPAA, U.S. PII, PCI-DSS, etc. You may also want to add a condition to a template policy and use labels as a condition in a policy. Here are the "ABCs" to consider when getting started:
Microsoft prevents your users from being adversely affected by offering several ways to test -- without causing the help desk to be flooded with calls. "Test mode" is accomplished by activating a simple option at the end of the policy, and allows your organization to quickly go from idea to research phase to proof-of-concept.
Office 365 DLP provides several communication options, and various combinations are possible, such as:
- Policy Tips -- quick, to the point and effective reminders for users
- Email notifications sent to offending users
- Incident reports emailed to Global Admins
Additionally, DLP reports provide insights and allow you to tier critical policies to trigger email notifications to Global Admins, the offending user, or both. In addition to issuing notifications, content may also be blocked.
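As an added illustration (not part of the original article, and not a script from Microsoft or Anexinet), the test-mode workflow and notification options described above can also be set up from Security & Compliance PowerShell. The policy and rule names are hypothetical, and the locations and the sensitive information type are assumptions chosen for the example.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an account
# that holds DLP administration permissions in the tenant.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell; prompts for sign-in

# Hypothetical names used only for this example.
$policyName = 'Example - Card data pilot'
$ruleName   = 'Example - Card numbers shared'

# 1. Create the policy in test mode. Matches are recorded and policy tips are
#    shown to users, but the rule's blocking action is not enforced yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Pilot: detect credit card numbers before enforcing' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Add the rule: match content containing at least one credit card number,
#    notify the content owner, send an incident report to administrators,
#    and block access once the policy is enforced.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -BlockAccess $true

# 3. Confirm what was created and that the policy is still in test mode.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, NotifyUser, GenerateIncidentReport

# 4. Run separately, only after the test-mode reports have been reviewed:
#    switch the same policy from test mode to enforcement.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

Disconnect-ExchangeOnline -Confirm:$false
```

Using -Mode TestWithoutNotifications in step 1 instead records matches without showing policy tips or sending notification emails, which suits an initial silent pilot.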
In terms of managing Office 365 DLP, Microsoft understands your IT department may not have (or want) responsibility for sensitive HR areas or government regulations that have the potential to become legal matters. Rather, your Security and Compliance team may be the preferred DLP administrators. The recommended approach is to create a security group and assign the appropriate permissions. This approach allows members to create and apply DLP policies, without requiring access to the protected content.
Convincing management that Office 365 is secure is not as difficult as it might seem. One of the best methods to prove to managers, CIOs, CTOs, etc. that DLP provides value, and is worth investing time and/or money in, is by providing reports generated during test mode and by providing a 30-minute demo based on a hypothetical data-loss scenario. After all, what demonstrates more value than proof? By doing so, you can prove that if the policy you created had been enforced, it would have prevented X from happening. Further, remind your audience that the ability to test without unintended consequences also provides value by removing the IT department’s fear of gaining a bad reputation during the deployment of a new project.
If further assistance is needed, seek out Office 365 Migration Kickstart programs that provide a roadmap to help you enable security, compliance, conditional access, and data loss prevention.
Matt Dierolf is Enterprise Architect at digital business solutions provider Anexinet. He provides customers with current and future state architecture, as well as migration/upgrade strategies for a broad range of infrastructure technologies -- including Microsoft, VDI, virtualization, hyper-converged, and cloud. Matt has nearly 20 years of experience in IT management and administration, with previous roles at STV, Traffic Planning and Design, Acelity and Unisys. He has earned numerous certifications from Microsoft, as well as Nutanix, Citrix and VMware. Matt holds a BS in Information Systems from Penn State University and an MBA in Computer/Information Technology Administration and Management from the University of Phoenix.