Security in SharePoint and Teams with DLP, IRM, and AIP Tim Beamer, Senior Microsoft Solution Architect, Logicalis tim.beamer@plusconsulting.com
Agenda
Introduction
Identify: DLP vs IRM vs AIP; Identify Engine
Setup: Emails; Policies
Monitor: DLP Queries; DLP Policies
Block: Permissions
End User Education: Policy Tips
Limitations
IRM
AIP
Q&A
The “good old days”… NOT
Files in file shares (NTFS permissions):
  Move the file? Lose the permissions!
  E-mail the file? Lose the permissions!
SharePoint:
  “Secure” the document library with permissions
  No notification of sensitive information
Policies:
  “I didn’t know…”
  A policy with no enforcement mechanism is useless!
What’s in the toolbox?
DLP: Inspect – Detect – Act; Tooltips
IRM: Define permissions; Encrypt – regardless of destination
AIP: Define data classification; Inspect content and act based on classification; May include modifications of permissions
Introduction: What is data loss prevention?
What is DLP? Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside your organization. DLP software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk.
Data Loss Prevention in SharePoint Find that information before it’s too late! Search for sensitive content in your existing eDiscovery Center, keeping content in place and enabling you to search in real time. Credit Card Numbers, SSN, Bank Account Numbers, Passports (100 total information types!) Define once and protect across Exchange, SharePoint, Teams and OneDrive! NOTE: If you have document libraries with Search disabled, DLP will NOT work in them
Data Loss Prevention in SharePoint Identify Monitor Protect End User Education
Identify: How does SharePoint find this information?
DLP Processing in SharePoint
Search pipeline: Content Sources → Crawler → Content Processing → Index → Query
Policy side: Policy Definitions; Unified Policy; Processing Tasks
Sensitive Information Evaluation
16 digits: dddd-dddd-dddd-dddd or dddddddddddddddd
Supporting evidence: CVN, CVV2, CID; Visa, MasterCard, Amex; Expiration Date; Card Holder
Sensitive Information Evaluation (regex)
A DLP policy is 85% confident that it's detected this type of sensitive information if, within a proximity of 300 characters:
  The function Func_credit_card finds content that matches the pattern.
  One of the following is true:
    A keyword from Keyword_cc_verification is found.
    A keyword from Keyword_cc_name is found.
    The function Func_expiration_date finds a date in the right date format.
A DLP policy is 65% confident that it's detected this type of sensitive information if, within a proximity of 300 characters:
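The two-tier evaluation above, as an added illustration written for this page (it is not Microsoft's Func_credit_card or Keyword_* implementation): a 16-digit pattern match is corroborated by a verification keyword, a card-name keyword or an expiration date within 300 characters. It assumes the pattern check includes a Luhn checksum and that the 65% tier, cut off on the slide, is a pattern match with no corroborating evidence.

```python
import re

# Added illustration of the slide's evaluation rules. It is not Microsoft's
# Func_credit_card / Keyword_* implementation, only a simplified model of it.
# Assumed here: the pattern check includes a Luhn checksum, and the 65% tier
# (cut off on the slide) is a pattern match with no corroborating evidence.

PROXIMITY = 300  # characters scanned on each side of a match
CARD_PATTERN = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")  # dddd-dddd-dddd-dddd or 16 digits
EXPIRATION = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})\b")  # MM/YY or MM/YYYY


def _keywords(words):
    """Whole-word, case-insensitive match so 'CID' does not fire on 'decided'."""
    return re.compile(r"\b(?:" + "|".join(map(re.escape, words)) + r")\b", re.IGNORECASE)


KEYWORD_CC_VERIFICATION = _keywords(["CVN", "CVV", "CVV2", "CID", "security code"])
KEYWORD_CC_NAME = _keywords(["Visa", "MasterCard", "Amex", "card holder", "cardholder"])


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random 16-digit strings such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def evaluate(text: str) -> list[tuple[str, int]]:
    """Return (last four digits, confidence %) for each credit-card finding."""
    findings = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue  # pattern matched but checksum failed: not a card number
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        corroborated = (
            KEYWORD_CC_VERIFICATION.search(window)
            or KEYWORD_CC_NAME.search(window)
            or EXPIRATION.search(window)
        )
        # Report only the last four digits so the finding itself is not sensitive.
        findings.append((digits[-4:], 85 if corroborated else 65))
    return findings
```

Calling evaluate() on a document body returns one tuple per candidate; documents with a 65% finding are the ones most likely to need a policy tip rather than a hard block.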
Setup: Requirements to make it work!
Prerequisites
  Configure the search service application
  Crawl the location of the conflicting documents
  Configure outgoing email (your users need to have an email address in their profile)
Site Collections
  eDiscovery Center: A site to manage the preservation, search, and export of content for legal matters and investigations
  Compliance Policy Center: A site to manage compliance and retention policies
Monitor
EDiscovery Center
Found it!
EDiscovery Center - Excel Reports
DLP Policy Demo
End User Education
In Context Information Blocked documents are visible directly in the document library (Demo)
Limitations: Perfection doesn’t exist!
Information Rights Management
IRM allows enterprises to define, implement and track information usage “policies”. A “policy” defines:
  WHO can use the information: People and groups within and outside of the organization can be defined as rightful users of the information.
  WHAT each person can do: Individual actions like reading, editing, printing, distributing, copy-pasting, screen grabbing etc. can be controlled.
  WHEN they can use it: Information usage can be time based, e.g. can only be used by Mr. A till 28th Sept OR only for the 2 days.
  WHERE they can use it from: Information can be linked to locations, e.g. only the 3rd floor office, by private/public IP addresses.
Configure RMS for Office 365
Enable in SharePoint Online
Enable in a Document Library
Secure a document
Azure Information Protection
AIP
AIP – P1: USER is responsible for applying the correct label
AIP – P2: Combines the capabilities of DLP and IRM; content inspection can apply the label automatically
DEMO
Call to action: Schedule a Security Focused CIE
  Hands-on session
  We can deliver at our office or yours (need Wi-Fi and Power)
  Engage with Security Practice to define data classification, labels, risk, and required protections
Q&A Thank you!