Intro to Data Loss Prevention In SharePoint 2016\Office 365

Presentation on theme: "Intro to Data Loss Prevention In SharePoint 2016\Office 365"— Presentation transcript:

1 Intro to Data Loss Prevention In SharePoint 2016\Office 365
By Craig Jahnke, Strategic Advisor. June 17th, 2017

2 About Craig Jahnke – Strategic Advisor at AvePoint, Inc.
Working with SharePoint for the last 8 years. M.S. in Information Systems. Organizes SPS Chicago Suburbs and Cloud Saturday Chicago. @TechJahnke on Twitter.

3 Platinum Sponsors

4 Platinum Sponsors

5 Gold Sponsors

6 Attendee Shirts

7 Agenda
What is Data Loss Prevention (DLP)? Sensitive Data. DLP in SharePoint 2016. DLP Queries & Policies. Limitations. Reminders. DLP in Office 365. Questions.

8 What is Data Loss Prevention (DLP)?
Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. DLP software products help a network administrator control what data end users can transfer so that users cannot accidentally or maliciously share data that could put the organization at risk.

9 Types of Data in Regards to DLP
In Use: forms that check data as it's entered. In Motion: Exchange Online. At Rest: SharePoint On-Premises.

10 Data Loss Prevention In SharePoint 2016
With a data loss prevention (DLP) policy in SharePoint Server 2016, you can identify, monitor, and automatically protect sensitive information across your site collections. Search for sensitive content in your existing eDiscovery Center, enabling real-time searching while keeping content in place. Searches across SharePoint 2016, OneDrive for Business and SharePoint Online.

11 Examples of Sensitive Information
Data loss prevention (DLP) includes 88 sensitive information types that are ready for you to use in your DLP policies. Examples: Personally Identifiable Information (PII), credit card numbers, Social Security numbers, bank account numbers, passport numbers, driver’s license numbers.

12 Match Accuracy
For example, the sensitive information type named Credit Card Number is defined by two patterns. A pattern with 65% confidence that requires: a number in the format of a credit card number; a number that passes the checksum. A pattern with 85% confidence that requires: a keyword or an expiration date in the right format.
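How a two-tier definition like this can be evaluated, as an added Python sketch (not Microsoft's detection code and not part of the presentation): a number with the card format that passes the Luhn checksum scores 65%, and 85% when a keyword or expiration date appears nearby. The keyword list, the 100-character window, the assumption that the 85% pattern also requires the 65% checks, and the `rule_matches` helper (a minimum instance count at a minimum confidence) are assumptions of this example; all card numbers are constructed test values.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# Assumed corroborating evidence; not the product's real keyword list.
KEYWORDS = re.compile(r"\b(?:credit card|card number|visa|mastercard|amex|cvv|expir\w*)\b", re.I)
EXPIRY = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{2}|20\d{2})\b")
WINDOW = 100  # assumed proximity window, in characters

# Constructed sample inputs.
SAMPLE_INVOICE = "Paid by Visa, card number 4111 1111 1111 1111, exp 09/27."
SAMPLE_EXPORT = "Order ref 5555555555554444 shipped to warehouse 7."
SAMPLE_NOISE = "Tracking id 4111111111111112 delivered."


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return [(digits, confidence)] for numbers passing format and checksum."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue  # right shape, wrong checksum: no match at any confidence
        nearby = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        corroborated = KEYWORDS.search(nearby) or EXPIRY.search(nearby)
        hits.append((digits, 85 if corroborated else 65))
    return hits


def rule_matches(text, min_count, min_confidence):
    """True when enough instances reach the required confidence."""
    strong = [d for d, conf in find_card_numbers(text) if conf >= min_confidence]
    return len(strong) >= min_count


if __name__ == "__main__":
    for sample in (SAMPLE_INVOICE, SAMPLE_EXPORT, SAMPLE_NOISE):
        print(find_card_numbers(sample))
```

Requiring 85% confidence cuts false positives from order numbers and other identifiers that happen to pass the checksum, at the cost of missing bare card numbers in exports with no surrounding text.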

13 DLP Processing in SharePoint 2016
[Diagram: Content Sources, Crawler, Content Processing, Index, Query, User; Policy Definitions, Unified Policy Processing, Tasks]
Typically, search works like this. Back end: you have searchable content. It is crawled: the crawler goes into the content and captures all the information. Content processing analyzes it, applies exclusions, and passes it to the index. Front end: a user makes a query. The query searches the index for the information and responds back to the user. DLP uses the policy definition and looks for information in the index. You need to have the information in the index before you can apply policies to it. If you don’t search a site collection, you can’t apply policies to it. If you are doing daily crawls, you could have a gap of 24 hours before content is indexed.

14 DLP Queries & Policies
DLP Queries: See what and where sensitive information exists. Better understand your risks. Determine what and where is the content that your DLP policies need to protect.
DLP Policies: Conditions that the content must match before the rule is enforced -- for example, look only for content containing Social Security numbers that have been shared with people outside your organization. Actions that you want the rule to take automatically when content matching the conditions is found -- for example, block access to the document and send both the user and compliance officer an email notification.

15 eDiscovery Center To create and run DLP queries, you must set up an eDiscovery Center site collection.

16 Compliance Policy Center
To create DLP Policies, you must set up a Compliance Policy Center site collection.

17 DLP Templates
When you create a DLP query or a DLP policy, you can choose from a list of DLP templates that correspond to common regulatory requirements. Each DLP template identifies specific types of sensitive information – for example, the template named U.S. Personally Identifiable Information (PII) Data identifies content that contains U.S. and U.K. passport numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), or U.S. Social Security Numbers (SSN).

18 DLP Queries Before you create your DLP policies, you might want to see what sensitive information already exists across your site collections. To do this, you create and run DLP queries in the eDiscovery Center. A DLP query works the same as an eDiscovery query. Based on which DLP template you choose, the DLP query is configured to search for specific types of sensitive information. First choose the locations you want to search, and then you can fine tune the query because it supports Keyword Query Language (KQL). In addition, you can narrow down the query by selecting a date range, specific authors, SharePoint property values, or locations. And just like an eDiscovery query, you can preview, export, and download the query results.

19 DLP Queries
A DLP query works the same as an eDiscovery query. Based on which DLP template you choose, the DLP query is configured to search for specific types of sensitive information.

20 DLP Policies
A DLP policy helps you identify, monitor, and automatically protect sensitive information that’s subject to common industry regulations. You choose what types of sensitive information to protect, and what actions to take when content containing such sensitive information is detected. A DLP policy can notify the compliance officer by sending an incident report, notify the user with a policy tip on the site, and optionally block access to the document for everyone but the site owner, content owner, and whoever last modified the document. Finally, the policy tip has an option to override the blocking action, so that people can continue to work with documents if they have a business justification or need to report a false positive.

21 Creating DLP Policies You create and manage DLP policies in the Compliance Policy Center. Creating a DLP policy is a two-step process: first you create the DLP policy, and then you assign the policy to a site collection.

22 Step 1 – Create DLP Policy
When you create a DLP policy, you choose a DLP template that looks for the types of sensitive information that you need to identify, monitor, and automatically protect. When a DLP policy finds content that includes the minimum number of instances of a specific type of sensitive information that you choose – for example, five credit card numbers, or a single social security number – then the DLP policy can automatically protect the sensitive information by taking the following actions:
Sending an incident report to the people you choose (such as your compliance officer) with details of the event. This report includes details about the detected content such as the title, document owner, and what sensitive information was detected. To send incident reports, you need to configure outgoing email settings in Central Administration.
Notifying the user with a policy tip when documents that contain sensitive information are saved or edited. The policy tip explains why that document conflicts with a DLP policy, so that people can take remedial action, such as removing the sensitive information from the document. When the document is in compliance, the policy tip disappears.
Blocking access to the content for everyone except the site owner, document owner, and person who last modified the document. These people can remove the sensitive information from the document or take other remedial action. When the document is in compliance, the original permissions will be automatically restored. It’s important to understand that the policy tip gives people the option to override the blocking action.
Policy tips can thus help educate users about your DLP policies and enforce them without preventing people from doing their work.

23 Step 2 - Assign the DLP Policy
After you create a DLP policy, you need to assign it to one or more site collections, where it can begin to help protect sensitive information in those locations. A single policy can be assigned to many site collections, but each assignment needs to be created one at a time.

24 Policy Tips
You want people in your organization who work with sensitive information to stay compliant with your DLP policies, but you don’t want to block them unnecessarily from getting their work done. This is where policy tips can help. A policy tip is a notification or warning that appears when someone is working with content that conflicts with a DLP policy, for example, content like an Excel workbook that contains personally identifiable information (PII) and that’s saved to a site. You can use policy tips to increase awareness and help educate people about your organization’s policies. Policy tips also give people the option to override the policy, so that they’re not blocked if they have a valid business need or if the policy is detecting a false positive.

25 Viewing or overriding a policy tip
To take action on a document, such as overriding the DLP policy or reporting a false positive, you can select the Open ... menu for the item > View policy tip. The policy tip lists the issues with the content, and you can choose Resolve, and then Override the policy tip or Report a false positive.
Details about how policy tips work: Note that it’s possible for content to match more than one DLP policy, but only the policy tip from the most restrictive, highest-priority policy will be shown. For example, a policy tip from a DLP policy that blocks access to content will be shown over a policy tip from a rule that simply notifies the user. This prevents people from seeing a cascade of policy tips. Also, if the policy tips in the most restrictive policy allow people to override the policy, then overriding this policy also overrides any other policies that the content matched. DLP policies are synced to sites and content is evaluated against them periodically and asynchronously (see the next section), so there may be a short delay between the time you create the DLP policy and the time you begin to see policy tips.

26 How DLP Policies Work
DLP detects sensitive information by using deep content analysis (not just a simple text scan). This deep content analysis uses keyword matches, the evaluation of regular expressions, internal functions, and other methods to detect content that matches your DLP policies. Potentially only a small percentage of your data is considered sensitive. A DLP policy can identify, monitor, and automatically protect just that data. After you create a DLP policy in the Compliance Policy Center, it’s stored as a policy definition in that site. When you assign the policy to different site collections, it starts to evaluate content and enforce actions like sending incident reports, showing policy tips, and blocking access.

27 Policy Evaluation in Sites
Across all of your site collections, documents are constantly changing. They are continually being created, edited, shared, and so on. This means documents can conflict or become compliant with a DLP policy at any time. For example, a person can upload a document that contains no sensitive information to their team site, but later, a different person can edit the same document and add sensitive information to it. For this reason, DLP policies check documents for policy matches frequently in the background. You can think of this as asynchronous policy evaluation.
Here’s how it works. As people add or change documents in their sites, the search engine scans the content, so that you can search for it later. While this is happening, the content’s also scanned for sensitive information. Any sensitive information that’s found is stored securely in the search index, so that only the compliance team can access it, but not typical users. Each DLP policy that you’ve turned on runs in the background (asynchronously), checking search frequently for any content that matches a policy, and applying actions to protect it from inadvertent leaks.
Finally, documents can conflict with a DLP policy, but they can also become compliant with a DLP policy. For example, if a person adds credit card numbers to a document, it might cause a DLP policy to block access to the document automatically. But if the person later removes the sensitive information, the action (in this case, blocking) is automatically undone the next time the document is evaluated against the policy. DLP evaluates any content that can be indexed.
For more information on what file types are crawled by default, see Default crawled file name extensions and parsed file types.
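The index-driven evaluation described on slides 13 and 27, as an added Python model (not SharePoint code and not from the presentation): policy passes read only what the last crawl recorded, so an edit is invisible until the next crawl, and blocking is undone once the indexed content is compliant or the user overrides. The class names, field names, users and timeline are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Doc:
    owner: str
    last_modified_by: str
    readers: set                                          # who can open the document now
    content_counts: dict = field(default_factory=dict)    # what the file holds right now
    indexed_counts: dict = field(default_factory=dict)    # what the last crawl recorded
    saved_readers: Optional[set] = None                   # original permissions while blocked
    overridden: bool = False                              # user chose Override on the policy tip


@dataclass
class Policy:
    info_type: str
    min_count: int


def crawl(doc):
    """Scheduled crawl: copy the current sensitive-type counts into the index."""
    doc.indexed_counts = dict(doc.content_counts)


def evaluate(doc, policy, site_owner):
    """One background policy pass. It sees only what the index holds."""
    conflict = doc.indexed_counts.get(policy.info_type, 0) >= policy.min_count
    if conflict and not doc.overridden:
        if doc.saved_readers is None:
            doc.saved_readers = set(doc.readers)           # remember original permissions
        doc.readers = {site_owner, doc.owner, doc.last_modified_by}
        return "blocked"
    if doc.saved_readers is not None:                      # compliant again, or overridden
        doc.readers, doc.saved_readers = doc.saved_readers, None
        return "restored"
    return "overridden" if conflict else "compliant"


def demo():
    """Constructed timeline: edit, evaluate before the crawl, crawl, evaluate, clean up."""
    policy = Policy("Credit Card Number", min_count=5)
    doc = Doc(owner="alice", last_modified_by="alice", readers={"alice", "bob", "carol"})
    steps = []
    doc.content_counts = {"Credit Card Number": 6}         # bob pastes six card numbers
    doc.last_modified_by = "bob"
    steps.append(evaluate(doc, policy, "siteadmin"))       # not crawled yet: nothing to match
    crawl(doc)
    steps.append(evaluate(doc, policy, "siteadmin"))
    blocked_readers = set(doc.readers)
    doc.content_counts = {}                                # bob removes the numbers
    crawl(doc)
    steps.append(evaluate(doc, policy, "siteadmin"))
    return steps, blocked_readers, doc.readers


if __name__ == "__main__":
    print(demo())
```

The first pass in `demo()` returns "compliant" even though the document already holds six card numbers, which is the exposure window a daily crawl schedule leaves open.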

28 View DLP Events in the Usage Logs
You can view DLP policy activity in the usage logs on the server running SharePoint Server 2016. For example, you can view the text entered by users when they override a policy tip or report a false positive. First you need to turn on the option in Central Administration (Monitoring > Configure usage and health data collection > Simple Log Event Usage Data_SPUnifiedAuditEntry). For more information about usage logging, see Configure usage and health data collection.

29 Limitations
Cannot Create Custom Rules. 1 Policy Center Per Web Application. No “Clean” PowerShell Cmdlets for Automation. One-to-one Site Collection & Policy Mappings. Hybrid Does not Work That Well… System actions (blocking, flagging, etc.) work by timer jobs; Office 365 cannot access On-Premises timer jobs. Cannot Edit Emails That Are Sent To End User.

30 DLP Reminders
Start the search service and define a crawl schedule for your content. Turn on outgoing email. To view user overrides and other DLP events, turn on the usage report. For DLP queries, create the eDiscovery Center site collection. For DLP policies, create the Compliance Policy Center site collection. Create a security group for your compliance team, and add the security group to the Owners group in the eDiscovery Center or Compliance Policy Center. To run DLP queries, view permissions are required for all content that the query will search – for more information

31 Questions?

33 DLP in Office 365 Create and manage DLP policies on the Data loss prevention page in the Office 365 Security & Compliance Center.

34 Location in Exchange Online, SharePoint Online, or OneDrive for Business. You can easily choose to protect all sites or mailboxes, or just specific ones.

35 Rules Rules are what enforce your business requirements on the information stored by your organization. A policy contains one or more rules, and each rule consists of conditions and actions. For each rule, when the conditions are met, the actions are taken automatically. Rules are executed sequentially, starting with the highest-priority rule in each policy. A rule also provides options to notify users and admins that content has matched the rule.

36 Conditions
Conditions are important because they determine what types of information you’re looking for, and when to take an action. Conditions focus on the content, such as what types of sensitive information you’re looking for, and also on the context, such as who the document is shared with. You can use conditions to assign different actions to different risk levels.

37 Types of sensitive information
A DLP policy can help protect sensitive information, which is defined as a sensitive information type. Office 365 includes definitions for many common sensitive information types across many different regions that are ready for you to use, such as a credit card number, bank account numbers, national ID numbers, and passport numbers.

38 Actions When content matches a condition in a rule, you can apply actions to automatically protect the document or content.

39 Restrict Access
Restrict access to the content: for site content, this means that permissions for the document are restricted for everyone except the primary site collection administrator, document owner, and person who last modified the document. These people can remove the sensitive information from the document or take other remedial action. When the document is in compliance, the original permissions will be automatically restored. When access to a document is blocked, the document appears with a special policy tip icon in the library on the site.

40 User notifications and user overrides
You can use notifications and overrides to educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification.

41 Policy Tips
In addition to sending an email notification, a user notification displays a policy tip: in Outlook 2013 and later and Outlook on the web; for the document on a SharePoint Online or OneDrive for Business site; in Excel 2016, PowerPoint 2016, and Word 2016, when the document is stored on a site included in a DLP policy.
