Office 365: Securing Information with Data Loss Prevention (DLP) Policies

Let’s talk about Office 365 Data Loss Prevention (DLP), a feature I feel is very under-utilized by a lot of organizations. This is a compliance feature designed to help prevent the accidental, or intentional, exposure of sensitive information. It uses a content analysis engine to examine the content of email messages and documents, identify sensitive information, and take action when that information is about to be exposed. In a security-conscious business world, why wouldn’t you want to take every opportunity available to you to protect your information?

Initially available only for Exchange Online, this feature has expanded to also work with documents stored in OneDrive for Business, SharePoint Online, and Teams. The DLP engine can be configured to look for various pre-defined sensitive information types, such as credit card and social security numbers. Once you’ve identified what you want to protect (your conditions), you can use a template or a custom policy to define the action. Actions range from simply logging the event, to warning the user before the event occurs, to blocking the event and alerting a specific person or group when it is attempted.

How is the engine able to pick out this information? By using regular expression pattern matching, in combination with other indicators, such as the proximity of keywords. For example, an American Express credit card number is 15 digits. This could be formatted in various ways, for example with or without dashes or spaces. However, just because it’s a 15-digit number formatted a specific way does not mean it’s necessarily sensitive information. By running a checksum to confirm the digits form a valid card number, and looking for keywords like AMEX or VISA, along with date values and additional number patterns (CCV) in proximity to the text, the content analysis engine decides whether that number is in fact a credit card or not.
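To make those three steps concrete, here is a simplified content-analysis check written for this article; it is an added example, not Microsoft's DLP engine or its sensitive information type definitions. It matches a 15-digit Amex-style pattern with or without separators (Amex numbers begin with 34 or 37), confirms the checksum (the Luhn check that payment card numbers carry), and then looks nearby for corroborating keywords, an expiry date and a CCV; the keyword list and the 300-character proximity window are this example's assumptions.

```python
import re

# Candidate from the page: a 15-digit Amex-style number, with or without spaces or
# dashes between the 4-6-5 groups. Amex numbers begin with 34 or 37.
CANDIDATE = re.compile(r"(?<!\d)3[47]\d{2}[ -]?\d{6}[ -]?\d{5}(?!\d)")
# Corroborating evidence searched for near the number. The keyword list and the
# 300-character window are this example's assumptions, not Microsoft's exact values.
KEYWORDS = re.compile(r"\b(?:amex|american express|visa|credit card|card number)\b", re.I)
EXPIRY = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}(?:\d{2})?\b")
CCV = re.compile(r"\b(?:ccv|cvv|cvc|cid)\W{0,3}\d{3,4}\b", re.I)
WINDOW = 300


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_amex(text: str) -> list:
    """One finding per candidate that passes the checksum; confidence is 'high'
    only when supporting evidence appears within WINDOW characters."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            continue  # fails the checksum: an ordinary number, not a card
        nearby = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        evidence = [name for name, rx in (("keyword", KEYWORDS), ("expiry", EXPIRY),
                                          ("ccv", CCV)) if rx.search(nearby)]
        findings.append({"number": "*" * 11 + digits[-4:],  # never log the full number
                         "confidence": "high" if evidence else "low",
                         "evidence": evidence})
    return findings


# Constructed sample messages. The first two numbers are published Amex test numbers;
# the third is the first with its last digit changed so that the checksum fails.
SAMPLES = {
    "order": "Please charge my AMEX 3782 822463 10005, exp 12/26, CCV 1234 for order 55.",
    "ticket": "Ticket reference 371449635398431 has been closed.",
    "invoice": "Invoice 378282246310006 is overdue; please pay by credit card.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, find_amex(body))
```

The "ticket" message shows why the keyword check matters: the number passes the checksum but has no supporting context, so a policy acting only on high-confidence matches would leave it alone.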

Microsoft has a long list of sensitive information types for you to review to get more examples of how DLP can be used in your organization. This is where I feel this excellent feature becomes overlooked. Maybe you don’t process customer credit cards, so no one would ever be emailing one. But your company directory, which may contain your employees’ home phone numbers and addresses, can be just as sensitive as a credit card number. People who export the directory and share it via unsecured email might not consider that this information is like candy to identity thieves.

Data Loss Prevention requires user accounts to hold an E3 or E5 license. Given that these license types are very common, you may already be paying for this great feature and just need to configure it. We’d be happy to help find where it can fit into your organization and assist with implementation, so you can better secure your employee and customer information! Please contact us at any time.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
