Examine data loss prevention for workloads

  • 6 minutes

Microsoft Purview Data Loss Prevention (DLP) helps organizations protect sensitive and confidential data. It detects when users expose, misuse, and mishandle such data. Microsoft Purview DLP addresses the following areas of concern related to data loss prevention:

  • Compliance. Many industries and countries or regions have regulations and laws that require companies to protect sensitive data. DLP can help companies meet these requirements and avoid legal consequences.
  • Reputation. A data breach can severely damage a company's reputation and trust among its customers, employees, and stakeholders. DLP can help companies prevent such incidents and maintain their reputation.
  • Intellectual Property Protection. Companies invest many resources in creating and developing intellectual property like patents, copyrights, and trade secrets. DLP can help protect this valuable information from theft and unauthorized access.
  • Cost Savings. A data breach can be expensive for a company, with costs associated with lost productivity, legal fees, and damage to brand reputation. DLP can help companies avoid these costs and save money.

In Microsoft Purview, data loss prevention is implemented by defining and applying DLP policies. With a DLP policy, you can identify, monitor, and automatically protect sensitive items across:

  • Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive
  • Office applications such as Word, Excel, and PowerPoint
  • Windows 10/11 and macOS (Catalina 10.15 and higher) endpoints
  • Non-Microsoft cloud apps
  • On-premises file shares and on-premises SharePoint

Microsoft Purview DLP enables organizations to create policies that automatically detect and classify sensitive data across their data estate. It doesn't matter the location of the data, whether it's in the cloud, on-premises, or in third-party applications. Organizations can customize the policies to meet specific compliance and regulatory requirements.

Microsoft Purview DLP also provides alerts and notifications to administrators when it detects sensitive data. Doing so enables them to take appropriate action to prevent data loss or misuse. Additionally, Microsoft Purview DLP provides insights and reports that help organizations understand their data landscape, identify risks, and implement appropriate controls to manage those risks.

These DLP tools monitor and control the flow of information within an organization's network. Their goal is to prevent any unauthorized data access, copying, or sharing. They use various techniques like content filtering, data encryption, and user access controls to secure sensitive data.

DLP detects sensitive items by using deep content analysis rather than simple text scans. DLP analyzes content:

  • By primary data matches to keywords.
  • By evaluating regular expressions.
  • By validating internal functions.
  • By secondary data matches that are in proximity to the primary data match.

DLP also uses machine learning algorithms and other methods to detect content that matches your DLP policies.

When DLP takes action on a sensitive item, it can notify you of that action through a configurable alert. Rather than having these alerts pile up in a mailbox for you to sift through, the Microsoft Purview compliance portal makes them available in the DLP Alerts Management Dashboard. This dashboard enables organizations to configure alerts, review them, triage them, and track their resolution.

Protective actions of DLP policies

Organizations use DLP policies to implement Microsoft Purview Data Loss Prevention. DLP policies enable organizations to:

  • Monitor the activities that users take on:
    • Sensitive items at rest
    • Sensitive items in transit
    • Sensitive items in use
  • Take protective actions.

For example, when a user attempts to take a prohibited action, like copying a sensitive item to an unapproved location or sharing medical information in an email, DLP policies can:

  • Show a pop-up policy tip to the user that warns them that they might be trying to share a sensitive item inappropriately.
  • Block the sharing and, through a policy tip, allow the user to override the block and capture the users' justification.
  • Block the sharing without the override option.
  • Lock and move sensitive items at rest to a secure quarantine location.
  • Prevent Teams chat from displaying sensitive information.

DLP lifecycle

A Microsoft Purview DLP implementation typically follows these major phases:

  • Phase 1 - Plan for DLP
  • Phase 2 - Prepare for DLP
  • Phase 3 - Deploy your policies in production

The following sections introduce each of these phases.

Phase 1 - Plan for DLP

DLP monitoring and protection are native to the applications that users use every day. This design helps to protect an organization's sensitive items from risky activities, even if its users are unaccustomed to data loss prevention thinking and practices.

If an organization and its users are new to data loss prevention practices, the adoption of DLP might require a change to its business processes. This scenario usually involves a culture shift for the organization's users. But, with proper planning, testing and tuning, an organization's DLP policies can protect its sensitive items while minimizing any potential business process disruptions.

Planning for data loss prevention should include the following facets:

  • Technology planning for DLP. Keep in mind that DLP as a technology can monitor and protect your data at rest, data in use, and data in motion. There are planning implications for:
    • The different locations.
    • The type of data you want to monitor and protect.
    • The actions you should take when a policy match occurs.
  • Business processes planning for DLP. DLP policies can block prohibited activities, like inappropriate sharing of sensitive information within email. As you plan your DLP policies, you must identify the business processes that touch your sensitive items. The business process owners can help you identify appropriate user behaviors that you should allow and inappropriate user behaviors that you should protect against. You should plan your policies and deploy them in test mode. You should then evaluate their effect through Activity Explorer first, before applying them in more restrictive modes.
  • Organizational culture planning for DLP. A successful DLP implementation is as much dependent on getting your users trained and acclimated to data loss prevention practices as it is on well-planned and fine-tuned policies. Since a DLP implementation heavily involves a company's users, you must plan for training for them too. You can strategically use policy tips to raise awareness with your users before changing the policy enforcement from test mode to more restrictive modes.

Phase 2 - Prepare for DLP

You can apply DLP policies to data at rest, data in use, and data in motion. Data can be in various locations, such as:

  • Exchange Online email
  • SharePoint Online sites
  • OneDrive accounts
  • Teams chat and channel messages
  • Microsoft Cloud App Security
  • Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices
  • On-premises repositories
  • Power BI sites

Each location has different prerequisites. You can bring the sensitive items in locations like Exchange Online under the DLP umbrella. To do so, you must configure a policy that applies just to them. Other locations, such as on-premises file repositories, require a deployment of Microsoft Entra ID Protection scanner. You must prepare your environment, create draft policies, and test them thoroughly before activating any blocking actions.

Note

Azure Active Directory (Azure AD) is now Microsoft Entra ID. Learn more.

Phase 3 - Deploy your policies in production

Deploying DLP policies into an organization's production environment should include the following tasks:

  • Design your policies. An organization should start by defining its control objectives, and how they apply across each respective workload. It should draft a policy that embodies its objectives. It should feel free to start with one workload at a time, or across all workloads - there's no effect yet.
  • Implement policy in test mode. Evaluate the effect of the controls by implementing them with a DLP policy in test mode. An organization can apply the policy to all workloads in test mode. This practice enables it to receive the full breadth of results, but it can start with one workload if it wants to.
  • Monitor outcomes and fine-tune the policy. While in test mode, an organization should monitor the outcomes of the policy and fine-tune it so that it meets the company's control objectives. While fine tuning, the organization should ensure it isn't adversely or inadvertently impacting valid user workflows and productivity. Some of the things to fine-tune might include:
    • Adjusting the locations and people/places that are in or out of scope.
    • Tune the conditions and exceptions that determine if an item, and the user's action with it, matches the policy.
    • The sensitive information definition/s.
    • The actions.
    • The level of restrictions.
    • Add new controls.
    • Add new people.
    • Add new restricted apps.
    • Add new restricted sites.

Note

In the Microsoft Purview compliance portal, the Supervision policies section includes the Stop processing more rules option. This setting doesn't work in test made even when you turn it on. The purpose of this option is to stop processing more rules after finding a match. If a Supervision policy is in test mode, it still triggers notifications and shows the policy hits in the reports. However, it doesn't take any other actions such as stopping further processing of the rules. The intent of test mode is to allow policy administrators to evaluate the effectiveness of their policies without enforcing them. As a result, it doesn't actually stop the processing of rules even if you enable the Stop processing more rules option. Therefore, if you want to test the Stop processing more rules option, you should do it in a non-test policy.

Once the policy meets all the organization's objectives, the organization should turn on the policy. It should then continue to monitor the outcomes of the policy application and fine tune it as needed.

Note

In general, policies take effect about an hour after you turn them on.

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

Contoso is planning to implement Microsoft Purview Data Loss Prevention. It just finished planning its business processes for DLP. It created its policies and deployed them in test mode. What's the next step that it should complete?