Data loss prevention with Microsoft Purview
Scope of Concern
Companies spend huge amounts of money on countering the threats caused by home office and distributed working practices and on ensuring data confidentiality. Microsoft has also identified this market and, in addition to Endpoint Protection in Microsoft 365, offers the comprehensive Purview Compliance Manager, designed to prevent the outflow of confidential data through data loss prevention.
Microsoft Purview
The Microsoft Compliance Center has been around for a while, but it was renamed Microsoft Purview in April 2022. With Purview, Microsoft combines compliance with data governance, primarily to accommodate the new hybrid working world, where connectivity is required all the time, wherever people happen to be. Documents are exchanged flexibly and are no longer transmitted only by email, but also by collaboration tools such as Teams or OneDrive. The result is data that is fragmented and spread across applications and devices. Purview offers a number of approaches to protect and manage data by combining the functions of Azure Purview and Microsoft 365 Compliance.
Purview's scope is broad and includes information protection and governance, data protection, insider risk management, and investigation and response. Information protection and governance includes the dataset management, information protection, data life-cycle management, and data loss prevention tasks. In this article, I take a closer look at data loss prevention. For an overview of the various services in Microsoft Purview, see the Microsoft documentation [1].
Confidential Data at a Glance
The data loss prevention (DLP) module is designed to prevent the leakage of confidential data. In most cases, Exchange administrators are already familiar with DLP. This consolidation in Microsoft Purview also means that DLP has migrated from Exchange Online to the new Compliance Manager and can no longer be found in the current Exchange Administration Center. In the old view, the link is still there, but you will be redirected to Microsoft Purview.
In addition to Exchange, the DLP function also monitors other services. For Microsoft 365, these include Teams, SharePoint, and OneDrive. Also on the table are the Office applications such as Word, Excel, and PowerPoint. In addition to monitoring Windows 10 and Windows 11 endpoints, macOS is covered starting with Catalina 10.15, as well as local shares and local SharePoint instances. To identify the data, Purview goes beyond a simple text review and performs extensive content analysis that includes machine learning algorithms.
Predefined DLP policy templates for the different areas that work with confidential data take into account data protection legislation, personal data, or financial data in various countries. More than 250 predefined confidential data types are available and can be broken down to 38 countries. Custom data types can also be created in Microsoft Purview; the procedure is described in the documentation. You can find an excerpt of the templates provided by Microsoft in Table 1 and a detailed overview of the DLP policy templates online [2].
Table 1
Purview DLP Templates
Templates Integrated in Purview | Description |
---|---|
France: Data Protection Act | Information that is usually covered by data protection law in France, such as the French Carte nationale d'identité (CNI) and the French social security number (INSEE). |
Germany: personally identifiable information (PII data) | Data that is usually considered personal information in Germany, such as driver's license and passport numbers. |
Israel: PII data | Information that is normally considered personal information in Israel, such as ID card information. |
Saudi Arabia: PII data | Personal data in Saudi Arabia, such as information on national IDs. |
UK: Access to Medical Reports Act | Information covered by the Access to Medical Reports Act in the United Kingdom, such as the UK National Health Service number and the UK National Insurance Number (NINO). |
UK: Data Protection Act | Data covered by the Data Protection Act in the UK, such as the UK passport number. |
UK: Online Code of Conduct for personal information | Information covered by the Personal Information Online Code of Practice in the United Kingdom, such as the UK NINO and the UK National Health Service number. |
US: Health Insurance Portability and Accountability Act (HIPAA) | Information that falls under HIPAA in the US, such as the US Social Security Number (SSN) and Drug Enforcement Agency (DEA) number information. |
US: Patriot Act | Data that falls under the Patriot Act in the US, such as credit card number, bank account number, US tax identification number (ITIN), and US SSN. |
US: state social security number confidentiality laws | Information covered by state social security number confidentiality laws, such as the US SSN. |
The DLP Cockpit at a Glance
DLP configuration takes place in the browser in Microsoft Purview. You can access the page from the Microsoft 365 Admin Center or directly from the compliance URL [3]. In Purview, a menu for the various services is on the left and is also where you will find the Data loss prevention section (Figure 1). Go there to complete the configuration. The DLP toolbar at the top comprises the entries:
- Overview: information and resources for DLP
- Policies: existing policies are edited or deleted and new policies are created
- Alerts: notifications originating from DLP actions and detailed information about an event
- Endpoint DLP settings: detailed settings for monitoring content on Windows and Mac devices
- Activities explorer: a history of the activities related to the data
The Policies window shows the existing policies. The name, sequence, date of change, and status are displayed first. The order is important, because the checking of subsequent rules can be disabled as soon as a rule has taken effect. As for the status, it is important to check whether a rule is enabled. Your options for a policy after creating it are Turn it on right away, Keep it off, or Test it out first, and testing can be done with or without policy tips. Testing a policy extensively before going live is useful to avoid having to activate a policy directly during the initial implementation phase.
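The order and status shown in the Policies window can also be reviewed from PowerShell. The following is an added example, not code from the article or from Microsoft; it assumes the property names (Name, Priority, Mode, ParentPolicyName, StopPolicyProcessing) returned by the Security & Compliance PowerShell cmdlets Get-DlpCompliancePolicy and Get-DlpComplianceRule, and it runs on constructed sample objects with hypothetical policy names.

```powershell
# Added example: list DLP policies in evaluation order and flag those not enforced.
# Get-DlpPolicyReview is a hypothetical helper; property names are assumed to match
# the output of Get-DlpCompliancePolicy and Get-DlpComplianceRule.
function Get-DlpPolicyReview {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        [Parameter(Mandatory)] [object[]] $Rules
    )
    # Priority 0 is evaluated first, so an ascending sort gives the processing order.
    foreach ($policy in ($Policies | Sort-Object Priority)) {
        $policyRules = @($Rules | Where-Object { $_.ParentPolicyName -eq $policy.Name })
        # Rules that end the evaluation of everything ordered after them
        $stoppers = @($policyRules | Where-Object { $_.StopPolicyProcessing } |
                      ForEach-Object { $_.Name })
        # Map the Mode value to the choices offered when a policy is created
        $state = switch ($policy.Mode) {
            'Enable'                   { 'On' }
            'TestWithNotifications'    { 'Test (with policy tips)' }
            'TestWithoutNotifications' { 'Test (without policy tips)' }
            'Disable'                  { 'Off' }
            default                    { "Unknown ($($policy.Mode))" }
        }
        [pscustomobject]@{
            Priority        = $policy.Priority
            Policy          = $policy.Name
            State           = $state
            RuleCount       = $policyRules.Count
            StopsLaterRules = $stoppers -join ', '
            # Not enforced, or enforced with nothing to enforce
            NeedsAttention  = ($policy.Mode -ne 'Enable') -or ($policyRules.Count -eq 0)
        }
    }
}

# Constructed sample data (not taken from a real tenant)
$samplePolicies = @(
    [pscustomobject]@{ Name = 'DE PII pilot'; Priority = 1; Mode = 'TestWithNotifications' }
    [pscustomobject]@{ Name = 'US HIPAA';     Priority = 0; Mode = 'Enable' }
    [pscustomobject]@{ Name = 'UK DPA draft'; Priority = 2; Mode = 'Disable' }
)
$sampleRules = @(
    [pscustomobject]@{ Name = 'HIPAA high volume'; ParentPolicyName = 'US HIPAA';     StopPolicyProcessing = $true }
    [pscustomobject]@{ Name = 'HIPAA low volume';  ParentPolicyName = 'US HIPAA';     StopPolicyProcessing = $false }
    [pscustomobject]@{ Name = 'DE PII external';   ParentPolicyName = 'DE PII pilot'; StopPolicyProcessing = $false }
)
Get-DlpPolicyReview -Policies $samplePolicies -Rules $sampleRules | Format-Table -AutoSize

# Against a tenant, after Connect-IPPSSession (ExchangeOnlineManagement module):
# Get-DlpPolicyReview -Policies (Get-DlpCompliancePolicy) -Rules (Get-DlpComplianceRule)
```

Policies that remain in a test or off state, or that have no rules attached, come back with NeedsAttention set to True, which makes forgotten pilots easy to spot before go-live.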