Use document fingerprinting to protect Exchange 2013 content

Data loss prevention keeps sensitive business information out of the wrong hands -- inside or outside a company. A great deal of sensitive data is in standardized documents or forms that end users complete and send as attachments. In part three of our series, our Exchange Server 2013 DLP checklist outlines some ways DLP can protect the vital content of completed document forms.

Organizations use document forms for a wide range of purposes -- employee information, patient data for HIPAA compliance, new sales initiatives or product development plans, for example. All of these forms can contain sensitive information and should be subject to data loss prevention (DLP) policies.

Document fingerprinting is an Exchange Server 2013 feature that converts selected document forms into information types subject to DLP policies and transport rules. Once "fingerprinted," DLP can spot those document forms and take action. It can prevent forms from being emailed from one authorized end user to another within the company or from an internal source to an external source.

Consider several potential issues when implementing document fingerprinting, which isn't designed to penetrate document protection like passwords or encryption. Therefore, protected documents aren't suited to fingerprinting. It's acceptable to include images in forms, but you cannot fingerprint forms that only use images. For example, you can insert an image of a new product into a form, but the form must include common text to form the fingerprint.

Finally, DLP must be able to spot the underlying fingerprint, so forms must contain all the text used to create the fingerprint. If an end user deletes any of the text used in the original fingerprint, they will no longer match and DLP won't be able to identify the form and take action. In this same vein, new or changed forms will need to be re-fingerprinted, and policies and transport rules may need to be tweaked accordingly.