Use document fingerprinting to protect Exchange 2013 content

With document fingerprints, enterprises have a way to protect important content in confidential and completed forms.

Data loss prevention keeps sensitive business information out of the wrong hands -- inside or outside a company. A great deal of sensitive data is in standardized documents or forms that end users complete and send as attachments. In part three of our series, our Exchange Server 2013 DLP checklist outlines some ways DLP can protect the vital content of completed document forms.

Organizations use document forms for a wide range of purposes -- employee information, patient data for HIPAA compliance, new sales initiatives or product development plans, for example. All of these forms can contain sensitive information and should be subject to data loss prevention (DLP) policies.

Document fingerprinting is an Exchange Server 2013 feature that converts selected document forms into information types subject to DLP policies and transport rules. Once a form is "fingerprinted," DLP can spot copies of that form and take action. It can prevent forms from being emailed from one authorized end user to another within the company or from an internal source to an external source.

Consider several potential issues when implementing document fingerprinting. It isn't designed to penetrate document protection like passwords or encryption, so protected documents aren't suited to fingerprinting. It's acceptable to include images in forms, but you cannot fingerprint forms that only use images. For example, you can insert an image of a new product into a form, but the form must include common text to form the fingerprint.

Finally, DLP must be able to spot the underlying fingerprint, so forms must contain all the text used to create the fingerprint. If an end user deletes any of the text used in the original fingerprint, the form will no longer match the fingerprint, and DLP won't be able to identify the form and take action. In this same vein, new or changed forms will need to be re-fingerprinted, and policies and transport rules may need to be tweaked accordingly.
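The fingerprint, classification, transport rule and re-fingerprinting steps described above, as they might be typed into the Exchange Management Shell. This is an added example, not part of the original article; the file paths, the classification name and the rule name are hypothetical placeholders.

```powershell
# Hypothetical paths and names; substitute your own blank form templates.
$templatePath   = 'C:\DLP\Templates\Employee-Info-Form.docx'
$classification = 'Contoso Employee Form'

# 1. Fingerprint the blank form. The file must be readable text:
#    password-protected, encrypted or image-only forms cannot be fingerprinted.
$formBytes   = Get-Content -Path $templatePath -Encoding Byte -ReadCount 0
$fingerprint = New-Fingerprint -FileData $formBytes -Description 'Employee info form v1'

# 2. Turn the fingerprint into a sensitive information type that DLP can match.
New-DataClassification -Name $classification `
    -Fingerprints $fingerprint `
    -Description 'Message contains a completed employee information form.'

# 3. Transport rule: notify the sender when the form is addressed outside
#    the organization.
New-TransportRule -Name 'Notify: employee form sent externally' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = $classification } `
    -NotifySender NotifyOnly `
    -Mode Enforce

# 4. When the form is revised, fingerprint the new version and add it to the
#    existing classification so both the old and the new layout still match.
$revisedBytes       = Get-Content -Path 'C:\DLP\Templates\Employee-Info-Form-v2.docx' -Encoding Byte -ReadCount 0
$revisedFingerprint = New-Fingerprint -FileData $revisedBytes -Description 'Employee info form v2'

$existing = Get-DataClassification -Identity $classification
$all      = [System.Collections.ArrayList]($existing.Fingerprints)
[void]$all.Add($revisedFingerprint[0])
Set-DataClassification -Identity $existing.Identity -Fingerprints $all

# 5. Confirm the classification now carries both fingerprints.
(Get-DataClassification -Identity $classification).Fingerprints |
    Format-List Description
```

After a change like step 4, send a completed copy of each form version through a test mailbox and confirm the rule fires before relying on it.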

Next Steps

This is part three in a series about implementing data loss prevention features in Exchange Server 2013.

Part one covers DLP templates and part two covers transport rules.

Stay tuned for part four, which covers policy tips.

Join the conversation

1 comment

There are numerous proprietary fingerprinting algorithms on the market for DLP. Many don't have a very high resilience to data modifications including: excerpting, inserting, file type conversion, formatting, ASCII -> UNICODE conversion, UNIX-Windows conversion, partial data match, etc., and some do. Therefore, checking out the detection engine is key before deployment. Cited from the GTB Technologies website, "Core Technology of DLP - Protection of the Data (regardless of the device or file)"