As Office 365 gains more traction among organizations of all sizes, Microsoft refines the collaboration platform's security features to help administrators secure their perimeters. Office 365 now includes a data loss prevention feature that works across multiple services.
Administrators can enlist data loss prevention policies to scan both message text and message attachments for sensitive data, such as social security numbers or credit card numbers. These policies can now extend into Microsoft Office attachments and scan files in SharePoint and OneDrive for Business.
Build the data loss prevention policies
From the Exchange admin center, administrators can choose either to build a single data loss prevention (DLP) policy (Figure 1) in the Office 365 Security and Compliance Center that guards data and messages in SharePoint, OneDrive and Exchange, or to stick with the existing DLP option.
Administrators develop data loss prevention policies from rules. Each rule has a condition and an action. Administrators can apply the policy to specific locations within Office 365.
To create a DLP policy, open the Office 365 Security & Compliance Admin Center, expand the Data loss prevention container and click on the Policy container. Then click on the Create a policy button.
Now choose the information to protect. As is the case in Exchange Server, the Security & Compliance Center in Office 365 contains DLP templates to assist with regulatory compliance. For example, there are templates designed for the financial services industry (Figure 2) as well as templates meant for healthcare providers. Administrators can always create a custom policy to fit organizational needs.
Name the policy
Naming the policy also means adding a description to it. In some cases, Office 365 automatically assigns a policy name, which the administrator can modify if necessary.
Choose the locations to apply the policy. By default, data loss prevention policies extend to all locations within Office 365, but administrators can also specify policy locations. In Figure 3, manual location assignments allow for finer control. Administrators can choose which Office 365 services to apply the policy to and whether to include or exclude specific SharePoint sites or OneDrive accounts. For example, it may be permissible for members of the legal team to transmit sensitive information, but not for a salesperson.
While this wizard does not expose the individual rules that make up a policy, the Advanced Settings option allows the administrator to edit the policy rules and create additional ones.
Hybrid setup considerations
For businesses that use a hybrid Exchange Server deployment -- where some mailboxes reside on Exchange 2016 servers in the on-premises data center while others reside in Office 365 -- DLP policies will only apply to Exchange Online in Office 365. If you create a DLP policy within the Exchange admin center, that policy just applies to Exchange Server. Conversely, a DLP policy created in the Office 365 admin center applies to mailboxes in Exchange Online.
Refine the policy settings
Next, customize the types of sensitive information to protect with DLP policies. Figure 4 shows one policy that detects when a worker sends a message that shares credit card numbers outside of the organization. The administrator can configure the policy to monitor the use of other data types. Data loss prevention policies can also monitor when sensitive information gets shared within the organization.
The wizard allows the administrator to choose an action to take when sensitive information is shared, such as displaying a policy tip, blocking the content from being shared, or sending a report to someone in the organization.
After the configuration process, the wizard will ask whether to enable the policy right away or test it.
The last step in the process is to review your selections and, if everything appears to be correct, click the Create button to generate the data loss prevention policy.
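The same policy can be created from Security & Compliance PowerShell instead of the wizard. The script below is an added example, not part of the original article; the policy name, site URL, admin account and report mailbox are placeholders. It creates the policy in test mode first, mirroring the wizard's enable-or-test choice.

```powershell
# Added example: scripted equivalent of the wizard steps described above.
# Every name, URL and address below is a placeholder (assumption).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policyName = 'Credit card data - external sharing'

# Policy: name, description, locations, and test mode.
# The legal team's site is excluded, as in the article's location example.
$policy = @{
    Name                        = $policyName
    Comment                     = 'Detects credit card numbers shared outside the organization'
    ExchangeLocation            = 'All'   # Exchange Online only, not on-premises mailboxes
    SharePointLocation          = 'All'
    SharePointLocationException = 'https://contoso.example/sites/legal'
    OneDriveLocation            = 'All'
    Mode                        = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

# Rule: condition (credit card number, shared outside the organization)
# plus actions (block, notify the user, send an incident report).
$rule = @{
    Name                                = 'Credit card number shared externally'
    Policy                              = $policyName
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    AccessScope                         = 'NotInOrganization'
    BlockAccess                         = $true
    NotifyUser                          = 'LastModifier'
    GenerateIncidentReport              = 'dlp-reports@contoso.example'
    IncidentReportContent               = 'All'
}
New-DlpComplianceRule @rule

# Review the selections before enforcing anything.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, *Location*
Get-DlpComplianceRule -Policy $policyName | Format-List Name, AccessScope, BlockAccess

# Once the test-mode reports look correct, switch the policy to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```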