Intro to Data Loss Prevention In SharePoint 2016 By Craig Jahnke Strategic Advisor March 30, 2017

Upload: craig-jahnke

Post on 05-Apr-2017


Page 1: Intro to Data Loss Prevention in SharePoint 2016

Intro to Data Loss Prevention in SharePoint 2016

By Craig Jahnke, Strategic Advisor

March 30, 2017

Page 2: Intro to Data Loss Prevention in SharePoint 2016

Agenda

• What is Data Loss Prevention (DLP)?
• Sensitive Data
• DLP in SharePoint 2016
• DLP Queries & Policies
• Limitations
• Reminders
• Questions

Page 3: Intro to Data Loss Prevention in SharePoint 2016

What is Data Loss Prevention (DLP)?

• Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network.
• DLP software products help a network administrator control what data end users can transfer so that users cannot accidentally or maliciously share data that could put the organization at risk.

Page 4: Intro to Data Loss Prevention in SharePoint 2016

Types of Data in Regards to DLP

• In Use
• In Motion
  • Exchange Online
• At Rest
  • SharePoint On-Premises

Page 5: Intro to Data Loss Prevention in SharePoint 2016

Data Loss Prevention In SharePoint 2016

• With a data loss prevention (DLP) policy in SharePoint Server 2016, you can identify, monitor, and automatically protect sensitive information across your site collections.
• Search for sensitive content in your existing eDiscovery Center, enabling real-time searching while keeping content in place.
• Searches across SharePoint 2016, OneDrive for Business and SharePoint Online.

Page 6: Intro to Data Loss Prevention in SharePoint 2016

Examples of Sensitive Information

Data loss prevention (DLP) includes 80 sensitive information types that are ready for you to use in your DLP policies.

• Personally Identifiable Information (PII)
• Credit Card Numbers
• Social Security Numbers
• Bank Account Numbers
• Passport Numbers
• Driver’s License Numbers
• https://technet.microsoft.com/en-us/library/jj150541(v=exchg.160).aspx

Page 7: Intro to Data Loss Prevention in SharePoint 2016

DLP Processing in SharePoint 2016

[Diagram. Labels: Content Sources, User, Crawler, Content Processing, Index, Policy Definitions, Unified Policy Processing Tasks, Query]

Page 8: Intro to Data Loss Prevention in SharePoint 2016

DLP Queries & Policies

• DLP Queries
  • See what sensitive information exists and where.
  • Better understand your risks.
  • Determine what content your DLP policies need to protect and where it is.
• DLP Policies
  • Conditions that the content must match before the rule is enforced -- for example, look only for content containing Social Security numbers that have been shared with people outside your organization.
  • Actions that you want the rule to take automatically when content matching the conditions is found -- for example, block access to the document and send both the user and compliance officer an email notification.

Page 9: Intro to Data Loss Prevention in SharePoint 2016

eDiscovery Center

To create and run DLP queries, you must set up an eDiscovery Center site collection.

Page 10: Intro to Data Loss Prevention in SharePoint 2016

Compliance Policy Center

To create DLP Policies, you must set up a Compliance Policy Center site collection.

Page 11: Intro to Data Loss Prevention in SharePoint 2016

DLP Templates

• When you create a DLP query or a DLP policy, you can choose from a list of DLP templates that correspond to common regulatory requirements.
• Each DLP template identifies specific types of sensitive information.

Page 12: Intro to Data Loss Prevention in SharePoint 2016

DLP Queries

• Before you create your DLP policies, you might want to see what sensitive information already exists across your site collections. To do this, you create and run DLP queries in the eDiscovery Center.

Page 13: Intro to Data Loss Prevention in SharePoint 2016

DLP Queries

• A DLP query works the same as an eDiscovery query.
• Based on which DLP template you choose, the DLP query is configured to search for specific types of sensitive information.

Page 14: Intro to Data Loss Prevention in SharePoint 2016

DLP Policies

• A DLP policy helps you identify, monitor, and automatically protect sensitive information that’s subject to common industry regulations.
• You choose what types of sensitive information to protect, and what actions to take when content containing such sensitive information is detected.
• A DLP policy can notify the compliance officer by sending an incident report, notify the user with a policy tip on the site, and optionally block access to the document for everyone but the site owner, content owner, and whoever last modified the document.
• Finally, the policy tip has an option to override the blocking action, so that people can continue to work with documents if they have a business justification or need to report a false positive.

Page 15: Intro to Data Loss Prevention in SharePoint 2016

Creating DLP Policies

• You create and manage DLP policies in the Compliance Policy Center.
• Creating a DLP policy is a two-step process: first you create the DLP policy, and then you assign the policy to a site collection.

Page 16: Intro to Data Loss Prevention in SharePoint 2016

Step 1 – Create DLP Policy

• When you create a DLP policy, you choose a DLP template that looks for the types of sensitive information that you need to identify, monitor, and automatically protect.
• When a DLP policy finds content that includes the minimum number of instances of a specific type of sensitive information, it can automatically protect the sensitive information by taking the following actions:
  • Send an Incident Report
  • Notify the user with a policy tip
  • Block access to the content

Page 17: Intro to Data Loss Prevention in SharePoint 2016

Step 2 - Assign the DLP Policy

• After you create a DLP policy, you need to assign it to one or more site collections, where it can begin to help protect sensitive information in those locations.
• A single policy can be assigned to many site collections, but each assignment needs to be created one at a time.

Page 18: Intro to Data Loss Prevention in SharePoint 2016

Policy Tips

• You want people in your organization who work with sensitive information to stay compliant with your DLP policies, but you don’t want to block them unnecessarily from getting their work done.
• A policy tip is a notification or warning that appears when someone is working with content that conflicts with a DLP policy.
• You can use policy tips to increase awareness and help educate people about your organization’s policies.
• Policy tips also give people the option to override the policy, so that they’re not blocked if they have a valid business need or if the policy is detecting a false positive.

Page 19: Intro to Data Loss Prevention in SharePoint 2016

Viewing or overriding a policy tip

• To take action on a document, such as overriding the DLP policy or reporting a false positive, you can select the Open ... menu for the item > View policy tip.
• The policy tip lists the issues with the content, and you can choose Resolve, and then Override the policy tip or Report a false positive.

Page 20: Intro to Data Loss Prevention in SharePoint 2016

How DLP Policies Work

• DLP detects sensitive information by using deep content analysis.
• This deep content analysis uses keyword matches, the evaluation of regular expressions, internal functions, and other methods to detect content that matches your DLP policies.
• Potentially only a small percentage of your data is considered sensitive. A DLP policy can identify, monitor, and automatically protect just that data.
• After you create a DLP policy in the Compliance Policy Center, it’s stored as a policy definition in that site.
• When you assign the policy to different site collections, it starts to evaluate content and enforce actions like sending incident reports, showing policy tips, and blocking access.
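The layered detection described on this slide (regular expression, an internal function, keyword matches) combined with the "minimum number of instances" threshold from Step 1 can be sketched as follows. This is an added illustration, not code from the presentation and not SharePoint's own detection logic; the pattern, keyword list, proximity window, threshold and action names are all assumptions.

```python
import re

# Candidate pattern: 16 digits, optionally grouped in fours by spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
# Corroborating keywords (illustrative list, not SharePoint's own).
KEYWORDS = re.compile(r"\b(?:visa|mastercard|card\s*(?:number|no)|expir\w*|cvv)\b", re.I)
WINDOW = 60        # characters searched on each side of a candidate
MIN_INSTANCES = 2  # hypothetical policy threshold

def luhn_ok(digits):
    """Checksum step (the 'internal function'): rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return candidates that pass the checksum and have a keyword nearby."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue                        # pattern matched, checksum failed
        context = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        if KEYWORDS.search(context):
            hits.append(digits)
    return hits

def evaluate(text):
    """Apply the threshold and return the (hypothetical) action names."""
    distinct = set(find_card_numbers(text))
    if len(distinct) >= MIN_INSTANCES:
        return ["incident_report", "policy_tip", "block_access"]
    return []

# Constructed sample document using publicly documented test card numbers.
SAMPLE = (
    "Customer A paid by Visa, card number 4111 1111 1111 1111, expires 09/27.\n"
    "Customer B paid by Mastercard 5555-5555-5555-4444.\n"
    "Typo entry, card number 4111 1111 1111 1112, fails the checksum.\n"
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE), evaluate(SAMPLE))
```

The checksum and keyword steps are what keep false positives down: a 16-digit tracking reference with no nearby keyword, or a mistyped number, is not counted toward the threshold.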

Page 21: Intro to Data Loss Prevention in SharePoint 2016

Policy Evaluation in Sites

• Across all of your site collections, documents are constantly changing.
• They are continually being created, edited, shared, and so on.
• This means documents can conflict or become compliant with a DLP policy at any time.
• DLP policies check documents for policy matches frequently in the background.
• You can think of this as asynchronous policy evaluation.

Page 22: Intro to Data Loss Prevention in SharePoint 2016

View DLP Events in the Usage Logs

• You can view DLP policy activity in the usage logs on the server running SharePoint Server 2016.
• Example - view the text entered by users when they override a policy tip or report a false positive.
• Turn on the option in Central Administration (Monitoring > Configure usage and health data collection > Simple Log Event Usage Data_SPUnifiedAuditEntry).
• For more information about usage logging, see Configure usage and health data collection.

Page 23: Intro to Data Loss Prevention in SharePoint 2016

Limitations

• Cannot Create Custom Rules
• 1 Policy Center Per Web Application
• No “Clean” PowerShell Cmdlets for Automation
• One-to-one Site Collections & Policy Mappings
• Hybrid Does Not Work That Well…
  • System actions (blocking, flagging, etc.) work by timer jobs
  • Office 365 cannot access On-Premises timer jobs
• Cannot Edit Emails That Are Sent To End User

Page 24: Intro to Data Loss Prevention in SharePoint 2016

DLP Reminders

• Start the search service and define a crawl schedule for your content.
• Turn on outgoing email.
• To view user overrides and other DLP events, turn on the usage report.
• For DLP queries, create the eDiscovery Center site collection.
• For DLP policies, create the Compliance Policy Center site collection.
• Create a security group for your compliance team, and add the security group to the Owners group in the eDiscovery Center or Compliance Policy Center.
• To run DLP queries, view permissions are required for all content that the query will search – for more information

Page 25: Intro to Data Loss Prevention in SharePoint 2016

Questions?

Page 26: Intro to Data Loss Prevention in SharePoint 2016

References

• https://technet.microsoft.com/en-us/library/mt346121(v=office.16).aspx
• https://blogs.msdn.microsoft.com/mvpawardprogram/2016/01/13/data-loss-prevention-dlp-in-sharepoint-2016-and-sharepoint-online/
• Vlad Catrinescu - blog at https://absolute-sharepoint.com/

Page 27: Intro to Data Loss Prevention in SharePoint 2016

Wait there is more…

• Data Theft
• Bad actors
• SharePoint 2016 – monitors but can’t stop
• Office 365 can stop

Page 28: Intro to Data Loss Prevention in SharePoint 2016

Data Theft

• Data theft is a term used to describe when information is illegally copied or taken from a business or other individual. Commonly, this information is user information such as passwords, social security numbers, credit card information, other personal information, or other confidential corporate information.

Page 29: Intro to Data Loss Prevention in SharePoint 2016

Bad Actors

• Snowden
• Gov Contractors
• Wikileaks