Driving Behavioral Change for Information Management through Data-Driven Gree...
Intro to Data Loss Prevention in SharePoint 2016
1. Intro to Data Loss Prevention
In SharePoint 2016
By Craig Jahnke
Strategic Advisor
March 30, 2017
2. Agenda
• What is Data Loss Prevention
(DLP) ?
• Sensitive Data
• DLP in SharePoint 2016
• DLP Queries & Policies
• Limitations
• Reminders
• Questions
3. What is Data Loss Prevention (DLP)?
• Data loss prevention (DLP) is a strategy for
making sure that end users do not send
sensitive or critical information outside the
corporate network.
• DLP Software products help a network
administrator control what data end users can
transfer so that users cannot accidentally or
maliciously share data that could put the
organization at risk.
4. Types of Data in Regards to DLP
• In Use
• In Motion
• Exchange Online
• At Rest
• SharePoint On-Premises
5. Data Loss Prevention In SharePoint 2016
• With a data loss prevention (DLP) policy in
SharePoint Server 2016, you can identify,
monitor, and automatically protect sensitive
information across your site collections.
• Search for sensitive content in your existing
eDiscovery Center enabling real time searching
while keeping content in place.
• Searches across SharePoint 2016, One Drive for
Business and SharePoint Online.
6. Examples of Sensitive Information
Data loss prevention (DLP) includes 80 sensitive information types that are ready
for you to use in your DLP policies.
• Personal Identifiable Information (PII)
• Credit Card Numbers
• Social Security Numbers
• Bank Account Numbers
• Passport Numbers
• Driver’s License Numbers
• https://technet.microsoft.com/en-us/library/jj150541(v=exchg.160).aspx
7. DLP Processing in SharePoint 2016
Content
Sources UserCrawler Content Processing Index
Policy Definitions Unified Policy Processing Tasks
Query
8. DLP Queries & Policies
• DLP Queries
• See what and where sensitive information exists.
• Better understand your risks,
• Determine what and where is the content that your DLP policies need to protect
• DLP Policies
• Conditions that the content must match before the rule is enforced -- for example,
look only for content containing Social Security numbers that have been shared with
people outside your organization.
• Actions that you want the rule to take automatically when content matching the
conditions is found -- for example, block access to the document and send both the
user and compliance officer an email notification.
10. Compliance Policy Center
To create DLP Policies, you must set up a Compliance Policy Center
site collection.
11. DLP Templates
• When you create a DLP query or a
DLP policy, you can choose from a
list of DLP templates that
correspond to common regulatory
requirements.
• Each DLP template identifies
specific types of sensitive
information
12. DLP Queries
• Before you create your DLP policies, you might want to see what
sensitive information already exists across your site collections. To
do this, you create and run DLP queries in the eDiscovery Center.
13. DLP Queries
• A DLP query works the same as an eDiscovery query.
• Based on which DLP template you choose, the DLP query is
configured to search for specific types of sensitive information.
14. DLP Policies
• A DLP policy helps you identify, monitor, and automatically protect sensitive
information that’s subject to common industry regulations.
• You choose what types of sensitive information to protect, and what actions
to take when content containing such sensitive information is detected.
• A DLP policy can notify the compliance officer by sending an incident
report, notify the user with a policy tip on the site, and optionally block
access to the document for everyone but the site owner, content owner, and
whoever last modified the document.
• Finally, the policy tip has an option to override the blocking action, so that
people can continue to work with documents if they have a business
justification or need to report a false positive.
15. Creating DLP Policies
• You create and manage DLP
policies in the Compliance
Policy Center.
• Creating a DLP policy is a two-
step process: first you create
the DLP policy, and then you
assign the policy to a site
collection.
16. Step 1 – Create DLP Policy
• When you create a DLP policy, you choose a DLP
template that looks for the types of sensitive
information that you need to identify, monitor, and
automatically protect.
• When a DLP policy finds content that includes the
minimum number of instances of a specific type of
sensitive information, it can automatically protect
the sensitive information by taking the following
actions:
• Send an Incident Report
• Notify the user with a policy tip
• Block access to the content
17. Step 2 - Assign the DLP Policy
• After you create a DLP policy, you need to assign it to one or more
site collections, where it can begin to help protect sensitive
information in those locations.
• A single policy can be assigned to many site collections, but each
assignment needs to be created one at a time.
18. Policy Tips
• You want people in your organization who work with sensitive
information to stay compliant with your DLP policies, but you don’t want
to block them unnecessarily from getting their work done.
• A policy tip is a notification or warning that appears when someone is
working with content that conflicts with a DLP policy
• You can use policy tips to increase awareness and help educate people
about your organization’s policies.
• Policy tips also give people the option to override the policy, so that
they’re not blocked if they have a valid business need or if the policy is
detecting a false positive.
19. Viewing or overriding a policy tip
• To take action on a document, such as
overriding the DLP policy or reporting a
false positive, you can select the Open
... menu for the item > View policy tip.
• The policy tip lists the issues with the
content, and you can choose Resolve,
and then Override the policy tip or
Report a false positive.
20. How DLP Policies Work
• DLP detects sensitive information by using deep content analysis.
• This deep content analysis uses keyword matches, the evaluation of regular
expressions, internal functions, and other methods to detect content that
matches your DLP policies.
• Potentially only a small percentage of your data is considered sensitive. A DLP
policy can identify, monitor, and automatically protect just that data..
• After you create a DLP policy in the Compliance Policy Center, it’s stored as a
policy definition in that site.
• Assign the policy to different site collections, it starts to evaluate content
and enforce actions like sending incident reports, showing policy tips, and
blocking access.
21. Policy Evaluation in Sites
• Across all of your site collections, documents are
constantly changing.
• They are continually being created, edited,
shared, and so on.
• This means documents can conflict or become
compliant with a DLP policy at any time.
• DLP policies check documents for policy matches
frequently in the background.
• You can think of this as asynchronous policy
evaluation.
22. View DLP Events in the Usage Logs
• You can view DLP policy activity in the usage logs
on the server running SharePoint Server 2016.
• Example - view the text entered by users when
they override a policy tip or report a false positive.
• Turn on the option in Central Administration
(Monitoring > Configure usage and health data
collection > Simple Log Event Usage
Data_SPUnifiedAuditEntry).
• For more information about usage logging, see
Configure usage and health data collection.
23. Limitation
• Cannot Create Custom Rules
• 1 Policy Center Per Web Applications
• No “Clean” PowerShell CMDLETS for Automation
• One-to-one Site Collections & Policy Mappings
• Hybrid Does not Work That Well…
• Systems actions – Blocking, flagging, etc. works by timer jobs
• Office 365 cannot access On-Premises timer jobs
• Cannot Edit Emails That Are Sent To End User
24. DLP Reminders
• Start the search service and define a crawl schedule for your content.
• Turn on out-going email.
• To view user overrides and other DLP events, turn on the usage report.
• For DLP queries, create the eDiscovery Center site collection.
• For DLP policies, create the Compliance Policy Center site collection.
• Create a security group for your compliance team, and add security group
to the Owners group in the eDiscovery Center or Compliance Policy Center.
• To run DLP queries, view permissions are required for all content that the
query will search – for more information
27. Wait there is more…
• Data Theft
• Bad actors
• SharePoint 2016 – monitors but can’t stop
• Office 365 can stop
28. Data Theft
• Data theft is a term used to describe when information is illegally
copied or taken from a business or other individual. Commonly,
this information is user information such as passwords, social
security numbers, credit card information, other personal
information, or other confidential corporate information.
Typically Search works like this
Backend
You have searchable content
It is crawled – goes in the content and capture all the information
Content processing will analyze and apply exclusion and pass to index
Front End
A user makes a query
The query searches the index for the information and responds back to the user
DLP creates uses the Policy Definition
Looks for information in the index.
You need to have the information in the index before you can apply policies to it
*** If you don’t search a site collection you can’’ apply policies to it.
If you are doing daily crawls, you could have a gap of 24 hours before it is indexed.
When you create a DLP query or a DLP policy, you can choose from a list of DLP templates that correspond to common regulatory requirements. Each DLP template identifies specific types of sensitive information – for example, the template named U.S. Personally Identifiable Information (PII) Data identifies content that contains U.S. and U.K. passport numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), or U.S. Social Security Numbers (SSN).
A DLP query works the same as an eDiscovery query. Based on which DLP template you choose, the DLP query is configured to search for specific types of sensitive information. First choose the locations you want to search, and then you can fine tune the query because it supports Keyword Query Language (KQL). In addition, you can narrow down the query by selecting a date range, specific authors, SharePoint property values, or locations. And just like an eDiscovery query, you can preview, export, and download the query results.
A DLP query works the same as an eDiscovery query.
Based on which DLP template you choose, the DLP query is configured to search for specific types of sensitive information.
First choose the locations you want to search, and then you can fine tune the query because it supports Keyword Query Language (KQL).
In addition, you can narrow down the query by selecting a date range, specific authors, SharePoint property values, or locations.
And just like an eDiscovery query, you can preview, export, and download the query results.
A DLP policy helps you identify, monitor, and automatically protect sensitive information that’s subject to common industry regulations.
You choose what types of sensitive information to protect, and what actions to take when content containing such sensitive information is detected.
A DLP policy can notify the compliance officer by sending an incident report, notify the user with a policy tip on the site, and optionally block access to the document for everyone but the site owner, content owner, and whoever last modified the document.
Finally, the policy tip has an option to override the blocking action, so that people can continue to work with documents if they have a business justification or need to report a false positive.
When a DLP policy finds content that includes the minimum number of instances of a specific type of sensitive information that you choose – for example, five credit card numbers, or a single social security number – then the DLP policy can automatically protect the sensitive information by taking the following actions:
Sending an incident report to the people you choose (such as your compliance officer) with details of the event. This report includes details about the detected content such as the title, document owner, and what sensitive information was detected. To send incident reports, you need to configure outgoing e-mail settings in Central Administration.
Notifying the user with a policy tip when documents that contain sensitive information are saved or edited. The policy tip explains why that document conflicts with a DLP policy, so that people can take remedial action, such as removing the sensitive information from the document. When the document is in compliance, the policy tip disappears.
Blocking access to the content for everyone except the site owner, document owner, and person who last modified the document. These people can remove the sensitive information from the document or take other remedial action. When the document is in compliance, the original permissions will be automatically restored. It’s important to understand that the policy tip gives people the option to override the blocking action. Policy tips can thus help educate users about your DLP policies and enforce them without preventing people from doing their work.
You want people in your organization who work with sensitive information to stay compliant with your DLP policies, but you don’t want to block them unnecessarily from getting their work done. This is where policy tips can help.
A policy tip is a notification or warning that appears when someone is working with content that conflicts with a DLP policy — for example, content like an Excel workbook that contains personally identifiable information (PII) and that’s saved to a site.
You can use policy tips to increase awareness and help educate people about your organization’s policies.
Policy tips also give people the option to override the policy, so that they’re not blocked if they have a valid business need or if the policy is detecting a false positive.
Details about how policy tips work
Note that it’s possible for content to match more than one DLP policy, but only the policy tip from the most restrictive, highest-priority policy will be shown. For example, a policy tip from a DLP policy that blocks access to content will be shown over a policy tip from a rule that simply notifies the user. This prevents people from seeing a cascade of policy tips. Also, if the policy tips in the most restrictive policy allow people to override the policy, then overriding this policy also overrides any other policies that the content matched.
DLP policies are synced to sites and contented is evaluated against them periodically and asynchronously (see the next section), so there may be a short delay between the time you create the DLP policy and the time you begin to see policy tips.
DLP detects sensitive information by using deep content analysis (not just a simple text scan).
Across all of your site collections, documents are constantly changing — they’re continually being created, edited, shared, and so on. This means documents can conflict or become compliant with a DLP policy at any time. For example, a person can upload a document that contains no sensitive information to their team site, but later, a different person can edit the same document and add sensitive information to it.
For this reason, DLP policies check documents for policy matches frequently in the background. You can think of this as asynchronous policy evaluation.
Here’s how it works. As people add or change documents in their sites, the search engine scans the content, so that you can search for it later. While this is happening, the content’s also scanned for sensitive information. Any sensitive information that’s found is stored securely in the search index, so that only the compliance team can access it, but not typical users. Each DLP policy that you’ve turned on runs in the background (asynchronously), checking search frequently for any content that matches a policy, and applying actions to protect it from inadvertent leaks.
Finally, documents can conflict with a DLP policy, but they can also become compliant with a DLP policy. For example, if a person adds credit card numbers to a document, it might cause a DLP policy to block access to the document automatically. But if the person later removes the sensitive information, the action (in this case, blocking) is automatically undone the next time the document is evaluated against the policy.
DLP evaluates any content that can be indexed. For more information on what file types are crawled by default, see Default crawled file name extensions and parsed file types.
You can view DLP policy activity in the usage logs on the server running SharePoint Server 2016. For example, you can view the text entered by users when they override a policy tip or report a false positive.
First you need to turn on the option in Central Administration (Monitoring > Configure usage and health data collection > Simple Log Event Usage Data_SPUnifiedAuditEntry). For more information about usage logging, see Configure usage and health data collection.