Data Loss Prevention in SharePoint: Protect Your Sensitive Information
Enterprise SharePoint deployments contain sensitive data, from intellectual property to compliance-impacting information (PII, PCI and PHI). Users are not always aware of what data is classified as sensitive, and they can unknowingly create information security and compliance issues. Microsoft SharePoint 2016 provides new Data Loss Prevention (DLP) capabilities that allow us to find and protect sensitive information in SharePoint and OneDrive for Business. These capabilities alert users when they are working with sensitive information, and they help you work with users to reduce the risk to your organization and remain compliant with industry regulations. In this session we'll demonstrate how to deploy and configure DLP in SharePoint 2016 to support your security and compliance objectives. We'll also look at the DLP capabilities in SharePoint Online within Office 365 and discuss some of the differences in this capability between the on-premises and online platforms.
1. Data Loss Prevention in SharePoint
Protect Your Sensitive Information
ANTONIO MAIO
PROTIVITI SENIOR MANAGER, SENIOR SHAREPOINT ARCHITECT
MICROSOFT OFFICE SERVER & SERVICES MVP
Email: antonio.maio@protiviti.com
Twitter: @AntonioMaio2
Blog: www.TrustSharePoint.com
2. Who We Are
3,300 professionals
Over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific
70+ offices
IT Consulting › Enterprise Content Management Solutions
Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies.
Protiviti serves clients through a network of more than 70 locations in over 20 countries. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
4. SharePoint/Office 365 Security Capabilities
• Security and Compliance Console
• Retention Policies
• Information Rights Management
• Activity Monitoring
• Data Loss Prevention
• External Sharing Controls
• SharePoint Permissions
• SharePoint Audit Reports
• (built in) TLS 1.2 Communication
• (built in) Encrypted Data at Rest
• Customer Lockbox
• Advanced Security Management
• Azure AD Identity Protection
• Azure AD Conditional Access Policies
• Azure AD Multi-Factor Authentication
• Azure AD Information Protection
• Bring Your Own Key (roadmap 2016)
• Office 365 Trust Center
5. Data Loss Prevention (DLP)
Goals
• Protect the business (compliance violations, legal action, sanctions, reputation)
• Identify sensitive information
• Comply with regulations and business standards
DLP is about finding and protecting sensitive information:
• Personally Identifiable Information (PII)
• Payment Card Industry Data (PCI, PCI DSS)
• Financial Data
• Health Insurance Data
etc…
6. DLP Policies & Rules
Data Loss Prevention Policy
Locations
• SharePoint Online
• All Sites
• Specific Sites
• OneDrive for Business
• All Sites
• Specific Sites
SharePoint 2016: can only assign to site collections; a separate Compliance Center is needed for each web application.
Rule (a policy contains one or more rules; each rule has a Condition, Incident Reports and an Action)
Condition
• Sensitive Data Type (Credit Card Number, SSN, SIN, etc.)
• Who Content is Shared With (people inside, people outside)
• Metadata Properties (multiple, built in or custom)
SharePoint 2016: can only pick sensitive data types (10). Rules do not have Events!
Incident Reports
• Severity Level
• Logged
• Email report
SharePoint 2016: no configurable severity level.
Action
• Send Notification
• Show Policy Tip
• Allow Override
• Block Content
SharePoint 2016: all actions supported.
7. Data Loss Prevention in Office 365
Available through…
• Exchange Admin Center
• Security & Compliance Center
8. Data Loss Prevention in SharePoint 2016
Available through…
• Improved eDiscovery Site Collection
• New Compliance Policy Center Site Collection
9. SharePoint 2016
DLP Policies for eDiscovery
eDiscovery Center
• Create & run DLP Queries to identify sensitive data
• Save Queries
• Export Data
• Highly dependent on SharePoint Search Index!
10. SharePoint 2016
DLP Policies for Compliance
Compliance Center
• Create DLP Policies to monitor and enforce protection of sensitive information
• Provide administrator notification (via email)
• Provide policy tips to users and owners
• Block access to files containing sensitive content
• Assign policies to existing site collections
• Highly dependent on SharePoint Search Index!
11. SharePoint 2016
DLP Prerequisites
• Create a Search Service Application (mandatory)
• Start the search service, define a crawl schedule, perform a full crawl
• Must have a healthy search index and crawl
• Configure outgoing email (recommended)
• Turn on Usage reports (recommended)
• Create the eDiscovery or Compliance Center site collections (mandatory; both not needed)
• eDiscovery: for DLP Queries to identify where sensitive data exists
• Compliance Policy Center: for DLP Policies to monitor or enforce policies
• Assign permissions to the Compliance team through the Site Collection Members group (recommended)
12. SharePoint 2016
Creating the Compliance Center
• Create a new Site Collection
• Site Template: select the Enterprise tab
• Select the Compliance Policy Center template
• Only one Compliance Center Site Collection per Web Application
• The Compliance Center cannot cross a Web Application boundary (the eDiscovery Center can query across Web Applications)
13. SharePoint 2016
Create DLP Policies
• Create DLP Policies using Policy Templates
• 10 policy templates available
• Looking for 10 sensitive data types (each template covers a subset of these):
• Credit Card Number
• EU Debit Card Number
• U.S. Bank Account Number
• ABA Routing Number
• SWIFT Code
• U.S. Social Security Number (SSN)
• U.S. Individual Taxpayer Identification Number (ITIN)
• U.S. / U.K. Passport Number
• U.K. National Insurance Number (NINO)
• U.S. Driver's License Number
• No health related data
• Cannot customize policy templates or data types
14. SharePoint 2016
Create DLP Policies
• Create New Policies
• Provide Name
• Select 1 of 10 templates (no customization)
• Select # of instances of sensitive data
• Email address to send incident reports
• Select to Notify with Policy Tip
• Select to Block Access
• Assign Policies to site collections (one at a time)
16. Avoiding False Positives
Looking for More Than Regular Expressions
Finding Credit Card Numbers
• Format
• Pattern
• Checksum (Luhn Algorithm)
• 191 related keywords
• Confidence Definition
• 85% confident if all found within 300 chars
• 65% confidence if number found & checksum passes
Full definitions found here:
https://support.office.com/en-ie/article/What-the-sensitive-information-types-in-SharePoint-Server-2016-look-for-ec9fdbe2-bb77-455f-a2f6-407a4f54fca5
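The confidence model above (pattern plus Luhn checksum plus nearby keywords, scored 85% or 65%) and the "# of instances" condition from slide 14, worked through as an added Python example; this is not Microsoft's implementation. The 13 to 19 digit candidate pattern and the short keyword list are assumptions standing in for the real definition's 191 keywords.

```python
import re

# Constructed subset of keywords; the real sensitive information type uses 191 (assumption).
CARD_KEYWORDS = ("credit card", "card number", "visa", "mastercard", "amex", "expiry", "cvv")

# Candidate pattern (assumption): 13 to 19 digits, optionally grouped by single spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right (subtract 9 if the
    result exceeds 9) and require the digit sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str, window: int = 300):
    """Return (matched text, confidence) for every candidate that passes Luhn.
    Confidence follows the slide's definition: 85 when a keyword appears within
    `window` characters of the number, 65 when only number and checksum match."""
    found = []
    lowered = text.lower()
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue  # right shape, wrong checksum: dropped as a likely false positive
        lo, hi = max(0, m.start() - window), m.end() + window
        keyword_near = any(k in lowered[lo:hi] for k in CARD_KEYWORDS)
        found.append((m.group(), 85 if keyword_near else 65))
    return found


def policy_triggered(text: str, min_instances: int = 1, min_confidence: int = 65) -> bool:
    """Mimic a policy condition: at least `min_instances` matches at or above `min_confidence`."""
    hits = [c for _, c in find_card_numbers(text) if c >= min_confidence]
    return len(hits) >= min_instances


if __name__ == "__main__":
    # Constructed sample text using publicly known test card numbers.
    sample = "Customer paid with credit card 4111 1111 1111 1111, expiry 12/27."
    print(find_card_numbers(sample))  # [('4111 1111 1111 1111', 85)]
```

Raising `min_confidence` to 85 is the tuning step the deck recommends for cutting false-positive noise: a Luhn-valid number with no supporting keyword nearby then no longer trips the policy.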
17. Finding US Driver's License Numbers
• Format: state dependent
• Pattern
• 16 related abbreviations & 75 keywords
• State name & state abbreviation
• Confidence Definition
• 75% confident if all found within 300 chars
• 65% confidence if all found (except keywords) within 300 chars
18. Important Technical Notes
• If it's not in the search index, DLP policies will not be enforced
• Consider your crawl schedule
• 4 Timer Jobs used to enforce policies
• Policies are not enforced on new documents until the search crawl and timer jobs complete
• Timeliness of policy enforcement depends on the priority of the policy template
• Can take up to 24 hours
• Cannot enforce policies on list items, only on documents
19. Final Thoughts
• Data Loss Prevention is just one critical part of securing sensitive data
• Identifying sensitive data, monitoring its usage and enforcing policies
• DLP requires regular management of policies: refine them to avoid the noise of false positives
• Office 365 & SharePoint 2016 DLP is a great start!
• Start learning and testing SharePoint DLP today
• Critical to have a healthy search index
• Test policies in Staging before deploying to Prod
20. Questions & Thank You!
ANTONIO MAIO
PROTIVITI SENIOR MANAGER
MICROSOFT OFFICE 365 & OFFICE SERVICES MVP
Email: antonio.maio@protiviti.com
Twitter: @AntonioMaio2
Blog: www.TrustSharePoint.com
Editor's Notes
Looking forward to the evolution. Areas of improvement:
More policy templates
Customizable sensitive data types (Exchange Online has 80 types now, SharePoint Online has 51 types now)
Today policies are based on location (which site collection), conditions (like what sensitive data type is found & number of instances) and actions (like notify, provide tip, block access)
Would like to see event-based policies, i.e. enforce policies when events occur such as uploading a document, editing a document, deleting a document, etc.
Would like to see more actions, like encrypting content with IRM on download
One compliance center for all sites including MySites, across all web applications (the eDiscovery Center can already do this in SharePoint 2016; SharePoint Online and OneDrive for Business can today)
More control over when policies are run, or the ability to say "evaluate all policies now"
Document matching capabilities