Data Loss Prevention in SharePoint: Protect Your Sensitive Information Enterprise SharePoint deployments contain sensitive data, from intellectual property to compliance impacting information (PII, PCI and PHI). Users are not always aware of what data is classified as sensitive and they can unknowingly create information security and compliance issues. Microsoft SharePoint 2016 provides new Data Loss Prevention (DLP) capabilities that allow us to find and protect sensitive information in SharePoint and OneDrive for business. These capabilities alert users to when they are working with sensitive information, and they help you work with users to reduce the risk to your organization and remain compliant with industry regulations. In this session we’ll demonstrate how to deploy and configure DLP in SharePoint 2016 to support your security and compliance objectives. We’ll also look at the DLP capabilities in SharePoint Online within Office 365 and discuss some of the differences in this capability between the premise and online platforms.

1. Data Loss Prevention in SharePoint
Protect Your Sensitive Information
ANTONIO MAIO
PROTIVITI SENIOR MANAGER, SENIOR SHAREPOINT ARCHITECT
MICROSOFT OFFICE SERVER & SERVICES MVP
Email: antonio.maio@protiviti.com
Twitter: @AntonioMaio2
Blog: www.TrustSharePoint.com

2. Who We Are
3,300
professionals
Over 20 countries
in the Americas, Europe, the Middle East
and Asia-Pacific
70+
offices
IT Consulting
► Enterprise Content
Management
Solutions
Protiviti is a global consulting firm that helps companies solve
problems in finance, technology, operations, governance, risk and
internal audit, and has served more than 40 percent of FORTUNE
1000® and FORTUNE Global 500® companies.
Protiviti serve clients through a network of more than 70 locations
in over 20 countries. Protiviti is a wholly owned subsidiary of
Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a
member of the S&P 500 index.

3. Data Loss Prevention in SharePoint
Protect Your Sensitive Information

4. • Security and Compliance Console
• Retention Policies
• Information Rights Management
• Activity Monitoring
• Data Loss Prevention
• External Sharing Controls
• SharePoint Permissions
• SharePoint Audit Reports
• (built in) TLS 1.2 Communication
• (built in) Encrypted Data at Rest
SharePoint/Office 365 Security Capabilities
• Customer Lockbox
• Advanced Security Management
• Azure AD Identity Protection
• Azure AD Conditional Access Policies
• Azure AD Multi-Factor Authentication
• Azure AD Information Protection
• Bring your Own Key (roadmap 2016)
• Office 365 Trust Center

5. Data Loss Prevention (DLP)
Goals
• Protect the business (compliance violations, legal action, sanctions, reputation)
• Identify sensitive information
• Comply with regulations and business standards
DLP is about Finding and Protecting sensitive information
• Personally Identifiable Information (PII)
• Payment Credit Industry Data (PCI, PCI DSS)
• Financial Data
• Health Insurance Data
etc…

6. DLP Policies & Rules
Data Loss Prevention Policy
Locations
• SharePoint Online
• All Sites
• Specific Sites
• OneDrive for Business
• All Sites
• Specific Sites
Rule
Condition
• Sensitive Data Type (Credit Card Number, SSN, SIN, etc.)
• Who Content is Shared With (people inside, people outside)
• Metadata Properties (multiple, built in or custom)
Incident Reports
• Severity Level
• Logged
• Email report
Action
• Send Notification
• Show Policy Tip
• Allow Override
• Block Content
Rule
Condition Incident ReportsAction
Rule…
SharePoint 2016
• Only assign to site
collections
• Need separate
Compliance Center for
each web app
SharePoint 2016
• Only pick sensitive data types (10)
Rules do not
have Events!
SharePoint 2016
• All actions
supported
SharePoint 2016
• No configurable severity
level.

7. Data Loss Prevention in Office 365
Available through…
• Exchange Admin Center
• Security & Compliance Center

8. Data Loss Prevention in SharePoint 2016
Available through…
• Improved eDiscovery Site Collection
• New Compliance Policy Center Site Collection

9. SharePoint 2016
DLP Policies for eDiscovery
eDiscovery Center
• Create & run DLP Queries to identity sensitive data
• Save Queries
• Export Data
• Highly dependent on SharePoint Search Index!

10. SharePoint 2016
DLP Policies for Compliance
Compliance Center
• Create DLP Policies to monitor and enforce protection of
sensitive information
• Provide administrator notification (via email)
• Provide policy tips to users and owners
• Block access to files containing sensitive content
• Assign policies to existing site collections
• Highly dependent on SharePoint Search Index!

11. SharePoint 2016
DLP Prerequisites
• Create a Search Service Application (mandatory)
• Start the search service, Define a crawl schedule, Perform a full crawl
• Must have a healthy search index and crawl
• Configure out-going email (recommended)
• Turn on Usage reports (recommended)
• Create the eDiscovery or Compliance Center site collections (mandatory– both not needed)
• eDiscovery – for DLP Queries to identify where sensitive data exists
• Compliance Policy Center – for DLP Policies to monitor or enforce policies
• Assign permissions to Compliance team through the
Site Collection Members group (recommended)

12. SharePoint 2016
Creating the Compliance Center
• Create a new Site Collection
• Site Template - Select the Enterprise tab
• Select Compliance Policy Center template
• Only One Compliance Center Site Collection per Web Application
• Compliance Center cannot cross Web Application boundary
(eDiscovery Center can query across Web Applications)

13. SharePoint 2016
Create DLP Policies
• Create DLP Policies using Policy Templates
• 10 policy templates available
• Looking for 10 sensitive data types
• U.S. / U.K. Passport Number
• U.S. Individual Taxpayer Identification Number (ITIN)
• U.S. Social Security Number (SSN)
• Credit Card Number
• U.S. Bank Account Number
• U.S. Individual Taxpayer Identification Number (ITIN)
• U.S. Social Security Number (SSN)• Credit Card Number
• Credit Card Number
• EU Debit Card Number
• SWIFT Code
• ABA Routing Number
• Credit Card Number
• U.S. Bank Account Number
• U.K. National Insurance Number (NINO)
• U.S. / U.K. Passport Number• SWIFT Code
• U.K. National Insurance Number (NINO)
• U.S. / U.K. Passport Number
• SWIFT Code
• U.S. Social Security Number (SSN)
• Credit Card Number
• U.S. Bank Account Number
• U.S. Driver's License Number
• U.S. Social Security Number (SSN)
• No health related data
• Cannot customize policy templates or data types

14. SharePoint 2016
Create DLP Policies
• Create New Policies
• Provide Name
• Select 1 of 10 templates (no customization)
• Select # of instances of sensitive data
• Email address to send incident reports
• Select to Notify with Policy Tip
• Select to Block Access
• Assign Policies to site collections
(one at time)

15. DEMONSTRATION

16. Avoiding False Positives
Looking for More Than Regular Expressions
Finding Credit Card Numbers
• Format
• Pattern
• Checksum (Luhn Algorithm)
• 191 related keywords
• Confidence Definition
• 85% confident if all found within 300 chars
• 65% confidence if number found & checksum passes
Full Definitions found here:
https://support.office.com/en-ie/article/What-the-sensitive-information-types-in-
SharePoint-Server-2016-look-for-ec9fdbe2-bb77-455f-a2f6-407a4f54fca5

17. Finding US Driver’s License Numbers
• Format – State Dependent
• Pattern
• 16 related abbreviations & 75 keywords
• State name & State Abbreviation
• Confidence Definition
• 75% confident if all found within 300 chars
• 65% confidence if all found (except keywords) within 300 chars
Avoiding False Positives
Looking for More Than Regular Expressions
Full Definitions found here:
https://support.office.com/en-ie/article/What-the-sensitive-information-types-in-
SharePoint-Server-2016-look-for-ec9fdbe2-bb77-455f-a2f6-407a4f54fca5

18. Important Technical Notes
• If its not in the search index DLP policies will not be enforced
• Consider your crawl schedule
• 4 Timer Jobs used to enforce policies
• Policies not enforced on new documents until search crawl and timer jobs complete
• Timeliness of policy enforcement depends on priority of policy template
• Can take up to 24 hours
• Cannot enforce policies on list items – only documents

19. Final Thoughts
• Data Loss Prevention just one critical part of securing
sensitive data
• Identifying sensitive data, monitoring its usage and enforcing policies
• DLP requires regular management of policies – refine to avoid noise of false positives
• Office 365 & SharePoint 2016 DLP is a great start!
• Start learning and testing SharePoint DLP Today
• Critical to have healthy search index
• Test policies in Staging before deploying to Prod

20. Questions & Thank You!
ANTONIO MAIO
PROTIVITI SENIOR MANAGER
MICROSOFT OFFICE 365 & OFFICE SERVICES MVP
Email: antonio.maio@protiviti.com
Twitter: @AntonioMaio2
Blog: www.TrustSharePoint.com