A strong data loss prevention (DLP) strategy protects intellectual property, trade secrets, sensitive personal data, and other regulated information from unintended exposure, and a well-run DLP implementation does so without undermining productivity. Microsoft's DLP tooling aims at exactly this for organizations whose data lives in Microsoft 365.
This article should help you understand the finer points of Microsoft DLP and how it can fit into your organization's defensive digital strategy overall.
In this article:
- What is Microsoft DLP?
- Microsoft Purview DLP Features
- Best Practices for Microsoft DLP
What is Microsoft DLP?
Data loss prevention solutions give organizations a consistent, enforceable way to keep sensitive data inside approved channels as the number of places that data can travel keeps growing.
Beyond enforcement, DLP tooling shows how critical data actually moves through an organization's environment and provides the means to control that movement in line with business objectives. Maintaining compliance while preserving a company's competitive advantage is a top priority when implementing DLP.
It can be challenging to truly discover how data makes its way around your company. Clamping down on loose ends without such knowledge can be a chore at best or outright impossible at worst.
Microsoft DLP is the data loss prevention capability built into Microsoft Purview. It is cloud-delivered, with policies defined and managed centrally, and it is a natural choice for organizations already standardized on Microsoft 365 and the wider Microsoft tool set.
Microsoft Purview offers a compliance portal through which you can directly create and configure your own DLP policies to more effectively monitor the ongoing transmission of sensitive data.
Microsoft DLP monitors and controls data across the following Microsoft platforms and services:
- Microsoft 365 apps - Word, Excel, PowerPoint, Outlook
- Microsoft 365 services - Exchange Online, SharePoint Online, OneDrive, Teams
- Windows endpoints - Windows 10 and Windows 11, via Endpoint DLP
- Microsoft Power BI
Coverage also reaches the following platforms outside Microsoft's own ecosystem:
- macOS endpoints - the three most recent macOS releases, via Endpoint DLP
- Non-Microsoft cloud applications - via Microsoft Defender for Cloud Apps
- On-premises file shares - via the Microsoft Purview Information Protection scanner
Microsoft DLP Pricing
As a part of the Microsoft 365 E5 Compliance Suite, Microsoft DLP can be obtained through a monthly subscription to the entire suite. Each subscription must be purchased on a per-user basis.
At the time of this writing, the price for a single user to access Microsoft 365 E5 Compliance Suite is $12 (USD) per month, billed annually.
Below, we'll discuss the features offered by Microsoft DLP as well as a few best practices for proper implementation of this critical security resource within your organization.
Microsoft Purview DLP Features
Many companies get real value from data loss prevention tools, which surface risky data handling within their own ranks without dramatically impacting their ability to get work done. Yet these tools are only as useful as the scope of what they can see and act on.
Microsoft Purview's DLP functionality extends to most points within Microsoft's ecosystem, helping organizations stop sensitive data from being shared or moved in ways policy forbids across a variety of applications and devices. Below, we review a few of Microsoft DLP's core features.
Sensitive Content Detection
With Microsoft DLP, organizations can detect potentially sensitive content as it moves from person to person and system to system.
Detection is driven by sensitive information types (SITs), which Microsoft DLP evaluates behind the scenes using a combination of mechanisms:
- Pattern matching - Each SIT has a primary element: a regular expression, a keyword list, or a built-in function (for example, a validator that checks a candidate card number's checksum). The built-in SITs cover common identifiers, and you can define your own.
- Proximity-based matching - Supporting elements (keywords or additional patterns) found within a configurable character window of the primary match raise the match's confidence level. Policies can require a minimum confidence, which is how a bare 16-digit number is separated from a card number sitting next to an expiry date.
- Machine learning - Trainable classifiers recognize categories of document (contracts, financial reports, and so on) from example content rather than from patterns, and optical character recognition extracts text from images so that the same SITs can be applied to non-textual content.
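The following is an added example, not code from the article or from Microsoft: it defines a custom sensitive information type whose regular-expression match is only reported at high confidence when a supporting keyword appears within a proximity window, then uploads it with Security & Compliance PowerShell. The "Contoso" names, the EMP-nnnnnnn identifier format and the keyword list are illustrative assumptions; the rule-package XML schema and cmdlets are Microsoft's.

```powershell
# Added example (not from the article). Assumes the ExchangeOnlineManagement module
# is installed and the signed-in account can manage Purview compliance settings.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell; prompts for admin sign-in

# Every rule pack, publisher and entity needs its own GUID.
$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()

$rulePack = @"
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso Security</PublisherName>
        <Name>Contoso Employee ID Rule Pack</Name>
        <Description>Custom SIT for internal employee identifiers (illustrative)</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- patternsProximity: supporting evidence must sit within 300 characters of the IdMatch -->
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <!-- High confidence: the identifier plus a nearby contextual keyword -->
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_contoso_employee_id"/>
        <Match idRef="Keyword_contoso_employee"/>
      </Pattern>
      <!-- Low confidence: the identifier alone; policies can choose to ignore this -->
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_contoso_employee_id"/>
      </Pattern>
    </Entity>
    <Regex id="Regex_contoso_employee_id">\bEMP-\d{7}\b</Regex>
    <Keyword id="Keyword_contoso_employee">
      <Group matchStyle="word">
        <Term>employee id</Term>
        <Term>badge number</Term>
        <Term>personnel record</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso Employee ID</Name>
        <Description default="true" langcode="en-us">Detects Contoso employee identifiers (EMP-nnnnnnn) with supporting context.</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# Write the package as UTF-8 without a byte-order mark, then upload it.
$path = Join-Path $env:TEMP "ContosoEmployeeId.xml"
[System.IO.File]::WriteAllText($path, $rulePack, (New-Object System.Text.UTF8Encoding $false))
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($path))

# Confirm the new type is available for use in DLP policy conditions.
Get-DlpSensitiveInformationType -Identity "Contoso Employee ID" |
    Format-List Name, Publisher, RecommendedConfidence
```

The two Pattern elements are the practical point: a DLP rule that requires high confidence will fire on "badge number EMP-0123456" but not on an EMP-prefixed string with no surrounding context, which keeps false positives out of the alert queue without weakening the regex itself.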
Access Management
Carefully controlling access to private internal data is a standard approach to data loss prevention that predates the digital age by a fair margin. Yet, it continues to work even as information finds its way onto personal computers and servers around the world.
Microsoft DLP supports granular access management in various ways, allowing certain data types to be exchanged only by authorized personnel, notifying users of risky data usage, and more.
A useful facet of the access management tooling provided by Microsoft DLP is configurable administrative scoping. This allows individual DLP policies to be assigned to and managed by designated administrative units.
Each administrative unit can have multiple administrators assigned to it, and they work in tandem on the policies they are scoped to. Policy scoping of this kind supports more complex organizational structures and delegation requirements, such as a regional team managing only the policies that apply to its own users.
Policy Implementation Test Modes
Pressing "play" on a newly designed DLP policy within Microsoft Purview can be a nerve-wracking experience if potential issues have yet to be ironed out.
An integrated policy test mode exists for precisely this reason, letting admins assess side effects before a policy starts enforcing. A policy in test mode evaluates content and records matches without blocking anything, and it comes in two variants: test with policy tips, which shows users the notification they would see under enforcement, and test without policy tips, which logs matches silently. Test-mode policies can be applied to any number of workloads at once and tuned while in place.
Test mode lets issues with sensitive information definitions be sorted out as they appear in real traffic rather than guessed at up front.
Restrictions affecting specific users, applications, domains, and more can also be added or removed while the policy is still in test mode without disrupting existing workflows.
Conditioned Policy Design
Policies in Microsoft DLP can be defined and tuned to work on the data types you deem important, regardless of where those data types are accessed or distributed within Microsoft's ecosystem of supported services.
Policies are based on conditions your administrative team specifies. When your conditions are met, certain actions can be taken automatically to mitigate potential data loss risks.
Conditions in Microsoft DLP are flexible enough to accommodate a wide variety of workflows, and a number of predefined defaults are available to implement directly or to use as a starting point in fleshing out custom options. These conditions can center on data types or activities.
Regardless of the types of conditions you define, appropriate actions can be triggered in response to them. Whether you intend to block the transfer of sensitive data to a USB storage device or keep critical intel out of a chat, you can configure your DLP policy to support your objectives automatically.
However, the actions available depend on the workload. For instance, files found on unauthorized on-premises file shares can be quarantined automatically by the scanner, but the same action is not necessarily available on endpoints. Similarly, sensitive information can be blocked automatically in a Teams chat, but not necessarily in a third-party chat application running on a company machine.
Central Policy Management
DLP policies are managed from the Microsoft Purview portal, so policy creation and deployment happen in one central place (the same operations are also available through Security & Compliance PowerShell).
The compliance portal stores the policies you create or modify and replicates them to every workload the policy covers.
This process is relatively quick but not immediate; a policy can take upwards of an hour to propagate fully. Once propagation is complete, content is evaluated in real time, and the configured actions are triggered whenever your predefined conditions are met.
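The following is an added example, not code from the article or from Microsoft, that walks the three preceding sections end to end in Security & Compliance PowerShell: create a policy in test mode, attach a rule with a condition and actions, wait for propagation, then switch to enforcement. The policy and rule names, the SharePoint site URL and the incident-report mailbox are assumptions; "Credit Card Number" is one of the built-in sensitive information types.

```powershell
# Added example (not from the article). Assumes the ExchangeOnlineManagement module
# is installed and the account can manage Purview DLP.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = "Finance - Card Data Leaving the Org"   # illustrative name

# 1. Create the policy in test mode with policy tips. Matches are logged and users
#    see the tip, but nothing is blocked yet, so definitions can be tuned on real traffic.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks outbound card data; piloted in test mode first" `
    -ExchangeLocation All `
    -SharePointLocation "https://contoso.sharepoint.com/sites/Finance" `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Condition plus actions. Requiring two high-confidence matches avoids firing on a
#    single stray 16-digit number; AccessScope restricts the rule to sharing outside
#    the organization, so internal finance traffic is untouched.
New-DlpComplianceRule -Name "$policyName - block external share" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{Name="Credit Card Number"; minCount="2"; confidencelevel="High"}) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This content appears to contain payment card numbers and cannot be shared externally." `
    -GenerateIncidentReport "dlp-alerts@contoso.com" `
    -IncidentReportContent Detections, DocumentAuthor, Service `
    -ReportSeverityLevel High

# 3. Propagation is not instant. Poll the distribution status rather than assuming
#    test-mode results are complete; anything other than Pending means it has settled.
do {
    Start-Sleep -Seconds 60
    $status = (Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail).DistributionStatus
    Write-Host "Distribution status: $status"
} while ($status -eq "Pending")

# 4. After reviewing the logged matches, switch the same policy to enforcement.
#    The rule, conditions and actions stay exactly as tested.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keeping the rule unchanged between steps 1 and 4 is deliberate: the point of test mode is that what you enforce is exactly what you observed, so the only difference at go-live is the Mode value.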
Integrated Reporting
Reporting is essential in security work, and DLP is no exception. Microsoft DLP records each policy match and user action in the Microsoft Purview audit log, from which it feeds Activity explorer and the DLP reports in the portal; the same audit data can be exported to a SIEM for correlation with other telemetry.
Microsoft DLP can also raise alerts when rules match, and these are reviewed in the DLP alerts dashboard within Microsoft Purview (they also surface in the Microsoft Defender portal). Alert policies can send email notifications to administrators as well.
Best Practices for Microsoft DLP
Microsoft DLP provides solid data loss prevention when implemented correctly. Organizations that fumble the implementation, on the other hand, are likely to leak data and almost certain to lose money cleaning up afterwards.
There are many strategies and techniques that can make Microsoft DLP more useful to your team. We discuss a few of them below.
Combine Microsoft DLP with Digital Guardian
Every DLP product has limits, and those of Microsoft DLP can be covered with complementary tooling. Digital Guardian offers functionality that fills the gaps Microsoft DLP leaves in a mixed environment.
Microsoft DLP is designed for services and devices within Microsoft's own ecosystem. Services and devices your team uses that fall outside that umbrella are unlikely to be covered to any significant degree.
Digital Guardian's built-in support for DLP enforcement across a broad range of endpoints, including Linux devices, makes it the appropriate choice for organizations that use several non-Microsoft-based systems to get things done.
Everything from custom reports (at no extra charge) to additional policy actions not available in standard Microsoft DLP implementations comes as part of Digital Guardian's unique DLP offering.
Management of your Digital Guardian implementation is easy as well, allowing for existing policies to be propagated to new systems automatically after installation.
Leverage Sensitive Domain Groupings
Restricting data flow to and from specific domains, whether inside or outside your network, turns into a chore as the list of relevant domains grows over time. Grouping domains by restriction level cuts down the time spent defining these rules.
Endpoint DLP supports this approach through sensitive service domain groups: a rule can apply one action (audit, warn, or block) to uploads to the domains in a group and a different action to domains that belong to no group at all, so adding a new SaaS provider means adding a domain to a group rather than editing every rule.
Avoid Encrypting All Communication
Encrypting every message and document by default is a tempting shortcut to securing communication, but applied indiscriminately it adds stifling friction to otherwise simple tasks: external recipients who cannot open what they were sent, and automated processing that cannot read protected content.
This slows your personnel down and can hurt morale if the situation deteriorates. Instead, leave room in your DLP and labeling policies for specific kinds of data flows to proceed without encryption.
Microsoft Purview lets this distinction be made without human intervention through automatic sensitivity labeling, where only labels for genuinely sensitive categories apply encryption. Users can also be shown a recommended label in real time as they work on a document, so the decision is prompted rather than left to memory.
Businesses of all types use DLP solutions to protect their trade secrets and intellectual property; those that do not are betting that nothing sensitive ever leaves by accident.
Microsoft DLP delivers the functionality companies need to keep critical data from escaping the organization, albeit with limited support for devices and services outside Microsoft's ecosystem.
For more comprehensive data loss prevention coverage that pairs well with Microsoft's own DLP tool set, consider Digital Guardian's enhanced DLP offering.