The many ways to prevent data leakage in Microsoft 365

Back to Blog
17Dec2019

The many ways to prevent data leakage in Microsoft 365

Office 365 Data Loss Prevention (DLP), Windows Information Protection (aka Endpoint DLP), Conditional Access App Enforced Restrictions, Conditional Access App Control with Microsoft Cloud App security, Sensitivity labels, Retention labels–are you thoroughly confused yet?

All of the above can help you to prevent the leakage of sensitive data under certain circumstances. But how do you know what to use and when?

Good question, reader. Let’s tackle that now.

I created the below “Cheat sheet” to go along with this post (TL;DR version).

Office 365 DLP (Sensitive info types and Retention labels)

This option specifically targets data that resides within Office 365. As of today, DLP rules can be written to trigger an action based on exactly two things:

  1. Sensitive information types
  2. Retention labels

The actions you can define based on the above conditions include:

  • Filing an incident report
  • Notifying / warning the end user
  • Automatically encrypting the message (Exchange Online only)
  • Block the message / sharing attempt

Even when you pick the most restrictive option (block external sharing), it is not hard to figure out your way around DLP policies. Downloading a copy of the data locally and sending it out on the hush over email (corporate or personal, depending) is one example. So it is certainly not a comprehensive solution on its own, and would need to be combined with other options for better coverage.

However, in some cases this is all that is required–just a little fencing to remind the user population at large about corporate policies around the sharing of certain sensitive information.

Windows Information Protection (aka Endpoint DLP)

Windows Information Protection (WIP) will take over when the file is transferred from its origin in the cloud, to a local Windows device. And note: you can accomplish similar results for iOS and Android devices using MAM policies. These “App Protection Policies” can be targeted against managed and unmanaged devices alike.

While Office 365 DLP will place a “fence” around content stored in the Online services, WIP places a fence on the endpoint, that runs around the corporate apps and network data locations (which you define in a policy). Therefore, Windows will only allow corporate data to be saved or transferred to other approved corporate apps, sites and locations that live inside the fence. Personal and non-approved apps that are outside the fence cannot save or receive copies of corporate data.

See this article for more details. The other major benefit to using app protection (on any platform) is that you can wipe corporate data on the endpoint, effectively removing access to corporate info (e.g. loss, theft, departure), and without harming any personal data or apps on the device.

Policies for WIP and MAM are found under Microsoft Endpoint Manager > Apps > App protection policies.

Again, this takes us further than Office 365 DLP alone, but it still isn’t a perfect solution. It doesn’t cover Mac or other *nix platforms, for instance. And a savvy user might still be able to figure out their way around it. For instance, downloading content to a personal location via a non-enlightened browser.

Conditional Access: App enforced restrictions

Office 365 Exchange Online and Office 365 SharePoint Online (and by extension OneDrive, Teams, etc.) support limited, web-only access for unmanaged devices. That means that attachments or files stored in Office 365 cannot be downloaded to a non-corporate device.

You can build this under Conditional Access, using a Session control (rather than a Grant/Block Access control).

While it is possible to enable this policy whole-sale across the board in PowerShell, we can also now target it more precisely on a per-site basis. Therefore you can protect only your most sensitive locations with this kind of policy. More on that later.

While this doesn’t necessarily help contain the data once it is downloaded on a managed device, it does cut out the possibility that data could be downloaded, even accidentally, to an unmanaged device–so that really limits exposure (e.g. managed devices can be wiped remotely, unmanaged cannot).

Optionally, using Conditional access you could also enforce a policy that would block unmanaged devices and unsupported platforms entirely–further limiting exposure outside of corporate contexts.

Sensitivity labels

Let’s be honest–data is much too slippery nowadays to assume it will always remain within our corporate boundaries. The container-based methodology belongs to a legacy security model, similar to the firewall– it’s just another form of “perimeter.” Now our perimeter is everywhere a user comes in contact with our data–which is a much larger surface area than we’ve had to deal with in the past.

None of the previous methods I mentioned can enforce strong identity-based encryption on the file itself, whether it lives inside or outside of corporate boundary lines. Data is encrypted at rest in Office 365. Data protected by Windows Information Protection is encrypted at rest on the endpoint. But what happens once that data travels to another (non-corporate) location?

Enter Sensitivity labels (and its predecessor, Azure Information Protection). If a label is enabled for encryption, then it is capable of stamping corporate data with a tattoo that travels with the file–wherever it roams. Sent by email? Encrypted. Copied to external media? Encrypted. Shared over a chat or social media? You get the idea.

Sensitivity labels are therefore the strongest form of protection Microsoft 365 offers currently. The problem is, they also screw up the best collaboration features in Microsoft 365: Co-authoring, Delve, Search, etc. So very few customers like to implement this when they are used to having richer collaboration features available.

NOTE: Actually, this is changing right now–it’s still not perfect, but there is a public preview you can opt into that enables Sensitivity labels for SharePoint and OneDrive. At the same time, there is another preview that enables labeling of Office 365 Groups (e.g. Teams)–more on this coming soon.

MCAS and Conditonal Access App Control

Microsoft Cloud App Security is probably my favorite security app in Microsoft 365. Included with E5 plans or available as an add-on to others. MCAS might just be able to help you get the best of all worlds. And it works with many popular third-party apps, too.

There are several problems with implementing stuff like Conditional Access on a global scale. Sure, you can turn on a policy that blocks download on unmanaged devices, but the reason you would want to do that is probably only because of a small portion of your overall data, so why make life harder everywhere else?

Using Conditional Access App Control via MCAS, it is possible to create policies that monitor for specific parameters, and you can get pretty granular using custom expressions and other options.

Maybe you have certain keywords or project names that are private in nature, or even certain file extensions that you care about protecting more than others in specific cloud locations.

Consider this scenario: document encryption (e.g. applied via a label) will tend ruin some of the collaboration and productivity experience in Microsoft 365, so why not only require the file to be stamped upon download? This could be a better solution than having the content labeled in the cloud (at least until they finish working out the kinks in the current preview).

Note: This is technically applying AIP labels, and not the newer UL “Sensitivity labels” you find via the Security & Compliance center–but they have the same effect.

In this example, people are encouraged to collaborate and work with the files in the Office apps online, but they also still have the option of downloading them–at which point a label would be applied.

You can see that this is the only solution that will allow you to apply DLP to third-party apps, so that makes it an easy choice if you have that requirement but want to integrate it with some of the security goodness in Microsoft 365 like Conditional Access and classification labels.

Even outside of third-party app support, it’s value is in the degrees of customization it offers, and the granular control over policies (alert only, take a governance action like block download or apply classification, etc.)

In Summary

As you can see, we have many, many options. Hopefully this provides a good overview of “what’s possible” and why you might want to combine more than one technology from the Microsoft 365 suite in your own Data Loss Prevention strategy.

Thanks for reading. Leave questions or comments below (or email me).

Productivity, Technical , , , , , , 5 Comments
Share:

Comments (5)

  • Nigel Frank Reply

    Thanks for clarrifying and the easy explanation. Are you ging to do a write up about MCAS and some best practises on that subject?

    December 17, 2019 at 2:14 pm
    • Alex Reply

      Not sure if there are best practices, but certainly some “gotcha’s” to be aware of. Good idea for some content. Adding to list.

      December 19, 2019 at 4:00 am
  • Ra Reply

    Hi Alex,

    Is this cheat sheet with all the changes still applicable? TY!

    April 26, 2022 at 11:11 am
    • Alex Fields Reply

      While this is still pretty much accurate, it is probably due for an update, since we do have a couple additional options to choose from now such as Endpoint DLP (E5 subscriptions only), and (coming very soon) MAM for Edge on Windows. The others are still available, and Sensitivity Labels have improved so we have more features supported such as co-authoring (you have to opt into it but still–getting better all the time). But yeah, it’s a good idea for me to do an updated post about this. The universe continues to expand…

      April 26, 2022 at 4:00 pm
      • Ra Reply

        TY Alex, I’m a fan of your work and contributions to the community! :)

        April 27, 2022 at 6:02 pm

Leave a Reply

Back to Blog

Related Posts

13Aug

Teams, SharePoint and OneDrive best practices? Part 2: Access control and notifications

In part 1 of this series we discussed how there is really no such thing as "best practices" on a rich and flexible collaboration platform like Office 365, which includes many applications--Teams, SharePoint and OneDrive to name just a few. However, you can certainly end... read more
27Dec

How to use DLP to automatically file HIPAA incident reports in Microsoft 365

I have previously written about Data Loss Prevention (DLP) on this site, and today I am going to demonstrate another important use of this technology in helping to meet certain compliance requirements for HIPAA.* You can also apply this process to other sensitive information types,... read more
13Oct

Top Mobility-Enabling Security Features in Office 365

At this point, even the staunchest conservatives among us have to admit that we live in a post-perimeter world. In recent years there have been even more developments and trends chipping away at our traditional conceptions of so-called perimeter-based security. Cloud and mobility means two things: Users... read more
03Dec

How to require MFA for Azure AD Join, and enable Enterprise State Roaming

Hey folks! We have already covered a few posts on Azure AD Premium and Conditional access; and that's great--because you do things like enforce requirements like Multi-factor Auth, but only in situations where devices are unmanaged. This provides a way better user experience than enabling MFA... read more
28Jun

Does Microsoft backup my data in Office 365? Do I need more or additional backup?

A new reader question came in, and frankly it's one that I hear a lot. I'm sure I have smatterings referring to this issue in other articles, but this one should stand to clear up the questions once and for all--this will be something I... read more
14Sep

How to Setup and Configure Azure Backup for File, Folder and System State Protection

Until very recently, the Azure Backup agent only supported file and folder backup from an on-premises server to the cloud. We now have support for System State protection added to this list, so we will cover how to configure that today. Azure Backup also offers... read more
26May

Migration path from SBS to Office 365 & Windows Server 2016

So many small businesses adopted Microsoft's Windows Small Business Server (SBS) product--now that the product has been discontinued, these organizations tend to need a little more guidance regarding the migration path forward from SBS 2003, 2008 or 2011. Do I still need an On-premises Windows Server? With the option to... read more
15Jul

Microsoft 365 Device Management / Intune best practices checklist

Update: Downloadable, printable copies of the Microsoft 365 Best practices checklists and guides are now available. Thanks for your support! Similar to the checklist for Azure AD which I recently published, this resource is designed to get you up and running quickly with what I consider... read more
02Jul

An overview of the most common Office 365 subscriptions for the SMB

I get asked about this SO frequently, that I decided a post was in order. Update: Also check out my 365 Licensing Guide page. Apparently people don't find it that easy to navigate all the subscriptions which are now available via the Office 365 portal. To... read more
30Mar

Why you need UAC (and how to enable it)

I don't know why it has come to this, but here it is. Here we are. We need to review why it is that you need User Account Control (UAC), and how to go about turning it on. I know! Like, why is this even... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me