Data loss prevention (DLP) has been in Exchange for a long time, in the form of rules that ensure employees don’t send out confidential or personal information via email. Over the years, Microsoft has extended DLP to more of Office (although the name for that is Microsoft Information Protection, or MIP), covering Exchange, SharePoint, Teams, OneDrive for Business and Office apps like Word, PowerPoint, Excel and Outlook, as well as third-party applications that incorporate the MIP SDK.
Now it’s integrated into Windows 10 (build 1809 and later) and the new Edge browser (version 85 and later), without needing an additional agent. So the same information protection and conditional access policies that admins write to protect email and documents stored on SharePoint apply to everything users do on Windows, including sending tweets.
“We support over a hundred sensitive information types out of the box with MIP and 40 industry templates, and those are supported out of the box with Endpoint DLP,” Alym Rayani, general manager for Microsoft compliance, told TechRepublic.
If you don’t already have policies set up, the templates cover different regulations, including suggested PII policies for various locations, plus tools to help you create policies based on documents that contain potentially sensitive data.
Endpoint DLP is included in Microsoft 365 E5 and A5 subscriptions (or the compliance or information protection add-ons). You use the new Microsoft 365 compliance center to start managing devices — although you can onboard devices using Group Policy, Microsoft Endpoint Configuration Manager, MDM or a local script. All devices need to be joined to either Azure Active Directory or Hybrid Azure AD.
Remote work means more endpoints
Currently in public preview, Endpoint DLP is expected to be generally available this month (October 2020). That’s fast progress for a new service, but the current situation had customers who were early design partners pushing for a quick launch. “They were saying ‘we want you to hurry up on this one’,” Rayani said.
In a customer survey Microsoft ran in mid-spring, 60% of compliance teams said data leaks were their top concern, due to the pandemic.
“As people have moved to remote work in a massive way, that’s increased the need for many of our customers to re-evaluate their security and risk management practice,” Rayani said. “A recurring theme we’ve heard is ‘I’ve moved quickly to support remote work — sometimes overnight, sometimes within a few weeks — and now I’m going back and re-evaluating security and compliance; I had to sprint so I couldn’t think about all those things, but I’m going back’.”
Customers turned on remote-work features like Teams overnight, Rayani points out, “and now they have to do discovery against that, so they want a compliance solution that fits their new productivity situation.”
It’s not just that the switch to remote work was sudden, but a lot of new endpoints are also in use — many of them older personal devices that weren’t used for work before. “They have a lot of employees that are accessing corporate data on their home computers at times, or they’re sharing and collaborating in new ways,” Rayani said. “Organisations feel this increased risk, and they also feel the need to deploy things rapidly to solve that. Customers told us ‘I want to get started right away. I don’t want to have to go through this process of deploying an agent and managing those agents, I want to be able to have these insights right away’.”
Data loss protection is something both security and compliance teams care about, Rayani noted. “They said, ‘my most desired outcome here in terms of risk mitigation — in the sense of protecting information, but also adhering to standards and regulations — is, I want data protection across my apps, across my services, across my endpoints’.”
That means any policies you’ve created using the labelling and classification system in Microsoft Information Protection for compliance or security, now cover Windows 10 PCs without any extra work. “You have a portal for data loss prevention, and any policies you had already running, you would toggle that button that says ‘Windows devices’ to on, and you inherit all of those policies you’ve already configured across Teams, SharePoint, OneDrive and they just start working on Windows,” Rayani said.
Endpoint DLP offers what Rayani calls ‘context-based policy enforcement’ on data — “understanding what the data is and then taking a particular action based on that data, which could be anything from a warning to the user, all the way through a hard block on moving information.”
Policies can block (with or without the option for the employee to override the block) a range of activities or just track for audit: copying data to the clipboard, to a removable USB drive, or to a network share; printing; uploading to cloud services; and opening data in apps or browsers that aren’t approved. It can also track file creation and renaming for audit, but not block that.
“The idea of allowing the user to override the block is that you trust your employees and you train them on how to care for data,” Rayani explains. “The popups guide them: ‘hey, this is sensitive, do you really want to continue?’, or if the policy is to block ‘here’s why it was blocked’. You want the user to be able to make a decision and not block their productivity, while maintaining security and compliance.”
Endpoint DLP uses MIME types rather than file extensions (which can be changed), and the preview watches Word, PowerPoint, Excel, CSV, TSV and PDF files, plus C, Java and related files: user actions in TXT and source code files are also evaluated against policy.
More options in Edge
Organisations that have adopted the new Edge browser can also choose a more granular level of control than just blocking, Rayani says. “If you’re using another browser, sensitive information will not flow through that third-party browser, but with Edge, because we’ve integrated it natively, you can understand which website I’m going to. If I’m going to a company SharePoint site and I upload something from my device, that’s very different than if I’m going to my personal OneDrive.”
This means that an employee using Chrome would be blocked from uploading a file including sensitive information you’ve configured a policy to catch, like a National Insurance number, even on your SharePoint site. Using Edge, they’d be able to upload it to SharePoint, but not elsewhere.
For Edge, you can choose whether you want the list of domains you create to be a block list, where you choose specific sites for the browser to warn about or block uploads of sensitive data, or an allow list of the only sites users can upload sensitive data to. You can also list the browsers that you don’t want to have handle sensitive files. If users try to access a file that matches a DLP policy, they will be prompted to open the file in Edge — which can then block or restrict specific activities rather than the whole file, or allow the user to override the block in exchange for having the upload tracked.
“If you have a user trying to upload a PDF with content that’s considered sensitive to a shared Dropbox, the content is being blocked. In Edge, the pop-up says they can override it; if they were in another browser, we would just block it and they wouldn’t have that override approval,” says Rayani.
Applying DLP to browsers allows enterprises to control how employees use cloud storage without being heavy-handed. “We hear from customers that they often have users using cloud storage solutions to transfer data, but they’re doing it through the web,” Rayani says. “If I’m using my personal OneDrive to do something and it’s sensitive data, that’s very different than it is if I use the corporate OneDrive. There’s a slew of third-party cloud solutions that people use and consumer ones like Dropbox and others, and they were forced into using those to transfer data in this remote-work situation.”
In due course, says Rayani, Edge will have more granular options for approved sites, which might even include conditional access based on the Microsoft Graph: “Say there are these three people in this group and they should have access to this kind of information, so you’re allowed to upload it.”
It may also take more advantage of the trainable classifiers in MIP to help guide creating policies, Rayani says.
“Say you have a very confidential project, like a merger and acquisition, and you never want that to leave any boundary, so anytime you see that you want to put in extra protection in place. One of the things we did with trainable classifiers is allow the system to learn what the information is. You point it at a SharePoint site with 30 documents and it would learn that and once you’ve validated it you would implement that policy because it’s just so sensitive that you don’t want any of your users making a decision about that.”
Again, that’s about increasing the granularity of controls. “There isn’t a one size fits all when it comes to data and how you want to protect and classify and manage it, so there are different levels of controls that you want to enable to do that.”
Blocking and auditing the use of sensitive information is a useful signal for other security tools, like Microsoft Defender. “Customers can use this to help them prioritise incident response and forensic investigations,” Rayani says. “Imagine you’ve had a DLP event that triggered on a very sensitive piece of data that flowed on that device. And then also you could look at that same device and investigate whether they had a potential breach happen on that device. So you can start to correlate these things across incidents and see what happens.”
Signals from Endpoint DLP also flow into Microsoft’s insider risk management solution: “If someone downloaded a bunch of sensitive content from SharePoint, you could see what they were doing with that sensitive content in terms of triggering a policy through Endpoint DLP.”
So far, Endpoint DLP is only for Windows, but Rayani says that, like Microsoft’s other security and compliance offerings, “We’re going to go where our customers are. I’m not making any commitments, but we’ll continue to use that same approach with Endpoint DLP”.
Given that Microsoft Defender for Endpoint (the renamed Defender Advanced Threat Protection) is available on macOS, Linux and Android and in public preview on iOS (with threat and vulnerability management also in public preview for macOS), it seems likely that Endpoint DLP will be available cross-platform in future.