Data Loss Prevention in Office 365: Part Four

In part three of this mini-series on data loss prevention, we examined a PCI policy’s properties in some detail. Today, we’ll finish our look at this policy.

When we left off, we were examining the options available via the policy’s “Custom content” option (see the screenshot below):

screenshot one

The custom content option gives you the ability to determine what properties of the examined message will be sent to the DLP report’s recipient:

screenshot two

As you can see, it can get pretty involved. This feature is useful not only because of what can be included, but also because of what can be excluded. For example, the details of a message can be left out of the report to preserve privacy while you still track each time your DLP rule is triggered.

Note also that further actions can be added to build more sophisticated, compound rule logic.

And there can also be exceptions:

screenshot three

These exceptions can be very precise, for example:

screenshot four

The remaining properties are shown in the screenshot below:

screenshot five

You can:

  1. Choose the rule’s priority (this determines the order in which the rule is processed relative to other rules: a rule with priority 0 is processed first, then priority 1, and so on).
  2. Choose the rule’s severity level: Low, Medium or High.
  3. Choose the rule’s mode: Enforce, Test with Policy Tips, or Test without Policy Tips.
  4. Choose a date range for the rule to be in effect (leave this blank for the rule to run without date restrictions).
  5. Choose whether or not to use the “stop processing more rules” option (see this Office 365 community blog post regarding when and how to use it).
  6. Choose which component of the analyzed message is examined for the sender’s address: Header, Envelope, or both Header and Envelope.
  7. Choose which DLP policy the rule will be applied to.


Needless to say, we’ve only scratched this topic’s surface. Hopefully this series of posts has given you a good idea of what’s possible and where to look for more information.

It should also be noted that you can (of course) create and modify DLP policies using PowerShell’s New-DlpPolicy and Get-DlpPolicy cmdlets.

Happy hunting!

Data Loss Prevention in Office 365:

Part One.

Part Two.

Part Three.

Data Loss Prevention in Office 365: Part Three


In part two of this mini-series on data loss prevention, I showed you how to create a new policy and explained the link between data loss prevention policies in Office 365 and sensitive information types.

This week, we’ll take a closer look at a policy’s configuration once it’s been created.

Credit Card Policy 4

Note the screenshot above, which shows the main page of the Exchange Admin Center’s data loss prevention section. As you can see, there are two policies in place: one that tests for the presence of HIPAA information and another that reports the transmission of credit card data (searching for possible PCI violations).

We’re going to focus on the credit card data transmission report.

By clicking on the pencil icon while the policy you want to edit is highlighted, you’ll be brought to the general configuration page:

Credit Card Policy 1

In the general section, we name the policy, enter a description, choose the policy’s state (enabled or disabled) and choose a mode for the policy’s requirements (whether the policy will be enforced, tested without policy tips, or tested with policy tips).

If you’re wondering about policy tips, see this comprehensive overview. The short version is that policy tips can be used to inform your Outlook 2013, OWA and OWA for mobile devices users that the message they’re sending may violate a policy (or, at least, has triggered one).

Once you’ve entered the information and actions you want, click the rules option on the left-hand side of the interface to configure finer-grained actions:

Credit Card Policy 2

In the example, I’ve already configured the sensitive information type used and the policy’s actions. By clicking the pencil icon, we can take a closer look at what I did:

Credit Card Policy 3

In the name field I entered the label “PCI DSS…”, and the rule has been configured to apply if:

  1. The recipient is located outside the organization, and
  2. The message contains sensitive information (type: credit card number).

If these conditions are met, the policy will generate an incident report and send it to an internal recipient (email address obscured for this post). The “Custom Content” referenced is the following:

Credit Card Policy 8
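The rule described above (external recipient plus a credit card number, reporting to an internal mailbox with trimmed “custom content”), together with the remaining rule properties that part four of this series walks through (priority, severity, mode, date range, stop processing, sender address location and the owning DLP policy), can be created in one New-TransportRule call. This is an added example, not code from the original post: it assumes an open Exchange Online PowerShell session, a DLP policy already created under the name in $policyName, and it uses a placeholder report mailbox, placeholder partner domain and constructed dates.

```powershell
# Added example (not the post's own code): the PCI rule from this part plus the
# properties listed in part four, created with New-TransportRule.
# Assumes an existing Exchange Online PowerShell session and a DLP policy that
# was already created with the name below.
$policyName = 'PCI DSS - Credit Card Report'   # assumed: created earlier from the PCI template
$reportTo   = 'dlp-reports@example.com'        # placeholder mailbox that receives incident reports

# Splatting keeps each setting next to its comment; a backtick-continued call
# cannot carry comment lines between its parameters.
$rule = @{
    Name      = 'PCI DSS - credit card number to external recipient'
    DlpPolicy = $policyName                        # 7: the DLP policy the rule belongs to

    # Conditions: recipient outside the organisation AND a credit card number in the message.
    SentToScope                        = 'NotInOrganization'
    MessageContainsDataClassifications = @{ Name = 'Credit Card Number'; MinCount = 1 }

    # Exception: a contracted payment processor allowed to receive card data (placeholder domain).
    ExceptIfRecipientDomainIs = 'processor.example'

    # Action: incident report to the internal recipient. The "custom content" deliberately
    # omits Subject and AttachOriginalMail, so the report records the hit without
    # disclosing the message itself.
    GenerateIncidentReport = $reportTo
    IncidentReportContent  = @('Sender', 'Recipients', 'Severity', 'RuleDetections',
                               'DataClassifications', 'IdMatch')

    # Remaining properties, numbered as in part four's list.
    Priority              = 0                         # 1: processed before rules with priority 1, 2, ...
    SetAuditSeverity      = 'High'                    # 2: severity level (Low, Medium, High)
    Mode                  = 'Audit'                   # 3: Audit = test without policy tips,
                                                      #    AuditAndNotify = test with tips, Enforce = enforce
    ActivationDate        = (Get-Date '2024-01-01')   # 4: constructed date range; omit both
    ExpiryDate            = (Get-Date '2024-12-31')   #    parameters for no date restriction
    StopRuleProcessing    = $true                     # 5: stop processing more rules after a match
    SenderAddressLocation = 'Header'                  # 6: Header, Envelope or HeaderOrEnvelope
}

New-TransportRule @rule

# Read back what was stored, including the custom content selection, so the
# rule can be checked against the incident reports it produces while in Audit mode.
Get-TransportRule -DlpPolicy $policyName |
    Format-List Name, Priority, SetAuditSeverity, Mode, State, ActivationDate, ExpiryDate,
                StopRuleProcessing, SenderAddressLocation, IncidentReportContent
```

Starting the rule in Audit mode and reviewing the reports that arrive at $reportTo before switching to Enforce is the PowerShell equivalent of the “test without policy tips” choice in the admin center; the rule’s Mode can be changed later with Set-TransportRule.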

And that’s all the time I have for now. In the next post, we’ll finish our look at this policy and describe some of the other actions you can take.



Data Loss Prevention in Office 365: Part Two


In a previous post, I provided a brief introduction to Office 365’s data loss prevention offering.

This time, we’ll walk through the process of creating a DLP policy from a template.

Before we start, let’s keep three key ideas in mind:

1.) Data Loss Prevention (DLP) policies are intended to prevent the accidental or malicious transmission of sensitive company and/or customer data (for example, emailing a social security number unencrypted to a recipient).

2.) In Office 365, DLP policies are built upon sensitive information types.

3.) Sensitive information types are, as the phrase implies, the confidential or otherwise protected information you want to prevent from being freely transmitted.

This TechNet link provides a listing of the current inventory of sensitive information types that can be used in a DLP policy.

So now let’s walk through the creation of a DLP Policy.

1.) Log in to the Exchange Admin Center and choose compliance management, then data loss prevention (note that in the screenshot, a policy for reporting credit card data is shown):

DLP Walkthrough 1

2.) Click the plus symbol and select the New DLP policy from template option.

3.) Now you can browse through the selection of sensitive information types:

DLP Walkthrough 2


4.) Notice that the PCI Data Security Standard (or PCI DSS) is selected. Click Save to continue. You’ll be returned to the main screen.

DLP Walkthrough 1


5.) The DLP policy is in place, but its properties – including the actions you’d like it to take – have not been configured. Click the pencil icon to edit the policy.

DLP Walkthrough 3

6.) The general section is where you set the policy’s name, write a description, choose its state and select whether you want the policy to be enforced or to run in a testing mode. Next, click the rules link.

DLP Walkthrough 4
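The same walkthrough can be done from Exchange Online PowerShell, which is handy when you want the policy creation to be repeatable or reviewable. The block below is an added example and not code from the original post: it assumes an existing session (Connect-ExchangeOnline, or a remote session to Exchange 2013) with the compliance management role, and the PCI template name it uses is an assumption to be confirmed against the output of Get-DlpPolicyTemplate.

```powershell
# Added example (not the post's own code): steps 2 to 6 of the walkthrough from
# Exchange Online PowerShell. Assumes an existing session with the compliance
# management role.

# Steps 2 and 3: list the available templates and find the PCI one. The display
# name assigned below is an assumption; confirm it against this listing.
Get-DlpPolicyTemplate | Where-Object { $_.Name -like '*PCI*' } |
    Format-Table Name, Description

$templateName = 'PCI Data Security Standard (PCI DSS)'   # assumed template name
$policyName   = 'PCI DSS - Credit Card Report'           # constructed policy name

# Step 4 (and the general section of step 6): create the policy from the template.
# Mode maps to the admin center's choices:
#   Audit          = Test DLP policy without Policy Tips
#   AuditAndNotify = Test DLP policy with Policy Tips
#   Enforce        = Enforce
# Starting in Audit lets you read the incident reports before any message is blocked.
New-DlpPolicy -Name $policyName `
              -Template $templateName `
              -Description 'Reports credit card numbers sent to external recipients' `
              -State Enabled `
              -Mode Audit

# Step 5: confirm the policy exists and see its general properties.
Get-DlpPolicy -Identity $policyName | Format-List Name, State, Mode, Description

# Step 6, rules link: the template has already generated rules bound to this
# policy; these are what the rules section of the admin center lets you refine.
Get-TransportRule -DlpPolicy $policyName |
    Format-Table Name, Priority, Mode, State, SentToScope

# Once the Audit-mode reports look right, promote the policy to Enforce.
Set-DlpPolicy -Identity $policyName -Mode Enforce
```

Set-DlpPolicy is the cmdlet that changes an existing policy’s state, mode or description; Get-DlpPolicy only reads it back, which is why the check above is separate from the final change.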

And that’s it for now. In the next post, we’ll complete the creation of this policy and review some of its finer-grained elements.


Data Loss Prevention in Office 365: Part One


As you surely know, email is at the very heart of business communication (as I’ve probably said and/or written about a million times – or perhaps only 10).

Which means that all sorts of information can pass through your messaging system – not all of it desirable; some of it potentially damaging.

For example, let’s say you’re concerned about credit card data being sent to external recipients in potential violation of the Payment Card Industry Data Security Standard (PCI DSS). How would you know, and what could you do to prevent it?

The answer is data loss prevention – also known as DLP.

The Wikipedia entry on DLP summarizes:

Data loss/leak prevention solution is a system that is designed to detect potential data breach / data ex-filtration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage). In data leakage incidents, sensitive data is disclosed to unauthorized personnel either by malicious intent or inadvertent mistake.

Such sensitive data can come in the form of private or company information, intellectual property (IP), financial or patient information, credit-card data, and other information depending on the business and the industry.

If your email platform is Office 365 (or Exchange 2013 on-premises), Microsoft has provided a host of built-in sensitive data type templates you can employ as part of a DLP strategy.

Although the underlying algorithms are quite complex, the initial workflow is fairly simple to understand so long as you recall that sensitive information types form the foundation of the data loss prevention policy’s actions.

Note the following for example:

The screenshot shows a DLP policy configured to capture potential instances of PCI-DSS violations (in this case, messages sent to external recipients that contain numerical sequences which seem to match the standard credit card format).

Note also that you access the DLP screen from the Exchange Admin Center by selecting the compliance management option.

In the next post, we’ll review in greater detail the process of creating a DLP policy from a template – or from scratch – including the relationship between sensitive information types and DLP policies.

Until then, check out these links: