Data Loss Prevention

Posted 8 May 2017 12:00 AM by Vishan Sondhi, Business Productivity Specialist @ ClearPeople

To add onto my last blog about Security, I wanted to write about a new feature available with the on-premise version of SharePoint 2016, Data Loss Prevention. Now I’m sure you have all heard of Data Loss Prevention within the compliance centre in Office 365 – but I wanted to discuss what it is and how it works on-premise. This blog will demonstrate how DLP works, and how to set it up on SharePoint 2016. 

What is Data Loss Prevention?

“Data Loss Prevention is a way of ensuring that sensitive data is not sent outside of the corporate network”

How does SharePoint know what sensitive data is?

In SharePoint, sensitive information is defined by a pattern which is identified by a regular expression, e.g. a bank number. In addition to this, the search engine contains a number of pre-defined keywords and checksums that are used, alongside a confidence level process, to identify sensitive information. You can view a list of the pre-defined keywords and checksums here.

For example, if a DLP policy has been configured so that a UK Passport Number cannot be sent, the following checks are done:

Format: Nine digits
Pattern: Nine consecutive digits
Checksum: No
Definition: A DLP policy is 75% confident that it's detected this type of sensitive information if, within a proximity of 300 characters:
  • The function Func_usa_uk_passport finds content that matches the pattern.
  • A keyword from Keyword_passport is found.

<Entity id="178ec42a-18b4-47cc-85c7-d62c92fd67f8" patternsProximity="300" recommendedConfidence="75">
<Pattern confidenceLevel="75">
<IdMatch idRef="Func_usa_uk_passport" />
<Match idRef="Keyword_passport" />
</Pattern>
</Entity>

Keywords

Keywords Keyword_uk_drivers_license
Passport Number
Passport No
Passport #
Passport#
PassportID
Passportno
passportnumber
パスポート
パスポート番号
パスポートのNum
パスポート#
Numéro de passeport
Passeport n °
Passeport Non
Passeport #
Passeport#
PasseportNon
Passeportn °
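
To show how the pattern, keyword list and 300-character proximity combine, here is an added Python example; it is not part of the original post and is not Microsoft's implementation of Func_usa_uk_passport. It assumes the pattern is a run of exactly nine digits, that keywords match case-insensitively, and that the keyword must lie wholly within 300 characters on either side of the number.

```python
import re

# Keyword list copied from the page.
KEYWORD_PASSPORT = [
    "Passport Number", "Passport No", "Passport #", "Passport#",
    "PassportID", "Passportno", "passportnumber",
    "パスポート", "パスポート番号", "パスポートのNum", "パスポート#",
    "Numéro de passeport", "Passeport n °", "Passeport Non",
    "Passeport #", "Passeport#", "PasseportNon", "Passeportn °",
]
PROXIMITY = 300   # patternsProximity on the Entity element
CONFIDENCE = 75   # confidenceLevel on the Pattern element

# Assumption: "nine consecutive digits" is a run of exactly nine digits,
# so nine digits inside a longer number do not count.
NINE_DIGITS = re.compile(r"(?<!\d)\d{9}(?!\d)")
# Assumption: keywords are matched case-insensitively; longest first so
# "パスポート番号" is reported rather than its shorter prefix "パスポート".
KEYWORDS = re.compile(
    "|".join(re.escape(k) for k in sorted(KEYWORD_PASSPORT, key=len, reverse=True)),
    re.IGNORECASE,
)


def find_passport_matches(text):
    """Return (number, keyword, confidence) for every nine-digit run that has
    a keyword lying wholly within PROXIMITY characters on either side."""
    hits = []
    for number in NINE_DIGITS.finditer(text):
        lo = max(0, number.start() - PROXIMITY)
        hi = min(len(text), number.end() + PROXIMITY)
        keyword = KEYWORDS.search(text, lo, hi)
        if keyword:
            hits.append((number.group(), keyword.group(), CONFIDENCE))
    return hits


# Constructed samples; the first mirrors the test document uploaded later in this post.
FILLER = "loreum ipsum " * 9
SAMPLE_HIT = FILLER + "789208725 passportno " + FILLER
SAMPLE_NO_KEYWORD = FILLER + "789208725 " + FILLER
SAMPLE_TOO_FAR = "passportno " + "x" * 400 + " 789208725"
SAMPLE_TEN_DIGITS = "passportno 7892087251"

if __name__ == "__main__":
    for sample in (SAMPLE_HIT, SAMPLE_NO_KEYWORD, SAMPLE_TOO_FAR, SAMPLE_TEN_DIGITS):
        print(find_passport_matches(sample))
```

Only the first sample produces a match: the other three fail because the keyword is missing, the keyword is more than 300 characters away, or the number has ten digits.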

Hope that has given you a good understanding of what DLP is and how it works. Now I will show you how to set this up in a few easy steps. 

To set up DLP on SharePoint on-premise, there are a few pre-requisites that need to be set up beforehand.

  • SharePoint Server 2016
  • Search service application configured and running crawls. 
  • Compliance Centre
  • eDiscovery Centre
  • Outgoing email with emails configured on users. 

From within the eDiscovery site collection you have to select ‘Create DLP Query’, as below

Data Loss Prevention 1

Then select New Item

Data Loss Prevention 2

From the New DLP Query pop-up box, choose the template you wish to use. Above I used the Passport Number example, so for this demo I will use the “UK Data Protection Act” template, as below

(Be sure to change the number at the bottom from 9 to 1)

Data Loss Prevention 3

Select Next

Give the query a name and a start and end date, and choose the source you want the DLP to work from, as below (for this demo, I will leave the source as ‘Search Everything in SharePoint’).

Data Loss Prevention 4
Select Save. 

That’s it, the DLP query has been created. Now upload a document into SharePoint which contains nine consecutive digits and a term from the keyword list, something like below. Save the document into SharePoint as Loreum ipsum. 

loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum 789208725 passportno loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum

Run a crawl and select Search; you should see the document appear.

Data Loss Prevention 5

So you can see that the document I uploaded which contained nine consecutive numbers and a term from the keywords has been flagged up via the eDiscovery Centre. 

Now we need to create a Policy for this DLP.
Navigate to the Compliance Centre and select ‘Data Loss Prevention Policies’ 

Data Loss Prevention 6

Select New Item and enter a name for the policy. Select the template you chose above and change the 9 to a 1, so that 1 conflict is enough for the rule to take effect. Insert an email address so that when the DLP policy finds a match, it will email this person. Then choose what to do with the file once a match is found, i.e. show a policy tip and block the document, as below

Data Loss Prevention 7

Select Save. 

After the Policy is created, we must assign that policy to a site collection. From the Compliance centre select DLP Policy Assignments for Site Collections

Data Loss Prevention 8

Select New Item and first choose a site collection.
When a document in a library matches a policy, a policy tip is shown and the document is blocked, as below

Data Loss Prevention 9

Select Save
Now under Managed Assigned Policy, assign your Policy to the site collection.
Data Loss Prevention 10

Select Save
Please note that when you add a New Policy Assignment, it may take 24 hours to apply, but High Priority rules such as Credit Cards and Passport numbers take up to 15 mins.

Data Loss Prevention 11

Policy Tips
In the Compliance Policy, we ticked a box to say we wanted to enable Policy Tips and to block access to documents which meet the DLP policy rules. This is what a Policy Tip looks like and how it behaves. 

Data Loss Prevention 12

The Policy tip displays an error on the document informing the user it is blocked (as we selected in the compliance centre).
The tip tells the user who the document is open to and what the problems with the document are. The owner, last modifier or site owner can go into the document and remove the passport number or, if they think it's an error, click Resolve. 

Data Loss Prevention 14
When you click Resolve, you can override the policy, which means that you are aware of the data and that it is normal for it to live in the document. The other choice is Report an issue, for when you think the document is fine and that it shouldn’t trigger a policy. 

Data Loss Prevention 13

When you click on Override, you must give a business justification as to why you want to override the rule, as below

Data Loss Prevention 15

The rule has been overridden, and the error image has now been removed.

Data Loss Prevention 16
