Wednesday, May 23, 2018

Office 365 DLP Document Finger Printing

Data Loss Prevention (DLP) is a way of preventing sensitive information inside your organisation from being sent to places you don't want it to go. Office 365 E3 and above have always included DLP, but now Microsoft 365 Business also includes DLP.

There are a number of different options you can configure when it comes to DLP inside Office 365. One of these is Document Fingerprinting, which allows Office 365 to check information against a template you provide.

Here’s how it works.

image

The first thing I do is create a template of the information I want to be fingerprinted against. Here I have created an invoice template as shown above. Information being sent from my tenant will then be checked ('fingerprinted') against this to prevent documents that 'look like' this template from being sent externally.

image

To configure DLP Document Fingerprinting you’ll need to navigate to the Exchange Admin Center and then the compliance management option on the left. You’ll then need to select the data loss prevention option at the top of the page on the right.

On this page you'll need to select the Manage document fingerprints hyperlink in the top half of the page, as shown above.

image

Here you will see any document fingerprints already configured. Select the plus (+) icon to add a new fingerprint document.

image

Simply give the fingerprint a name (in this case Invoice – DLP).

image

In the lower window you’ll need to select the plus (+) symbol and upload the template document that you have created. In my case, I’m going to upload the invoice template shown earlier.

Save your selections.

image

In the lower part of the data loss prevention page you'll see a list of the DLP policies in your tenant. Some of these policies may have been created elsewhere (for example in the Office 365 Security and Compliance Center). Locate the document fingerprint policy you just created (here called Check for Invoices), select it, and then select the edit icon from the menu at the top as shown.

image

You can then further configure the DLP policy. Here I have elected to enable and enforce the policy, but there are other options you can select.

Select the rules option from the menu on the left.

image

To create a new rule, select the plus (+) icon from the menu across the top.

image

Here is where you will create the outbound transport rule to check information sent via email. In this case, the rule will apply if the recipient is outside my Office 365 tenant.

image

When I select the type of sensitive information, I can now choose the document fingerprint I just created.

When there is a policy match, I then elect to block the document, notify the user via a policy tip and send a report to a nominated user.
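The same fingerprint, policy and rule as the steps above, built with Exchange Online PowerShell instead of the Exchange Admin Center. This is an added example and not part of the original post; it assumes a connected Exchange Online PowerShell session, and the template path, rule name and report recipient address are placeholders.

```powershell
# Added example (not from the original post): the EAC steps above as Exchange Online
# PowerShell. Assumes an already connected Exchange Online PowerShell session.
# 'C:\DLP\InvoiceTemplate.docx' and 'compliance@contoso.example' are placeholders.

# 1. Read the invoice template and register it as a document fingerprint
$templateBytes = [System.IO.File]::ReadAllBytes('C:\DLP\InvoiceTemplate.docx')
$fingerprint   = New-DlpFingerprint -FileData $templateBytes -Description 'Invoice template'

# 2. Wrap the fingerprint in a sensitive information type (the "Invoice - DLP" entry)
New-DlpSensitiveInformationType -Name 'Invoice - DLP' `
    -Fingerprints $fingerprint `
    -Description 'Documents that resemble the company invoice template'

# 3. Create the DLP policy and enforce it (the post enables and enforces its policy)
New-DlpPolicy -Name 'Check for Invoices' -Mode Enforce

# 4. Outbound transport rule: recipient outside the tenant and content matching the
#    fingerprint -> reject the message, show the sender a policy tip, and send an
#    incident report to a nominated mailbox
New-TransportRule -Name 'Block invoices sent externally' `
    -DlpPolicy 'Check for Invoices' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = 'Invoice - DLP' } `
    -NotifySender RejectMessage `
    -RejectMessageReason 'This message appears to contain an invoice and cannot be sent outside the organisation.' `
    -GenerateIncidentReport 'compliance@contoso.example' `
    -IncidentReportContent Sender, Recipients, Subject, DataClassifications, AttachOriginalMail

# 5. Check what was created before testing with a real message
Get-DlpSensitiveInformationType -Identity 'Invoice - DLP'
Get-TransportRule -Identity 'Block invoices sent externally' | Format-List Name, State, DlpPolicy
```

Setting -Mode to Audit or AuditAndNotify on the policy instead of Enforce lets you review matches in the incident reports before any mail is actually blocked.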

image

With my new document fingerprinting DLP policy in place, I now create a new invoice based on the original template, as shown above. Its content differs from the original template, but it is still similar in format.

image

As you can see above, when I attempt to attach this new document (which looks like the previously configured fingerprint document) in Outlook on the desktop, it activates my DLP policy and prevents the item from being sent outside the organisation, as desired.

image

I get a similar result if I try and do this using the Outlook Web Client (OWA).

image

I get a policy tip at the top of the email, as shown above.

image

When I attempt to send the email, it is blocked. DLP in action!

This is one example of the DLP capabilities of suitably licensed Office 365 and Microsoft 365 tenants. DLP is a great way to prevent standard information, like invoices, from being accidentally or maliciously sent outside your organisation.

As I mentioned, DLP is now part of Microsoft 365 Business, which makes it an even more enticing offering for SMBs that are subject to compliance regulations.