SC-400 Microsoft Information Protection Administrator – Creating and Configuring Data Loss Prevention Policies

  1. Understanding the purpose of Data Loss Prevention

Okay, so what is DLP? Data loss prevention. One of the biggest things about this concept is it’s all about trying to comply with business and industry standards that are important in our workplaces today. So when you think about working for an organization or working for a business, high security needs and all that, you have to consider the types of information that are flowing through your business. So think about your users and the documents and emails and team messages and all that stuff that they’re working with and consider if there is any information that could potentially be passed outside the organization.

Now, there is a term for any time information is being passed to a place it’s not supposed to go, like the outside world. That term is data exfiltration. There’s another term called data leakage as well. And so one of the things we want to think about with DLP is that this is all about trying to prevent that sort of thing from happening, to prevent information that’s supposed to be kept on the inside from making its way to the outside.

So in order to do that, we have to first be able to identify what information is sensitive and then we have to have controls in place that can prevent that sensitive information from making its way out, right? So data loss prevention, that is one of the number one goals, is to prevent this type of scenario from happening. Data exfiltration, data leakage, all of that good stuff. Now here are some examples when you want to think in terms of sensitive information.

So this works hand in hand with sensitivity labels, the information protection side of what we get with Azure and Microsoft 365. So we’re looking at things like financial information. We’ve got PII, personally identifiable information. We’ve got PHI, protected health information, and tax information. You have to think about people’s Social Security numbers, tax ID numbers, company tax ID numbers. All of that stuff is going to fall into this category of sensitive information.

And for compliance purposes, our company needs to keep a close eye on it and make sure that information doesn’t flow from one place to another place that it’s not supposed to. So there are all sorts of different sensitive pieces of information that we can draw upon and look at and scan utilizing information protection and data loss prevention. Now, again, this does work hand in hand with the information protection side of Azure and Microsoft 365. It’s going to look at sensitivity labels, and with the help of sensitivity labels we can identify which pieces of information are considered sensitive.

And then from there, we can create our data loss prevention policies to analyze those things. Let’s say a person is trying to share a document that has a Social Security number in it, or a credit card number or something like that, and maybe they’re trying to share that information via email. DLP, with the help of Exchange Online data loss prevention, is going to prevent that. Or how about SharePoint or Teams? With data loss prevention policies put in place, it is going to be monitoring those sorts of things and looking for those. And the thing you want to remember here is that it’s not always a malicious insider that’s doing this. It’s not always somebody who’s evil that’s inside your company, or that’s hacked into your company, and they’re sharing information out.

If you think about it, a lot of it’s accidental, right? I’m sure some of you can relate and say, well, I’ve accidentally emailed the wrong person before. Have you ever done that? Or maybe you almost did that. What if you had a sensitive piece of information attached to an email and you emailed the wrong person? Or what if you were communicating on Teams and you posted a document in a Teams channel that was accessible by people that should not have access to certain information? Perhaps you have somebody that’s in a finance environment, they’re a finance person, and they have a document that has payroll information in it and they accidentally post this document. Instead of posting it in the Teams channel for finance, they post it in a public channel that other employees who are not part of finance have access to.

So it’s important for us to have policies and other controls in place that can analyze and monitor this sort of thing and prevent it from happening, whether it’s something that’s happening maliciously or whether it’s something that’s accidental, right? Another thing that data loss prevention policies are helpful for is that they can provide tips to users. If they do accidentally make a mistake, it can pop a message up and say, hey, you’re not supposed to do that. Here’s why. And then also another thing about policies is that we can allow a user to justify why they’re doing something. Perhaps there’s a scenario where a data loss prevention policy sees that there is a Social Security number that’s being shared. But what if it’s not actually a Social Security number?

What if it thinks it’s a Social Security number because it matches the pattern of a Social Security number, but it’s actually not a sensitive number? A user could be given the option to justify it. So this is another thing that data loss prevention policies are going to let you do. And so finally, with data loss prevention, not only can we put these policies in place, but we also have nice little reports and monitoring capabilities that are going to tell us any time a data loss prevention policy has prevented something, or if it allowed a user to justify it and flow through successfully. Ultimately though, as administrators, we have the ability to utilize these reports to monitor what’s going on. All right, so data loss prevention policies are a very effective system that Microsoft has supplied us with for keeping a close eye on the things that are being shared in our environment.
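The false-positive case described above (a number that matches the Social Security number pattern but is not one), as an added example that is not part of the original course material. It is a simplified model, not Microsoft's detection logic: the keyword list, the confidence labels and the decision names are assumptions made for the illustration.

```python
import re

# SSN-shaped token: 3-2-4 digits, optional dash or space separators.
SSN_SHAPE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# Supporting evidence near a match (constructed keyword list).
KEYWORDS = re.compile(r"\b(ssn|social security|soc sec)\b", re.IGNORECASE)
WINDOW = 40  # characters of context checked on each side of a match


def structurally_valid(area, group, serial):
    """Area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def classify(text):
    """Return (matched_text, confidence) for each SSN-shaped number in text."""
    findings = []
    for m in SSN_SHAPE.finditer(text):
        if not structurally_valid(*m.groups()):
            confidence = "rejected"      # right shape, impossible value
        else:
            context = text[max(0, m.start() - WINDOW):m.end() + WINDOW]
            confidence = "high" if KEYWORDS.search(context) else "low"
        findings.append((m.group(0), confidence))
    return findings


def policy_decision(findings):
    """Assumed policy: block on high, tip plus justification on low."""
    levels = {confidence for _, confidence in findings}
    if "high" in levels:
        return "block"
    if "low" in levels:
        return "tip_allow_justification"
    return "allow"


# Constructed sample messages, not real data.
SAMPLES = [
    "Employee SSN: 123-45-6789, please update payroll.",
    "Order ref 123-45-6789 shipped on Tuesday.",
    "Replacement part no. 900-12-3456 is back in stock.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(policy_decision(classify(sample)), "<-", sample)
```

The second sample is the case from the lecture: the shape matches but nothing around it says "Social Security number", so the user gets a tip and the chance to justify rather than a hard block.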

  2. Recommending a Data Loss Prevention Solution for an Organization

Now if we’re in a position where we are going to be implementing data loss prevention policies, it’s important for us to understand what’s available to us and what the licensing options are. If we’re going to be recommending this to an organization of some kind, these are some of the facts we need to know. Now, we need to understand too the benefits here and then what those benefits are actually going to apply to. So again, data loss prevention policies are going to really help us prevent data leakage in an organization, and they can work across multiple platforms. Now we have a few different platforms that this is going to be associated with in our Microsoft 365 environment.

We have Exchange, SharePoint, and OneDrive, and if we’re going to implement data loss prevention in those particular services, we have to understand what the license requirements are. So if you take a look here, you’ll notice that the licenses that are going to be needed are listed there in the second to last paragraph right there on the screen: Microsoft 365 E3/A3, Business Premium, Office 365 E3/A3. You can also just purchase outright an Office 365 Data Loss Prevention and F5 Compliance license along with the F5 Security and Compliance. So you’re going to actually find that a lot of your standard Office licenses are going to come with the licensing needed for Exchange Online, SharePoint, OneDrive for Business, all that. Okay? And from there, there are also going to be some default policies that are going to be put into play as soon as you start using your Microsoft 365 services with these licenses. In fact, as I get into the hands-on stuff here shortly, you’re going to see a lot of that, okay? Now of course I know one of the things that you might be thinking right now is, well, I don’t see Teams on the list.

So what about data loss prevention licensing for Microsoft Teams? So for Microsoft Teams, you have to have some extended capabilities there to support this. And you’ll see that with Teams, one of the things we can do is have data loss prevention analyze channel messages and all that, and you’ll notice that those are going to come with your Office 365 E5/A5.

The Microsoft 365 equivalents of that, E5/A5. You can also get the G5, Information Protection and Governance, Compliance, and F5 Security and Compliance. All of those licenses are going to come with it. Now the other thing to understand here too, though, if you kind of look towards the bottom of this, is that it tells you that the Office 365 and the Microsoft 365 E3 gives you SharePoint, OneDrive and Exchange. But this also includes files that are shared through Teams, because of Teams using SharePoint and OneDrive and all that.

So when you’re sharing information through Teams, your E3 is going to provide you with the licensing for that, but what you’re not getting is the private messaging channels and all that stuff. So it’s important to understand that in order for us to support being able to handle private messaging and analyzing private messaging channels, we’re going to need one of the E5 or equivalent licenses. So the E3 is going to give you some support for Teams, but it’s not going to give you the full support for Teams. Microsoft wants you to get an E5 or one of the 5-based licenses, basically, to get the full capabilities of that. Now let me show you real quick where we can take a look at the licensing that we have in our tenant as of right now. Now here on portal.azure.com, I can very quickly click the little menu button here and go to Azure Active Directory. From there I can click on Licenses and then click All Products, and you can see the products that I have available. Now the only ones that really matter for what we’re doing right now are the Enterprise Mobility + Security E5 and the Office 365 E5.

These other ones, don’t worry about those, but essentially those are going to be our products that are doing this. So you guys can see that I’ve got the Office 365 E5, which has given me the capabilities that I want. I can click on that and I can see the service plan details, and you can see everything that’s going to be included with this capability. Now you can also jump over to portal.microsoft.com, click Show All, drop down where it says Billing, and you can look at your products if you want, and that will show you the same thing. Or you can also click on Purchase Services, and this is where I can go and look through some of the other options for purchasing licenses if I want. Microsoft makes it pretty easy for us to go through and take a look at the things that are available to us, and we can also compare what’s available to us.

So if you look at Microsoft 365 here, if I want, I can go to Microsoft 365 or Office 365 and I could compare, say, the E3 with the E5 if I want. Click Compare right here and it’ll build me a little table that will show me the different options. So it’s important again to be able to go through and see what’s available, to know what’s available license-wise that’s going to help me. But ultimately, if you’re wanting the full functionality with data loss prevention, then you’re definitely going to want to have the Office 365 E5. You’re going to want to have basically a Microsoft 365 E5 or Office 365 E5. You’re going to want a 5, I should say. It could be G5, F5, whatever, but you’re going to want that 5 on the end of your license because that’s going to give you the full functionality.

Okay? Now, another thing to consider here when it comes to understanding sensitivity labels and all of that is that it’s also a good idea to have the EMS as well, Enterprise Mobility + Security. Because that license gives you this right here, Azure Active Directory Premium P2, which is needed if you’re going to do what’s called auto-labeling of sensitivity labels. So it’s really a good idea to have 5 on all of it. Of course, it is more expensive, but if you’re going to really lock down and take advantage of security, the 5 is where you want to go. And so if you’re taking the exam, you’re going to want to remember the E5 is going to be the thing that’s going to give you the most capabilities. And especially when it comes to Teams, you’re going to want to remember that 5, because the 3 licenses are going to give you most capabilities but not full functionality when it comes to Teams.

  3. Configuring Data Loss Prevention for Policy Precedence

So let’s take a look at the area where we’re going to be managing data loss prevention policies. And I want to show you one of the first lessons you’re going to want to make sure you’re aware of when dealing with these. So we’re starting out here on portal.microsoft.com. We’re going to click Show All and we’re going to go to the compliance center. So we’re just going to click on the Compliance blade, and that’s going to take us to the compliance center. And then from there we’re going to scroll down and click on Data Loss Prevention.

Okay? So on Data Loss Prevention we’re going to click the Policies button here, and then you’re going to notice that we have some policies. Now right out of the gate you’re going to notice that there is a default Office 365 policy there that’s going to get into managing some of the default settings for Exchange and SharePoint and all that good stuff. And then I just created three test policies. Now I’m not getting into what these policies are each doing at the moment, because my whole point of this little demonstration is to explain the precedence from one policy to the other. So when you create policies, there’s going to be an order, a precedence, that the policies are going to be set in here. And essentially what happens is you have the default policies that are in place, which are going to be applying different settings in your environment regarding DLP.

And then every policy you create after that is going to go underneath that policy. So you can see that the default Office 365 DLP policy was created first. Then I created test policy one, test policy two, test policy three, and they just went in that order as they were created. Okay, now the way you want to remember this, and this is something definitely important if you’re taking the exam, is that with the order, the lower the number, the higher the priority. So if you look right here, you want to remember that whichever one of these policies has a lower number has a higher priority. Now in a lot of cases that’s not going to even matter. It’s really only going to matter whenever there’s a conflict. So if you configure some kind of setting here, let’s say in test policy one, that’s going to conflict with maybe an Exchange setting or a SharePoint setting or something that was in the default Office policy, then the default Office policy is going to override test policy one. Same thing for two and three. If I’ve got a policy here that’s going to affect SharePoint, and then maybe I have another policy here that’s also going to affect SharePoint in some way, maybe they have a conflict. Well, then policy one, because it’s at order one, would override policy two. Okay? So always remember: the lower the number, the higher the priority. A lot of people get that mixed up. They think the higher the number, the higher the priority. It’s not; it’s the opposite of that. The lower the number, the higher the priority. Now, if you want to adjust the priority levels, you can do that very easily. Just click the little actions ellipsis symbol here.

You can say move up, and then you can also say move down. So if I want to move something down, I can move something down. Notice when I did that, I said move up. Look where it moved to. So I’ll say move up, and then, I’m sorry, actually, I clicked move to the top. In that case, if I just say move up, it’s going to move up one. If I say move to the top, it’s going to move to the top. So that is how that’s going to work for you. Okay? So you can very easily adjust the order in which the policies are going in. So notice I’ve changed my order. Now test policy two is going to override one and three, so on and so forth. Okay? So that is how the order in which policies are created is going to work. So once you create your policies, it’s going to create them in that order and it’s going to stack them right below, and then you can adjust that order at any time. So they make that very easy for you.
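The ordering rule from this lesson (lower number, higher priority, and it only matters where policies overlap), as an added example that is not part of the original course and is not the portal's own logic. The locations assigned to each policy and the 0-based order numbers are constructed for the illustration; the lesson does not say what the test policies cover.

```python
def sample_policies():
    """Constructed policy list; locations are illustrative, not from the demo."""
    rows = [
        ("Default Office 365 DLP policy", {"Exchange", "SharePoint", "OneDrive"}),
        ("Test policy 1", {"SharePoint"}),
        ("Test policy 2", {"SharePoint", "Teams"}),
        ("Test policy 3", {"Teams"}),
    ]
    # Policies stack in creation order; order numbers start at 0 here.
    return [{"name": n, "locations": l, "order": i} for i, (n, l) in enumerate(rows)]


def _renumber(policies):
    for index, policy in enumerate(policies):
        policy["order"] = index
    return policies


def _index(policies, name):
    return next(i for i, p in enumerate(policies) if p["name"] == name)


def move_up(policies, name):
    """Move up: swap with the policy directly above."""
    i = _index(policies, name)
    if i > 0:
        policies[i - 1], policies[i] = policies[i], policies[i - 1]
    return _renumber(policies)


def move_to_top(policies, name):
    """Move to the top: the policy takes the lowest number."""
    policies.insert(0, policies.pop(_index(policies, name)))
    return _renumber(policies)


def overlaps(policies):
    """Map each location covered by several policies to their names, winner first."""
    report = {}
    for location in sorted({l for p in policies for l in p["locations"]}):
        names = [p["name"] for p in sorted(policies, key=lambda p: p["order"])
                 if location in p["locations"]]
        if len(names) > 1:
            report[location] = names
    return report


if __name__ == "__main__":
    policies = move_to_top(sample_policies(), "Test policy 2")
    for location, names in overlaps(policies).items():
        print(location, "->", names[0], "overrides", names[1:])
```

Running an overlap report like this before and after a reorder shows which locations actually change their winning policy, which is the only place the order has any effect.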