
Evolving Data Loss Prevention in SharePoint Online/OneDrive for Business and Office applications


Today’s post was written by Shobhit Sahay, technical product manager for the Office 365 team.

Everywhere your data exists, moves or is shared, we want to protect it. Office 365 has provided Data Loss Prevention (DLP) capabilities for email since Exchange 2013. As collaboration extends beyond email to sites and documents, we are extending the DLP capabilities to these services. Last year at TechEd Barcelona, we showed a quick glimpse of our vision for expanding DLP and today we are pleased to share more details on these capabilities.

Announcing upcoming public preview of DLP for SharePoint Online/OneDrive for Business

For the last couple of months, we have worked hard to test some of these cool new capabilities in a private preview with select customers. Later this quarter, we will bring a public preview of these capabilities to every single eligible Office 365 tenant.


Last year we made some early DLP capabilities from Phase 1 available, allowing you to find sensitive information in SharePoint Online/OneDrive for Business. These helped you identify high-risk items and allowed you to take manual actions on that sensitive content. But with the Phase 2 public preview, you can now create proactive policies to remediate violations and empower your users with policy tips and notification emails so they can make the right decision while working with sensitive data, just like you do today with DLP in Exchange. Let us now look at these enhancements in detail.

Easily set up your DLP policies for your organization

With the public preview, admins can now easily set up DLP policies for SharePoint Online/OneDrive for Business from the Office 365 compliance center. Policies take the simple construct of conditions, actions and exceptions, and admins can use any of the existing out-of-the-box templates to get started.


End users empowered through constant policy education

We understand that end users are a critical part of the solution to keeping data safe. As such, we help them make the right decisions when working with sensitive data, providing them with rich notifications in the context of where they are working. Furthermore, if they move out of context, we send an email notification with the policy tip information. All of this is configurable by the admin, who can set up rules that allow users to override policies by providing a business justification, which allows users to be productive while still being compliant.


Tracking policy usage and incident management

Admins can track the effectiveness of policies with the rich reporting built into Office 365. In addition, they can create admin-facing incident reports with information about each incident that can later be reviewed by their security teams.


What’s available now? What’s coming later?

With all the great new capabilities, you might ask, “What is coming next?” Well, we are not done here; we will continue to innovate and release a new set of capabilities in our Phase 3 release. Here is a view of what’s available now versus what is coming in Phase 3.

| Available in Phase 2 public preview | Coming in Phase 3 |
| --- | --- |
| Create automated policies with any of the available built-in sensitive information types | Exceptions for locations and conditions |
| Detect external sharing and apply appropriate actions | Ability to encrypt content as an action |
| Scope the policies to specific locations or sites | Support for custom classifications and document fingerprinting |
| Scanning for document properties (metadata) | Shared by/by member of conditions |
| Block or restrict access to the sensitive content | Detect content scanning errors |
| Customizable policy tips and user notifications via policy tip and email | Richer content types and more enforcement endpoints |
| Admin-facing incident reports and reporting | |

Announcing public preview of DLP for Office 2016 applications

Last month when we announced the Office 2016 preview, we mentioned DLP as one of the core capabilities within the Office applications. Later this quarter, we will make these DLP capabilities available in the preview for three different Office applications: Word, Excel and PowerPoint. With these capabilities, end users can be notified in real time about the sensitive content they are working on, right within the familiar Office applications they love and use.

Let’s look at some of these capabilities in detail.

Admins can easily set up policies for SharePoint Online/OneDrive for Business that will automatically apply to Word, Excel and PowerPoint 2016 applications. If users open a sensitive file from SharePoint Online/OneDrive for Business, they will be notified of the sensitive information in context within the Office application.


Depending on the policy, the user can either simply choose to ignore the policy or is asked to provide a business justification in order to continue working on the sensitive data. Users also have the option of turning off notification policies from within the Office applications.


With these advanced capabilities, you will have the ability to create DLP policies across different services while retaining the best end-user experience.

We look forward to you using these capabilities.

—Shobhit Sahay

Frequently asked questions

Q. When is the public preview planned for DLP in SharePoint Online/OneDrive for Business?

A. Public preview is targeted for the second quarter of 2015. All eligible tenants will start seeing these capabilities in their tenants then. We will be adding more enhancements to DLP in SPO/ODB later in the second half of 2015.

Q. When is the public preview planned for DLP in Office 2016 applications? How can I get access?

A. Public preview is targeted for the second quarter of 2015. For more details on the Office 2016 Preview program and instructions on how to download the applications, please visit the Office 2016 Preview program on the Microsoft Connect site.

Q. Can DLP policies on Office applications be configured on their own? (i.e., without requiring the SPO policy)

A. No, DLP policies in Office applications are designed to work in unison with SharePoint Online/OneDrive for Business, so policies created for the service are also applied in Office applications automatically.
