Compliance management when using Office 365 Exchange Online within your organization is a significant consideration. This is true for any organization that uses email, whether it’s an on-premises implementation or in the cloud. Therefore, it becomes imperative to understand what can be done to make sure that sensitive information doesn’t leave your organization in an unprotected fashion. This article will focus on the many considerations of securing email and how to get started with Office 365 Exchange Online Data Loss Prevention (DLP).
Why should I care about Compliance Management?
Studies have shown that the greatest organizational threat of data loss comes from employees. This is not intentional, of course, but the risks are very real. Some organizations give employees access to confidential information without any form of auditing, which allows those employees to move data around without any documented trace. Sometimes it's as simple as sharing passwords with co-workers they trust; sometimes employees receive emails that trick them into sharing confidential information such as passwords or social security numbers. Even failing to follow a procedure precisely within a critical system can create a vulnerability. Managing organizational compliance is extremely important.
What should I consider?
Organizations handle email data loss protection in many different ways. Some organizations have a written policy stating that it's not okay to email any information that contains private customer information. The tough part about this kind of policy is that it relies on people, and people make mistakes. Some organizations use Transport Layer Security (TLS) encryption, which encrypts email while it is being transmitted between mail servers. TLS can be set up in a few different ways. One is opportunistic TLS, which means that encryption only occurs if the other organization also has opportunistic TLS enabled. There is also mutual TLS, which can be set up between two organizations that want to be 100% certain TLS encryption will be used. It is configured by both companies through certificates and network rules between the two organizations, and it ensures that messages from one organization to the other will always be encrypted. There is information on how to set up encryption within Office 365 on TechNet. Finally, many companies set up and configure DLP, which can be configured to encrypt mail that contains confidential information or to prevent sensitive emails from being sent at all.
What? There is more to think about with DLP?
Depending on the type of organization you're setting up an email-based security policy for, there may be government regulation that needs to be followed. These policies exist to protect data from abuse, exposure, and unauthorized access.
If your organization revolves around healthcare, then you need to be concerned with HIPAA (Health Insurance Portability and Accountability Act) from 1996. This policy outlines the medical security and privacy rules that should be followed in healthcare. The act requires that patient information and health records be retained for 6 years and that those records are kept confidential and secured. It also defines electronic transaction standards for how healthcare providers handle patient information, including the penalties for disclosure of patient information through email.
Are you working for a company in the financial services sector? If so, then your guidelines come from the Gramm-Leach-Bliley Act from 1999. This act requires that financial institutions make sure all customer data is confidential and secure. All data must also be stored on a secured platform.
Publicly traded companies also have a set of policies to follow: the Sarbanes-Oxley Act from 2002 was implemented to protect investors. The guidelines imposed by this act make organizations responsible for ensuring that their data is safe, accurate, and secure, and also require that data, including email, is available in the event of a disaster.
Now that we understand why it's necessary, we should take a closer look at what it means to set up DLP within Office 365 Exchange Online.
Getting Started with Compliance Management for Exchange Online in Office 365
First, sign in to your Office 365 Enterprise subscription as an administrator at the Office 365 login page. On the upper right-hand side of your screen, choose Admin, then click Exchange:
On the left side of the screen, select compliance management:
Click data loss prevention, located in the middle of the tabs above your information.
Currently, there are no DLP policies set, so select the + sign below to get started:
After selecting +, there will be 3 options to choose from. The options are detailed below, and for this example, we'll use the “New DLP policy from template” option.
The first option, “New DLP policy from template”, allows you to create a policy based upon the Acts outlined above.
The second option, “Import DLP Policy”, allows you to use templates of Microsoft partners instead of the ones provided with Office 365.
The last option, “New custom DLP Policy”, is what you'll use to create a custom policy that suits the needs of your organization.
Once you have selected your desired option (in our case the first, "New DLP policy from template"), provide a name and description for this new policy:
Scroll down and choose the appropriate template. In this case, it will be the U.S. Health Insurance Act (HIPAA). Click Save in the bottom right-hand corner of the screen:
After the policy is created, it will automatically be put into testing mode, which can be seen on the right side of the policy, as shown below:
Note: This enables the policy, but puts it in a detection-based mode so that you can evaluate detections to make sure this is the right policy for your organization.
How to create Policy Tips
Policy Tips are a way to notify your email users, before they send a message, about possibly non-compliant information in that message. You can configure a policy tip to notify the sender, allow the sender to override, block the message, or redirect them to a compliance URL. In this case we will go through how to create a policy tip that blocks the message from being sent.
From within the same Office 365 Exchange Online section we have been working in above, go to data loss prevention again.
Click Manage policy tips:
Create a Policy Tip to block the message as shown below and then click Save in the bottom right-hand corner:
The Policy Tip has been added. Click Close to complete and return to the mail screen for DLP configuration:
Use Policy Tips and Run a Report for Detections
With the policy in place, it's time to test it and the user experience. Testing mode can be left running for as long as appropriate, because reports can be run to see what the effect on your environment would be when enabling DLP.
In order to use your new Policy Tip that will block messages with sensitive data, you must select Test with Policy Tips in the bottom right-hand corner of the screen:
Wait at least a few days or whatever timeframe your organization deems appropriate, and then run a detection report.
To run a report, go back to the Office 365 Exchange Online console, go to compliance management and then click data loss prevention:
Click the dropdown to the right of the reporting section and choose the type of report that will prove most useful to you.
Note: Review the data and determine if the outcome is appropriate for your business before activating the tip.
To enable DLP, click Enforce:
Then select Yes:
The policy is now being enforced, as shown below.
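The same rollout described above (create the HIPAA policy in test mode, add a blocking Policy Tip, review detections, then enforce) can be scripted with Exchange Online PowerShell. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module, the classic Exchange Online DLP cmdlets (Get-DlpPolicyTemplate, New-DlpPolicy, Set-DlpPolicy, New-PolicyTipConfig), a placeholder policy name, and that the reporting cmdlet Get-MailDetailDlpReport is still available in your tenant.

```powershell
# Added example: scripting the DLP rollout from this article with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the account is an Exchange admin.
Connect-ExchangeOnline

$policyName = "HIPAA DLP (placeholder name)"

# 1. Create the policy from the built-in HIPAA template in test mode.
#    Mode values: Audit (test without Policy Tips), AuditAndNotify (test with Policy Tips), Enforce.
$template = Get-DlpPolicyTemplate |
    Where-Object { $_.Name -like "*HIPAA*" } |
    Select-Object -First 1
New-DlpPolicy -Name $policyName -Template $template.Name -Mode Audit -Description "Detects PHI in outbound mail (placeholder description)"

# 2. Policy Tip text for the Reject action (blocks the message). The Name is "<locale>\<action>";
#    the actions are NotifyOnly, RejectOverride, Reject and Url.
New-PolicyTipConfig -Name "en\Reject" -Value "This message contains protected health information and cannot be sent."

# 3. Equivalent of clicking 'Test with Policy Tips': senders see the tip, nothing is blocked yet.
Set-DlpPolicy -Identity $policyName -Mode AuditAndNotify

# 4. Review before enforcing. A DLP policy is backed by transport rules whose DlpPolicy and Mode
#    properties show the current state; the detection report shows what the policy matched.
Get-TransportRule |
    Where-Object { $_.DlpPolicy -eq $policyName } |
    Format-Table Name, Mode, State

# Detection report for the test window (choose a window your organization deems appropriate).
# Assumption: Get-MailDetailDlpReport is still available; otherwise use the DLP reports in the portal.
Get-MailDetailDlpReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Format-Table Date, SenderAddress, RecipientAddress, DlpPolicy, Action

# 5. Only after the report confirms the detections are appropriate for your business: enforce.
Set-DlpPolicy -Identity $policyName -Mode Enforce
```

Step 5 is the equivalent of clicking Enforce and then Yes in the admin center; leave the policy in AuditAndNotify until the report has been reviewed.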
Partner with your Security Team
Email administrators may feel that it isn't their responsibility to care about these types of security-focused problems. Administrators may feel that the organization's security team should be responsible for this, but at the end of the day, it becomes a partnership between the email administrator and the security team. Work together to put together the appropriate plan, based upon your organization's guidelines, to protect all sensitive data. There is too much risk involved with the loss of personal information. From the persons whose private information is being emailed outside of the organization to the company sending the message, all parties involved want to protect personal information, protect clients and customers, and successfully do their jobs every day.
Email security is a complex, multi-faceted topic that will have different standards and configurations in each organization. We've covered the facts and shown you how to test, run reports, and enable DLP within your Office 365 Exchange Online tenant. Now it's time for you to take that next step and determine how DLP can better protect your organization and its customers!