Posts

What is Microsoft Office 365?

Office 365 is the “top” enterprise cloud application in the world with over 137 million commercial users contributing to nearly $25 Billion in cloud revenue for Microsoft. This includes Office (Word, Excel, PowerPoint), Exchange, SharePoint, Skype for business, and Microsoft for Teams. The following stats from McAfee highlight the need for Cloud Office 365 DLP:

  • 19% of employees use OneDrive for Business
  • 67% of companies with 100+ employees use Exchange online
  • 35% of enterprises moved to SharePoint
  • Skype for Business is healthcare’s primary communications platform

What is DLP or data loss prevention?

DLP or data loss prevention is simply the process of preventing the loss or theft of sensitive or confidential information or data, protecting data from sophisticated threats, without adversely impacting the collaboration and productivity of the teams. There are several steps to data loss prevention that your security team undertakes:

  1. Identify the assets that need protection,
  2. Define the appropriate security policies,
  3. Selects and deploys a vendor,
  4. Deploys the policies in active or passive mode,
  5. Lastly, actively monitors the system for policy enforcement

What is Office 365 DLP?

Office 365 DLP is about making data loss prevention work effectively in the Office 365 environment. This includes protecting sensitive data across all Office 365 products. It also includes defining and enforcing (role-based) access to sensitive data. And this article will provide a guide that will help you make the right choices. Your early choices will make it easy to deploy and maintain your Office 365 DLP environment.

Why this Guide?

In this guide, you understand the benefits and drawbacks of deploying a DLP system for Office 365. Additionally, you 1) Find a list of Office 365 DLP vendors; 2) Evaluate the pros and cons of cloud DLP or on-premise DLP for Office 365; 3) Find tips and recommendations for policy definition, setup, and enforcement; and 4) Calculate your 5-year cost of Office 365 DLP deployment.

After reading this guide, you’ll be ready to make your first decisions. You will be able to answer these questions:

  • Do you need Office 365 DLP?
  • Is the native Office 365 DLP suitable for your environment?
  • How do choose the right Office 365 DLP vendor?
  • Should you use endpoint DLP protection?
  • Is it enough to encrypt data-at-rest or data-in-motion?
  • Should you extend your current DLP to include Office 365?
  • Can you maintain policy consistency across your company?
  • How much does it cost?
  • What is Microsoft Intune and is it included in Office 365?
  • What is Cloud App Security and is it included in Office 365?
  • Can I apply Office 365 DLP on Skype for Business?
  • And, learn some tips on Office 365 security

In this article you will find:

  1. Benefits
  2. Drawbacks
  3. Preparation & Costs
  4. Ongoing maintenance & incident response
  5. Choosing the right vendor
  6. Summary
  7. Other Security Tips

Benefits and reasons for Office 365 DLP

Network DLP data loss prevention

Prevent data breaches

Data breaches happen at an increasing rate. Bitdefender reports that 34% of the companies were breached. And 67% of these breached companies pay $124K to avoid public shaming. Your company plans to migrate to the Office 365 solution. A DLP solution is necessary to prevent data breaches and avoid negative media headlines.

67% of breached companies pay $124K to avoid public shaming

Prevent sensitive data from being shared with unauthorized users

As a part of Office 365, Microsoft Graph provides a set of APIs that enable real-time policy enforcement. This policy enforcement covers all users and devices including BYOD. Policies could be enforced for users based on user groups, titles, specific individual privileged users, or users outside the enterprise. Policies could also be enforced by the type of sensitive data. For example, you may enforce a policy to prevent a specific type of sensitive data to be shared only with C-level executives within the company, implying that any other user will be prevented from receiving this sensitive data from the C-level executives.

Role based access to sensitive data is required to prevent business email compromise.

Prevent high-value data from being uploaded to the cloud

Microsoft Graph and Office 365 provide a comprehensive set of APIs that enable real-time policy enforcement. This policy enforcement covers specific assets or type of assets, for example high-value information such as efficacy data for a pharma company or intellectual property for a technology company. Policies could be enforced for all users to prevent this specific type of high-value data from being uploaded onto the Office 365 cloud.

Enforce policies to prevent highly sensitive or privileged data from being uploaded to cloud

Meet compliance requirements as data moves to the cloud

Office 365 provides a comprehensive ability to manage security, compliance, and data governance. A DLP implementation will further provide regulatory compliance, such as HIPAA (PHI – Personal Health Information), PCI-DSS (Payment card information), and several other regulations that cover PII (Personally identifiable information). Further new regulations such as CCPA (California Consumer Privacy Act) require adequate data security to prevent data breaches. While Office 365 provides an ability to encrypt data migrating to the cloud or at-rest in the cloud, a DLP prevents data exfiltration resulting from a compromised or malicious user.

Centralize data governance, risk, and compliance to adapt to new regulations such as CCPA

Detect insider threats and business email compromise

Office 365 DLP will provide the necessary additional defense to detect ex-filtration of highly valuable data by malicious users and compromised users. Office 365 provides comprehensive user authentication including multi-factor authentication. While enabling multi-factor authentication is sufficient to provide additional defense to gain access to privileged accounts, password usability is still a factor. Privileged users could be a target for spear-phishing. Malicious users could ex-filtrate highly valuable data. Office 365 Data Loss Prevention provides the necessary defense to prevent such data theft.

Automate remediation action

Depending on the policies you deploy, remediation actions may include either passive or active remediation. And, Office 365 DLP may provide a way to automate remediation enabling your security team to focus on exception-based alert processing. Leveraging remediation work-flow drives efficiencies and saves money. Remediation actions may include:

  • Block data or file upload
  • Block new file creation
  • Send email notification to the user
  • Quarantine file
  • Coach users regarding appropriate policies on sensitive information

Drawbacks of Office 365 DLP

Some CSOs and CISO are not fully onboard with Office 365 Data Loss Prevention. The biggest complaints are about deployment complexity and false positives. The main reason could the challenges and issues faced by these CSOs and CISOs in their enterprise DLP deployments. Often cited reasons for poor DLP performance are:

  • Educating the users across the company to do data tagging and classification is extremely challenging
  • Need better tools to automate the process of data classification
  • Metadata is not the end all and means all for classification
  • The ultimate goal would be enterprise data flow management

Complexity of deployment

The Office 365 DLP system is a business solution. It should not be considered as a technology product that is the panacea to all evils. After your company decides to deploy the Office 365 DLP, the work to make it effective really begins. You need to know where your assets are, determine which data is valuable and classify your data, define data protection policies, and refine them based on your threat vectors. Your organization is likely to move over 1 TB of data each month to OneDrive, SharePoint online. More adoption implies more data, and analyzing this volume of data each month for sensitivity is complex and expensive.

A solution to overcome this is to evaluate vendor products for real-time, sensitive data classification. Ability to auto-classify newly created data must be in your vendor evaluation.

False Positives

Office 365 DLP is likely to provide a mechanism for the user to tag a specific DLP action as inappropriate and trigger a false positive report – either for the individual’s ability to use sensitive data or incorrect classification of the data. This requires a security admin to investigate, engage the user and potentially re-classify the data. This is an expensive and time-consuming process. Given the scale of adoption, and data movement to the cloud, this could be a burden on your security budget. If you lower the threshold of sensitivity, then you are likely creating a false sense of security deploying Office 365 DLP system.

A solution to overcome this is to evaluate vendor products for accuracy of classification of your specific data. Lookout for the ability to automate policies by users’ roles.

Pricing and Cost of DLP

Office 365 DLP is natively available from Microsoft. However, the native Data Loss Prevention solution Data Loss Prevention solution is available only in Office 365 Enterprise E3 or higher bundle which requires annual commitment and near $20 per user per month. Office 365 DLP is also available with API integrations from several other vendors including McAfee, Symantec, Netskope, Digital Guardian, Forcepoint, InfoSecEnforcer, and several other vendors. Typical pricing from these vendors specifically for Office 365 ranges from $2 to $4 per user per month with likely annual commitments. While the annual licensing costs may not be burdensome on your budget, you need to evaluate vendor pricing for day 2 operational costs including cost per incident, cost of policy changes, cost of data discovery and classification, among others.

Calculate your CAPEX and OPEX costs (see below). Evaluate DLP-as-a-service option. Evaluate the possibility of a less expensive package for Office 365. Pricing choices are confusing. Take time to evaluate.

Language support

Office 365 is widely used around the world. While the sensitive classification of structured data is widely available, there is a limitation of sensitive classification of natural language and unstructured data occurring in Word, PowerPoint, PDF, and Excel documents. As a result, the wide adoption of Office 365 DLP for unstructured data is a major drawback or limitation in the deployment of Office 365 DLP.

Most DLP vendors provide an ability to classify structured data patterns. Check for vendors who have the ability to classify unstructured data in multiple languages.

Preparation for Office 365 DLP

Preparation is the most important part of Office 365 DLP deployment. First let’s review some deployment scenarios, and identify specific areas of ex-filtration of sensitive data either accidentally or maliciously.

Proper prior preparation prevents piss poor performance.

British Army

What is data loss prevention (DLP)?

Data loss prevention (DLP) is a set of tools, and business processes designed to prevent any loss, theft, misuse, or unauthorized access to sensitive information. A DLP inspects data or information and takes appropriate remediation (block, report, or allow). The data may be in-motion or at-rest. It may be on an endpoint, or within your network. Users collaborate and likely share sensitive data internally or externally.  Shared data may be public, confidential, sensitive, highly sensitive, or privileged. You may store the data on-premise, in the cloud, or a 3rd party service. The data may be regulated under HIPAA, PCI-DSS, CCPA, GDPR, GLBA, FCRA, or DPPA depending on your company and industry you operate in.

What are your business needs?

Applying DLP across everything and everywhere is expensive. Avoid applying DLP across your entire enterprise as your initial DLP deployment. Start your DLP deployment with Office 365. Further, focus on high-risk teams or users. These high-risk users are likely to have access to highly sensitive or privileged data.

Start Office 365 DLP deployment with a few high-risk users.

  1. Impact on day-to-day business: Be clear. Set user expectations. Will this new DLP deployment substantially change the way users interact with data and applications? Ensure that your DLP deployment does not severely impact critical business functions such as collaboration, customer engagement, critical projects, and the like.
  2. Endpoint protection and/or Network DLP: You should seriously consider endpoint DLP protection along with your Office 365 DLP. Office 365 does not provide native endpoint DLP protection. Check out this list of vendors for End Point Protection. However, you may consider Microsoft Intune that is likely bundled with your Office 365 Business package. It is unclear if Microsoft Intune and Office 365 DLP policies are consistently synced. Do may plan to deploy network DLP along with Office 365 DLP? You may consider a network DLP at a later stage. Office 365 DLP vendors also offer network DLP and CASB functionality.
  3. Impact on performance: Performance is a likely consideration. If you deploy an endpoint Data Loss Prevention protection, this could have a noticeable impact on your users. Most network DLPs require expensive data discovery that has a performance impact. However, this performance impact may be limited or manageable.
  4. Reliability of Office 365 DLP: As part of your business requirements you must consider your reliability policy. Do you support a fail-open or fail-close policy? Fail-open would mean that if your Office 365 DLP fails then all traffic is allowed without the DLP inspection. Fail-close would mean that if your Office 365 DLP fails then all traffic is disallowed. We strongly recommend a fail-open approach. We are unable to find a way to configure native Office 365 DLP for fail-open.
  5. Secure your sensitive data: Do you already encrypt all or most of your data at rest? We recommend this as the first major step if securing your sensitive data is critical for your business. Consider encrypting your Office 365 environment. Beyond encryption, Office 365 DLP should still be a major consideration for sensitive data as part of your data access, and collaboration. Define 3-5 levels of sensitivity and classify your data beyond compliance. See below for sensitive data.
  6. DLP incident management: Security incident management and DLP incident management should be treated differently. Because security incident management is broader and requires a broad response. DLP incident management is focused on a specific type of incident and is likely limited to a specific user. Office 365 DLP incidents are likely to increase dramatically with use. Your company may need help. Create a workflow. Identify the appropriate human resources to address these incidents. Prioritize your DLP incidents by severity or user groups. For example, highly sensitive data and executive users get higher priority. Your goals for DLP incident management should be a smooth business operation and security policy compliance.

What is sensitive information or data?

Sensitive information or data is such information that needs to be safeguarded. The purpose of safeguard could be privacy, security, competitive threat, regulatory compliance, risk of lawsuits, or a combination thereof. Sensitive information could be broadly classified as personal information, business information (very broad), intellectual property, and restricted or highly classified information. You may find additional sensitive data definitions here.

The native Microsoft Office 365 DLP provides a template for sensitive information definition. You may review this here. The built-in Office 365 DLP applies 87 built-in types of sensitive information such as credit card numbers, and other personally identifiable information. You may customize the built-in types of sensitive information. You may also further create new custom sensitive types as detailed here.

Most Office 365 DLP vendors provide templates for data classification based on multiple different compliance requirements. You may choose one or many of these classifications for your specific needs. Creating new or custom sensitive types and deploying them based on your enterprise requirements is a difficult, and expensive process. It may also be ineffective and time-consuming process.

Sensitive information classification could be another reason to evaluate native Office 365 DLP vs. 3rd party vendor Office 365 DLP. If the 87 built-in types of sensitive information are sufficient for your business needs, then native Office 365 DLP could be a good choice for your initial DLP deployment.

Evaluate native Office 365 DLP based on the 87 built-in types of sensitive data.

What are sensitivity labels in Office 365?

Sensitive information or data is different from sensitivity labels in Office 365. A sensitivity label is a type of sensitivity that is afforded the type of sensitive data. A sensitivity label is applied to classify and protect your sensitive data. Typical DLP systems have up to 5 sensitivity labels. Systems deployed in government or defense are likely to have up to 22 sensitivity labels. The native Office 365 DLP has 4 predefined sensitivity labels: 1) Public, 2) General, 3) Confidential, and 4) Highly confidential. In Office 365 sensitivity labels are used for multiple purposes.

  1. Encrypt or watermark content with the sensitivity label
  2. Protect content on endpoints using Microsoft Intune
  3. Use it with Microsoft Cloud App Security (CASB) with 3rd party web apps

For more uses of sensitivity labels please refer here. Office 365 provides an ability to define new labels or sub-labels. And you may apply these labels automatically to all your content. Consider the automatic application of sensitivity labels as vendor evaluation criteria.

What is DLP policy in Office 365?

Office 365 Data Loss Prevention policy puts it all together. A policy includes the following parts:

  1. Applications: Office 365 DLP supports Exchange Online, SharePoint, OneDrive, Teams, Skype for Business, and all Office products. Refer here for plans that support native Office 365 DLP.
  2. Groups: For each application, you may include or exclude certain groups, sites or accounts.
  3. Rules: One or more rules could be included in each policy. For each rule conditions and actions are automated.

You can find more details about Office 365 DLP policy here. However, let’s simplify all of this from the perspective of your business. Let’s consider role-based data access, data flow, and enforcement. In practice:

  1. Users and Groups: You active directory has users and groups. A user may belong to multiple groups. Multiple users may belong in one group. Of course, your Office 365 DLP deployment should not dictate changes to your organizational user and group policies. You may consider new groups based on security policies.
  2. Non-actors and outside users: A non-actor is a machine or an unknown actor in the network. In the Office 365 environment, it may be unlikely to have unknown actors. You may consider creating a group of non-actors to enforce security policies mainly for highly sensitive data. Outsider users are clearly users that may be required to receive sensitive data. You may consider a group of outside users for your security policies.
  3. Titles and organizational changes: Changes to the organizational structure are common and often. Promotions, new hires, lateral transfers, and exits are common. This requires your day 2 operational capability to consider collaboration and sensitive data access. This is a moving target.
  4. New data creation: A lot of data is created by your company. It is constantly shared. Running data classification on newly created data is expensive and time-consuming. Automation and in-line classification is the way to go. While infrequent, this could also include new types of sensitive data or new sensitivity labels.
  5. Actions and notifications: Remediation can be in the form of blocking, blocking with or without notification, blocking file creation, user notification, quarantine, or coach users. Actions and notifications may also include a work-flow. A DLP workflow could be a user override. Another work-flow could be a user override combined with a manager or security analyst override.
  6. Sensitive data type: Each sensitive data may have a different remediation action. Access to a different type of sensitive information may be granularly defined for enhanced collaboration.

You need to first consider the DLP policies you are likely to deploy based on your specific needs.

The native Office 365 DLP provides DLP policy template. However, blindly deploying these templates could create more issues than solve them.

Source: SherWeb Blog

Here are two examples of how DLP policies work in Office 365. Office desktop programs such as Excel, Word, and PowerPoint have the capabilities to identify sensitive information and apply DLP policies. These apps use the same central DLP policies and automatically classify the content and apply the respective policies. Once the DLP policies are turned on for Microsoft Teams, when a user shares sensitive data against a DLP policy, the chat message is either blocked or appropriate remediation is shown to the user.

Native Office 365 DLP templates

Office 365 delivers over 40 DLP policy templates that are easy to deploy. These include policy templates for GDPR, HIPAA, PII data, data breach notification laws, GLBA, and more. Each policy template includes the name of the rule, type of sensitive information, condition related to sharing of such sensitive information, and finally the action that is required to be done.

Office 365 DLP template includes regulation name, conditions of sharing, and action taken.

These templates may help with faster deployment for your immediate compliance needs. Implies against these policies sensitive information shared across all Office Apps is auto-detection and action taken based on the specific policy.

How much does it cost?

In the case of Equifax, the cost of the data breach was $439 Million. Your company could suffer substantial legal costs, loss of brand value, and more. For a company with $100 Million in revenue, the cost of a breach could be near $10-15 Million. For your Office 365 DLP, the overall cost of prevention is an obvious concern. Any investment in your Office 365 DLP should consider the following:

  1. Software licensing
  2. Setup, configuration, and installation
  3. Ongoing maintenance and incident response

Software licensing costs: Software licensing costs are fees to acquire a license for use of the software. Today, software-as-a-service is a more popular option for most software. There are two elements to the software-as-a-service model. One element is subscription fees. Another element is hosted or on-premise deployment.  Most 3rd party Office 365 DLP vendors offer a subscription fee model on per user basis. Office 365 is a hosted deployment. 3rd party Office 365 DLP vendors offer a hosted deployment and a few offer the option of an on-premise deployment. To compare software licensing costs it is best to compare based on the table below.

Office 365 E1 Office 365 E3 Office 365 E5 Office 365 E1 with
3rd Party DLP
$ 8.00 $ 20.00 $ 35.00 $ 10.00
Office apps, Email,
OneDrive, SharePoint,
Teams, Yammer,
Skype for Business…
+ Desktop versions + DLP
+ message encryption
+ rights management
+ Unlimited everything
+ Threat protection + BI
+ Cloud PBX …
E1 features
+ 3rd party vendor DLP

source: Microsoft partners (estimated pricing only)

Office 365 DLP subscription costs must factor the subscription costs of Office 365. Typically Microsoft partners offer custom Office 365 packages and pricing. For example, CDW offers Office 365 Enterprise ProPlus package for $11.52 which includes a full suite of Office apps, app management, and more. For a 1000 user environment, you could potentially save $120K to $400K. Evaluate any vendor Office 365 DLP based on your Office Apps requirements.

Setup, configuration, and installation: In the case of native Office 365 DLP deployment, setup, configuration, and installation services are provided by Microsoft partners. Engaging in a self-service model for this module could imply hiring the right person, training costs, policy definition costs, and more.

  Native Office 365 DLP self-service Native Office 365 DLP partner services 3rd Party Vendor Office 365 DLP
Training (3rd party) ~ $10,000 $ 0 $ 0
Setup policy definition $ 24,000 $ 12,000 $ 10,000
Time to define policy 4 weeks + 2-3 weeks 2 weeks
Configuration $ 12,000 $ 3,600 $ 1,800
Time to configure 2 weeks + 2-3 days 1-2 days
Installation $ 6,000 $ 3,600 $ 1,800
Time to configure 1 weeks + 2-3 days 1-2 days
Total estimate $ 52,000 $ 19,200 $ 13,600
Total est time 6-8 weeks 2-4 weeks 2-3 weeks

*Hourly rate of $150 is considered for calculation

Ongoing management and incident response: If you use native Office 365 DLP or you use a vendor DLP, the ongoing maintenance and incident response is similar. We recommend a turn-key managed service option or a DLP as a service option. This option is suitable for companies with under 5000 employees. For ongoing management and incident response, consider incident-based pricing. This is often difficult to predict budget item. A company with under 5000 employees can expect 100-500 incidents a month. Preparation and user coaching is critical to keep this number low. The following issues must be considered to identify the annual cost of management and incident response.

  • Number of users using Office 365
  • The breadth of sensitive data types (beyond 87 types?)
  • Business process exceptions
  • Ability to weed out false positives

These issues will determine the number of incidents reported by your DLP deployment. Incident management is discussed below. These above issues are difficult to quantify both the likely number of incidents and complexity of incidents. On average, each incident resolution takes up to 60 minutes. For a 1000 user deployment, our estimate is an annual cost of $80,000. And, this assumes 100+ incidents per month.

For pricing and budgeting, we recommend the following:

  1. 3rd party Office 365 DLP (more features, more data types, potentially less false positives)
  2. Fixed price 3rd party setup, configuration, and installation
  3. A managed security service provider ex: $5,000 per month for 100 incidents a month + $50 per incident thereafter

Ongoing maintenance and DLP incident response

Initial setup, configuration, and deployment may be simple or complex depending on your business requirements. However, ongoing maintenance and incident response is complex. The complexity depends on a number of users, breadth of your sensitive data, business process exception, and ability to weed out false positives. As part of your day 2 operations, you need to do the following:

  • Ensure smooth business operations
  • Compliance of security policies
  • New policy creation (create, test, deploy)
  • Policy tuning (tune, test, deploy)
  • 24/7 monitoring of incidents, and escalation
  • Reporting
  • Learn and improve security posture

Microsoft provides 365 Security Center. We recommend that you create your own DLP specific dashboard based on the widgets provided by the 365 Security Center. You may create your custom alert policies and fine tune these alert policies for compliance. 3rd party Office 365 DLPs provide central security console. Additionally, you may also use SIEMs.

Microsoft Office 365 Security Center

Source: Microsoft Corporation

Using 3rd party Office 365 DLP solution will be as simple or complex as the native solution. It is more likely that 3rd party solution have a larger ecosystem and partner base. You may find more effectiveness with 3rd party solutions. They are likely to provide training, operational support, and services needed for your day 2 operations.

Policy tuning, creation, testing, and deployment

Deploying a native or 3rd party Office 365 DLP is simple for a trained security technician. You may find several step-by-step configuration and deployment blogs. Here is a good list of them for native Office 365 DLP:

While policy creation may be simple. But, you need to test your policies in a sandbox environment before deployment. To test these policies in a sandbox environment, we need test data. This is a difficult and time-consuming task. You may license 3rd party test data. Or you may create your own test data for your specific business needs. The level of difficulty for new policy deployment is very high. You must ensure that your new policy does not create a lot of false positives. The trick to keeping low false positives is accurate test data and testing. After testing, deploy in a silent or observe mode before turning on more strict actions.

Choose a 3rd party Office 365 DLP solution. Depending on your budget, this may allow you to find the partners. Your partners will help with the initial policy setup and configuration. Your partners are also likely to provide ongoing policy help with changes in the regulations. For example, new upcoming privacy regulations such as CCPA will likely require new policy changes. Partners will help find the expertise needed to create policies across jurisdictions, and comply with multiple regulations in a more effective manner.

How to choose the right Office 365 DLP vendor?

Your business requirements will drive your vendor choice. The effectiveness of the right vendor for your business requirements can only be judged when you deploy a proof of concept.

We suggest that you consider the following vendors for your Office 365 DLP.

  1. InfoSecEnforcer
  2. McAfee (SkyHighNetworks)
  3. Symantec (BlueCoat/Elastica)
  4. ForcePoint (Skyfence)
  5. DigitalGuardian
  6. Netskope
  7. BitGlass
  8. Office 365 Native DLP

In order to effectively evaluate 3rd party Office 365 DLP vendors, you need to consider one or more of these criteria.

Sensitive data

List your data by 5 sensitivity levels. We recommend sensitivity levels such as public, confidential, sensitive, highly sensitive data, and privileged. Evaluate your DLP vendors to have these levels of classification. Alternately, your vendor should have the capabilities to define custom classification based on your need.

Essential feature: Custom data classification

Data types

Nearly all DLP vendors provide the ability to recognize multiple data types. Office 365 DLP recognizes 87 types of data. Several other DLP vendors have pre-built ways to recognize nearly 3000 data types. Nearly all of these are structured data types. Do you have any specialized data types? For example, if you are a pharmaceutical company, your efficacy data will have to be the highest sensitivity – privileged. Evaluate your DLP vendors to identify and classify your custom sensitive data.

Essential feature: Comprehensive built-in data types

Data Flow

Data flow means business process flow. For smooth business operations, the flow of data is critical. Data flow starts with data access. You must evaluate DLP vendors for role-based access to data. Most DLP vendors do not provide role-based data access. Alternately evaluate DLP vendors for role-based data flow. This could be done by evaluating if the DLP vendor has the ability to inspect data flow based on the following matrix.

From Whom Data Sensitivity Office365 App To Whom Action
Users
Groups
Titles
Non-Actors
Public data
Confidential
Sensitive
Highly sensitive
Privileged
Exchange
Office Apps
OneDrive
SharePoint
Teams
Skype Business
Users
Groups
Titles
Non-Actors
External Users
Allow
Block (report)
Allow + report
Quarantine

Does your business need this granular control of sensitive data flow? For example, should the VP of finance have the capability to upload privileged information, in case of pharma efficacy data, to OneDrive? The mechanisms and importance of role-based data access, data flow, and the ability to take action based on the type of data sensitivity is a subject for another article. We expect to write this in the near future.

Essential feature for CCPA and GDPR compliance: Role based data flow

DLP by Microsoft Graph API

Microsoft Graph API is simple. Once the API integration is complete, any 3rd party vendor must test the integration across all the Office 365 Apps including Exchange Online, desktop & online Office Apps, OneDrive, SharePoint, Teams, and Skype Business. Evaluate your DLP vendors and test specific Office 365 Apps for your use. Alternately, your vendor should provide you a report of what is tested and list use cases they tested. We recommend only vendors with API integration. The benefits of Office 365 DLP API integration including avoiding setting up endpoint protection, avoid proxy, and avoid restricting access from unknown IP addresses.

Essential feature: DLP fully integrated with Microsoft Office 365 API

Active (inline) vs. Passive (Log-based) DLP

Active data loss prevention vs. passive monitoring for data protection are two distinctly different approaches. Office 365 DLP is meant to monitor, detect, and block sensitive data at rest, or in motion. Most Office 365 DLPs provide active and inline ability to protect sensitive data based on appropriate policies. However, depending on your business requirements you may simply be looking for a passive monitoring solution. A passive monitoring solution mirrors traffic and provides deep visibility. A few experts recommend passive monitoring solutions. A passive solution avoids the pitfall of DLP such as too many alerts, length rollout, false positive, false negatives, and more. However, beware that a passive solution cannot prevent any data breach it simply notifies you after the breach has occurred. We recommend an active Office 365 DLP solution.

Essential feature: Active Office 365 DLP solution

Management and Reporting

Management, alerts, alert thresholds, and reporting is a key criterion for 3rd party vendor selection. Most vendors meet these criteria, and the difference would be to understand how they can support you with your specific alerts, and reporting. Alerts are an important part of a DLP system deployment. Better alerts will reduce your need for 24/7 monitoring and will help with exception based incident response. This delivers on cost savings on your day 2 operational budget.

Good to have feature: SIEM integration

Single system vs. multiple components – implies costs

Traditional network DLP systems have multiple moving parts. Selecting a 3rd party vendor for your Office 365 DLP would imply that it is time to ensure that your costs can be managed downstream. There are three big cost factors in deploying a DLP system as discussed earlier. Several DLP vendors use a multi-component deployment. Find a single system that delivers all the necessary functionality. Several DLP vendors require you to do initial data discovery. Find a system that reduces this effort substantially while maintaining high efficiency in sensitive data detection.

Essential feature: One throat to choke or one system to manage

Time to deploy

Time to deploy is indeed a major consideration. Many 3rd party DLP vendors are known to take anywhere between 6 months to 18 months for a full Data Loss Protection deployment. The more time it takes implies the bigger the budget you need. Find a system that is faster to deploy without substantially impacting its effectiveness. Evaluate 3rd party Office 365 DLP vendors on their speed of initial deployment. Set expectations of 1-4 weeks for initial fairly effective deployment.

Good to have feature: Out of the box deployment

Migration to Office 365 DLP

This is simple. Is evaluation ease of migration critical for you? It implies that you already have a network DLP or CASB or a combination of these products already deployed. It is likely that your current vendor has integration with Office 365 DLP APIs. Congratulations! You did not need to read this entire article. Now that you have read so far, we recommend that you consider another vendor to judge the effectiveness of your current solution.

Essential feature: Current DLP should have Office 365 API integration

Costs and Pricing

Last but not least, your initial costs and your operational costs may potentially outweigh all your business requirements. Evaluate 3rd party Office 365 DLP vendors and compare with your overall Office 365 costs. Compare your current DLP costs vs. your extended Office 365 DLP costs. You may not want to pay twice for the same functionality or manage two different systems. Or it may be time for you to reconsider your current DLP system.

Summary

In summary, native Office 365 DLP is limited in its capabilities. However, this may be sufficient for your business. There are several 3rd party Office 365 DLP options. Primarily, established CASB (cloud access service brokers) vendors have fully integrated with Microsoft Graph APIs to deliver active Office 365 DLP. The licensing costs may be comparable to free native Office 365 DLP. We recommend the following:

  1. First, identify your needs and inventory your sensitive, highly sensitive and privileged data
  2. Communicate your goals clearly and define your team’s responsibilities
  3. Evaluate and select a 3rd party Office 365 DLP system
  4. Subscription cost per user likely between $2-$4 per month
  5. Clearly define your Office 365 policies consistent with your current DLP policies
  6. Coach your teams on the policy on sharing sensitive data in the cloud
  7. Restrict external sharing to whitelisted domains only
  8. Have a policy on whitelisting domains of customers, partners, and suppliers
  9. Block sharing or uploading of privileged data on Office 365 cloud
  10. Build and deploy consistent policies across Office 365 and other cloud services

Security Tips for Office 365

Security experts know that security is not a point solution. The following is a list of some important security tips to further fortify your sensitive data in Office 365.

  1. Deploy multi-factor authentication, including MFA for administrator accounts
  2. Migrate legacy authentication to multi-factor authentication
  3. Enable unified auditing in the security compliance center
  4. Turn on password sync
  5. Setup encryption of all your data-at-rest
  6. Use anti-phishing protection
  7. Provide security awareness training for your users and administrators

More information on preventing data breaches

Learn about our Office 365 DLP

Complete guide to Office 365 DLP

Abstract

This white paper explores a new way to approach the adoption of data breach prevention in businesses large and small – a business solution to a technical problem. Data breaches are considered a technical problem. Prevention of data breaches using a combination of technology, security policy, and operational implementation are widely known – ask your Chief Security Officer.

Our solution explores ways to accelerate the adoption of these preventive methods for data breaches. The lifeblood of a business is its agreements with customers, partners, suppliers, and employees. A change in one or more of these agreements would have a network-wide impact. We explore a change in agreements and the impact of such change in the adoption of data breach prevention.

Our solution is to include a covenant to prevent theft of digital information in all business agreements. This inclusion adds teeth and enforceability between businesses. It establishes a business need, creates a justification, and gets buy-in from the Board of Directors and the management team. Buy-In from your Board of Directors delivers a budget. This buy-in implies that prevention of theft of digital information is not a cost of doing business, but a way of doing business. In end-user agreements, internet and consumer-centered companies may include a covenant to prevent theft of personal information. This builds further trust in your brand. Such covenant shall survive termination and will have long-term enforceability. Mutual covenant to prevent the theft of digital information has a network effect. We can free the world of data breaches.

This white paper has the following sections:

  1. Abstract
  2. Background
  3. Solution
  4. Summary
  5. References

Make the world free of data breaches

The world free of data breaches feels like a tall order. But we must make it probable and free the world of data breaches. I was walking the RSA Expo 2018. Lots of traffic, in the aisles, but in 4 hours it became clear to me that it is still business as usual. Similar pitches, discussions, and one major exhibitor said “data breaches are inevitable, and so you need threat intelligence,” yadda, yadda. Few if any discussed preventing data breaches, or finding new ways to say – no more data breaches. Let’s make the world free of data breaches with a few simple but highly effective changes to how business agreements are written.

Background – Evolving consumer expectations

Data breaches are increasing each year. Over 9.8 billion data records were stolen or lost since 2013 as a result of data breaches. (Breach Level Index by Gemalto, n.d.) Breach data is unreliable for several reasons. Despite several laws, public reporting of data breaches is inconsistent. Additionally, breaches are likely under-reported. According to Business Insider Intelligence (Toplin, 2018), of businesses that are breached 22% lost customers, 29% revenue, or 23% business opportunities. Beyond customer expectations, a federal appeals court has ruled (Attias-v-Carefirst, 2017) that consumers may seek legal relief from companies that do not protect their personal data. Additionally, businesses are most concerned about disclosures, confidential information protection, intellectual property protection (LIEW, 2013), and protection of trade secrets.

IBM cybersecurity and privacy research (IBM, 2018) found that “75 percent of consumers will not buy products from companies that they don’t trust to properly secure their data. What’s more, 73 percent said they believe businesses prioritize profits over consumers’ security needs.”

Data breach reporting laws – fall short

In the U.S., the 50 states and several territories have enacted laws regarding data breaches. These laws require businesses to notify data breaches. Specifically, data breaches involving personally identifiable information. Please review these three references (Greenberg, 2018), (Davis Wright Tremaine, 2016), and (Foley & Lardner LLP, 2018) that detail each of the data breach notifications based on each state.

These data breach notification laws are mandates of notification to the customer upon breach of personally identifiable information of that customer. Personally identifiable information (PII) may include name, social security number, driver’s license information, account numbers, or other similar information. The timing of the notification, whom to notify, or which information needs to be provided, are different for each state. And more importantly, these laws offer exemptions. All these state laws fall substantially short of preventing data breaches.

EU GDPR has a network effect

The European Union (EU) enacted the General Data Privacy Regulation (GDPR). GDPR is in effect since May 25, 2018. This law is the first step towards better privacy for citizens and residents of the EU. It has a network effect on EU businesses and their suppliers to these EU businesses and as a result the entire supply chain. The network effect is clear in the definition of a GDPR data breach – “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Despite the penalties, the GDPR falls short of prescribing prevention.

Let’s explore article 33 of the GDPR regulation – “Notification of a personal data breach to the supervisory authority.”

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.” (Vollmer, 2017)

GDPR falls short

The GDPR has one big shortfall is these words in article 33, “after having become aware of it.” Additionally, if a business relies on a data processor, the burden is on the data processor to make the business aware of a breach. However, the data processors have no time specific burden as related in this clause of article 33: “The processor shall notify the controller without undue delay after becoming aware of a personal data breach.” The creators of this regulation rightly assume that lack of precedence is likely to place the burden on a business. However, this does not prevent a data breach.

This whitepaper does not explore how this article 33 may be amended to free the world of data breaches. Instead, it implores businesses to leverage compliance funding to prevent data breaches. This is achievable. Change the goal of compliance to that of data breach prevention. This delivers the compliance by design and default at no additional cost. This solution proposed in this whitepaper explores a new way of doing business there-in establishing an essential business need to prevent data breaches.

The solution

The solution we propose in this paper is to change the way business agreements get done. A solution to prevent data breaches must be inclusive of the supply chain, and their data processing partners. We explore a three-phase approach in modifying business agreements.

Phase 1: Execute a one-sided covenant to prevent theft of digital information with customers and in end-user agreements a covenant to prevent theft of personal information

Phase 2: Include a mutual covenant to prevent theft of digital information with suppliers and partners (including data processing partners)

Phase 3: Finally, write an enforceable mutual non-disclosure agreements with business partners

We detail these phases in the sections that follow.

One-sided covenant to prevent theft of digital information

The solution we propose begins with a one-sided covenant to prevent theft of digital information. This one-sided covenant shall be written by a business in favor of a strategic customer or a partner. It assures the strategic customer or partner that their digital information or specific confidential (or proprietary) information will be protected from theft by any means possible. This section of the whitepaper details out the covenant that provides such an assurance to the strategic customer or partner.

Covenant to Prevent Theft of Digital Information.

(a)         Covenant. Company and any affiliate of the Company each covenant to prevent theft of Digital Information, and to institute any procedure, practice, or technology that expressly prevents theft of Digital Information, from any digital means (not limiting to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(b)         Theft or attempt to steal by a person(s) or machines or bot(s). This covenant shall include theft prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c)          Report attempts to steal. The Company shall provide a periodic report(s), no longer than each six (6) months of the theft incident, or an attempt to steal any or all Digital Information. The incident report of theft or attempt to steal such Digital Information shall at the minimum, include data and time of the incident, the location of the incident, details of specific Digital Information involved in the incident, the person(s) or bot(s) responsible for the incident, among other information related to the incident. At the discretion of the Company, any theft or attempt to steal highly confidential information shall be reported immediately.

(d)         Preventive and proactive incident response. The Company shall institute a procedure, practice, or technology that preventively and/or proactively addresses any known or unknown ways to steal or attempt to steal Digital Information, from known or unknown actors including persons, bots, malware, worms, or viruses.

We recommend that your legal counsel review the above article for use in your agreements while retaining the intent of the covenant.

Article (a) – The covenant

This article (a) above, intends a broad definition and expands the use of the prevention practices for all digital information. Your company may narrow this definition to proprietary information or specific referenced confidential information. Any narrow definition would imply that you require your company to implement ways to discover, classify, and deliver in-flight identification of specific referenced confidential data. Such discovery, classification, and identification also apply to public or non-public disclosures as part of compliance. If your business has a limitation in implementing ways to classify digital information in flight, it is best to treat all digital information in the same way. We recommend that your business find a way to implement classification, and role-based disclosure of digital information across your known actors.

This article (a) above, intends a broad definition and expands to company affiliates, meaning businesses wherein the company has a majority stake. Your company may narrow this definition. However, we believe that applying security policies consistently across the company, its subsidiaries, and affiliates deliver a far superior approach to preventing data breaches.

This article (a) above, intentionally does not propose a specific procedure, or practice, or technology. This implores your information security team to find cheaper means to prevent data breaches. Deploying expensive technology and subsequent operational expense to manage and maintain this technology is not the only way to prevent data breaches. Your team could find a combination of technology, policy, or process that is most effective for your business.

This article (a) above uses the term ‘digital’ and states certain means in which digital information may be stolen. Your company could carve out certain physical means in which digital information could be stolen such as the use of smartphones to take pictures of a computer screen. Your company needs to evaluate its BYOD (bring your own device) policies and relate them to your ability to implement data breach prevention. There are cases where hi-tech companies prevent the use of digital cameras in their campuses. For example, for visitors, a very large hi-tech company places watermarked tape on the cameras of electronic equipment entering their campus.

Article (b) – Theft or attempt to steal

This article (b) above intends a broad definition and expands to persons, machines, or bots. Persons could imply authorized users, malicious authorized users, careless authorized users, or unauthorized users. Machines or bots could imply known or unknown actors in the network such as compromised authorized users, hackers, scripts, bots, cronjobs, or simply spies ready to steal your intellectual property.  We recommend that you keep this article unchanged.

Article (c) – Report attempts to steal

This article (c) above uses the term ‘attempt’. When your business prevents a data breach, there is no theft. However, there is an attempt to steal. The reporting obligation is minimal. For most companies that comply with GDPR or other reporting laws, this reporting obligation is familiar.

We perceive that faster reporting at the discretion of the company is a better approach. It has certain advantages in the way you manage and maintain a relationship with your customers and partners. A counter-argument to faster reporting is more incident reporting. This implies more explanations to be given to your customer or partner. Account managers do not prefer to get this transparent with the customer and provide detailed explanations. However, we believe that customers or partners prefer transparency and resulting accountability. Soon, they will start to seek similar provisions and incident information from your competitors. This is your competitive advantage. You may at your discretion narrow down the definition of digital information to highly confidential information. This implies that you have the ability to discover, classify, and identify digital information whether the information is at-rest, or in-flight.

Article (d) – Prevention and proactive incident response

This article (d) above is a high standard for prevention. We recommend minor, if any, modifications to this. The usage of ‘known and unknown ways to steal or attempt to steal,’ is expected to set the right security policy for your business. An added advantage of this article is the prevention of intellectual property theft, and theft of trade secrets. Unknown actors are more clearly explained in the previous sections of this white paper.

One-sided covenant with your strategic customers

Our solution suggests the implementation of this change with strategic customers or partners. In your next QBR (quarterly business review) with a strategic customer, socialize this covenant and find ways to increase already high trust levels. The implication is more business and your customer opening up about their top-secret business initiatives.

The next step is to bring-in your CEO to your top 5 customers and have your CEO deliver this one-sided covenant to prevent theft of digital information. This cements an already strong relationship and potentially eases the pressure on annual price reductions. In these strategic customer and partner discussions, you will get a first-mover advantage to showcase your company as a highly trusted strategic partner. Your customers win big: They get their business terms, and they get information security compliance at the highest levels at no additional cost. You win big over your competitors.

One-sided covenant in your end-user agreements

Let’s take the case of Domino’s Pizza and how the pizza chain reintroduced “30 minutes or its free” campaign in India to get 40% market share. Under this policy, the consumers won. They got a fresh, hot product, delivered home, a value for their money. They also received a delivery that guarantees a hot, fresh product on time. (Rai, 2015)

Similar to the Domino’s Pizza policy, a covenant to prevent theft of personal information in your end-user agreement ensures that your consumers WIN two ways. They get your great product or service a value for their money. They get to use your product or service with no encumbrances of breach of their personal information or their privacy. Your business will establish a trusted brand.

The next step to this implementation is to bring in your CMO, your CISO, and General Counsel together. Draft a marketing campaign. Change and simplify terms of use. Deploy preventive measures. Launch a marketing campaign to build added trust in your brand. Get a first mover advantage and enhance your brand over your competitors.

Mutual covenant to prevent theft of digital information

Once you start implementing a one-sided covenant to prevent theft of digital information with your strategic or soon-to-be strategic customers, the next phase is the implementation of the mutual covenant with your suppliers or strategic partners. This mutual covenant shall be initially executed by your business with a few of your suppliers. The mutual nature of this covenant assures these suppliers that this is not an unreasonable ask. You may share certain elements of the implementation of security policies, technologies, or procedures with these suppliers. This delivers credibility, and intent to make the supplier successful. It also guarantees the supplier that their information is protected from theft.

Mutual Covenant to Prevent Theft of Digital Information.

(a)         Covenant. Both Parties and their respective affiliates each covenant to prevent theft of Digital Information, and to institute any procedure, practice, or technology that expressly prevents theft of Digital Information, from any digital means (not limiting to personal, network, or cloud means) used by the Receiving Party, its subsidiary, its affiliate, or any of its employees.

(b)         Theft or attempt to steal by a person(s) or machines or bot(s). This covenant shall include theft prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c)          Report attempts to steal. Each Party shall provide the other Party periodic report(s), no longer than each six (6) months of the theft incident, or an attempt to steal any or all Digital Information. The incident report of theft or attempt to steal such Digital Information shall at the minimum, include data and time of the incident, the location of the incident, details of specific digital information involved in the incident, the person(s) or bot(s) responsible for the incident, among other information related to the incident. Either Party, at its discretion, shall immediately report any theft or attempt to steal highly confidential information.

(d)         Preventive and proactive incident response. Each Party shall institute a procedure, practice, or technology that preventively and/or proactively addresses any known or unknown ways to steal or attempt to steal Digital Information, from known or unknown actors including persons, bots, malware, worms, or viruses.

We recommend that your legal counsel review the above article for use in your agreements while retaining the intent of the covenant.

Mutual covenant with your strategic suppliers

Our solution suggests the inclusion of this change with strategic suppliers or partners. In your next QBR (quarterly business review) with a strategic supplier, socialize this covenant and find ways to engage, educate, and lead by sharing your experience with your customers. The implication is better protection of your confidential information with your supplier and a guarantee of theft prevention to your supplier. You may imply better access to strategic plans and better engagement. The sales team of your supplier will be your best ambassadors, and engaging your suppliers with a mutual covenant shall prove to be an easier task.

Mutual enforceable non-disclosure agreement

As the final phase, our solution suggests the inclusion of the mutual covenant in non-disclosure agreements. This delivers a mechanism for mutual enforceability of non-disclosure of proprietary or confidential information. Today, non-disclosure agreements are difficult to enforce. This covenant adds an enforceable provision to a boiler-plate mutual non-disclosure agreement.

When a new business partner initiates discussion under non-disclosure, we recommend adding the mutual covenant for execution in a non-disclosure agreement. Upon request, a discussion on such covenant prior to execution will convince the new business partner that you take the non-disclosure of their confidential or proprietary information very seriously. It is mutual, and the business partner is extremely likely to execute this mutual enforceable non-disclosure agreement.

When you start the implementation of this final phase, we consider that you have completed the digital transformation. You now have a culture that makes preventing data breaches a way of doing business.

The Network Effect – free the world of data breaches

Your business now has a culture of prevention, the knowledge of protecting digital assets, and the know-how to prevent theft of digital information. You may also have a mechanism to discover, classify, and identify digital information at-rest and in-flight. Your customers now place significantly more trust in your brand. This may result in more business or less pressure on future price reductions.

Your customers and partners start to recognize the benefits of preventing theft of digital information and are likely to implement a similar covenant with their own customers, partners, and suppliers. Are we now on the way to free the world of data breaches?

References

Attias-v-Carefirst, 16-7108 (US Court of Appeals – DC Circuit 08 01, 2017).

Breach Level Index by Gemalto. (n.d.). Data Breach Statistics. Retrieved from https://breachlevelindex.com/

Davis Wright Tremaine. (2016, 8 6). Breach Notification Summary. Retrieved from www.dwt.com

Greenberg, P. (2018, 3 29). SECURITY BREACH NOTIFICATION LAWS. Retrieved from NCSL.

IBM. (2018, 4 24). Data Privacy Now a Top Public Priority. Retrieved from www.securityintelligence.com

LIEW, A. (2013, 10 25). Auckland District Law Society. Retrieved from ADLS

Rai, S. (2015, 01 13). How Dominos Won India. Retrieved from FastCompany

Toplin, J. (2018, 2 16). Business Insider. Retrieved from Business Insider

TrendMicro. (2017, 6 21). TrendMicro. Retrieved from www.trendmicro.com

Vollmer, N. (2017, 12 16). EU GDPR. Retrieved from EU GDPR

Acknowledgment: We acknowledge several people for their feedback, edits, and comment including – Ramana Prasad Parimi, Michael Chiu, Yasmine Staton, and Bhanu Panda.

More information on preventing data breaches

Learn about Office 365 DLP

Complete guide to Office 365 DLP