January 10, 2024

An Overview of Microsoft Purview for Office 365 DLP

Given the threat posed by cloud data breaches, popular SaaS providers are increasingly providing privacy and security controls to help companies manage their data footprint and cloud security posture. Microsoft, for its part, offers bundles that allow organizations to leverage its cybersecurity tools—like Data Loss Prevention (DLP)—alongside Office 365, Sharepoint Online and other productivity applications. These bundles, however, require some upfront commitment, making it important for decision makers to evaluate whether the investment makes sense for their organization. We’ll cover the tradeoffs that need to be considered when evaluating your options for Office 365 DLP.

What’s the purpose of having DLP for Office 365?

Many organizations discover that SaaS environments like Office 365 naturally present data security challenges. This mainly takes the form of data sprawl, which results in files with sensitive information changing hands and becoming potentially accessible to unauthorized parties. Employees, for example, may make file permissions too broad, making an Excel spreadsheet with business-critical financial data available to end users of any permission level. Over time, companies accumulate an unknown number of files with sensitive data posing potential data breach or exfiltration risk due to loose permissions and poor visibility into where this content lives. The situation becomes more complicated in hybrid environments where employees can move files between OneDrive, other sanctioned apps, sanctioned devices, or even personal devices and unsanctioned apps. The purpose of leveraging DLP is to prevent this from happening and proactively mitigate the risk of leakage.

What are the DLP options for Office 365?

Organizations that want to have DLP for Office 365 have access to Microsoft Purview Data Loss Prevention, generally through an E5 license that bundles Purview with their existing subscriptions. It's worth noting, though, that the options available to you depend on whether you're using Office 365 or Microsoft 365. Users who are exclusively on Office 365 can access DLP for emails and files as well as DLP for Microsoft Teams chat. Those using Microsoft 365 will also have access to endpoint DLP.

Alternatively, Office 365 customers can adopt a best-of-breed data loss prevention solution, and these options likely won't require a license upgrade in order to get both cloud DLP and endpoint DLP. While this may seem like an alternative to Purview DLP, the two don't have to be mutually exclusive, assuming your budget isn't a limiting factor.


How good is Microsoft’s DLP for Office 365?

Microsoft's E5 can be a compelling option, even for organizations only on Office 365, because the pricing is bundled with the service they're already using. Additionally, Microsoft's coverage within the Office ecosystem is decent, though limited. Microsoft DLP primarily works by leveraging a proprietary Microsoft classification service to classify and tag content like PII, PHI, PCI, and other sensitive information types within files. Those classifications can then be referenced in DLP policies to identify and protect files in Office 365. Microsoft's DLP also supports custom sensitivity labels, exact data match, and file fingerprinting.
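To make the "classifications used in DLP policies" point concrete, here is an added example (not from the article, and not Cyberhaven's or Microsoft's own code) that creates a Purview DLP policy with the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module. It scopes the policy to the Office 365 workloads the article mentions (Exchange, SharePoint, OneDrive, Teams), attaches a rule that matches the built-in sensitive information type "Credit Card Number" when content is shared outside the organization, and starts in test mode so you can measure false positives before blocking anything. The admin account, policy and rule names, and the match-count and confidence thresholds are placeholders chosen for this example.

```powershell
# Added example (not from the article): create a Purview DLP policy via Security & Compliance PowerShell.
# Requires the ExchangeOnlineManagement module and a Compliance Administrator (or equivalent) role.
# Policy/rule names, the admin UPN and the tuning thresholds below are placeholders for this example.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # assumed admin account

$PolicyName = "Example - Cardholder data in Office 365"

# 1. Scope the policy to the Office 365 workloads: Exchange, SharePoint, OneDrive and Teams.
#    Start in test mode so matches are logged and users see policy tips, but nothing is blocked yet.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment "Detect credit card numbers shared outside the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Attach a rule that uses the built-in sensitive information type (SIT) "Credit Card Number".
#    Requiring two or more matches at high confidence keeps false positives down; tune for your data.
New-DlpComplianceRule -Name "$PolicyName - external sharing" -Policy $PolicyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "2"; minConfidence = "85" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# 3. Verify the policy and rule, then review DLP reports for a week or two before enforcing.
Get-DlpCompliancePolicy -Identity $PolicyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation
Get-DlpComplianceRule -Policy $PolicyName |
    Format-List Name, BlockAccess, AccessScope, ContentContainsSensitiveInformation

# 4. When the test period shows acceptable accuracy, switch the policy to enforcement.
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```

The test-then-enforce sequence is the check worth keeping: a rule that blocks on a single low-confidence match of a broad SIT will generate noise, and the policy's Mode is the one knob that separates "observe" from "block" without rewriting the rule. Note that this policy only evaluates the file types Purview can scan, which is the caveat the next section describes.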

While these options are powerful, they come with some important caveats, especially for users limited to the Office 365 E5 license. One of the main limitations is that policy options and scanning are limited to specific file types, mainly (though not exclusively) Office files. This also applies to users of Microsoft's endpoint DLP via the Microsoft 365 E5 license. This means that files containing proprietary intellectual property like source code or design files (CAD, image, video, etc.) cannot really be secured with Microsoft DLP alone.

Additionally, although Microsoft provides a CASB solution (Microsoft Defender for Cloud Apps) to provide visibility into other clouds—like Google Workspace, Box, or other cloud file shares—organizations with multiple clouds won’t have parity in terms of the actions they can enforce to identify and protect sensitive content.

What are best-of-breed alternatives to Microsoft’s DLP?

Many organizations will likely find that Microsoft DLP works best when augmented with a best-of-breed solution. While there are many options to choose from, it's important to evaluate solutions that move beyond simple data classification to increase the accuracy of findings and the efficacy of incident investigations. Additionally, it's important to identify solutions that can monitor egress across cloud, endpoint, and on-premises environments so that you have a complete view of data security risk throughout the entire lifecycle of data in use. Solutions of this type provide very specific types of functionality that will tangibly benefit your data protection program.

Best-of-breed DLP Feature #1 – Data lineage

Data lineage is increasingly becoming a core aspect of modern DLP applications and thus a part of modern DLP programs. Data lineage entails being able to see in real-time the actions being taken against sensitive data at a granular level. This means going beyond just classifying whether a file contains sensitive items, but knowing when this data was created, via what application, by what employee, how many times it was copied, etc.

For example, this functionality would allow you to know that a finding containing a customer credit card number in a SharePoint site message originated from a CSV exported from Salesforce into your Microsoft cloud environment by a user who did not originally have access to Salesforce. This level of detail means that notifications provide useful information to admins and that false positives remain low. It also means you can configure data loss prevention policies that take into account end user actions and not just the type of content you wish to protect.

Best-of-breed DLP Feature #2 – Comprehensive scope of coverage via data detection and response (DDR)

While this was alluded to above, it’s also very important for security teams to invest in platforms that provide comprehensive coverage across multiple SaaS and cloud environments, over endpoints, and on-premises as well. Solutions that only cover one modality can’t see changes made to files elsewhere, and thus lose crucial context that can inform the accuracy and meaning behind sensitive findings.

Solutions leveraging data detection and response are capable of doing this by starting on the endpoint and using browser plugins to track data as it leaves a user device for a corporate cloud service like Office 365. This allows you to see and classify data before the browser encrypts it for transport, while distinguishing between data going to personal versus corporate instances of SaaS apps, providing an experience superior to cloud DLP or a CASB alone. You can also leverage cloud APIs to ensure that you retain visibility and the ability to remediate incidents in the cloud.

Best-of-breed DLP Feature #3 – Just-in-time user education alongside policy enforcement

Best-of-breed DLP is valuable beyond just the types of actions it can alert you to. It can allow you to create enforcement workflows that help change user behavior. With the ability to monitor user behavior across different types of environments, you can intervene where necessary to identify actions that would increase data security risk and send custom messages to employees to inform them of the best course of action.

Consider again the example of a CSV originating from Salesforce. Perhaps users should be prohibited from uploading CSVs they've acquired from Salesforce to your organization's Office 365 environment. You can block an employee from taking this action and inform them of the correct file share in which to store this information. Conversely, if there's a good reason for the employee to share this information this way, they can respond with the business purpose that justifies doing so in order to proceed. This provides a balance of flexibility without sacrificing policy enforcement.

Navigating the options for DLP in Office 365

When it comes to safeguarding your organization’s sensitive data, the stakes are high. Microsoft’s DLP solution for Office 365 offers a convenient, bundled approach that may seem like a no-brainer for businesses already invested in the Microsoft ecosystem. However, as we’ve outlined, this convenience comes with limitations, particularly in terms of file type coverage and multi-cloud enforcement capabilities.

Best-of-breed DLP solutions like Cyberhaven offer a more comprehensive, nuanced approach to data protection. With features like data lineage, data detection and response (DDR), and just-in-time user education, these solutions provide a 360-degree view of your data’s lifecycle. They empower you to make informed decisions, reduce false positives, and even educate your workforce in real-time. This is not just about preventing data loss; it’s about fostering a culture of data security and compliance within your organization.

The choice between Microsoft’s native DLP and a best-of-breed solution isn’t necessarily an either-or decision. Many organizations find value in using Microsoft’s DLP as a foundational layer, augmented by a more specialized solution that fills in the gaps. This hybrid approach allows you to benefit from the strengths of both, creating a robust, multi-faceted data protection strategy.

So, as you weigh your options, consider not just the immediate costs but the long-term value. Ask yourself: Can you afford to have gaps in your data protection strategy? Are you willing to compromise on features that could significantly enhance your security posture? Your answers to these questions will guide you toward the DLP solution that’s right for your organization, ensuring that you’re not just checking a compliance box but truly safeguarding your most valuable asset—your data.

By opting for a more comprehensive solution, you’re not just preventing data loss; you’re taking a proactive stance on data security, ensuring that your organization is resilient, compliant, and prepared for the challenges of today’s digital landscape.
