The two protection controls I’m discussing in this post are Data Loss Prevention (DLP) and Azure Information Protection (AIP). They both protect data in different ways and are part of Microsoft’s Information Protection solution to help improve your organization’s security posture. Although DLP has been around for several years, AIP is (relatively) new on the scene. I was confused about the overlap between these two products and can only assume I’m not alone. I set out to understand the differences and to determine if both were required for an organization to protect their documents. It turns out… yes!

DLP relies on the search index and a central DLP policy store (where protection rules are evaluated) to protect data. DLP queries the search index and compares its content against the DLP policies for potential data breaches. The DLP policy store is synced to SharePoint Online, OneDrive for Business sites, Exchange Online and Office 2016 clients (Word, Excel, PowerPoint) to ensure data is being protected at all endpoints. Because DLP depends on both the freshness of the search index (crawl schedule) and a synced policy store, new or changed content can go unprotected by the latest DLP policies for periods of time. With DLP, you can block a document from being shared or an email from being sent, both within and outside of your organization, if it meets the rules you have defined.

AIP is a protection mechanism that lives within the document itself. A label is associated with a document and then stored in clear text as a sensitivity property on it. This property stays with the document regardless of where it is stored or shared. You can use AIP to encrypt a document, to apply visual markings and to assign the specific actions allowed, such as copy, edit and forward. In addition, DLP (and other applications) can read the sensitivity property on a document to take further action. I’ve blogged about this in a recent post, Use AIP Labels in DLP Policy Rules.

Do we need both DLP and AIP to protect our corporate documents? YES! Their capabilities and coverage are not the same. I’ll walk thru a Contoso example to demonstrate why. TLDR? Skip ahead to the My Takeaways section at the end.

Let’s start by defining the protection control we want to implement at Contoso to prevent sensitive information from leaving their environment.

Control: In Contoso, any document containing sensitive information (credit card numbers, customer numbers, personally identifiable information, etc.) should be considered ‘Confidential’ and must not be copied or shared outside of Contoso.

Protecting a confidential document using DLP only

At Contoso, a DLP policy was configured with a rule to automatically identify sensitive information in a document. If found, it will restrict the document from being shared with anyone external to Contoso. Recall that DLP uses the search index to identify the documents it must enforce its actions on. For those familiar with how the search crawl process works in SharePoint, you know there is a window of time between when content is added or changed and when it is crawled. In addition to this, there are settings within SharePoint that can exclude document libraries (and even entire SharePoint sites) from being crawled, so they are never included in the search index. This has a direct impact on the effectiveness of DLP.

Additionally, for domain-joined machines, the Office 2016 programs have a local synced copy of the DLP policy store that is updated every 24 hours. While information workers are in the client programs, content is constantly being checked against the local DLP policy and violations are detected in real time. This of course assumes they have the most up-to-date policy synced to their machine. As additions or changes are made to the central DLP policy store, there may be a period when the local Office client is unaware of them.
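The Contoso control described above, written out as a DLP policy and rule in Security & Compliance PowerShell. This is an added example, not configuration from the original post; the policy and rule names, the admin account, and the placeholder custom sensitive information type for customer numbers are assumptions.

```powershell
# Added example: a DLP policy and rule for the Contoso control in the post.
# Not from the original post. Requires the ExchangeOnlineManagement module and
# a Security & Compliance role; names and the custom SIT are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Policy scope: the DLP policy store is synced to these workloads (and to the
# Office 2016 clients), so cover all of them rather than SharePoint alone.
New-DlpCompliancePolicy -Name "Contoso Confidential Content" `
    -Comment "Sensitive information must not leave Contoso" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ExchangeLocation All `
    -Mode Enable

# Rule: match built-in sensitive information types plus a custom one for
# Contoso customer numbers (placeholder name; create it separately), and block
# access for anyone outside the organization when a match is found.
New-DlpComplianceRule -Name "Block external sharing of confidential content" `
    -Policy "Contoso Confidential Content" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1" },
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "<CUSTOM-SIT-CONTOSO-CUSTOMER-NUMBER>"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High
```

Enforcement in SharePoint and OneDrive still depends on the document having been crawled into the search index, and enforcement in the Office clients on their having synced this policy, which is exactly the gap the post describes.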