While incidents like the above will likely continue, Microsoft’s core commitment to its share of responsibility will remain the same—namely, ensuring that it delivers a cloud platform (hardware and software) that is free of vulnerabilities and protected from intrusions that could lead to data loss. The customer is entrusted with the responsibility of ensuring compliance with internal policies and external regulations and that employees utilize Office 365 in a safe and secure manner. There are two primary data loss prevention (DLP) scenarios enterprises frequently look to achieve in their Office 365 environments:

Preventing inappropriate or noncompliant file sharing with unauthorized third parties outside the enterprise

Preventing regulated or high-value data from being uploaded to Office 365 against internal policies or external regulations

The above scenarios are unique to the cloud, and require a holistic approach to cloud DLP that goes well beyond traditional on-premises DLP solutions, or the DLP controls provided by Microsoft. Complicating things further is the fact that Office 365 consists of several cloud applications (Exchange Online, SharePoint Online, OneDrive, etc.), each requiring a different approach to preventing data from being accessed by unauthorized parties. Below are some recommendations and best practices for choosing an approach to Office 365 DLP.

1) Inventory existing policies and define cloud policies

Organizations looking to apply DLP policies to Office 365 likely have some form of DLP for their on-premises systems, such as email and endpoint devices. The first thing to do is examine those policies and their remediation actions and identify the ones that will also apply to Office 365. This exercise ensures that data in Office 365 will be protected to the same degree as on-premises systems, and it reveals any policy gaps, i.e. new policies needed specifically for Office 365.

Organizations should also define the types of sensitive data that are permitted to be uploaded to Office 365 and those that aren’t, as well as types of sensitive data that can be shared externally and with whom. They should also develop a system to map sensitive data against relevant internal policies and external regulations, which would inform the type of security solution required.

2) Understand what types of sensitive data are being uploaded to Office 365

If Office 365 has already been deployed, the enterprise should first audit how the service is being used and what data is being stored in the platform. No enforcement action is needed during this phase; instead, the focus should be on gaining granular visibility into the types of sensitive data that users are uploading to Office 365. In practice this means scanning data stored at rest in OneDrive, SharePoint Online, and Exchange Online mailboxes.

The types of sensitive data to look for may include:

Social Security numbers

Credit card numbers

Health records and other personal health information (PHI)

Salaries

Account numbers

Spreadsheets with IP addresses

Files that contain user passwords

Outlook offline files (PST, MSG)

Draft press releases

Source code

3) Gain visibility into collaboration

Cloud services like Office 365 make collaboration simple and efficient, which increases the risk of inadvertently sharing data inappropriately. As a first step, it’s important for IT security to understand how employees are collaborating using Office 365. IT security should know how many files containing sensitive data are being shared with internal employees, how many with external partners, how many with personal email accounts (e.g. Gmail, Yahoo! Mail), and how many using anonymous links that can be forwarded to anyone. This step will then enable the security team to educate employees on secure collaboration and enforce policies.

4) Prevent sensitive data from being shared with unauthorized third parties

Microsoft has developed a robust set of APIs for Office 365 that enables real-time policy enforcement that covers all users and devices. Depending on your policy, when a violation occurs, possible remediation actions may include:

Coach users on the acceptable collaboration policy

Notify an administrator for further investigation

Revoke a shared link to prevent anonymous sharing

Curtail sharing permissions (e.g. change from edit to view)

Restrict sharing to whitelisted email domains only
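The collaboration audit of step 3 and the remediation choices of step 4 can be expressed as a small policy routine. The following is an added illustration, not Microsoft's or any DLP vendor's code; the record layout, the domain lists and the policy decisions are constructed assumptions.

```python
"""Classify Office 365 sharing records (step 3) and pick a remediation (step 4).
Added illustration, not Microsoft's or a DLP vendor's code; the record layout, the
domain lists and the policy decisions are constructed assumptions."""
from collections import Counter

INTERNAL_DOMAINS = {"example.com"}                            # the tenant's own domains
PARTNER_DOMAINS = {"partner.example"}                         # whitelisted external partners
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}   # personal email providers

def classify_recipient(recipient):
    """Map a share target to one of the collaboration categories named in step 3."""
    if recipient is None:                 # anonymous link: anyone holding it can open the file
        return "anonymous_link"
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in PARTNER_DOMAINS:
        return "partner"
    if domain in WEBMAIL_DOMAINS:
        return "personal_email"
    return "external_other"

def remediate(share):
    """Choose one of the step-4 actions for a single share record."""
    if not share["sensitive"]:
        return "allow"                     # policy only constrains files with sensitive data
    category = classify_recipient(share["recipient"])
    if category == "anonymous_link":
        return "revoke_link"
    if category in ("personal_email", "external_other"):
        return "block_and_notify_admin"    # only whitelisted domains may receive such files
    if category == "partner" and share["permission"] == "edit":
        return "downgrade_to_view"
    return "allow"                         # internal user, or partner already limited to view

def audit(shares):
    """Return (sensitive files shared per category, action chosen for each share)."""
    counts = Counter(classify_recipient(s["recipient"]) for s in shares if s["sensitive"])
    actions = [(s["file"], s["recipient"], remediate(s)) for s in shares]
    return counts, actions

# Constructed sample of what an export of sharing metadata might look like.
SAMPLE_SHARES = [
    {"file": "q3-forecast.xlsx", "sensitive": True, "recipient": None, "permission": "view"},
    {"file": "q3-forecast.xlsx", "sensitive": True, "recipient": "bob@example.com", "permission": "edit"},
    {"file": "patient-list.csv", "sensitive": True, "recipient": "me@gmail.com", "permission": "view"},
    {"file": "sow-draft.docx", "sensitive": True, "recipient": "ann@partner.example", "permission": "edit"},
    {"file": "lunch-menu.pdf", "sensitive": False, "recipient": None, "permission": "view"},
]
```

Running `audit(SAMPLE_SHARES)` yields the per-category counts IT security needs for step 3 and, for each share, the action the step-4 policy would apply.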

5) Prevent high-value data from being uploaded to or stored in Office 365

There are certain types of sensitive data that, based on your organization’s compliance or security posture, are not permitted to be stored in Office 365. A pharmaceutical company that spends billions of dollars on R&D, or a government contractor in charge of developing military equipment, may want to protect its core intellectual property from ever being uploaded to Office 365. A healthcare provider may want to prevent patient records from being uploaded.

Depending on your policies, you may need to identify high-value data using a combination of:

Pattern matching (e.g. Social Security numbers, credit card numbers)

Keyword matching (e.g. “confidential”, “passwords”, “salaries”)

Document fingerprinting (e.g. tax form templates, HIPAA compliance forms, patent form templates, employee information forms used by HR)

Structured data exact match (e.g. all database fields containing customer PII)

Predefined set of dictionary terms (e.g. names of pharmaceutical drugs)
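Each of the five identification techniques above has a simple core that can be shown in code. The block below is an added example, not any product's DLP engine; the regexes, keywords, form template, drug names and customer identifiers are constructed, and real deployments would index hashes of the genuine dataset for exact match and use far larger dictionaries and templates.

```python
"""Detectors for the identification techniques listed in step 5 (added example, not a
product's DLP engine). Regexes, keywords, form template, drug names and IDs are constructed."""
import hashlib
import re

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
KEYWORDS = {"confidential", "passwords", "salaries"}
DRUG_DICTIONARY = {"acmezumab", "fictivastatin"}  # constructed drug names

def sha(s):
    return hashlib.sha256(s.encode()).hexdigest()

def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs that happen to match CARD_RE."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit, counting from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def shingles(text, k=3):
    """Fingerprint: hashes of k-word windows, so a filled-in form still shares label phrases."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {sha(" ".join(words[i:i + k])) for i in range(len(words) - k + 1)}

def edm_index(records):
    """Exact data match: the scanner holds hashes of sensitive values, never the values."""
    return {sha(value) for record in records for value in record}

def scan(text, template, edm_hashes, min_overlap=0.5):
    """Return the names of the detectors that fire on one document."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    cards = (re.sub(r"\D", "", m) for m in CARD_RE.findall(text))
    overlap = len(shingles(text) & template) / len(template) if template else 0.0
    checks = {
        "ssn_pattern": SSN_RE.search(text) is not None,
        "card_pattern": any(luhn_ok(c) for c in cards),
        "keyword": bool(words & KEYWORDS),
        "dictionary": bool(words & DRUG_DICTIONARY),
        "fingerprint": overlap >= min_overlap,
        "exact_match": any(sha(t.strip(".,;:()")) in edm_hashes for t in text.split()),
    }
    return {name for name, fired in checks.items() if fired}

HR_FORM = shingles("Employee Information Form. Full legal name: __ Date of birth: __ "  # constructed
                   "Home address: __ Bank account number for payroll: __")
CUSTOMER_HASHES = edm_index([("ACME-CUST-0042", "ACCT-90210")])  # constructed customer record
```

A filled-in copy of the HR form scanned with `scan(text, HR_FORM, CUSTOMER_HASHES)` trips the fingerprint detector through its shared label phrases and the exact-match detector through the indexed account number, while a Luhn-invalid digit run or an SSN with a 000 area number is correctly ignored.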

Possible automated or manual remediation actions include:

Quarantine file and replace with tombstone

Permanently delete file

Block file upload

Coach users with just-in-time tips

Notify administrator via email for further investigation

6) Enforce consistent DLP policies across cloud services

It is recommended that enterprises enforce a consistent set of policies and remediation actions across Office 365 and all other cloud service providers. Utilizing a unified DLP policy engine, incident reporting, and remediation workflow will drive greater operational efficiency. Enforcing the same policies across all services will also prevent policy enforcement gaps from emerging between cloud services. Lastly, a unified DLP policy engine allows a reviewer to focus on high-priority policy violations, and more readily identify potential false positives.