Microsoft Purview Data Loss Prevention
#365EduCon
Data usage is evolving and
complex, moving outside of the
traditional borders of business
Organizations lack visibility into their data
We live in a hybrid technology
environment
80%
of decision makers have
Microsoft ecosystem
Support for multi-cloud, hybrid, SaaS data | Third-party/partner ecosystem
Safeguarding your
data with DLP
Purview Data Loss Prevention
• Regulatory Non-Compliance
M
adding to costs
Define Objectives: Clearly outline the goals and objectives of the Purview DLP deployment, including
what types of data you need to protect and WHY.
Regulatory Compliance: Identify and understand relevant data protection regulations and compliance
requirements for your organization or industry.
Data Classification: Develop a data classification scheme to categorize data by sensitivity that can be
used within DLP policies to identify and protect your most sensitive data.
Budget and Resources: Allocate the necessary budget and resources for the Purview DLP
deployment.
Implementation Plan: Map starting state to end state and how to test, train, deploy, and
operationalize.
Policy Framework: Begin outlining the DLP policy framework including key scenarios, such as financial
data exfiltration, which will be developed further in the next phases.
Planning DLP Plan
Policies
A good practice is to describe a policy with intent in words.
"We're a U.S.-based organization, and we need to detect Office documents that contain sensitive health
care information covered by HIPAA that are stored in OneDrive/SharePoint and to protect against that
information being shared in Teams chat and channel messages and restrict everyone from sharing them
with unauthorized third parties."
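The intent statement above translated into a simulation-mode policy, as an added example that is not from the original slides. The policy and rule names and the choice of two sensitive information types are assumptions; the "Office documents" file-type condition and any allowlist of authorized third parties are not expressed here.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a role
# that can manage DLP policies. Names marked "hypothetical" are assumptions.
Connect-IPPSSession

$policyName = 'HIPAA - SPO-OD-Teams'        # hypothetical: named by intent and service
$ruleName   = 'HIPAA - external sharing'    # hypothetical

# Locations taken from the intent statement: OneDrive/SharePoint storage
# plus Teams chat and channel messages. Start in simulation, not enforcement.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect HIPAA data; restrict sharing with unauthorized third parties' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithoutNotifications

# Assumed subset of built-in sensitive information types for health data.
# Resolve each name against the tenant first so a typo fails here rather
# than producing a rule that never matches.
$sitNames = 'U.S. Social Security Number (SSN)',
            'Drug Enforcement Agency (DEA) Number'
$sits = foreach ($name in $sitNames) {
    $sit = Get-DlpSensitiveInformationType -Identity $name -ErrorAction Stop
    @{ Name = $sit.Name; minCount = '1' }
}

# Condition: matching content shared with people outside the organization.
# Action: block access, and raise an incident report for review.
New-DlpComplianceRule -Name $ruleName `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sits `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Confirm what was created before reviewing simulation matches.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode
Get-DlpComplianceRule -Policy $policyName | Format-List Name, AccessScope, BlockAccess

# After reviewing matches, move to TestWithNotifications and then Enable:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```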
What sensitive items are most important to start your first policy?
Where are your sensitive items and what business process are they in?
• Big differences between location
• Email supports the most
• OD/SPO similar
• Teams limited
• Device includes service domains
• Just email supports more (i.e. encryption)
• Audit/Block actions on devices (i.e. print)
• Power BI limited to alerts/notifications
• Continue to use activity explorer and the audit log or the CloudAppEvents table
• Custom SITs with Regex or EDM can take a lot of monitoring and adjustments
• Build knowledge articles for service desk when users see DLP actions/tips
Advanced classification
Just-in-time
• Continuously maintained
EXO/Purview DLP policies work together but EXO takes precedence including policy tips
New DLP analytics are in preview to help with insights for improvement
New Test-DlpPolicies cmdlet to see specific files per site that would trigger
Purview DLP Lessons from the field
• Build and name policies by service and they can’t be renamed - KISS
• Chrome & Firefox Purview extension=
• Utilize Information Protection roles for good RBAC
• MDEClientAnalyzer is… awesome for debugging
• Understand / vs /* for exclusions
• Exact Data Match (EDM) works!
• Block an email or document from being shared externally
• Utilize Exchange, SharePoint, and OneDrive DLP policies
Twitter: @dmadelung
Website: drewmadelung.com
Slides: http://bit.ly/DrewSlides
Deep dive into Purview Data Loss Prevention