Moving away from WIP towards Endpoint DLP
Data Loss Prevention (DLP) is a tool to prevent users from sharing sensitive or confidential information in case the other party is not authorized to access it. In most cases an access control list on a SharePoint or file share is sufficient. It keeps unauthorized users from accessing confidential documents and it prevents authorized users form sharing this content outside of the list. But what if certain information is accessible to a user who shares it with someone outside of the company? That’s where Microsoft Information Protection comes in to help you protect your company data.
Microsoft has announced new features during their Ignite event regarding DLP:
- MIP Sensitivity Labels for DLP policies
- Advanced controls in DLP for email protection
- Improved support for complex DLP policy definition
- Security Group & Distribution for Teams DLP policies
- DLP Alerts to manage and group DLP events
- New classifiers and content types
In this blog we want to share some insights on Endpoint DLP and what the advantages are compared to Windows Information Protection (WIP). When it comes to protection of data on Windows 10 endpoints, we used to look at WIP which allowed us to configure policies for enlightened apps.
As of November 2020, Microsoft released Endpoint DLP which is supported from Windows 10 1809. For the full endpoint requirements, please consult the Microsoft Docs page.
Features of Endpoint DLP
Microsoft 365 E5, A5 or E5/A5 compliance license is required to use Endpoint DLP. The Endpoint DLP policies can be configured from the Compliance center, which is also the place to configure your sensitivity labels (previously known as Azure Information Protection labels). When creating a DLP policy, you can select which locations the policy needs to be applied to, for example Exchange, SharePoint sites, OneDrive, Teams, devices and also on-premise repositories.
If you are thinking about starting to work with DLP policies, we advise to limit the initial scope so that you do a phased approach to test, change and document your configuration. For example, start with a single SharePoint or Teams site. If the pilot phase is completed, you can adjust the existing policy by adding additional locations to the policy.
As for the DLP rules, you can choose to use the built-in sensitive info type like EU Debit Card Number, EU Passport Number, etc. You can also create a custom sensitive info type that requires that the needs for your company based upon specific keywords or employee/customer numbers based on RegEx (regular expressions).
DLP policies are created in the compliance center, where you can assign the actions directly that will be applied to the Windows devices.
As you can see in the picture above, you can specify how each action needs to be handled on the Windows endpoint. These actions correspond with what also possible with WIP but with an additional feature where the users are required to provide a justification when you have configured the “Block with override” option.
In the DLP policy you can also configure alert aggregation, so if the policy violation occurs multiple times the alert is sent only once to the admin.
For the Endpoint DLP settings you can configure some additional settings that will be applied to all the existing and new DLP policies. There is currently no way to specify these generic Endpoint DLP settings for a group of devices, these will be applied to all devices enrolled in Endpoint DLP:
- File path exclusions
- Unallowed apps
- Unallowed Bluetooth apps
- Browser and domain restrictions to sensitive data
- Business notification options for override
To be able to deploy these policies to the Windows 10 devices, there is a requirement to onboard the Windows devices in Endpoint DLP which can be done using a deployment package using your existing management tools. The good news is that if your devices are deployed in Microsoft Defender for Endpoint no additional steps need to be taking, these devices will already be reporting to the compliance center as well meaning that you can deploy the DLP policies to those devices.
Now for most use cases the Endpoint DLP solution will cover all your needs that you could cover with WIP when talking about managed devices. There is however a big difference between WIP and Endpoint DLP for BYOD devices. With WIP it is possible to register devices without enrollment, meaning that the device will not be registered in Intune, only the apps would be managed in a light form. Now because of the enrollment requirement for Endpoint DLP, managing DLP on BYOD devices is less suitable. In such a scenario you’ll need to use different solutions like conditional access to prevent data from being stored on unmanaged devices or use sensitivity labels with protection being applied to confidential documents.
Obviously using DLP is not sufficient as a standalone tool to protect your information, it’s always a combination of using the complete Microsoft security stack.
On a closing note, two new features for Endpoint DLP have been released in public preview:
- Endpoint DLP support for Google Chrome
- Endpoint DLP support to audit and enforce egress activities to Bluetooth and RDP session
If you have any questions or would like assistance in deploying these solutions in your environment, don’t hesitate to contact us.