AIP integrate with DLP

Talking Points

Click Steps

Unified sensitivity label management in Security & Compliance Center

In this scenario, the admin will create a new sensitivity label that will be used to protect confidential information.

You can create an encryption policy immediately while creating the label or add it later.

The admin will select to encrypt email messages and files, as well as give permissions to users and groups.

Only the users and groups selected will be assigned permissions to use the content that has this label applied.

The admin will search for a group and select Project Falcon.

After encryption has been configured, the content will be marked and managed.

Enabling content marking you can add custom headers, footers, and watermarks to the content that has this label applied.

After content marking has been configured, you’ll manage data loss prevention on the endpoint, specifically Windows 10 machines.

During the final review of the settings, you can edit specific settings or choose to create the label.

After the label is created, settings can still be edited, the label can be published or deleted.

Now that the label has been creating and configured, it can be applied automatically or by the user, and the content will be protected based on the settings configured.

1. In the Security & Compliance portal, in the left-hand navigation, click Classifications.

2. Click Labels.

3. At the top, click Create a label.

4. On the Name your label page, create a label as follows:

· Label name: Confidential-PCI

· Tooltip: This content contains sensitive personal information

5. Click Next.

6. On the Encryption page, under Encryption click Off, to enable.

7. Under Grant permissions to specific users and groups, click Assign permissions.

8. Click + Add users or groups.

9. On the Add users or groups page, click + Add.

10. In the Search text box, type Project, click Project Falcon, and then click Add.

11. On the Add users and groups page, click Done.

12. On the Assign permissions page, click Save.

13. On the Encryption page, click Next.

14. On the Content marking page, click Off to enable.

15. Next to Add a watermark, click the check box, and then click Customize text.

16. In the Watermark text field, type C O N F I D E N T I A L, and then click Save.

17. On the Content marking page, click Next.

18. On the Endpoint data loss prevention page, click Off to enable.

19. Click Next.

20. On the Auto labeling page, click Off to enable.

21. Under Detect content that contains, click + Add a condition, and then click Content contains.

22. Under Content contains, click the Add drop-down list, and then click Sensitive info types.

23. On the Sensitive info types page, click + Add.

24. Select Sensitive info types as follows:

· Credit Card Number

· U.S. / U.K. Passport Number

· U.S. Bank Account Number

· U.S. Driver’s License Number

· U.S. Individual Taxpayer Identification Number (ITIN)

· U.S. Social Security Number

25. Click Add.

26. On the Sensitive info types page, verify the options and click Done.

27. On the Auto labeling page, click Next.

28. On the Review your settings page, verify the options selected, and click Create.

Configure Office 365 Data Loss Prevention in Security & Compliance Center

To comply with business standards and industry regulations, organizations need to protect sensitive information and prevent accidental oversharing and leakage.

With an Office 365 data loss prevention (DLP) policies, you can prevent the inappropriate sharing of sensitive information.

The admin will use the General Data Protection Regulation (GDPR) template, to create a DLP policy to identify personal information inside the European Union (EU).

Using a DLP policy, you can:

· Detect sensitive information across many locations, including email in Exchange Online, and documents in SharePoint Online and OneDrive for Business, and in the desktop versions of Excel, PowerPoint, Word and Outlook.

· Prevent the accidental sharing of sensitive information.

· Monitor policy violations for further investigation.

· Help users learn how to stay compliant without interrupting their workflow with notifications and “policy tips”.

A DLP policy contains a few basic settings:

· Where to protect the content – locations such as Exchange Online, SharePoint sites, and OneDrive accounts, and Microsoft Teams chats.

· Conditions for applying policy, such as a match against one of the over 90 sensitivity information types, or your own custom sensitive information types.

· When and how to protect the content by enforcing rules.

After you have created the policy, you have the option of turning on the policy or testing it first.

1. In the Security & Compliance portal, in the left-hand navigation, click Data loss prevention.

2. Click Policy.

3. Click + Create a policy.

4. On the Start with a template or create a custom policy page, click Privacy, click General Data Protection Regulation (GDPR), and then click Next.

5. On the Name your Policy page, review the defaults and click Next.

6. On the Choose locations page, click Let me choose specific locations, and then click Next.

7. On the Choose locations page, review the locations, and point out Teams chat and channel messages.

8. Click Next.

9. On the Customize the type of content you want to protect page, click Use advanced settings, and then click Next.

10. On the Customize the type of content you want to protect page click Low volume EU Sensitive content found.

11. Click Edit rule.

12. On the Low volume EU Sensitive content found configure the settings as follows:

· Conditions > Content is shared: with people outside my organization

· Actions > +Add an action > Restrict access or encrypt the content: Block people from sharing and restrict access to shared content / Only people outside your organization. People inside your organization will continue to have access.

13. Click Save.

14. On the Customize the type of content you want to protect page, click Next.

15. On the Do you want to turn on the policy or test things out first click Yes, turn it on right away and click Next.

16. On the Review your settings page, verify the options selected, and click Create.

17. On the General Data Protection Regulation page, click Close.

Speaker Script

Click Steps

Labeling in Office for Mac (Click-through-guide)

In Office apps on Mac (Word, PowerPoint, Excel and Outlook), sensitivity labels appear on the Sensitivity button, on the Home tab, and on the Ribbon. The label applied also appears in the Status bar at the bottom of the window. After a sensitivity label is applied to an email or document, the protection settings for that label are enforced on the content.

Let’s review the end user experience starting with a Mac. When collaborating with your colleagues on a document using your corporate MacBook, you’re going to use Office for Mac.

You’ve added details about a fundraiser that you’re planning, and you know your company has policies to classify and apply the correct sensitivity label to any document, even if it doesn’t contain sensitive data.

Right within Word on Mac, you can use the new, built-in label picker to easily select the right label that’s appropriate for this document. Using the Sensitivity drop-down menu, you can apply the “Highly Confidential” label.

The sensitivity label is applied to the document, and the Highly Confidential watermark is also added to the document.

Next, we’ll review how this works in Excel.

Similar to Word, in Excel, you can use the new, natively integrated label picker to easily select the right label that’s right for this document. Using the drop-down menu, you can apply “Confidential-Finance” label.

The sensitivity label is added to the document’s properties.

The new, natively integrated label picker to easily select the right label is now available in Outlook for email also. Using the drop-down menu, you can apply the “Highly Confidential” label.

When this email is sent, the receiver will see that the email is protected. The header of the email contains information indicating that it is Confidential. The header information displayed can be customized by IT admins.

1. Click the Word icon (bottom right) to maximize.

2. In the top-right corner, click Sensitivity.

3. Click Highly Confidential label from drop-down.

4. Click the Excel icon (bottom right) to maximize.

5. In Excel, click Sensitivity (top-right corner).

6. Click the Confidential-Finance label.

7. Click the Outlook icon (bottom right) to maximize.

8. Click Sensitivity.

9. Click Highly Confidential.

10. Click Send.

Office mobile apps for iOS (Click-through-guide)

In Office apps on iOS devices, sensitivity labels appear on the Sensitivity button, on the Home tab on the Ribbon. The applied label also appears in the Status bar at the bottom of the window.

Let’s review the end user experience on iOS. The Sensitivity button allows you to apply the different labels. As you apply different sensitivity labels, the watermark reflects the label selected.

Selecting a Sensitivity label is the same across apps on a platform. When using PowerPoint, you see the same sets of labels as you did in Word. Initially the document has no labels applied.

When a label is applied, the appropriate watermark and permissions are applied.

11. Click Confidential-Finance.

12. Click the screen to advance the slide and show PowerPoint.

13. In PowerPoint, click the 2^nd slide.

14. Click Sensitivity.

15. Click Highly Confidential.

16. Click the screen to advance the slide, and show the watermark applied for the sensitivity label.

17. Click the screen to advance the slide and zoom in on the watermark.

Office mobile apps for Android (Click-through-guide)

In Office apps on Android devices, sensitivity labels appear on the Sensitivity button, on the Home tab, and on the Ribbon. The label applied also appears in the Status bar at the bottom of the window.

Labels are applied very consistently across platforms. No matter what platform you’re using, the appropriate permissions and watermarks will be applied.

18. Click Highly Confidential.

19. Note that the watermark has been applied.

Office on Windows (Click-through-guide)

In Office apps on devices running Windows, sensitivity labels appear on the Sensitivity button, on the Home tab, and on the Ribbon. The label applied also appears in the Status bar at the bottom of the window.

Let’s review the sensitive labels for applications in Windows:

· Outlook

· Excel

· Word

This demonstrates that you can consistently use and apply sensitivity labels for users across all your platforms.

20. Click the screen to advance the slide and show Outlook.

21. Click the screen to advance the slide and show Excel.

22. Click the screen to advance the slide and show Word.

Speaker Script

Click Steps

Send Protected Email to a Gmail User

Isaiah needs to communicate with a PR firm about an upcoming ad campaign at Contoso. The PR firm uses Gmail as their email provider.

You can create policies that enforce encryption on all email messages sent to external recipients, so when a new message is composed to an external recipient, it is automatically protected.

For this scenario, Isaiah will manually encrypt the email being sent to an external recipient.

Gmail is not RMS-aware, so when Alex receives the message, it’s wrapped in another email that provides instructions on how to read it.

Because Alex is using Gmail, he has the option of using the new federated sign-in experience to read this message. When he signs in with his Gmail credentials, the message is displayed.

And no matter what email provider the recipient uses, they can always read an encrypted message by requesting a one-time key.

1. Switch to the browser tab with Isaiah’s email account open.

NOTE: Verify The new Outlook is selected to ensure the scenario works as written.

2. Click +New message.

3. In the To line, type the external Gmail address created during setup.

4. In the Subject line, type Project opportunity.

5. Click the Attachment icon ( ).

6. Click Cloud locations.

7. Select European Expansion.xlsx and click Next.

8. Click Attach as a copy.

9. In the message body, type Are you available to work on a new campaign?

10. Click Encrypt.

11. On the Encrypt line, click Change permissions.

12. On the Change permissions window, click the drop-down and review permissions available, and then click Cancel.

13. Click Send.

14. Switch to the web browser tab with the external Gmail account open.

15. Click on the new message from Isaiah Langer.

16. Click Read the message.

17. If required, click Sign in with Google and follow the sign in steps.

18. In the email, click European Expansion.xlsx.

Speaker Script

Click Steps

Block sharing of sensitive information from SharePoint Online

Data loss prevention in Office 365 helps organizations protect their sensitive data across their Office 365 environment, including Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams. 

Contoso has strict requirements to protect various types of data for regulatory, policy, or privacy reasons. They use Office 365 Data Loss Prevention policies to help achieve this goal.

For example, when Isaiah Langer accesses his OneDrive for Business folders, he sees this icon on a document he owns.

This warning tells him that this document has been flagged by a DLP policy. In this case, the document has been flagged because it contains credit card information.

Isaiah wants more information, so he looks at the document properties. Here he can get more information. He can also report this to an administrator if he thinks the policy is been applied in error.

When Isaiah tries to share the content, he is informed that the item contains sensitive information and can’t be share outside the organization.

1. Switch to the browser, with OneDrive open.

2. Click to the left of Contoso Purchasing Permissions -Q1.docx.

3. In the upper right corner, click the information icon, and review the policy information.

4. Click View policy tip and review the reason the label was applied.

5. Click X to close the policy tip.

6. Click Share.

7. In Enter a name or email address, type the Gmail address, and then click the email address when it is verified.

8. Note the message informing that the item contains sensitive information and can’t be shared with people outside your organization.

9. Click X to close Share Link.

Block sharing of sensitive information from Teams

Data loss prevention (DLP) has been available for Exchange Online, SharePoint Online and OneDrive for Business for a while, and DLP has been recently extended to Microsoft Teams, to enable the blocking of sensitive information contained in chat messages and channel conversations.

This is based on the same policy engine used and proven in our other DLP services.

When someone sends a message, either within a chat or a channel, the content of the message is inspected for sensitive information in near real-time. If sensitive information is identified, then the message is revoked and no longer accessible by the recipient(s).

Similar to how DLP operates in other Office 365 services, policy tips give the sender additional information on the reason for the message being blocked, such as the presence of passport information or social security numbers.

End-users can override the blocked message or report the issue as a false positive, if allowed by IT.

For organizations that are using Microsoft Teams to accelerate their workforce collaboration and productivity, this provides a new way to ensure proper control and governance of important data – both for the purpose of achieving internal security objectives as well as meeting external compliance and privacy requirements.

10. Switch to the browser with Teams open.

11. In the chat with Allan Deyoung, type EU Passport number x13256730, and then click Send.

12. Note the message, This message was blocked.

13. Switch to the browser window with Teams signed in with Allan Deyoung.

14. Note the blocked message from Isaiah.

Speaker Script

Click Steps

Labeling documents in a 3rd party cloud service

Isaiah’s team is using a cloud storage service, such as Box, to store and share some of their confidential documents. Azure Information Protection and Microsoft Cloud App Security work together to discover, classify & label, protect and monitor files that reside in third party cloud services.

You can create a file policy using Microsoft Cloud App Security, that enables content with specific key words or sensitivity information types to be labeled and protected.

When a file is uploaded to a 3rd party service, like Box, that contains the key words or matches sensitive information types, the label will be automatically applied.
As you see, V2 is appended to the document name indicating that the file has been labeled and protected, including restricting permissions on who can access the file.

Back in Microsoft Cloud App Security, you’ll see that the document is listed as matching the policy that you created.

Azure Information Protection and Microsoft Cloud App Security work together to help protect sensitive information, even if it is stored in cloud services.

https://portal.cloudappsecurity.com

1. Switch to the click-through-guide.

2. Review the file policy and the following options:

· Create a filter for the files this policy will act on

· Content Inspection Method

3. Click the policy to scroll down.

4. Under Governance, in the Box section, review:

· Apply classification label

· Select an Azure Information Protection classification label to be used to protect matching files

5. Click to switch to the browser tab with Box open.

6. Review the files uploaded.

7. Click to “refresh” the screen and note the V2 by the document name.

8. Click to switch back to Microsoft Cloud Ap Security, Info Protection Demo Policy and review the files.

9. Click Confidential Document, to show details for the file.

10. Review the details for the file.

Speaker Script

Click Steps

Block copying and moving sensitive files on Windows 10 devices

Isaiah works in the Sales & Marketing department at Contoso. He often takes his files offline to work on at home or while travelling.

Windows understands sensitivity labels in documents and can use that information to enforce policy. This file in OneDrive is labeled as Confidential.

When Isaiah downloads this document from the Contoso OneDrive, Windows Information Protection policy is enforced based on this sensitivity labels, which means blocking or controlling the copying or transfer of information from this labeled document to other apps and locations on the device.

Isaiah finds some of this information exciting and wants to share some of it with his followers on Twitter. He opens the document using Microsoft Word, which is an approved work app. Note that the downloaded file, still has the Confidential label, as it did in OneDrive.

He copies the text and then tries to paste it into a new tweet.

Windows Information Protection prevents him from doing so because of the sensitivity label in the document, and it gives him a reminder that this is privileged business information.

If Isaiah thinks this is a reasonable use of business information, he can go ahead and allow it to be pasted. Isaiah thinks better of this and cancels the Tweet. Contoso could also configure this policy to simply block the copy and paste altogether.

Contoso can also use Windows Information Protection to ensure that labeled and protected files preserve their protection when being copied to removable storage, like a USB drive, or block copying to cloud locations, such as OneDrive for Business or other cloud repositories.

1. Begin the demo in OneDrive in the browser.

2. Under Files, click European Fashion Lines

3. Next to the file European Fashion Lines.docx, click the vertical ellipsis.

4. Click Open and then click Open in Word.

5. In Word, point out the Confidential label and the Confidential watermark.

6. Click X to close Word.

7. In OneDrive, next to the file European Fashion Lines.docx, click the vertical ellipsis.

8. Click Download.

9. At the bottom, to the right of Save, click the up arrow.

10. Click Save as.

11. In the Save As window, browse to the Documents folder and click Save.

12. At the bottom of the browser, click Open Folder.

13. Double-click to open European Fashion Lines.

14. Point out the Confidential label and the Confidential watermark.

15. Scroll down to the second page.

16. Highlight some text on the page, right-click, and then select Copy.

17. On the task bar, click the web browser and switch to the tab with Twitter already open and logged in.

18. Click What’s happening? to start a new tweet.

19. In the text box, right click and select Paste.

20. In the Use work content here? text box, point out the warning that appears, and then click No.