Exchange 2013 Brief – Data Loss Prevention (DLP)

Executive Overview

DLP capabilities help you protect sensitive data and inform users of your policies and regulatory obligations. DLP can also help you prevent users from mistakenly sending sensitive information to unauthorized people. When you configure DLP policies, you identify and protect sensitive data by analysing the content of messages flowing through your messaging system, including the content of many attached file types. The DLP policy templates supplied with Exchange 2013 are based on regulatory requirements such as those covering personally identifiable information (PII) and the Payment Card Industry Data Security Standard (PCI DSS). DLP is extensible, so you can add other policies that are important to your organization. Additionally, the new Policy Tips capability lets you warn users about a policy violation before the sensitive data is sent.

Notable Features

  • DLP Policies
  • Sensitive Information Types
  • Policy Detection and Reporting
  • Policy Tips

Architecture/Components

The transport rule agent (TRA) is the component in Exchange 2013 that invokes deep content scanning of messages and applies the policies defined as Exchange Transport Rules; DLP policies are built on top of this same agent.

  • DLP Policies: A DLP policy is a named set of transport rules, each made up of conditions, actions and exceptions. Rules can be written from scratch or derived from the policy templates supplied with Exchange 2013. There are three supported ways to create a DLP policy:
    • Create a DLP policy from an existing policy template: At the time of writing, Exchange 2013 ships with over 40 policy templates covering compliance requirements from various countries and jurisdictions, such as GLBA and PCI DSS.
    • Import a pre-built policy file from outside your organization: Exchange 2013 lets organizations use DLP policies created by independent software vendors by importing them directly into Exchange as XML files. To build your own DLP policy template files, you first write the policy template XML against Microsoft's published schema, and then define the sensitive information rule types (a classification rule package) that the template references.
    • Create a custom policy from scratch: Exchange 2013 gives you the granularity to define a DLP policy that matches your organization's own requirements for monitoring particular kinds of data.
  • Sensitive Information Types: DLP can perform deep content analysis using keyword matches, dictionary matches, regular expression evaluation and other content examination to detect content that violates organizational DLP policies. Sensitive information rule types augment the existing transport rules framework (they are consumed by the "message contains sensitive information" condition of a transport rule) and let you apply messaging policies to email that flows through the transport pipeline in the Transport service on Mailbox servers and on Edge Transport servers. Read my article on Exchange Transport architecture.
  • Policy Detection and Reporting: Exchange 2013 exposes the information that identifies policy violations occurring in the DLP environment through the message tracking logs. DLP entries are recorded as AgentInfo events: a single AgentInfo event is logged per message, describing the DLP processing applied to that message. In addition, each rule in a DLP policy can generate an incident report for every match via the "Generate incident report and send it to" action in the EAC (the GenerateIncidentReport parameter in PowerShell), which delivers the report to a designated mailbox.
  • Policy Tips: let you warn email senders that they are about to violate one of the DLP policies before they send the offending message, while the message is still being composed in Outlook or Outlook Web App.
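The components described above, tied together in one script. This is an added example and not code from the original post or from Microsoft's documentation: it defines a custom sensitive information type ("Employee ID") as a classification rule package, imports it, creates the page's "Employee IDs" policy with a single rule that produces incident reports and a Policy Tip, and then reads the AgentInfo events that DLP writes to the message tracking log. It assumes the Exchange Management Shell is loaded, that C:\Doc exists, that compliance@contoso.com is a mailbox in the organization, that the rule-package XML follows the structure of Microsoft's published Employee ID sample, and that DLP detail appears in the TRA key/value pairs of the AgentInfo EventData field (that last filter is an assumption; review raw EventData if it returns nothing). All names and addresses are placeholders.

```powershell
# Added example, not code from the original post. Assumptions: Exchange Management
# Shell loaded; C:\Doc exists; compliance@contoso.com is a mailbox; the rule-package
# XML matches the shape of Microsoft's published Employee ID sample; DLP detail is
# carried in the 'TRA=' entries of AgentInfo EventData. Names are placeholders.

$XmlPath      = 'C:\Doc\Contoso-EmployeeId-RulePack.xml'
$PolicyName   = 'Employee IDs'
$ReportTarget = 'compliance@contoso.com'

# 1. Build the rule package with fresh GUIDs for pack, publisher and entity.
#    The Entity id is also what LocalizedStrings refers back to.
#    Pattern: a 9-digit number (IdMatch) within 300 chars of an "Employee" keyword.
$packId = [guid]::NewGuid(); $pubId = [guid]::NewGuid(); $entityId = [guid]::NewGuid()
$rulePack = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$packId">
    <Version major="1" minor="0" build="0" revision="0" />
    <Publisher id="$pubId" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso</PublisherName>
        <Name>Contoso Employee ID</Name>
        <Description>Detects Contoso employee IDs.</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="75">
      <Pattern confidenceLevel="75">
        <IdMatch idRef="Regex_employee_id" />
        <Match idRef="Keyword_employee" />
      </Pattern>
    </Entity>
    <Regex id="Regex_employee_id">(\s)(\d{9})(\s)</Regex>
    <Keyword id="Keyword_employee">
      <Group matchStyle="word"><Term>Employee</Term><Term>Emp ID</Term></Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Employee ID</Name>
        <Description default="true" langcode="en-us">Nine-digit Contoso employee identifier</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@
# Write without a BOM so the bytes on disk match the declared utf-8 encoding.
[System.IO.File]::WriteAllText($XmlPath, $rulePack, (New-Object System.Text.UTF8Encoding($false)))

# 2. Import the collection, then prove the new type resolves by name before using it.
New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path $XmlPath -Encoding Byte -ReadCount 0))
$dc = Get-DataClassification -Identity 'Employee ID'
if (-not $dc) { throw "Custom type 'Employee ID' did not import" }

# 3. Empty policy (as on the page) plus one rule. Policy in Audit mode: matches are
#    logged and incident reports are sent, but nothing is blocked and the Policy Tip
#    is not shown until the policy is moved to AuditAndNotify or Enforce.
New-DlpPolicy -Name $PolicyName -Mode Audit
New-TransportRule -Name "$PolicyName - outbound" -DlpPolicy $PolicyName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = $dc.Name; MinCount = '1' } `
    -SetAuditSeverity Medium `
    -GenerateIncidentReport $ReportTarget `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetections, DataClassifications, IdMatch `
    -NotifySender NotifyOnly `
    -Mode Audit

# 4. One AgentInfo event is logged per message. Query every Mailbox server
#    (message tracking logs are per server) and keep the DLP-related entries.
function Get-DlpTrackingEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-TransportService |
        Get-MessageTrackingLog -EventId AgentInfo -Start $Since -ResultSize Unlimited |
        Where-Object { ($_.EventData | Out-String) -match 'TRA=' } |   # assumption: DLP detail lives in the TRA pairs
        Select-Object Timestamp, Sender,
            @{ n = 'Recipients'; e = { $_.Recipients -join ';' } }, MessageSubject, EventData
}
Get-DlpTrackingEvents | Format-Table -AutoSize -Wrap
```

Two design points. The script checks that the custom classification actually resolved (Get-DataClassification) before building a rule on it, because a rule that references a name which did not import fails at creation time with a less obvious error. It also starts the policy in Audit mode on purpose: incident reports sent to the compliance mailbox, together with the AgentInfo entries, are what you use to measure false positives on real traffic before users ever see a Policy Tip or a rejected message.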

Common Administrative Tasks

  1. Create a DLP policy from a template: Via EAC, or via PowerShell using the -Template parameter of New-DlpPolicy (Get-DlpPolicyTemplate lists the available template names)
  2. Import a DLP policy collection from a file: Via EAC or PowerShell
    Import-DlpPolicyCollection -FileData ([Byte[]]$(Get-Content -Path "C:\Doc\DLP Backup.xml" -Encoding Byte -ReadCount 0))
    † Importing a collection replaces the DLP policies already defined in your organization, so export a backup of the current collection first (see 4).
  3. Create a custom DLP policy without any rules: Via EAC or PowerShell; New-DlpPolicy without -Template (as in 5) creates an empty policy to which you then add transport rules
  4. Export the DLP policy collection: Via EAC or PowerShell
    $file = Export-DlpPolicyCollection
    Set-Content -Path "C:\Doc\DLP Backup.xml" -Value $file.FileData -Encoding Byte
  5. Create a custom DLP policy: Via EAC or PowerShell
    New-DlpPolicy "Employee IDs"
  6. View details of an existing DLP policy: Via EAC or PowerShell
    Get-DlpPolicy "Employee IDs" | Format-List
  7. Change a DLP policy (for example its mode): Via EAC or PowerShell
    Set-DlpPolicy "Employee IDs" -Mode Audit   # valid modes: Audit, AuditAndNotify, Enforce
  8. Delete a DLP policy: Via EAC or PowerShell
    Remove-DlpPolicy "Employee IDs"
  9. Manage Policy Tips: Via EAC, or via PowerShell with New-PolicyTipConfig / Set-PolicyTipConfig
  10. Create a new classification rule collection (custom sensitive information types): Via PowerShell
    New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path "C:\Doc\External Classification Rule Collection.xml" -Encoding Byte -ReadCount 0))
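The export, import and mode-change tasks above as one guarded procedure. This is an added example, not code from the original post or from Microsoft: it wraps the export in a verified, timestamped backup, refuses to import a collection until that backup exists, creates a policy from a built-in template, and promotes the policy one mode at a time. It assumes the Exchange Management Shell is loaded, that C:\Doc exists and is writable, and that some template name in your organization contains "PCI" (template names vary, so check Get-DlpPolicyTemplate). The "Contoso PCI" policy name and the one-stage-at-a-time guard are this example's own choices.

```powershell
# Added example, not code from the original post. Assumptions: Exchange Management
# Shell loaded; C:\Doc exists; a template whose name contains "PCI" is available.
# "Contoso PCI" is a placeholder name.

$BackupDir = 'C:\Doc'

# 1. Export the whole DLP policy collection to a timestamped XML file and parse it
#    back, so an empty or truncated backup is caught now rather than after an import.
function Backup-DlpPolicies {
    param([string]$Dir = $BackupDir)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $path  = Join-Path $Dir "DLP-Backup-$stamp.xml"
    $file  = Export-DlpPolicyCollection
    Set-Content -Path $path -Value $file.FileData -Encoding Byte
    [xml]$doc = Get-Content -Path $path -Raw
    if (-not $doc.DocumentElement) { throw "Backup at $path is not valid XML" }
    return $path
}

# 2. Import-DlpPolicyCollection replaces the existing collection, so only run it
#    after a verified backup has been written.
function Import-DlpPoliciesSafely {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { throw "No such file: $Path" }
    $backup = Backup-DlpPolicies
    Write-Host "Existing collection saved to $backup"
    Import-DlpPolicyCollection -FileData ([Byte[]]$(Get-Content -Path $Path -Encoding Byte -ReadCount 0))
}

# 3. Create a policy from a built-in template, starting in Audit mode so its rules
#    log matches and send incident reports without touching mail flow.
$template = Get-DlpPolicyTemplate | Where-Object { $_.Name -like '*PCI*' } | Select-Object -First 1
if (-not $template) { throw 'No PCI template found; run Get-DlpPolicyTemplate to see the names' }
New-DlpPolicy -Name 'Contoso PCI' -Template $template.Name -Mode Audit

# 4. Staged rollout: Audit -> AuditAndNotify (users start seeing Policy Tips) -> Enforce.
#    Refuse to skip a stage, so Enforce is never reached without a notify period.
function Set-DlpPolicyStage {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Audit', 'AuditAndNotify', 'Enforce')][string]$Mode
    )
    $order   = @('Audit', 'AuditAndNotify', 'Enforce')
    $current = (Get-DlpPolicy -Identity $Name).Mode.ToString()
    if ($order.IndexOf($Mode) -gt $order.IndexOf($current) + 1) {
        throw "Refusing to move '$Name' from $current straight to $Mode; promote one stage at a time"
    }
    Set-DlpPolicy -Identity $Name -Mode $Mode
    Get-DlpPolicy -Identity $Name | Format-List Name, State, Mode
}
Set-DlpPolicyStage -Name 'Contoso PCI' -Mode AuditAndNotify
```

Demoting a policy (Enforce back to Audit) is always allowed by the guard; only promotion is gated. Keep the backup files somewhere the import account cannot overwrite, since a bad collection imported over the top of the only copy of the good one is the failure this procedure exists to prevent.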

Top PowerShell Commands/Tools:

– New|Get|Set|Remove-DlpPolicy (Get-DlpPolicyTemplate lists the built-in templates)
– New|Get|Set|Remove-ClassificationRuleCollection (Get-DataClassification lists the sensitive information types they define)
– Export|Import-DlpPolicyCollection

References/Links

Command Reference for DLP
Microsoft Technet page on DLP in Exchange 2013


8 thoughts on “Exchange 2013 Brief – Data Loss Prevention (DLP)”


  3. Very helpful article.

    In practice, however, we found that the “DLP sensitive information types” (aka “Classification Definitions” when using the Exchange cmdlets) aren’t very accurate. These are the rules that detect things like social security numbers, credit card numbers, tax IDs, etc.

    Nearly every one that we experimented with worked on the surface, but failed in practice with high False Positives (i.e. falsely detected things that are not actually there) and False Negatives (i.e. failed to detect things that are there).

    Once deployed in small-scale production, the poor accuracy of these types caused frustration and required significant time from admins to investigate. If the DLP solution is not finding the right things, what’s the point!?

    We’ve opted to use a solution from Nucleuz (http://www.nucleuz.com/) which so far (knock on wood) is performing much better and makes Microsoft’s built-in DLP solution worthwhile.

