One of the most interesting security enhancements in Office 2016 is its data loss protection (DLP) capability.
It extends and complements Microsoft’s current portfolio of enterprise products containing a DLP capability to include Exchange, Outlook, OneDrive for Business, SharePoint, Word, Excel and PowerPoint.
The introduction of DLP into Office 2016 means security administrators can apply the same classification and policy control they apply in email and document management to the desktop productivity suite, making this a powerful and unique offering for more ubiquitous protection.
Such technologies have been a component of enterprise security architectures for the last decade.
However, DLP is often seen as an afterthought or add-on to more traditional security technologies, such as IPSs, firewalls, SIEMs and endpoint protection suites, because its focus is on preventing data leakage rather than keeping attackers out.
Some security engineers – and vendors – argue that if you keep the attackers out, there’s no need to invest in these softer security measures, given they are still relatively expensive point solutions.
DLP tech is usually deployed as a standalone appliance in the corporate demilitarised zone (DMZ), often without tight integration into the enterprise policy management system. It quickly becomes an expensive pain in the neck for users and security administrators as it doesn’t cover all the threat vectors it needs to, but still takes up valuable support and management cycles.
It’s clear that these technologies don’t work in the modern security threat environment, especially given the variety of places data is stored and processed.
The ubiquitous adoption of cloud technologies, BYOD and a mobile workforce means that security solutions need to be strategic and enterprise-wide, otherwise they are a waste of money and don’t actually provide any true risk reduction.
To be truly successful with DLP, it’s imperative that the business is engaged to identify all of its most valuable data types, and that the technical solutions are pervasive and enforce policy everywhere that data lives.
This is why I’m excited about Office 2016. The inclusion of DLP technology is a move towards the holistic, enterprise-wide DLP panacea that is needed for this kind of protection to be successful.
It allows security administrators to take the enterprise’s security requirements and build technical countermeasures that enforce content authoring and document sharing policies across the entire ICT environment.
Policies can be customised to meet a variety of compliance and legislative requirements, such as PCI-DSS or the federal government’s PSPF, and control is granular enough to apply to different users or groups so that different parts of your workforce can be as free or as restricted as you need to maintain control.
The policy can be configured to prompt users with helpful tips if the DLP function detects a policy violation, or it can be set simply to alert a security administrator, such as your company’s compliance officer, that the violation has occurred.
Administrators can extend the restrictions they already apply in Outlook, Exchange and SharePoint to the Office applications, for example notifying the user of the violation while allowing them to override the rule with a justification.
In this case the justification is recorded as evidence of why the policy violation happened, so that if it turns out to be for nefarious purposes there is a fully audited trail that can be used in disciplinary or criminal proceedings. Policies can also be used to block the dissemination of content outright.
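As an added illustration (not part of the original post or of Microsoft’s documentation), here is what a policy combining the behaviours just described looks like when built with the Security & Compliance PowerShell DLP cmdlets, using a PCI-DSS style cardholder-data rule: a policy tip with an audited override for a few card numbers, and an outright block plus an incident report to the compliance officer for bulk data. The policy name, rule names and the compliance officer’s address are assumed placeholders; the session is assumed to be already connected to Security & Compliance PowerShell.

```powershell
# Added example, not the original author's configuration. Assumes an existing
# Security & Compliance PowerShell session; names and addresses are placeholders.
$policy  = "PCI-Cardholder-Data"
$officer = "compliance@example.com"   # placeholder: your compliance officer

# One policy applied across Exchange, SharePoint and OneDrive for Business, so
# the Office clients enforce the same classification as email and document stores.
New-DlpCompliancePolicy -Name $policy `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode Enable

# Rule 1: a small number of card numbers triggers a policy tip. The user may
# proceed, but only with a justification, which is captured in the incident report.
New-DlpComplianceRule -Name "$policy-Tip" -Policy $policy `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1"; maxCount = "9" }) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This document contains cardholder data. Provide a justification before sharing it outside the organisation." `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport $officer `
    -IncidentReportContent Title, Detections, DocumentAuthor, MatchedItem

# Rule 2: bulk cardholder data shared externally is blocked outright, with no
# override, and the compliance officer is alerted.
New-DlpComplianceRule -Name "$policy-Block" -Policy $policy `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "10" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "Sharing bulk cardholder data externally is blocked by policy." `
    -GenerateIncidentReport $officer `
    -IncidentReportContent Title, Detections, DocumentAuthor, MatchedItem
```

Running the policy first with `-Mode TestWithNotifications` lets you review the incident reports and tune the thresholds before enforcement affects users.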
Security managers, architects and engineers should be taking a long hard look at DLP now that Microsoft has upped the ante.
This is a technical countermeasure that is no longer an afterthought and last line of defence in the DMZ: it could well become the best line of defence in our modern cloudy threat environment.