How to Prevent Data Leakage in Microsoft Teams with Data Loss Prevention


As more employees shift to working remotely, it is more important than ever that organizations prioritize protecting their business-critical and sensitive data across apps, endpoints, and cloud services. Employees are accessing, sharing, creating, and storing data in new ways, which makes ensuring that this data is protected and compliant all the more imperative.

With this massive growth of corporate data, driven by increasing remote work and by complex regulatory requirements to protect and govern it, managing risk is essential to digital transformation.

What is Data Loss Prevention?

Data loss prevention (DLP) is the process of preventing sensitive data from being lost, misused, or accessed by unauthorized users. Typically, DLP software identifies violations of policies defined by organizations or driven by regulatory compliance such as HIPAA, NIST Cybersecurity Framework, or GDPR.

In addition, DLP enforces remediation immediately upon detection of violations via alerts, encryption, and other protective measures to ensure end-users do not accidentally or maliciously share data with others that could compromise the organization.

Furthermore, DLP can provide reporting for compliance and audit requirements and help identify weaknesses and anomalies during forensic analysis and incident response.

Does Microsoft have a DLP solution?

Microsoft’s DLP solution provides a broad range of capabilities to address the modern workplace and the unique challenges of these very different environments.

One of the key investment areas is providing a unified and comprehensive solution across the many different devices and services where sensitive data is stored and used, including environments native to Microsoft as well as non-Microsoft services and apps. Microsoft’s DLP solution enables organizations to create policies that prevent or disable sharing of sensitive data, prevent printing, notify admins when someone tries to share sensitive data, and customize policy tips to educate users about sharing sensitive data.

As part of Microsoft’s Office 365 Enterprise license, the E3 version provides DLP capabilities for Exchange Online and SharePoint/OneDrive. Customers who have upgraded to Microsoft 365 E5 can utilize DLP capabilities for Microsoft Teams, Devices, and even on-premises environments.

Can DLP policies be applied to Microsoft Teams?

DLP provides controls to prevent sensitive information (such as credit card numbers or health records) from being leaked unintentionally. For those customers on Office 365 E5 or Microsoft 365 E5, DLP policies are available to Microsoft Teams Chat and Channel messages to prevent sharing sensitive information.

There are already DLP policies available for documents saved in Teams, stored in a SharePoint library; these are now available to chats and channel messages.

Plan and design your Microsoft Teams DLP policy

Since every organization has different requirements, goals, and resources, every organization will implement data loss prevention (DLP) differently. Despite these differences, successful DLP implementations share similar elements.

Sensitive data types

Microsoft Information Protection tools use sensitive data types to locate data in messages and documents. Sensitive data types make it easier to detect sensitive data, which helps organizations apply appropriate policies.


Defining sensitive data types is the first step in planning and designing your Microsoft Teams DLP policy. Microsoft provides templated sensitive data types based on compliance regulations around the world, for example financial information such as credit/debit card numbers, personal information, and more. These are in the Microsoft 365 Compliance admin center under Data classification:


Figure 1: Sensitive info types in the Microsoft 365 Compliance center

Suppose the pre-configured sensitive data types don’t meet your needs. In that case, you can create your own custom sensitive information types, defining your sensitive data elements with regular expressions or keywords.
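The custom sensitive information type just described can also be created from Security & Compliance PowerShell instead of the compliance center. The following is an added example, not code from the original post or from Microsoft: it defines a custom type that pairs a regular expression with supporting keywords and uploads it as a rule package with New-DlpSensitiveInformationTypeRulePackage. The "Contoso project code" format (PRJ- followed by six digits), the admin account, and all display names are invented for illustration; the GUIDs are generated at run time.

```powershell
# Added example (not from the original post): register a custom sensitive information
# type built from a regex plus a keyword list, packaged in the rule package XML schema
# that Microsoft Purview accepts. The project-code format and names are invented.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder account

$rulePackId  = [guid]::NewGuid().Guid
$publisherId = [guid]::NewGuid().Guid
$entityId    = [guid]::NewGuid().Guid

$rulePackage = @"
<?xml version="1.0" encoding="utf-16"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0" />
    <Publisher id="$publisherId" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso (example)</PublisherName>
        <Name>Contoso project codes</Name>
        <Description>Custom sensitive info type for internal project codes (example)</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- High confidence: the regex plus a keyword within 300 characters of it -->
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_ProjectCode" />
        <Match idRef="Keyword_ProjectCode" />
      </Pattern>
      <!-- Lower confidence: the regex alone, with no supporting keyword -->
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_ProjectCode" />
      </Pattern>
    </Entity>
    <Regex id="Regex_ProjectCode">\bPRJ-\d{6}\b</Regex>
    <Keyword id="Keyword_ProjectCode">
      <Group matchStyle="word">
        <Term>project code</Term>
        <Term>project id</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso project code</Name>
        <Description default="true" langcode="en-us">Internal project identifier (example)</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# The cmdlet takes the package as a byte array; save it as UTF-16 and read it back.
$path = Join-Path $env:TEMP 'contoso-project-code-sit.xml'
[System.IO.File]::WriteAllText($path, $rulePackage, [System.Text.Encoding]::Unicode)
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($path))

# Confirm the new type is registered; it can now be chosen in a DLP policy like a built-in one.
Get-DlpSensitiveInformationType -Identity 'Contoso project code'
```

Two patterns with different confidence levels let a later DLP rule block only on the high-confidence match (regex plus keyword) while merely reporting on the weaker regex-only match, which keeps false positives in Teams chat down.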

Prevent data leakage

To prevent data leakage in Microsoft Teams, you first need to create a DLP policy and apply it to Teams Chat and Channel messages. Open the Microsoft 365 Admin Compliance center and go to Data Loss Prevention under Solutions.

Create a new policy and choose your Sensitive Data Type. It can be the pre-configured templated ones or a previously created custom one.


Figure 2: New DLP Policy in Microsoft 365 Compliance Centre

Choose the locations to apply the policy. Make sure Teams chat and channel messages is selected. You can choose to use this policy for all accounts or select or exclude specific accounts/distribution groups. For example, you might want to apply a DLP policy to prevent the sharing of financial information but add the finance team as an exception as they require the ability to do this as part of their role.

Disable sharing

To disable sharing of sensitive data with external users, choose custom advanced rule settings from the template. You can then customize the DLP rules to disable sharing of the sensitive info type.


Figure 3: Customize DLP rules when creating a policy


When editing the rule, add an action to restrict access or encrypt. Here you can block peer-to-peer or external sharing of sensitive information (Figure 4).


Figure 4: Restricting access in DLP policy

You can enable alerts to notify you and admins when a policy match occurs. DLP can customize alerts to send a notification when a high volume of matched activities is reached (Figure 5).


Figure 5: Incident reports in DLP Policy

Implement a DLP policy in test mode

It’s difficult to predict where the risks of data leakage lie, making it even more challenging to implement data loss prevention. DLP policies can be run in “test mode”, letting you assess their effectiveness and accuracy before turning them on.


Before creating the policy, please test it out first and turn on policy tips when testing. Testing lets you see what your policy tips look like to your end-users.


Figure 6: Test policy option in DLP


If your policy is working, you will see that when users try to share a credit card number through a Teams Channel, it automatically blocks the message and provides a policy tip to the end-user.


Figure 7: Teams Channel message blocked by DLP
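The procedure above (create the policy, scope it to Teams chat and channel messages with an exception group, block external sharing of the sensitive info type, raise incident reports, and start in test mode with policy tips before enforcing) can be scripted end to end. The following is an added example written for this page, not code from the original post or from Microsoft. It assumes a Security & Compliance PowerShell session; the admin account, the finance group address, and the policy and rule names are placeholders, while "Credit Card Number" is the name of a built-in sensitive info type.

```powershell
# Added example (not from the original post): build the Teams DLP policy from the
# walkthrough with Security & Compliance PowerShell, starting in test mode.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder account

$policyName = 'Teams - Block external sharing of card numbers'   # placeholder name

# Step 1: the policy, scoped to all Teams chat and channel messages, with the finance
# group excluded because sharing card data is part of their role.
# TestWithNotifications = "test it out first and turn on policy tips": matches are
# recorded and users see the tip, but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Prevents credit card numbers leaving the organisation via Teams' `
    -TeamsLocation All `
    -TeamsLocationException 'finance-team@contoso.example' `
    -Mode TestWithNotifications

# Step 2: the rule. AccessScope NotInOrganization limits it to content shared with
# people outside the tenant; BlockAccess stops the message once the policy is enforced;
# NotifyUser shows the policy tip to the sender; GenerateIncidentReport raises the
# incident report with the chosen severity.
New-DlpComplianceRule -Name 'Card number shared externally' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser @('LastModifier') `
    -NotifyPolicyTipCustomText 'This message contains a payment card number and cannot be shared outside the organisation.' `
    -GenerateIncidentReport @('SiteAdmin') `
    -IncidentReportContent @('Title', 'Detections', 'Severity') `
    -ReportSeverityLevel High

# Step 3: review what matched in test mode (reports, activity explorer, alerts), then
# switch the policy to enforcement so messages are actually blocked.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running the policy in TestWithNotifications first gives you the same data the reports section below relies on, so you can tune the sensitive info type or the exception list before any message is blocked.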

How to report on and monitor usage of data loss prevention in Microsoft Teams

Compliance Centre reporting includes reports and insights that help compliance and security administrators focus on high-priority issues, such as increased suspicious activity or where you need to amend a policy. DLP reporting is available in reports, activity explorer and the alerts dashboard in the Compliance admin center.


Reporting

View the reports page in your Compliance center to view DLP reports. The reports provide you with an overall view of DLP policy matches, incidents, and false positives across SharePoint Online, Exchange Online, Microsoft Teams and OneDrive for Business. View details to discover what sensitive content is shared and when (Figure 8).


Figure 8: Reports in the Compliance admin center

The report also shows the users with the most shared files and which files are publicly shared; this uses Defender for Cloud Apps, which is an E5 feature.


Administrators can use these reports to view DLP policy effectiveness and make improvements based on the type of activity from their end-users.

Activity explorer

The activity explorer is another tool administrators can use to explore any activity where sensitivity labels or sensitive information are involved. Suppose you have sensitive information in your content. In that case, you can review activity for label-containing content in the activity explorer, such as which labels were changed, which files were modified, and more.


Figure 9: Activity Explorer in DLP

It is essential to understand the actions taken on your sensitivity-labelled content, so you can determine how adequate your controls, such as data loss prevention policies, are. You may also have to adjust your policies if something unexpected occurs, such as a large number of items marked highly confidential that users downgrade to general. In these cases you could change your policies and take new steps to curb the undesired behaviour.

Alerts dashboard

DLP can be configured to alert you automatically when there is an action against sensitive information. You can view alerts, events, and associated metadata for DLP policy violations by accessing the DLP alert management dashboard in the Microsoft 365 compliance centre.


Figure 10: Alerts Dashboard in DLP

To view an alert in more detail, select it to view the card, which details the DLP policy, location, event count, and time detected.


Figure 11: Alert card in DLP

The alerts dashboard is a helpful reporting tool for seeing policy breaches in real time as soon as they occur, giving administrators the confidence that they know what is happening with their sensitive data.
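Alongside the reports, activity explorer and alerts dashboard, a quick configuration check helps catch the two things the dashboards will not show you: a Teams policy that was never moved out of test mode, and a rule that matches but neither blocks nor reports. The following is an added example, not code from the original post or from Microsoft; it assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession) and that the rule object's property names mirror the New-DlpComplianceRule parameters of the same name.

```powershell
# Added example (not from the original post): audit every DLP policy that covers Teams,
# flag the ones still in test mode, and summarise what each rule actually does.
# Assumes you are already connected with Connect-IPPSSession.

# Policies that include Teams chat/channel messages (directly or via an exception list).
$teamsPolicies = Get-DlpCompliancePolicy |
    Where-Object { $_.TeamsLocation -or $_.TeamsLocationException }

foreach ($policy in $teamsPolicies) {
    # Test modes record matches and may show tips but never block a message.
    $status = if ($policy.Mode -like 'Test*') { 'STILL IN TEST MODE' } else { $policy.Mode }
    Write-Host "Policy: $($policy.Name)  [$status]"

    # One row per rule: does it block, is it external-only, does it notify and report?
    Get-DlpComplianceRule -Policy $policy.Name | ForEach-Object {
        [pscustomobject]@{
            Rule           = $_.Name
            Disabled       = $_.Disabled
            BlocksAccess   = [bool]$_.BlockAccess
            ExternalOnly   = ($_.AccessScope -eq 'NotInOrganization')
            PolicyTip      = [bool]$_.NotifyUser
            IncidentReport = [bool]$_.GenerateIncidentReport
            Severity       = $_.ReportSeverityLevel
        }
    } | Format-Table -AutoSize
}
```

A rule showing BlocksAccess and IncidentReport both false is only ever going to appear in activity explorer, never in the alerts dashboard, which is worth knowing before you rely on that dashboard as your real-time view.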

Summary

In practice, configuring the DLP settings in the Compliance center is relatively easy to do. The critical part is the requirements gathering and discovery. It’s essential to understand what sensitive data you have in your environment, who needs to handle sensitive data, and define what protection actions you want to apply.

Once DLP is up and running, keeping it on involves little more than reviewing alerts and adjusting policy settings as things progress, so it is a low-maintenance but highly critical tool to turn on.