Wednesday, February 3, 2016

DLP Policies in Exchange 2013

Microsoft has made much of the data loss prevention (DLP) features in Exchange 2013,
and not without reason. Inadvertent data breaches, when an authorized user accidentally
divulges sensitive data by sending it to someone who isn’t supposed to have it, are an
increasingly common and severe problem. In most jurisdictions, such breaches open up the
organization to civil and regulatory liability, and in some, a breach of medical, financial, or
personal information can even lead to criminal sanctions. Exchange 2013 DLP attempts to
prevent these breaches by allowing you to define and apply DLP policies.


There are three ways for you to define a policy. You can use one of the 40 templates that
ship with Exchange 2013, you can import a policy from an external source, or you can
define your own policy from scratch. Microsoft has detailed documentation on how
to construct your own policies (see
http://technet.microsoft.com/en-us/library/jj674310(v=exchg.150).aspx), and the EAC
dialog box in which you select a template to
apply has a Learn More link that claims to point to a page of DLP templates supplied by
third parties. (There’s nothing there as of this writing.) The most likely means of applying
DLP in your organization is to use one of the built-in templates. If you create your own
policy from scratch, you have to define all the individual rules to recognize items you wish
to match, with the attendant risk of missing something, so most organizations will probably
stick with the Microsoft-defined template set to start with.

When you define a policy, you set it to operate in one of three modes:

Test Without Policy Tips is the default for a newly applied policy. In this mode,
the policy's rules operate normally, detecting entities or affinities defined by the
policy. Whatever action the rule would have taken is reflected by an entry in the
server's message tracking log. However, the actions specified by the policy won't be
applied. This is similar to what happens when you run an EMS command with the
-WhatIf flag.

Test With Policy Tips runs the content analysis process against messages as they are
processed, and it scans messages in compatible clients (Outlook 2013 only at present)
to see whether any of the defined Policy Tips should be displayed. However, actions
associated with the rules or with Policy Tips (such as preventing a user from sending a
message without overriding the Policy Tip) aren't applied.

Enforce activates the rules and Policy Tips associated with the policy. Depending on
the policy settings, this might cause noncompliant messages to be blocked, although
you can define exceptions that allow users to override the policy and send suspect
messages anyway.


In addition to setting the mode, you can also specify what Microsoft calls an incident
management mailbox. This is an internal recipient that receives reports any time a user
triggers a DLP rule. The idea behind this mailbox is that you can use it to maintain an audit log of
potential or actual breaches; with that in mind, you’ll want to think carefully about which
mailbox to use and who should have access to it.
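
The following Exchange Management Shell sketch is an added example, not part of the original post. It applies the three modes and the incident management mailbox described above as a phased rollout, mapping the EAC mode labels to the values the -Mode parameter accepts. The policy name, mailbox address and choice of template are assumptions, and step 3 assumes a build where Set-TransportRule supports -IncidentReportContent.

```powershell
# Added example: phased rollout of a template-based DLP policy.
# All names below are placeholders chosen for illustration (assumptions).
$PolicyName   = 'Financial Data (pilot)'         # hypothetical policy name
$TemplateName = 'U.S. Financial Data'            # assumed template; checked in step 1
$IncidentMbx  = 'dlp-incidents@contoso.example'  # hypothetical incident mailbox

# EAC mode label -> value accepted by the -Mode parameter
$ModeMap = @{
    'Test Without Policy Tips' = 'Audit'
    'Test With Policy Tips'    = 'AuditAndNotify'
    'Enforce'                  = 'Enforce'
}

# 1. Confirm the template exists before creating anything.
if (-not (Get-DlpPolicyTemplate | Where-Object { $_.Name -eq $TemplateName })) {
    throw "DLP template '$TemplateName' not found; run Get-DlpPolicyTemplate to list them."
}

# 2. Create the policy in the log-only mode so no mail flow changes yet.
New-DlpPolicy -Name $PolicyName -Template $TemplateName `
    -Mode $ModeMap['Test Without Policy Tips'] -State Enabled

# 3. Route an incident report from every rule in the policy to the
#    incident management mailbox.
Get-TransportRule -DlpPolicy $PolicyName | ForEach-Object {
    Set-TransportRule -Identity $_.Identity `
        -GenerateIncidentReport $IncidentMbx `
        -IncidentReportContent Sender,Recipients,Subject,Severity,RuleDetections
}

# 4. Review who can open that mailbox: the reports describe potential
#    breaches, so explicit (non-inherited) grants should be few and known.
Get-MailboxPermission -Identity $IncidentMbx |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights

# 5. After reviewing the logged matches, step up one mode at a time.
Set-DlpPolicy -Identity $PolicyName -Mode $ModeMap['Test With Policy Tips']
# Later, once Policy Tips have been tuned:
# Set-DlpPolicy -Identity $PolicyName -Mode $ModeMap['Enforce']
```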
 
