How to Apply Encryption to Exchange Online Email Containing Sensitive Data

Protecting Sensitive Email

Let’s assume that you want to make sure that outbound email containing sensitive data is always encrypted using the (relatively new) Encrypt rights management template. Office 365 includes a wide range of default sensitive data types created for data loss prevention (DLP) policies. You can define your own sensitive data types if necessary.

You could, of course, rely on users to know when they need to apply the Encrypt template to messages (via OWA and Outlook, but not mobile clients), but it’s usually better to make the process automatic. You can do this with a transport rule or a DLP policy. Both can be created through a GUI (the Exchange Administration Center for a transport rule and the Security and Compliance Center for a DLP policy), but where’s the fun in that?

Using a Transport Rule for Encryption

Any sensitive data type known to the tenant can be used in a transport rule to identify messages for protection by including it in the MessageContainsDataClassifications parameter. Here’s a simple PowerShell example that looks for six different sensitive data types. If any are found in a message, Exchange Online applies the Encrypt template.

New-TransportRule -Name "Encrypt external email with PII content" -SentToScope NotInOrganization -ApplyRightsProtectionTemplate "Encrypt" -MessageContainsDataClassifications @(@{Name="ABA Routing Number"; minCount="1"},@{Name="Credit Card Number"; minCount="1"},@{Name="U.S. / U.K. Passport Number"; minCount="1"},@{Name="U.S. Bank Account Number"; minCount="1"},@{Name="U.S. Individual Taxpayer Identification Number (ITIN)"; minCount="1"},@{Name="U.S. Social Security Number (SSN)"; minCount="1"}) -Mode Enforce

Using a DLP Policy for Encryption

Alternatively, you can create a DLP policy that applies a template when messages are shared outside the organization. Two steps are needed to do this in PowerShell. The first creates a DLP policy; the second creates the rule to encrypt email with the same set of sensitive data types specified for the transport rule and attaches the rule to the policy.

New-DlpCompliancePolicy -Name "Encrypt external sensitive mail" -ExchangeLocation "All"

New-DlpComplianceRule -Name "Encrypt external email with PII content" -Policy "Encrypt external sensitive mail" -AccessScope NotInOrganization -EncryptRMSTemplate "Encrypt" -NotifyUser "LastModifier" -NotifyPolicyTipCustomText "This email contains sensitive PII information and will be encrypted when sent." -NotifyEmailCustomText "This email contains sensitive PII information and will be encrypted when sent." -ContentContainsSensitiveInformation @(@{Name="ABA Routing Number"; minCount="1"},@{Name="Credit Card Number"; minCount="1"},@{Name="U.S. / U.K. Passport Number"; minCount="1"},@{Name="U.S. Bank Account Number"; minCount="1"},@{Name="U.S. Individual Taxpayer Identification Number (ITIN)"; minCount="1"},@{Name="U.S. Social Security Number (SSN)"; minCount="1"})

Choose How to Encrypt

As you can see, Office 365 offers several ways to apply encryption via policy to outbound email. It’s important that you choose either transport rules or DLP policies to protect sensitive data as it is easy to cause confusion if protection is applied for the same content using multiple methods.
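The following script is an added example, not code from the original post: it validates the six sensitive information type names against the tenant, checks that no existing DLP rule already encrypts the same types (the double-protection problem described above), and only then creates the transport rule from the post using splatting. It assumes live Exchange Online and Security & Compliance PowerShell sessions (Connect-ExchangeOnline and Connect-IPPSSession) and assumes the ContentContainsSensitiveInformation property returned by Get-DlpComplianceRule exposes a Name per entry.

```powershell
# Added example: pre-flight checks before creating the encryption transport rule.
# Assumes existing Exchange Online and Security & Compliance PowerShell sessions.
$PiiTypes = @(
    "ABA Routing Number",
    "Credit Card Number",
    "U.S. / U.K. Passport Number",
    "U.S. Bank Account Number",
    "U.S. Individual Taxpayer Identification Number (ITIN)",
    "U.S. Social Security Number (SSN)"
)

# 1. Every name must be a sensitive information type the tenant knows about;
#    a misspelled name would yield a rule that simply never matches.
$Known   = (Get-DlpSensitiveInformationType).Name
$Missing = $PiiTypes | Where-Object { $_ -notin $Known }
if ($Missing) {
    throw "Unknown sensitive information type(s): $($Missing -join ', ')"
}

# 2. Report any DLP rule that already encrypts one of these types, so the same
#    content is not protected by both a DLP policy and a transport rule.
$Overlap = Get-DlpComplianceRule | Where-Object { $_.EncryptRMSTemplate } | ForEach-Object {
    $Rule = $_
    # Assumption: each entry is a hashtable or object carrying a Name.
    $Names = @($Rule.ContentContainsSensitiveInformation) | ForEach-Object {
        if ($_ -is [hashtable]) { $_["Name"] } elseif ($_.Name) { $_.Name } else { "$_" }
    }
    $Shared = @($Names | Where-Object { $_ -in $PiiTypes })
    if ($Shared) { [pscustomobject]@{ Rule = $Rule.Name; SharedTypes = ($Shared -join '; ') } }
}
if ($Overlap) {
    $Overlap | Format-Table -AutoSize
    throw "A DLP rule already encrypts these types; use one mechanism only."
}

# 3. Build the classification list and create the rule from the post.
#    Splatting keeps the long command readable and easy to review.
$Classifications = @($PiiTypes | ForEach-Object { @{ Name = $_; minCount = "1" } })
$RuleParams = @{
    Name                               = "Encrypt external email with PII content"
    SentToScope                        = "NotInOrganization"
    ApplyRightsProtectionTemplate      = "Encrypt"
    MessageContainsDataClassifications = $Classifications
    Mode                               = "Enforce"
}
New-TransportRule @RuleParams
```

Run it with -Mode set to "Audit" first if you want to see which messages would be encrypted before enforcing.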


We cover transport rules in Chapter 17 of the Office 365 for IT Pros eBook, DLP policies in Chapter 22, and rights management templates in Chapter 24.  You might say that we have this topic covered…
