Sensitive Information Types for Use with DLP
Data Loss Prevention (DLP) isn’t the most exciting topic, but it’s an important way to protect sensitive information stored in Exchange Online, SharePoint Online, OneDrive for Business, and Teams. Office 365 E3 licenses are needed to use DLP policies. The exception is Teams, which for some bizarre reason requires Office 365 E5.
Matching Sensitive Data
The foundation for DLP is the ability to find sensitive information within items. Microsoft 365 does this by scanning items for matches against definitions of sensitive information types as items are added to workloads, mostly when new or changed information is indexed.
The definition for a sensitive information type is a pattern identified by a regular expression or function. For instance, credit card numbers are matched if a fourteen- or sixteen-digit number is found which complies with Luhn’s algorithm (also used to check other sensitive information types like Canadian Social Security numbers). Additional confidence during the matching process is gained from the presence of other evidence close to the matched term. For instance, the word “Visa” or “MasterCard” close to a number which passes Luhn’s test increases the confidence that the number is a credit card.
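As an added illustration (not code from this article or from Microsoft's DLP engine), the Python sketch below mimics how a sensitive information type combines the three ingredients just described: a pattern that finds fourteen- or sixteen-digit candidates, a Luhn checksum over the digits, and a confidence level that is raised when a supporting keyword sits close to the match. The regular expression, the keyword list, the 50-character proximity window and the "medium"/"high" labels are my own assumptions rather than Microsoft's definitions. The sample text is constructed; the numbers in it are the well-known test values 4111 1111 1111 1111 and 3056 9309 0259 04, not real cards.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Candidate pattern (assumption): 14 to 16 digits, optionally separated by single
# spaces or hyphens, and not part of a longer digit run. The lookarounds reject a
# candidate that is preceded or followed by a further digit (with or without a
# separator), so a 22-digit tracking number is not carved into a 16-digit "card".
CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){13,15}\d(?![ -]?\d)")

# Supporting evidence (assumption): the article names "Visa" and "MasterCard";
# "credit card" and "card number" are added here for illustration.
KEYWORDS = ("visa", "mastercard", "credit card", "card number")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total % 10 == 0


@dataclass
class Match:
    number: str               # digits only, separators removed
    confidence: str           # "high" if a keyword is nearby, otherwise "medium"
    evidence: Optional[str]   # the keyword that raised the confidence, if any


def find_credit_cards(text: str, lengths=(14, 16), window: int = 50) -> list[Match]:
    """Emulate a credit-card sensitive information type over a block of text.

    A candidate is reported only if it has an accepted length and passes Luhn.
    Confidence is "medium" on the checksum alone and "high" when one of the
    KEYWORDS appears within `window` characters before or after the match.
    """
    results: list[Match] = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if len(digits) not in lengths or not luhn_valid(digits):
            continue
        context = text[max(0, m.start() - window): m.end() + window].lower()
        evidence = next((kw for kw in KEYWORDS if kw in context), None)
        results.append(Match(digits, "high" if evidence else "medium", evidence))
    return results


# Constructed sample document (assumption): one bare Luhn-valid number with no
# supporting keyword, one Visa number with the keyword nearby, one mistyped
# number that fails Luhn, and a long tracking number that the pattern must skip.
SAMPLE_TEXT = (
    "Customer reference 3056 9309 0259 04 was created on 2 December.\n"
    "Ticket 20201187: refund approved for the order placed last week.\n"
    "Payment was taken on the customer's Visa card 4111 1111 1111 1111.\n"
    "MasterCard 4111 1111 1111 1112 was declined; the number was mistyped.\n"
    "Parcel tracking 9400 1000 0000 0000 0000 12 shows delivered.\n"
)

if __name__ == "__main__":
    for hit in find_credit_cards(SAMPLE_TEXT):
        print(f"{hit.number}  confidence={hit.confidence}  evidence={hit.evidence}")
```

Running the block reports two matches: the bare fourteen-digit number at medium confidence and the sixteen-digit number next to "Visa" at high confidence. The mistyped MasterCard number is dropped because it fails the checksum, which is why the keyword alone never produces a match. The checksum is a weak filter on its own, since one in ten random digit strings passes Luhn; that is exactly why the real definitions lean on nearby evidence to raise confidence before a DLP policy acts.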
Organizations can create their own sensitive information types to match information specific to their business, like customer numbers or project identifiers. These definitions join the set of common sensitive information types defined by Microsoft for use in DLP policies.
New Sensitive Information Types
Office 365 notification MC230755 published on 18 December brings the news that Microsoft has added 49 new sensitive information types to its set, which now includes 201 definitions. The new sensitive information types are now rolling out.
The definitions of sensitive information types created by Microsoft are described online, including the pattern and keywords used in the matching process. You can also get a quick count of the current set by running the Get-DlpSensitiveInformationType cmdlet. In this case, we see the 201 standard Microsoft definitions and 3 added by the organization:
$Dlp = Get-DlpSensitiveInformationType
$Dlp | Group Publisher | Format-Table Name, Count

Name                   Count
----                   -----
Microsoft Corporation    201
Office 365 for IT Pros     3
Microsoft says that the new definitions “unbundle” European Union definitions for driver’s license, passport, and social security numbers. In other words, instead of using generic definitions for these types, country-specific definitions are available for individual European Union countries like Latvia, Hungary, and Luxembourg (Figure 1).
If you’ve been using the Euro definitions in DLP policies, Microsoft recommends that you consider upgrading to country-specific sensitive information types if available to increase the accuracy of matching.
We cover DLP in Chapter 22 of the Office 365 for IT Pros eBook. Subscribe now to stay up to date with changes across Office 365. Our monthly updates will surprise and delight you!