The Data Loss Prevention (DLP) feature in the new Exchange will help you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is increasingly important for enterprise message systems because business critical email includes sensitive data that needs to be protected. It’s the financial information, personally identifiable information (PII) and intellectual property data that can be accidently sent to unauthorized users that keeps the CSO up all night. In order to protect sensitive data without affecting worker productivity, the new version of Microsoft Exchange Server 2013 integrates DLP features so you can manage sensitive data in email more easily than ever before.

You can be comfortable getting started with DLP in Exchange because Microsoft has included a simple management interface that allows you to:

  • Start with a pre-configured policy template that can help you detect specific types of sensitive information such as PCI-DSS data, Gramm-Leach-Bliley act data, or even locale-specific personally identifiable information (PII).
  • Use the full power of existing transport rule predicates and actions and add new transport rules
  • Test the effectiveness of your DLP policies before fully enforcing them
  • Incorporate your own custom DLP policy templates and sensitive information types
  • Detect sensitive information in message attachments, body text or subject lines and adjust the confidence level at which Exchange takes action
  • Add Policy Tips, which can help reduce data loss by displaying a notice to your Outlook users and can also improve the effectiveness of your policies by allowing false-positive reporting
  • Review incident data in message tracking logs or add reporting by using a new generate incident report action

Using the Microsoft-supplied DLP policy templates are an easy way to get started. DLP policies are packages of transport rules with new features that you can customize. These rules include classification types that define the type of content you are looking for in the DLP policy. You can use the Exchange management shell or the Exchange Administration Center (EAC) or even your own XML file editor to start incorporating DLP policies into your messaging environment. The image here shows the data loss prevention management interface.

Screenshot: Data loss prevention (DLP) in the Exchange Administration Center (EAC)
Figure 1: Managing Data loss prevention (DLP) using the EAC

A number of new transport rule conditions and actions have been created in Exchange Server 2013 in order to accomplish new DLP capability. One key feature of the new transport rules is a new approach to detecting sensitive information that can be incorporated into mail flow processing. This new DLP feature performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, internal functions such as validate checksum on credit card numbers, and other content examination to detect specific content types within the message body or attachments.

Policy Tips to inform your workers in real time

With the new DLP features, you can inform email senders that they may be about to pass along sensitive information that is detected by your policies—even before they click send. You can accomplish this by configuring Policy Tips. Policy Tips are similar to MailTips, and can be configured to present a brief note in the Microsoft Outlook 2013 client that provides information about your business policies to the person creating a message. You can configure Policy Tips that will merely warn workers or block their messages, or even allow them to override your block with a justification. Policy tips can also be useful for tuning your DLP policy effectiveness, as they allow end users to seamlessly report false positives. Here’s a screenshot that shows the Policy Tip in action.

Screenshot: Mail tip for data loss prevention
Figure 2: A Policy Tip informs email senders about sensitive information before they send the message

Begin by establishing policies that protect your sensitive data

Three different methods exist for you to begin using DLP:

  1. Apply an out-of-the-box template supplied by Microsoft The quickest way to start using DLP policies is to create and implement a new policy using a template. This saves you the effort of building a new set of rules from scratch.
  2. Import a pre-built policy file from outside your organization You can import policy templates that have already been created outside of your messaging environment by independent software vendors. In this way you can extend the DLP solution to suit your business requirements.
  3. Create a custom policy without any pre-existing conditions Your enterprise may have its own requirements for monitoring certain types of data known to exist within a messaging system. You can create a custom DLP policy entirely on your own in order to start checking and acting upon your own unique message data.

Sensitive Information Types in DLP Policies

When you create DLP policies, you can include rules that include checks for sensitive information. The conditions that you establish within a policy, such as how many times something has to be found before an action is taken or exactly what that action is can be customized within your new custom policies in order to meet your business requirements. Sensitive information rules are integrated with the transport rules framework by introduction of a condition that you can customize: If the message contains…Sensitive Information. This condition can be configured with one or more sensitive information types that are contained within the messages.

To make it easy for you to make use of the sensitive information-related rules, Microsoft has supplied policy templates that already include some of the sensitive information types. An inventory of the sensitive information types supplied out of the box is provided on the TechNet Library. A brief sample can be seen here:

Information typePrimary regionCategory
ABA Routing Number United States finance
Australia Bank Account Number Australia finance
Credit Card Number All finance
EU Debit Card Number European Union finance
France Social Security Number (INSEE) France PII
German Driver's License Number Germany PII
Japan Passport Number Japan PII
SWIFT Code All finance
U.K. National Health Service Number United Kingdom health

Data loss prevention in Exchange 2013 is one of several new features that are focused on helping to solve compliance issues in email. Check out In-Place eDiscovery, In-Place Archiving, Retention policies, and the new additions to transport rules, and information rights management too. We hope you become more productive and safe with the new DLP features that help you protect your organization’s sensitive data.

John Andrilla