Executive Overview
DLP capabilities help you protect sensitive data and inform users of your policies and regulatory obligations, and they can stop users from mistakenly sending sensitive information to unauthorized recipients. When you configure DLP policies, Exchange identifies and protects sensitive data by analyzing the content of messages, including the many attachment file types it can parse. The DLP policy templates supplied with Exchange 2013 are based on regulatory requirements for personally identifiable information (PII) and on standards such as the Payment Card Industry Data Security Standard (PCI DSS). DLP is extensible, so you can add other policies that matter to your organization. The new Policy Tips capability also lets you warn users about a policy violation before the sensitive data is sent.
Notable Features
- DLP Policies
- Sensitive Information Types
- Policy Detection and Reporting
- Policy Tips
Architecture/Components
The Transport Rule agent (TRA) in Exchange 2013 performs the deep content scanning of messages and applies the DLP policies, which are implemented as Exchange transport rules.
- DLP Policies: A DLP policy is a set of transport rules, each made up of conditions, actions and exceptions. Rules can be written from scratch or derived from the policy templates that ship with Exchange 2013. There are three supported methods to create DLP policies:
- Create a DLP policy from an existing policy template: At the time of writing, Exchange 2013 ships with over 40 policy templates covering compliance requirements from various countries and jurisdictions, such as the U.S. Gramm-Leach-Bliley Act (GLBA) and PCI DSS.
- Import a pre-built policy file from outside your organization: Exchange 2013 lets you use DLP policies created by independent software vendors by importing them directly into Exchange as XML files. To build your own DLP policy template file, you first write the template XML according to the published schema, then define the sensitive information (classification) rule types that the template references.
- Create a custom policy from scratch: Exchange 2013 provides the granularity to define a DLP policy that matches an organization's own requirements for monitoring particular kinds of data.
- Sensitive Information Types: DLP performs deep content analysis using keyword matches, dictionary matches, regular expression evaluation and other content examination to detect content that violates organizational DLP policies. Sensitive information types augment the existing transport rules framework, so messaging policies can be applied to email flowing through the transport pipeline in the Transport service on Mailbox servers and on Edge Transport servers (see my separate article on Exchange transport architecture).
- Policy Detection and Reporting: Exchange 2013 exposes policy violations occurring in the DLP environment through the message tracking logs. The Transport Rule agent writes a single AgentInfo event per message describing the DLP processing applied to that message, including which rules and data classifications matched. In addition, each rule in a DLP policy can be configured to send an incident report to a chosen mailbox via the Generate incident report action in the EAC.
- Policy Tips: notify email senders, while they are composing a message, that it would violate one of the DLP policies, before the offending message is sent.
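As an added example (not code from the original post), the following PowerShell builds the custom sensitive information type that the "import a policy file" and "sensitive information types" components above rely on: a classification rule collection for a fictional employee ID format, loaded with New-ClassificationRuleCollection. The rule package element names follow Microsoft's published classification rule package schema; the Contoso names, the ID format, the confidence values, the file path and the GUIDs (generated at run time) are assumptions for this example.

```powershell
# Added example (not from the original post): define a custom sensitive
# information type for an assumed employee ID format (two upper-case letters
# followed by six digits, e.g. "AB123456"), package it as a classification
# rule collection and load it into Exchange 2013.
# Element names follow the Microsoft classification rule package schema; the
# names, regex, keywords and confidence levels below are assumptions.

$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()

# Two patterns with different confidence: the regex alone is a weak signal (65),
# the regex plus a corroborating keyword within 300 characters is strong (85).
# DLP rules can then require MinConfidence 85 to suppress bare regex hits.
$rulePack = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0" />
    <Publisher id="$publisherId" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso Security</PublisherName>
        <Name>Contoso Employee ID Rule Pack</Name>
        <Description>Detects Contoso employee identifiers in mail and attachments.</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_ContosoEmployeeId" />
      </Pattern>
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_ContosoEmployeeId" />
        <Match idRef="Keyword_ContosoEmployeeId" />
      </Pattern>
    </Entity>
    <Regex id="Regex_ContosoEmployeeId">\b[A-Z]{2}\d{6}\b</Regex>
    <Keyword id="Keyword_ContosoEmployeeId">
      <Group matchStyle="word">
        <Term>employee id</Term>
        <Term>employee number</Term>
        <Term>staff id</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso Employee ID</Name>
        <Description default="true" langcode="en-us">Two letters and six digits near an employee ID keyword.</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# Write the file in the encoding the XML declaration claims (UTF-8, no BOM), then
# load it. Get-Content -Encoding Byte -ReadCount 0 returns the whole file as a
# single byte array, which is what the -FileData parameter expects.
$path = "C:\Doc\ContosoEmployeeId.xml"   # assumed path
[System.IO.File]::WriteAllText($path, $rulePack, (New-Object System.Text.UTF8Encoding $false))
New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path $path -Encoding Byte -ReadCount 0))

# Confirm the new type is visible; DLP rules reference it by this name.
Get-DataClassification -Identity "Contoso Employee ID" | Format-List
```

The two-pattern layout is the point to copy: a regex on its own will match serial numbers, order references and anything else of the same shape, so the high-confidence pattern demands a nearby keyword and the DLP rule asks for that confidence level. Keep the file name and the rule pack GUID, because updating an existing collection later (Set-ClassificationRuleCollection) requires the same RulePack id.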
Common Administrative Tasks
- Create a DLP policy from a template: Via EAC (the template picker is only exposed in the EAC)
- Import a DLP policy collection from a file†: Via EAC or PowerShell
  Import-DlpPolicyCollection -FileData ([Byte[]]$(Get-Content -Path "C:\Doc\DLP Backup.xml" -Encoding Byte -ReadCount 0))
- Export the DLP policy collection: Via EAC or PowerShell
  Export-DlpPolicyCollection
- Create a custom DLP policy (initially with no rules): Via EAC or PowerShell
  New-DlpPolicy "Employee IDs"
- View details of an existing DLP policy: Via EAC or PowerShell
  Get-DlpPolicy "Employee IDs" | Format-List
- Change a DLP policy, for example its mode: Via EAC or PowerShell
  Set-DlpPolicy "Employee IDs" -Mode (Audit|AuditAndNotify|Enforce)
- Delete a DLP policy: Via EAC or PowerShell
  Remove-DlpPolicy "Employee IDs"
- Manage Policy Tips: Via EAC
- Create a new classification rule collection (custom sensitive information types): Via PowerShell
  New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path "C:\Doc\External Classification Rule Collection.xml" -Encoding Byte -ReadCount 0))
† Importing a policy collection overwrites all DLP policies previously defined in your organization, so export and back up your current DLP policy collection first.
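The task list above, run end to end as an added example (not code from the original post): back up the collection, create a custom policy in Audit mode, attach a transport rule that uses a data classification, verify detection through the AgentInfo events in the message tracking log, and only then enforce. The policy and rule names, the "Contoso Employee ID" classification, the incident-report mailbox, the pilot sender and the backup path are assumptions for this example.

```powershell
# Added example (not from the original post): DLP policy lifecycle in
# Exchange 2013. Names, addresses and paths are assumptions.

# 1. Back up the current policy collection first. Import-DlpPolicyCollection
#    replaces every DLP policy in the organization, so this export is the only
#    way back if an import goes wrong. The cmdlet returns an object whose
#    FileData property holds the collection XML as a byte array.
$backupPath = "C:\Doc\DLP Backup $(Get-Date -Format 'yyyyMMdd-HHmm').xml"
$export     = Export-DlpPolicyCollection
Set-Content -Path $backupPath -Value $export.FileData -Encoding Byte

# 2. Create the policy in Audit mode: matches are logged (AgentInfo events,
#    incident reports) but delivery is unchanged, so detection accuracy can be
#    measured before any user sees a Policy Tip or a rejected message.
New-DlpPolicy -Name "Employee IDs" -Mode Audit -State Enabled

# 3. Attach a transport rule to the policy. MessageContainsDataClassifications
#    is the DLP condition; MinConfidence 85 means a bare regex match with no
#    corroborating keyword does not fire the rule. The rule only inspects mail
#    leaving the organization, and the incident report goes to a review mailbox.
New-TransportRule -Name "Employee IDs - external recipients" `
    -DlpPolicy "Employee IDs" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "Contoso Employee ID"; MinCount = "1"; MinConfidence = "85"}) `
    -SetAuditSeverity Medium `
    -GenerateIncidentReport "dlp-incidents@contoso.com" `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetections `
    -NotifySender NotifyOnly

# 4. Send a test message from the pilot sender to an external address (not
#    shown), then read the AgentInfo event the Transport Rule agent wrote for
#    it. One AgentInfo event is logged per message; EventData carries the rule
#    and data classification details, including match count and confidence.
Get-MessageTrackingLog -EventId AgentInfo -Sender "alice@contoso.com" -Start (Get-Date).AddHours(-1) |
    Select-Object Timestamp, MessageSubject, Recipients, EventData |
    Format-List

# 5. Review the policy and its rules together. Promote to Enforce only after the
#    audit period shows acceptable false-positive and false-negative rates; the
#    rule's NotifySender setting then takes effect for Policy Tips.
Get-DlpPolicy "Employee IDs" | Format-List Name, Mode, State
Get-TransportRule -DlpPolicy "Employee IDs" | Format-Table Name, State, Priority
Set-DlpPolicy "Employee IDs" -Mode Enforce

# 6. Retiring the policy also removes the transport rules that belong to it.
# Remove-DlpPolicy "Employee IDs" -Confirm:$false
```

Run this in the Exchange Management Shell, not a plain PowerShell window, and keep the exported backup somewhere outside the Exchange servers; the export is a complete, re-importable copy of every policy, which is exactly why the import in the task list overwrites the whole collection rather than merging.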
Top PowerShell Commands/Tools:
– Set|Get|New|Remove -DlpPolicy
– Set|Get|New|Remove -ClassificationRuleCollection
– Export|Import -DlpPolicyCollection
References/Links
Command Reference for DLP
Microsoft Technet page on DLP in Exchange 2013
In practice, however, we found that the "DLP sensitive information types" (aka "Classification Definitions" when using the Exchange cmdlets) aren't very accurate. These are the rules that detect things like social security numbers, credit card numbers, tax IDs, etc.
Nearly every one that we experimented with worked on the surface, but failed in practice with high False Positives (i.e. falsely detected things that are not actually there) and False Negatives (i.e. failed to detect things that are there).
Once deployed in small-scale production, the poor accuracy of these types caused frustration and required significant time from admins to investigate. If the DLP solution is not finding the right things, what's the point!?
We've opted to use a solution from Nucleuz (http://www.nucleuz.com/) which so far (knock on wood) is performing much better and makes Microsoft's built-in DLP solution worthwhile.