Documents are the heart of any Organization, large or small. The core expertise of the Company lies in the documents that are created on daily basis. As a part of Digital Transformation, many of our customers have adopted SharePoint based Document Management System.
One major concern of the Customers is how to ensure that the Documents are not leaked out (Data Loss Prevention – DLP). So let us examine some of the methods here.
First, we shall examine the DLP capabilities that can be enabled using the native SharePoint Online available within Microsoft 365.
Setup basic MFA
Restrict user from deleting file
Restrict user from uploading file
Restrict user from creating new files & Folder
Restrict user from downloading file.
Permission can be assigned/restricted to the users and groups to create, upload and delete files and folders in SharePoint. (If only read permission is assigned to any user, edit and download will be restricted)
Share files internally or externally with specific permissions
Hide specific file and folder from any user
Audit Logs
Declare Record – (block edit and delete)
Hide sync button so that Document folders cannot be synced offline.
Restrict external Sharing
Allow or block Domain level sharing
Restrict access from different location besides office
Alert Policy – modified, delete, and download. Email Notification occurs whenever any of the specified alert policy is matched.
Assign different permission (Read, Write and Full control) while sharing file to different users? If No, then how do you handle it?
DLP using SharePoint Plan 2:
Legal Hold. When a hold is placed on a SharePoint site, a preservation hold library is created, if one doesn’t already exist. The preservation hold library is only visible to site collection administrators so most users can’t view it.
eDiscovery
SharePoint DLP using Intune and Azure AD Premium:
Note that the features given here are deployed using the above Service packs.
Unmanaged devices. Restrict access from devices that are not compliant or joined to a domain.
Idle session out. Automatically sign out users from inactive browser sessions
Network location. Allow access only from specific IP addresses.
Block access from Office 2010 and other apps that cannot enforce device-based restrictions.
Remote Wipe. Wipe Corporate Data from system if it gets lost leaving personal data intact
Protect data through restricting the copy/ paste of corporate data within Office 365 apps only in Mobile and PCs
Restrict setup of Corporate apps like Outlook only.
Block printing organization data
Block screen capture
Conditional Access
If you download file from Sharepoint and Onedrive it will be downloaded as corporate file
Restrict copy-paste only between managed apps. Adding an app to the protected apps list will make it a managed app
when corporate file is copied to USB drive it will copy as work document only and can accessed by corporate people. If USB drive lost still, we don’t worry about our data
And more..
