A Walkthrough – Data Loss Prevention in Microsoft Exchange Server 2013

Introducing Data Loss Prevention – Microsoft Exchange Server 2013

Let me start with the objective of Data Loss Prevention in Microsoft Exchange Server 2013(also called The New Exchange – a cloud centric messaging version) is to prevent accidental data loss sent by an email. It educates both end-users (using policy tips alert so that the confidential data isn’t leaked by accident) and Exchange administrator (make understand what risk organization carrying and how to mitigate)

I’ve scanned/read through the TechNet, TechEd (Videos), and also some Expert’s blog, to my experience it’s a wonderful feature that is gradually meeting the business needs to protect accidental leak of data via email (alone).

Who should plan or think of implementing DLP? –  Ask yourselves and let me help you too.

IMHO organization banking sector, financial institutes, any other firms which are strict towards following, implement regulatory and compliance with regards to email security.

Do you suspect there might be a leak in your email transaction with regards to any financial data like SSN, Credit card details, IP Address, your permutation and combination what comes to your mind which contains in the email body as text?

Also there might be a chance of accidental confidential data loss when a user sending email to internal or external recipients when he/she didn’t intended to do so – LOL,  whatever the user justification is.

No worries – we’ll see how it can be prevented & protected.

What are the prerequisites?

  • Microsoft Exchange Server 2013 On-Premise / Office 365 / Hybrid supported, lower versions mailboxes the DLP policies aren’t applied.
  • It requires Enterprise CAL license
  • Its goanna work with Outlook 2013 alone as a whole functionality depends (policy tips in particular as compared to lower versions of outlook which is not available).
  • The DLP rules although will work via Outlook 2007 but will lack the policy tips as feature.

Any Advantages?

  • Of course users will not be able to send out confidential data accidently via email
  • Exchange Folks can now analyze/track the no. of emails transaction and can build a report what are the confidential email transacted as per the company compliant policies. This is in turn knowledge and to make themselves aware how users are meeting the compliance of the organization.
  • Users are educated with the help of policy tips if they were accidently trying to leak confidential data and based on the rules to allow user to override or completely block.
  • You can double secure by implementing ADRMS and integrate with DLP transport rule as used in the legacy (talking about simple transport rule) version.
  • Even if the Outlook 2013 is in cached mode or offline the policy tips are still applied as the templates gets downloaded from the server once in a day (24 hours) to outlook as they are reachable. We can control whether to push the policy to clients or not from the server side once in a day which is scheduled by default & hard-coded (can’t be alerted).

And Disadvantages if any?

  • The policy tips only works with Outlook 2013 and not even in OWA 2013
  • The policy templates are limited as per the region/local countries and need to make one customizing as per the business needs.
  • Need to check with Third party vendors for policy templates if any vendor meets their org’s business requirement – you can make your own if you know how to.
  • Implemented DLP on Exchange online the reports are not exported in CSV

Can I compare DLP with other vendors in the market – Oh please don’t do so – IMO.

I tried initially to check with other vendors just to research as they got the same feature so called “Data Loss Protection” but you know what they will WIN-WIN. They not only have the feature alone but as whole suite like ENDPOINT / GATEWAY / NETWORK / STORAGE protection what IMO sounds good and involves great investment & add s complexity (Meaning additional stuffs to manage) to your environment.

There are vendor who are specializing individual product and in no means you should be surprised or attracted towards feature like the content detection engine/functionality one of the areas where I got impressed. MS has just began using DLP in Microsoft Exchange 2013 and has a long way to go. Also FYI the other vendors too have drawbacks when it comes to comparison with Exchange DLP the one alone which has a direct integration of Outlook 2013 with Exchange 2013 and managing under the hood using common EAC console.

Why DLP and not Transport rule? – Here is a bit more of technical and might be of an interest to Exchange Folks.

If I start writing it won’t end & TechNet is the right source to deep dive more precisely and consulting MCS or people who are Exchange Experts. I will highlight some of the important points which makes sense to know at this moment.

Although it is built on Transport rule which is also very similar to Outlook rules as well, DLP is more intelligent which not only detects the keywords but also reads the attachments which might contain the confidential data. It works with Transport rule initially and then starts its intelligence by detecting contents and attachment to match the policy templates used of in-built/custom or imported by third party vendor as per the business compliance. It not only helps in protecting the data but also helps administrators understand the level of risk the organization is carrying.

By implementing DLP administrator not only can alert end-users with policy tips in Outlook 2013 and prevent(sure you can also configure override setting) data leak accidently but also capture no. of incidents happened, track who sent the emails and how many times it was based on the policy template settings. You then have auditing which is nothing but sending the incident report to the configured user/group to check exactly who it matched the policy templates for example detecting the credit card numbers mentioned in the message body/attachments, the matched policy name, the values it found like 5432 XXXX XXXX XXXX (now X equals to some number). Now here is the great deal what if the user entered 1111 XXXX XXXX XXXX, the DLP is so smart that it knows the credit card numbers will never start with 1 and hence it will not prevent the user to send email. You can develop your own template to make such intelligence to search and detect.

You can simply implement DLP rules to some users in test mode doing which users are not aware of the tracking and auditing done at the transport level and later can enforce the same. You could also export the statistics in to csv to create reports and dashboards.

May I know how it works now?

It works again as mentioned above on the transport rule with additional detection mechanism based on the policy template which are classified, the available rules and configured with.

The templates are nothing but the xml files which can be also encrypted, there will be some if you got from some vendor or make your own.

There are already lot of information available on the TechNet, EHLO, Exchange Online & by the Experts how to configure step by step and it’s working with description of which I cannot see much better than those for your reference.

I would recommend you all to go through & read the links as it contains valuable information on DLP with Microsoft Exchange 2013

Hope it was informative.

This entry was posted in Exchange Servers. Bookmark the permalink.

1 Response to A Walkthrough – Data Loss Prevention in Microsoft Exchange Server 2013

  1. Pravin says:

    This information is helpful to me…Thnx..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s