ASD's Blueprint for Secure Cloud

Data Loss Prevention

This section describes the design decisions associated with Data Loss Prevention Microsoft 365 security features for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 7 minutes

Data Loss Prevention (DLP) policies enable organisations to identify, monitor, and automatically protect sensitive information across Office 365 and endpoint devices. DLP policies can be targeted to one or more products within the Office 365 suite.

A DLP policy can be configured to:

  • Identify sensitive information (Sensitive information types), documents in a specific site (for SharePoint only) or specific labels (sensitivity labels) contained in Exchange Online, SharePoint Online, locally on devices (endpoint DLP), and OneDrive for Business.
  • Prevent end-users from accidentally sharing sensitive information.
  • Prevent end-users from accidentally deleting a document.
  • Update documents or emails based on sensitivity labels or data matching, used in conjunction with auto-labelling feature can assist with PSPF compliance
  • Educate end-users by presenting messages them on how to stay compliant when relevant. This is done without interrupting their workflow.

Office 365 has over 200 prebuilt sensitive information types (Australian Passport Numbers etc.). In addition to the prebuilt sensitive information types custom types can be created. These custom types look for strings, patterns, or key words.

Note, endpoint DLP requires onboarding of those devices into Microsoft Defender for Endpoint. organisations should consider the use of Endpoint DLP as part of a unified DLP strategy.

Data Loss Prevention Configuration applicable to all organisations and implementation types.

ConfigurationValueDescription
Name: Australian Privacy Act
LocationsProtect content in Exchange email, Teams chats, channel messages, OneDrive and SharePoint documents.The locations where the policy will apply.
Content typeAustralian Driver’s Licence number
Australian Passport number
The types of sensitive information being detected.
Sharing detectionWith people outside my organisationWhen the policy is applied.
Notify usersEnabledUsers are notified when the policy is triggered. They are also provided policy tips for managing sensitive information.
Amount of instances5The amount of sensitive information required to trigger the policy (10 is the default).
Send incident reportsEnabledUser and nominated administrator are notified when the policy is triggered.
Restrict access or encrypt the contentDisabledAccess to the content that triggers the policy can be encrypted or and access limited.
Name: Australian Personally Identifiable Information (PII) data
LocationsProtect content in Exchange email, Teams chats, channel messages, OneDrive and SharePoint documents.The locations where the policy will apply.
Content typeAustralia Tax File Number
Australia Driver’s Licence Number
The types of sensitive information being detected.
Sharing detectionWith people outside my organisationWhen the policy is applied.
Notify usersEnabledUsers are notified when the policy is triggered. They are also provided policy tips for managing sensitive information.
Amount of instances5The amount of sensitive information required to trigger the policy (10 is the default).
Send incident reportsEnabledUser and nominated administrator are notified when the policy is triggered.
Restrict access or encrypt the contentDisabledAccess to the content that triggers the policy can be encrypted or and access limited.
Name: Australian Health Records Act (HRIP Act)
LocationsProtect content in Exchange email, Teams chats, channel messages, OneDrive and SharePoint documents.The locations where the policy will apply.
Content typeAustralia Tax File Number
Australia Medical Account Number
The types of sensitive information being detected.
Sharing detectionWith people outside my organisationWhen the policy is applied.
Notify usersEnabledUsers are notified when the policy is triggered. They are also provided policy tips for managing sensitive information.
Amount of instances5The amount of sensitive information required to trigger the policy (10 is the default).
Send incident reportsEnabledUser and nominated administrator are notified when the policy is triggered.
Restrict access or encrypt the contentDisabledAccess to the content that triggers the policy can be encrypted or and access limited.
Name: Australian Financial Data
LocationsProtect content in Exchange email, Teams chats, channel messages, OneDrive and SharePoint documents.The locations where the policy will apply.
Content typeSWIFT Code
Australia Tax File Number
Australia Bank Account Number
Credit Card Number
The types of sensitive information being detected.
Sharing detectionWith people outside my organisationWhen the policy is applied.
Notify usersEnabledUsers are notified when the policy is triggered. They are also provided policy tips for managing sensitive information.
Number of instances10The amount of sensitive information required to trigger the policy (10 is the default).
Send incident reportsEnabledUser and nominated administrator are notified when the policy is triggered.
Restrict access or encrypt the contentDisabledAccess to the content that triggers the policy can be encrypted or and access limited.
Name: PROTECTED Data*
LocationsProtect content in OneDrive and SharePoint documents.The locations where the policy will apply.
Content typeAll published PROTECTED sensitivity labels (Any of these)The types of sensitive information being detected.
Sharing detectionWith people outside my organisationWhen the policy is applied.
Notify usersEnabledUsers are notified when the policy is triggered. They are also provided policy tips for managing sensitive information.
Amount of instances1The amount of sensitive information required to trigger the policy (10 is the default).
Send incident reportsEnabledUser and nominated administrator are notified when the policy is triggered.
Restrict access or encrypt the contentDisabledAccess to the content that triggers the policy can be encrypted or and access limited.
Name: Classification Append SubjectNote: each sensitivity label published requires a separate ‘Append Subject’ policy
Content typeClassification sensitivity labels (Any of these)The types of sensitive information being detected.
Advanced DLP RulesContent Contains: Sensitivity labels (select classification for policy)
Action: Modify subject
Remove text that matches this patten \[SEC=.*?\]
Insert this replacement text: [SEC=Classification and DLM]
Classification the policy is target for Subject line modification, e.g. [SEC=OFFICIAL:Sensitive]
Notify usersDisabledUsers are not notified when the policy is triggered.

The Microsoft 365 Compliance Center provides the ability to monitor and review user and administrator activities across the Microsoft 365 applications from the past 90 days.

Audit logs are kept by default for 90 days but are configurable up to 10 years using an Audit retention policy with Microsoft Purview Audit (Premium).

When an event occurs for the respective application it will take anywhere from 30 minutes up to 24 hours before it can be viewed in the audit log search.

The Microsoft 365 Management Activity API enables third-party applications to consume audit logs from Microsoft 365. If audit logging is disabled, third-party applications can still consume audit logs from the Microsoft 365 Management Activity API.

A list of Office 365 applications, their auditing capabilities and duration wait time once an event occurs.

ApplicationUser ActivityAdmin ActivityDuration wait time
Exchange Onlinexx30 minutes
OneDrive for Businessx30 minutes
SharePoint Onlinexx30 minutes
Swayxx24 hours
Power Bixx30 minutes
Workplace Analyticsx30 minutes
Dynamics 365xx24 hours
Yammerxx24 hours
Microsoft Power Appsxx24 hours
Microsoft Power Automatexx24 hours
Microsoft Steamxx30 minutes
Microsoft Teamsxx30 minutes
Microsoft Formsxx30 minutes
Entra IDx24 hours
eDiscovery activities in Office 365 Security & Compliance Centerxx30 minutes

Audit logging is not enabled by default and must be turned on first in Microsoft Purview (formerly Microsoft 365 Compliance Center) before user or administrator activities can be audited.

Security & Governance

  • None identified

Design

  • None identified

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra