How Does Data Loss Prevention (DLP) Evaluate Policy Compliance in Office 365?
When working with clients with Office 365 Data Loss Prevention (‘DLP’) I’m often asked how Office 365 determines if content in OneDrive for Business or SharePoint Online is compliant or in conflict with a given DLP policy.
If we ignore the heavy horsepower that is running behind the scenes to make this work, it’s actually surprisingly simple.
Microsoft have developed a process they call ‘Asynchronous DLP Policy Evaluation’ which is hooked onto to the search indexing processes of Office 365 to provide a relatively inexpensive way for (even high) volume policy evaluation to take place seamlessly.
If we looked at this Microsoft (yay PowerPoint) graphic, we can see how the process works:
In essence, once content is created or edited it will be indexed, at the next opportunity, by Search thus placing the content into the Search index. This index is then periodically queried by the DLP policy evaluation engine which can then, in turn, take action against content.
Action may be marking conflict (and taking action appropriate to the policy) or marking compliance, for something previously in conflict, thus enabling the release of content that may have been previously restricted in some way.
There are a couple of key points of note:
- There isn’t (that I am aware of) a published cadence of when this policy evaluation takes place; common sense tells us that update can’t occur at a greater frequency than indexing – but there isn’t a stated rhythm
- As DLP evaluation is dependent on indexing, only content that can be indexed can be evaluated within DLP policies
Check out my other posts tagged as ‘The GDPR’ for more information about Office 365 compliance.
more to follow…