Office 365 Sensitive Information Types for #DLP

by | Jul 11, 2017 | Governance, Microsoft, Office 365, The GDPR

With the increase in interest in privacy driven, in part, by initiatives and regulations such as the GDPR, Cloud providers are being pushed harder than ever before to introduce robust solutions to increasingly unique privacy problems.

The broad feature set of services such as Office 365 is great for businesses great and small but alas, brings a new kind of problem to the fore – splatter.

Splatter is a term I use to describe the proliferation of information that can be easily and readily created and held regardless of its purpose, classification or sensitivity. In short, Office 365 (and the Office Suite) make it easier than ever before for users to create and store content of any type.

In the context of (for instance) the GDPR, this can represent significant risk to organisations – personally identifiable information (‘PII’) held without consent or purpose will be a no-no from May 2018 and organisations need to be acting now to prevent fines.

Microsoft offers some interesting functionality within Office 365 to assist organisations in their GDPR compliance journey with one key element being Sensitive Information Types (‘SIT’).

A backend function of the Data Loss Prevention (‘DLP’) features of Office 365 (available in a number of licence plans) SIT provides a glossary of patterns that Office 365 DLP can use (via Search) to identify PII within SharePoint Online sites and OneDrive locations.

Image source: Microsoft

As can be seen from the example above, the pattern (in this case for a US/UK Passport information) can be expressed algorithmically thus making it available for analysis by the DLP policy engine.

When DLP (or other search types for that matter) hits a pattern that matches, it can be highlighted and brought to the attention of information governance specialists.

Of course, there will be many scenarios where holding (in this case a Passport number) such PII will be perfectly legitimate and compliant with regulations (such as the GDPR) but by providing a number of these usable patterns (at the time of writing 81) Microsoft are making it simpler for organisations to seek out information that shouldn’t be there or is simply not known about.

For me, the best aspect of the SIT tooling? It’s native and just available for use. Awesome.

more to follow.