Data Loss Prevention

How to Implement People-Centric DLP for Office 365

Share with your network!

Microsoft Office 365 is a cloud platform that features powerful tools for office applications, online messaging, file sharing and cloud storage. So, it’s not surprising that 69% of cloud security professionals house their sensitive data within Microsoft SharePoint Online or Microsoft OneDrive, according to research from the Cloud Security Alliance.

But organisations that use the Office 365 platform also have legitimate concerns around data security and compliance. IT managers can address these concerns by implementing and maintaining a comprehensive cloud Data Loss Prevention (DLP) solution.

Proofpoint assists our Cloud Access Security Broker (CASB) customers with securing Office 365 and implementing cloud DLP. Through this work, we encounter three primary data loss scenarios that are unique to the cloud:

  • Excessive or unauthorised sharing of regulated or sensitive data
  • Inappropriate uploads and downloads of regulated or sensitive data
  • Data exfiltration and/or manipulation following Office 365 account takeover

Based on our experience, we can suggest several best practices that organisations will want to apply as they address data security for the Office 365 platform and implement cloud DLP. These practices for data loss prevention (DLP) for Office 365 are detailed in the five key steps outlined below:

Step 1: Define Office 365 policies based on content, context and control

Content, context and control should inform and guide your organisation’s approach to Office 365 DLP. First, let’s cover the content aspect:


Take stock of your existing DLP policies for email, endpoint and on-premises file shares to understand what type and level of sensitive data you could allow to reside in the Microsoft Office 365 platform. As you make this assessment and define your Office 365 DLP policies, you’ll want to consider the following:

  • Data security and privacy regulations your business must comply with. Examples include the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the California Consumer Privacy Act.
  • Personal Identifiable Information (PII), including credentials and passwords. PII is a prime target for malicious actors; in fact, a recent Ponemon Institute study found that 80% of breaches involve customer PII.
  • Intellectual property, such as formulas, source code and product designs. Nearly one-third (32%) of breaches involve intellectual property, according to the 2020 Cost of Insider Threats: Global study from the Ponemon Institute.
  • Other sensitive data that relates to your business, such as financial information or details about company strategy and major transactions — such as mergers and acquisitions (M&A).


Next up is context. When you’re creating data loss prevention policies related to your organisation’s use of Office 365, you need to define how data can be accessed, and by whom, based on the sensitivity level of that information. Some key questions to ask when determining context include:

  • Who can have access to sensitive data? For example, U.S. members of your company’s human resources (HR) team may not be permitted to view the employee files of individuals working for your business in Europe.)
  • Who should we watch closely? These individuals may include VIPs in your organisation, admins with high privileges (such as IT, HR and finance admins and executive admins), Very Attacked People™ (VAPs), workers whose accounts have been compromised before, and individuals on the corporate watch list.
  • What networks and devices are allowed to connect to the platform? Some best practices include isolating access for unmanaged devices and read-only viewing for sensitive data.
  • What types of data should not reside in Microsoft Office 365? Data that should be segmented at the application level to meet PCI DSS compliance is an example.


Finally, you need to define remediation and access controls when creating your Office 365 DLP policies. Some best practices include:

  • Remediating and bringing data back to a safe state when addressing historical data at rest. For example, you’ll want to remove sensitive files that aren’t permitted in Office 365 and also reduce sharing permissions for sensitive files to “private”.
  • Applying preventive measures when data is in motion or in use. You could, for instance:
    • Block the uploading of PCI data to SharePoint Online
    • Allow read-only views to files from unmanaged devices
    • Quarantine files shared with anonymous (public) links
    • Remove Microsoft Teams messages with DLP violations and replace them with notifications to coach the senders and tombstones to inform the recipients

Step 2: Use out-of-box tools to audit and fine-tune DLP policies

Setting up cloud DLP policies for the Microsoft Office 365 platform takes work, but the good news is that there are plenty of tools in leading DLP solutions to help you confirm that your policies are working and determine whether you need to adjust them. There are several methods you can use to improve your ability to detect DLP violations, such as:

  • Pattern matching (Social Security numbers, credit card numbers)
  • Keyword matching (“highly confidential”, “passwords”)
  • Predefined dictionaries (credit card terms, date-of-birth terms)
  • Document fingerprinting (tax forms, medical forms, patent forms)
  • Exact data matching (to match against a database of patient PII, for example)
  • Optical character recognition (sensitive information in images)

Use the out-of-box tools in your Cloud Access Security Broker solution to refine detectors and the process for discovery, monitoring and reporting, as needed. Also, consider creating auditable rule sets so you can cast a wide net to detect sensitive file activity in Office 365 while identifying false negatives. As you tune your policies, monitor and review the results of rule sets to identify false positives.

Step 3: Discover sensitive data in Office 365

When implementing a data security solution for Microsoft Office 365, you’ll want to scan historical files in the platform that may contain sensitive data. This process should include detecting sharing permissions (public, external and tenant-wide sharing).

Another tip: As you’re scanning files, apply sensitivity labels, such as Microsoft Information Protection labels, to sensitive files so you can track them more easily.

By discovering sensitive data in Office 365, you’ll gain a deeper understanding of how your data is handled and used for collaboration. You’ll also be better positioned to keep a close eye on high-risk users (such as VAPs, contractors and admins with high privileges) and personal cloud accounts.

Ultimately, you want to create a heat map of your data so you can prevent data exposure and ensure compliance. You also need to make sure that your data is in the correct location, has the appropriate sharing permissions and is accessed by the right people.

Step 4: Remediate automatically when prevention isn’t feasible

Once you know where your organisation’s sensitive data is located and how it should be handled, you can remediate DLP violations to return your data to a safe state. You can also prevent sensitive data from being uploaded and downloaded per contextual policies such as:

  • Reducing public sharing permissions for sensitive files at rest to internal only
  • Quarantining and moving the data back to approved applications
  • Restricting sensitive data downloads to managed devices, approved domains, and so on
  • Removing files shared or revoking OAuth apps enabled by threat actors after taking over a compromised user’s account

Step 5: Reassess business processes and educate end users

Data loss prevention programmes aren’t “set it and forget it” security initiatives. You’ll need to keep reassessing them to ensure they remain effective, especially when your organisation must respond to changing business conditions or sees major changes to its processes. For example, with the massive shift to remote work during the COVID-19 pandemic, more data left the corporate perimeter and the visibility into that data has been significantly reduced.

So, consider reevaluating your programme practices and processes, including approval processes, regularly. Make sure that DLP classification and policy enforcement remains consistent across cloud services and the rest of the enterprise. Also, ensure admins are notified of DLP incidents timely so they can investigate them. And, as needed, re-prioritise security incidents based on risk factors such as compromised accounts and VAPs.

We also recommend that you notify end users of DLP violations and coach them, so they don’t repeat the same mistakes. It can be valuable to enrol negligent users in security awareness training that focuses on data privacy or DLP so they can learn how to protect your organisation’s data better.

How can Proofpoint help you improve DLP?

Proofpoint can help you get started on your cloud Office 365 DLP journey with our Information Protection programme design services. The Proofpoint Information and Cloud Security Platform also enables you to implement consistent data loss prevention policies across email, cloud, web and endpoints.

For Office 365 DLP, you can use out-of-box detectors and rules templates in the Proofpoint CASB solution to define flexible policies and get actionable results in just four weeks with our API-first deployment model. And you can apply versatile remediation and proxy-based access controls with Proofpoint CASB and SaaS Isolation for real-time data protection, whether your users are on or off the network

Proofpoint can also help empower your people — your last line of defence — to combat cloud account compromise and data loss with Proofpoint Security Awareness Training.

And finally, if you’re facing an IT security skills shortage or you just want to keep your core team focused on other projects, Proofpoint can also help you manage your Microsoft Office 365 DLP programme.

We recently acquired InteliSecure, a leader in managed services and programme design partner for DLP, with expertise in managed information protection services to complement our Information and Cloud Security Platform and Premium Security Services and deliver people-centric DLP solutions.

More resources to jump-start your cloud DLP programme

If you want to use a CASB (cloud access security broker) solution to help secure data shared across cloud apps, protect your organisation from cloud account compromise and stay compliant, but you’re not sure how to get started, read this white paper.

For a deep dive into best practices for cloud DLP, check out our webinar, “5 Steps to Building a Successful Cloud DLP Solution”, available on-demand.