News

Microsoft Endpoint Data Loss Protection Now Commercially Released

• By Kurt Mackie
• 11/12/2020

The Microsoft Endpoint Data Loss Prevention service, used to protect data accessed on devices, reached "general availability" commercial-release status, Microsoft announced this week.

Microsoft Endpoint Data Loss Prevention, which was at the preview stage back in July, is the latest addition to the Microsoft Information Protection family of products that are available with E5/A5 subscriptions. It specially adds data loss protection capabilities to devices, and is integrated with the Windows 10 operating system, the Microsoft Edge browser and Microsoft 365 applications.

Microsoft Information Protection
"Microsoft Information Protection" is a sort of umbrella term covering four broad-category data security products, which are available with E5/A5 subscriptions, although Microsoft Information Protection is also one of those products. Here they are, as listed at this Microsoft promo page:

• Azure Information Protection
• Microsoft Information Protection
• Microsoft Cloud App Security, and
• Windows Information Protection

Microsoft Endpoint Data Loss Prevention specifically falls under the Microsoft Information Protection product line, a Microsoft spokesperson clarified via e-mail. Typically, organizations pay for an E5/A5 subscription and get the whole Microsoft Information Protection bundle of products, rather than buying ala carte.

That's really it in a nutshell. It can seem a little confusing because Microsoft has various data loss protection offerings, too, which appear to do the same thing. Here's how the spokesperson characterized the Microsoft Information Protection (MIP) product line and those data loss protection capabilities:

Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution to protect sensitive data across an enterprise -- in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. MIP provides a unified set of capabilities to know your data, protect your data, and prevent data loss across Microsoft 365 Apps (e.g., Word, PowerPoint, Excel, Outlook) and services (e.g., Microsoft Teams, SharePoint, and Exchange). MIP provides a common classification mechanism that is already used to prevent data loss in multiple workloads -- e.g., via Teams Data Loss Prevention (DLP). In addition to MIP, Microsoft has long offered DLP solutions in Office 365, Exchange, SharePoint, OneDrive, and more recently, in Microsoft Teams. We are now extending MIP and our DLP capabilities to the endpoint with Endpoint Data Loss Prevention.

The data loss protection aspect entails using a service to check if sensitive information, such as credit card numbers or Social Security numbers, are included in employee communications. The service lets IT pros set policies on what actions to take in such instances. Actions might include blocking the sharing of information, or a copy process may get blocked. End users can get warned as part of policy, if wanted.

Microsoft uses the same data classification approach across all Microsoft Information Protection solutions, a Microsoft Tech Community post explained:

Endpoint DLP uses the same classification technology as our other MIP solutions, providing consistent discovery of sensitive content across Microsoft 365 Apps (Office 365), Exchange, OneDrive, SharePoint, and Microsoft Teams. With over 100 sensitive information types and built-in policy templates, it's easy to turn on Endpoint DLP to identify sensitive data across common industry regulations and compliance-related data types.

IT pros would access the new Microsoft Endpoint Data Loss Prevention service via the Microsoft 365 Compliance Center portal.

What About Azure Information Protection?
The Azure Information Protection product in the Microsoft Information Protection product line is kind of a holdover. It's there to support organizations that haven't yet made the shift to "Microsoft 365 Apps for Enterprise (formerly Office 365 ProPlus)," the spokesperson explained. Azure Information Protection, despite its Azure name, protects Office 365 apps, but only on the Windows platform.

"Microsoft Information Protection is the more comprehensive solution, bringing together parts of the Enterprise Mobility & Security suite, Office 365, and Windows 10 as a part of Microsoft 365," the spokesperson explained.

Data Loss Prevention Previews
On top of the Microsoft Endpoint Data Loss Prevention product reaching general availability release status, Microsoft announced a few previews. One of those previews is a new dashboard within the Microsoft 365 Compliance Center portal that shows alerts based on policies set with the Microsoft Endpoint Data Loss Prevention service.

In addition, Microsoft is previewing the ability to use sensitivity labels as a condition when setting up Microsoft Endpoint Data Loss Prevention policies. These labels get applied to files, with descriptors such as "public" or "confidential," for instance. IT pros can set up the actions to take when sharing such labeled content. Actions might be specified when people try to share files with people located outside an organization, for example.

"DLP policies using sensitivity labels apply to Exchange Online email messages, SharePoint Online, OneDrive for Business, Teams and Windows 10 devices," the Microsoft Tech Community post clarified.

In a bit of ancillary news, Microsoft also announced the ability to use Exchange Transfer Rules controls "directly in Unified DLP for Exchange," which is at the preview stage. The "Unified" term seems to just mean that these capabilities are available through the common management portal.