
Microsoft's launch of the SharePoint 2016 Release Candidate on Jan. 20 brought us one step closer to the much-anticipated final product. 

And as we get closer, companies are taking a serious look at the new features in SharePoint 2016 that can improve their SharePoint return on investment or make their work lives easier.

Getting Sensitive About Data Loss Prevention

One of the new features catching the interest of enterprises contemplating an upgrade to SharePoint 2016 is the new Data Loss Prevention feature. 

Data Loss Prevention (DLP) is a strategy to prevent end users from finding or sharing sensitive data such as credit card numbers, Social Security numbers or passport numbers. Data Loss Prevention techniques fall into three categories: data in use (endpoint actions), data in motion (network traffic) and data at rest (data storage). 

SharePoint 2016’s new DLP system applies to data at rest, since it allows you to find the sensitive information already stored in your SharePoint documents.  

The four main goals of DLP in SharePoint 2016 are: Identify, Monitor, Protect and End User Education.

Identify

DLP uses the advanced SharePoint search engine to find 51 types of sensitive information in SharePoint. For each of the 51 types, Microsoft hardcoded a series of tests that detect whether that information type is present in a document. Let's use the example of a credit card number to see how this works.

A credit card number is 16 digits, which can be formatted (dddd-dddd-dddd-dddd) or unformatted (dddddddddddddddd). However, 16 digits in a row are not necessarily a credit card, so Microsoft also checks for other keywords within 300 characters of the number. Here is a screenshot of only a few of the keywords Microsoft searches for:

SharePoint Search Engine results

After the document is parsed, SharePoint assigns a confidence level based on how much supporting information is found. For example, for a credit card number, SharePoint is 85 percent confident that what it found is a credit card if:

  1. It finds content that matches the 16-digit pattern
  2. It finds one of the following:
    • A keyword from Keyword_cc_verification
    • A keyword from Keyword_cc_name
    • A date in the right date format

If it only finds the pattern of 16 digits, SharePoint reduces the confidence level to 65 percent.

Keep in mind that because the DLP engine relies on search to analyze the content of documents, if the search engine doesn't crawl a document library, DLP will not work on the documents located in that library.
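To make the scoring concrete, here is an added Python sketch (not code from this post or from Microsoft) of how the credit card rule described above can be evaluated: the 16-digit pattern, a 300-character proximity window checked for the two keyword groups and an expiry date, and the 85/65 confidence split. The keyword subsets, the expiry-date shape and the sample documents are assumptions constructed for the example, and the Luhn checksum step goes beyond the post (Microsoft's real definition applies one to reject 16-digit strings that cannot be card numbers).

```python
import re
from dataclasses import dataclass, field
from typing import List

# Credit card pattern from the post: 16 digits, formatted
# (dddd-dddd-dddd-dddd) or unformatted (dddddddddddddddd).
CARD_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")

# Assumed expiry-date shape (mm/yy or mm/yyyy); the post only says
# "a date in the right date format".
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})\b")

# Illustrative subsets of the two keyword groups the post names; the full
# lists live in the sensitive information type definition, not here.
KEYWORD_CC_VERIFICATION = ("card verification", "cvv", "cvc",
                           "security code", "expiration date", "expiry")
KEYWORD_CC_NAME = ("visa", "mastercard", "master card", "american express",
                   "amex", "discover", "credit card")

PROXIMITY = 300  # characters on either side of the number, as in the post


@dataclass
class CardMatch:
    number: str          # digits as they appear in the document
    start: int
    end: int
    confidence: int      # 85 or 65, mirroring the post's two levels
    evidence: List[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (an addition beyond the post): rejects 16-digit
    strings such as sequential ids that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _has_keyword(window: str, keywords) -> bool:
    # Whole-word match so short keywords do not fire inside other words.
    return any(re.search(r"\b" + re.escape(k) + r"\b", window) for k in keywords)


def find_credit_cards(text: str, proximity: int = PROXIMITY) -> List[CardMatch]:
    """Return each candidate card number with the confidence the post
    describes: 85 when corroborating evidence sits within `proximity`
    characters, 65 when only the digit pattern matches."""
    matches = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue  # 16 digits, but not a plausible card number
        lo, hi = max(0, m.start() - proximity), m.end() + proximity
        window = text[lo:hi].lower()
        evidence = []
        if _has_keyword(window, KEYWORD_CC_VERIFICATION):
            evidence.append("Keyword_cc_verification")
        if _has_keyword(window, KEYWORD_CC_NAME):
            evidence.append("Keyword_cc_name")
        if EXPIRY_RE.search(window):
            evidence.append("expiry_date")
        confidence = 85 if evidence else 65
        matches.append(CardMatch(m.group(), m.start(), m.end(), confidence, evidence))
    return matches


# Constructed sample documents (4111 1111 1111 1111 is a well-known test number).
DOC_WITH_CONTEXT = ("Please charge the customer's Visa 4111-1111-1111-1111, "
                    "exp 12/27, CVV 123 for the March invoice.")
DOC_BARE = "Reference 4111111111111111 was logged by the batch job."
DOC_NOT_CARD = "Tracking id 1234567812345678 for the shipment."

if __name__ == "__main__":
    for doc in (DOC_WITH_CONTEXT, DOC_BARE, DOC_NOT_CARD):
        for hit in find_credit_cards(doc):
            print(f"{hit.confidence}% {hit.number} evidence={hit.evidence}")
```

Running it reports the first document at 85 percent (card name, verification keyword and expiry date all within the window), the second at 65 percent (bare pattern only), and nothing for the third, whose 16 digits fail the checksum. The same window-and-evidence structure is how the other keyword-backed sensitive information types work; only the primary pattern and the keyword groups change.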

Monitor

DLP brings us two site templates that aid in monitoring the data in our environment. The first is the eDiscovery Center.

SharePoint eDiscovery Center

The eDiscovery Center is used for reactive reports. It allows us to create reports on the type of content in SharePoint, but no automatic action is taken. We can create reports to find different types of information and save them to Excel for easy reporting and sharing with the compliance team.

eDiscovery Center Screenshot

The second type of site template is the Compliance Policy Center.

SharePoint Compliance Policy Center

True to its name, the Compliance Policy Center allows us to set up policies about data usage. In this case, improper data use triggers a notification for the data parameters we set. Policies can be further narrowed down to the number of policy violations required before a notification is triggered, and who should receive the notification. Policies should be assigned to specific site collections.

New DLP Policy

Further refinements include whether the system notifies users about sensitive information in a document, and whether or not to block that document.

DLP Policy Notify user of sensitive information

This brings us to our next topic, which is Block.

Block

When policy makers click the “Block access to the content” checkbox, the document will feature a red “Stop” sign on its icon. This blocks access to that item for everyone except its owner, last modifier and the site owner. Other users will not even see the document.

SharePoint Block content

End User Education

End User Education rounds out the DLP goals. Letting users know that there is something wrong with their document, as well as telling them what is wrong, will help prevent the same mistake from happening again. When a document is flagged by a DLP Policy, and that DLP policy notifies the user, the user will receive an email about their document.

end user education

The email gives clear reasons for what triggered the notification — in this case, the document “New Information From Clients.dox” contained a credit card number. Furthermore, when going into the document library and clicking on the stop sign, a Policy Tip is shown to the user.

Policy Tip

The policy tip states that the document is blocked and which permissions are blocked. The user has the choice to click Resolve and override the policy by giving a business justification.

Further Information

Data Loss Prevention is one of the great new features in SharePoint 2016 that might push businesses to migrate from SharePoint 2013 or 2010. For those looking for a more technical article on how to set DLP up and make it work, you can find more information here: Configure DLP in SharePoint 2016 Step by Step Tutorial.