Secure SharePoint Online data – Part 2

In my previous blog post, which you will find here, I showed how to start with securing SharePoint Online data with just a few simple steps. In this blog post I will go further with securing SharePoint Online by using Office 365 Labels and Data Loss Prevention (DLP) policies. By using those labels and policies, you are able to show your users a policy tip when they share confidential data with people outside the organization or even block sharing SharePoint documents with people outside your organization.
To use this features you need to assign your users at least an Office 365 E3 license.

Create an Office 365 Label

Office 365 labels and DLP policies are managed using the Security & Compliance Admin center. Open the admin center and navigate to Data governance, Dashboard. Click Create a label.

Give your Office 365 label a name and description for admins and users and click Next.

On the next page you can choose to turn on retention for this label, I left retention turned off. Click Next.

Review your settings and click Create this label.

Publish an Office 365 label

After creating the Office 365 label, we need to publish the label to SharePoint Online. From the properties of the label click Publish label.

On the Choose labels to publish tab click Next.

At this moment I`m not using this label in Exchange, so I switched Exchange email off. But if preferred you can choose the default option All Locations as long as it contains SharePoint sites its fine for this setup.

Give your policy a Name and description and click Next.

Review your settings and click Publish labels.
NB: It can take up to 1 day before the label is published and visible in SharePoint. Fortunately most of the times it`s visible in half an hour till a few hours.

After clicking Publish, the status is shown as On (pending). If successfully published the status will be On (Succes).

Apply a label to your SharePoint Online site

Now we need to apply the Office 365 label to the SharePoint Online site to automatically label all items in the preferred document library, in my case a library under the Legal Department site.
Open the SharePoint Online site and navigate to the documents library. On the right top click the Settings icon and click Library settings.

Under Permissions and Management click Apply label to items in this list or library.

Choose the label you previously created, in my case Highly confidential, and check Apply label to existing items in the library. Click Save.

After some time you see the items are labeled with the label you chose in the previous step.

Create and apply a DLP policy

Now your SharePoint Online documents are automatically labeled with an Office 365 label it`s time to apply a DLP policy to our High Confidential documents.
Switch back to the Compliance & Security center. Navigate to Data loss prevention, Policy and click Create a policy.

We need to create a Custom policy.

Enter a name and description for the DLP policy and click Next.

Check Let me choose specific locations and click Next.

Switch off Exchange email and OneDrive accounts. If you click Choose sites, you are able to search for your SharePoint site to only apply the policy to that specific site.
Click Next.

On the next page make sure Detect when this content is shared is set to with people outside my organization.
Above that option click Edit to select the High Confidential label we already applied to the SharePoint site.

As type of content we need to select Labels.

Select the High Confidential label.
Back on the Policy settings tab click Next to get some more options.

Now it`s time to set the actions which need to be taken when sensitive info is detected. By default a policy tip is shown. Also by default the option to detect when a specific amount of sensitive data is shared is turned on and an incident report is send by email. This option will send an incident report to the Global admin and the account which setup the policy.

A more restrictive option you can set on this tab is to check Restrict access or encrypt the content and check Block people from sharing and restrict access to shared content. This will not only show a policy tip and send en email, but will prevent accidental sharing of confidential files. 
After setting the preferred options click Next.

On the next page check Only people outside your organization.
If you want your users to be able to override the policy, switch that option on. It is a good option if you allow override, you check Require a business justification to override. All policy overrides are recorded, with this option you as an admin get information on all policy overrides and the reason why the users did share the item.
Click Next.

Check Yes, turn it on right away and click Next.
In the next screen, review your settings and click Create.

With all the previous steps we have applied an Office 365 label (High Confidential) to a document library in a SharePoint Online site (Legal department). By applying a DLP policy your users will see a policy tip when they try to share a High Confidential document with people outside the organization.
Depending on the options set, the user is able to override the policy and share the document. But the override will be recorded (if also turned on).

End-user experience

Let`s have a look at the user-experience. Logon to the SharePoint Online site and navigate to the documents library. Try to share one of the labeled documents with an external users. A policy tip will be shown. Click View policy tip.

The policy tip is shown. You are able to Report an issue or Override the policy. Click Override to see how that looks like.

You need to enter a business justification to override the policy and click Submit. The override is recorded and the user is able to share the document with an external user.

The next step in securing your SharePoint Online data is encrypting the documents with Azure Information Protection. In a future blog post I will have a look these options.