It's generally accepted that the primary source of data leaks within an organization are employees, not outside attackers.
In the past, Exchange administrators relied on third-party add-ons to ensure that sensitive internal information was not forwarded from corporate email accounts. New in Exchange Server 2013 is the data loss prevention (DLP) feature, which enables admins to enforce message content rules within their organization.
DLP's premise is simple enough: allow administrators to set policies for messages, which filter email as it flows through Exchange Server 2013. Admins can create policies from scratch or build new ones on top of existing templates. Many of the pre-packaged templates were created to help block or filter common types of sensitive information often found in enterprises. If there’s a rule violation, you can set DLP so that an incident report gets automatically sent to one or more people in the organization.
DLP comes with a slew of canned templates that cover most common compliance scenarios, but configuring it so that it’s effective in your specific organization can prove tricky.
Exchange 2013 DLP templates and data types
The DLP templates included in Exchange 2013 are primarily designed to help organizations comply with common bits of legislation or industry standardization that mandate information security within an organization; think PCI-DSS, the Gramm-Leach-Bliley Act, common pieces of personally identifiable information (PII) and so on.
Most of the information captured by these templates involves things like financial data -- think credit card numbers -- as well as driver’s license numbers, passport numbers, social security numbers, etc. Exchange 2013 lumps this information together under DLP sensitive information types.
There are a few key aspects to keep in mind regarding the DLP templates:
1. Use the existing Exchange 2013 DLP templates as appropriately as possible. There should be as many separate polices as needed for different types of information to allow for better granularity. For example, you may want to block project- or department-specific information, which can change between months or quarters.
2. The existing Exchange 2013 DLP templates will not be the only templates available for the life of the product. Microsoft plans to add future templates from certified partners. This will allow organizations to add templates created in the wake of future legislation or industry standards. Therefore, you won’t have to build templates from scratch and risk having data leak through them because they're untested.
3. The templates are not the only ways to create DLP policies. They’re a good starting point -- as they save a lot of trouble when constructing policies that might otherwise require a lot of manual work -- but should always be considered starting points, not endpoints.
4. Rule enforcement is flexible, as it should be. For example, employees who are part of a user group can freely exchange certain types of sensitive information without being penalized.
This is particularly useful if you have a subdivision of your company -- customer relations, for example -- that routinely deals in such things and needs to be exempt (if only provisionally) from screening. This doesn’t mean they have no oversight, only that DLP can be used here as an auditing or oversight mechanism, rather than one to simply block message traffic.
DLP-aware features in Outlook 2013
A key reason to consider upgrading to Outlook 2013 -- in conjunction with Exchange 2013 -- is that Outlook 2013 is DLP-aware. DLP policies set within your organization may be used locally with Outlook 2013. Outlook 2013 makes a lot sense if you envision scenarios if there is potential for interaction between users and enforcement staff.
For example, if a user composes an email to a coworker which includes a piece of sensitive information that is flagged by DLP, he receives a pop-up. The user then has the option to notify an administrator about this particular instance, even in the case that he is doing something completely legit. This way, instead of having the message bounce back, the warning is presented interactively.
Final thoughts on Exchange 2013 DLP
DLP can be a useful mechanism that ensures sensitive data is securely kept within an organization. But it isn't automatic; it requires proper configuration, as well as an understanding of which data types are detected through the native templates.
Therefore, admins must set up a close partnership between those who access Exchange 2013 and those responsible for oversight and compliance within your organization. Not only will it help for proper DLP configuration, but also ensures that it is well maintained and kept current across multiple levels and between various projects.
ABOUT THE AUTHOR:
Serdar Yegulalp has been writing about personal computing and IT for more than 15 years for a variety of publications, including (among others) Windows Magazine, InformationWeek and the TechTarget family of sites.
This was first published in August 2012