Skip to main content

011: Monitor sharing with customers

Overview

Based on the scenarios of sharing data with customers (external users), design the DLP policies to block external sharing scenarios not matching these patterns. Use both sensitive information types as conditions and sensitivity labels as conditions and DLP rule exceptions to address those scenarios. Select different combinations of evidence with varying levels of certainty to implement controls at different levels of assertiveness. For example: Single match and low or medium confidence matches: warn the user. Single match and high confidence matches: block with override. Multiple matches with low or medium confidence: block with override. Multiple matches with high confidence: block. Large number of matches with medium confidence: block.

Configure these policies across different sharing scenarios, including SharePoint, OneDrive, Teams, Endpoint and Exchange. Use Exact Data Matching as a high confidence classifier. Use regular SITs with validators and keywords as medium or high confidence classifiers. Use regular SITs with no keywords as low confidence matches. You can also use trainable classifiers together with regular SITs as conditions representing high confidence situations.

Do not deploy the DLP rules at this stage, configure them but keep them in simulation mode in order to assess potential impact, and after a few weeks assess if critical business scenarios could have been impacted by these rules if they had been enforced. Adjust the logic of the rules and their enforcement actions (e.g. usage of policy tips, overrides and exceptions) as needed.

Reference