Photo by Alvaro Reyes on Unsplash
Microsoft Features: Microsoft Purview Data Loss Prevention
Estimated Reading Time: 6 minutes
In my previous blog, I gave An Introduction to Microsoft Purview Data Loss Prevention. I provided an overview of Purview DLP, DLP policies, and the importance behind deploying this solution.
In this blog, we’ll be discussing the approach that organizations should be taking to support a successful deployment of Purview DLP.
For those interested, here are the links to the other blogs in my Data Loss Prevention blog series (links will become available as blogs are published):
- An Introduction to Microsoft Purview Data Loss Prevention
- Deploying Microsoft Purview Data Loss Prevention
The Importance of an Iterative Deployment Approach
When planning for data loss prevention, organizations will often begin by identifying the desired future state of their DLP policies and describe them using policy intent statements (e.g., block users from sharing sensitive data externally via SharePoint Online). However, immediately configuring and deploying these policies across the organization will often lead to negative consequences such as users unaware of the incoming changes, blocked business workflows, and a large volume of alerts. For this reason, I strongly believe that a successful deployment of Purview DLP should follow an iterative approach.
The sections below outline a high-level iterative deployment approach based on real-world experience that helps both users and administrators to prepare for changes, learn from collected insights, and continuously improve DLP policies.
Although there are many different naming conventions that can be used to describe this phased approach, I will describe the concept using a simple “Phase X” naming convention.
Disclaimer: The phase descriptions and activities described below are meant to introduce the concept of phased DLP deployment and provide a starting point for organizations deploying Purview DLP. The exact approach taken will often be unique to a given organization.
Phase 1: Monitor
In this phase, DLP policies should be deployed with no end user impact (i.e., avoid policy tips and blocks). The goal of this phase is for administrators to collect insights to gain a better understanding of the current state of user activities and sensitive data flows across the organization. It is possible that there will be a high rate of false positive policy matches during this phase. For this reason, fine-tuning of conditions is an important process before progressing to Phase 2. To avoid overwhelming administrators with a high volume of policy alerts, DLP policies can be deployed in groups starting from the highest priority users and gradually expanded to include the remainder of the organization.
At the end of Phase 1, administrators should have a good understanding of user activities and data flows. A first pass at fine tuning policy conditions to minimize false positive matches will often fit into this deployment phase. It is possible that the need for additional DLP policies is identified based on the insights collected in this phase.
Phase 2: Educate Users
In this phase, DLP policies are deployed to warn users of unapproved information flows. The policies will begin educating users how to properly handle sensitive data. It is possible that the need for additional policy condition fine tuning is identified during this phase as users across different business units, departments, and teams are completing their day-to-day business activities. To ensure that end users are prepared for this change and are aware of the potential for false positives, organizational change management is crucial.
At the end of Phase 2, end users should have a good understanding of unapproved flows of information and be aware that DLP policies are being put in place to help protect data. It is possible that the need for exceptions and new policies are identified as different users begin to interact with DLP.
Phase 3: Protect Data
In this phase, DLP policies are modified to block unapproved information flows, often providing users with the option to override the block. As the core deployment team continues to work with different groups in the organization, it is possible that the need for additional policy exceptions are identified. To ensure that business activities are not blocked throughout this process, DLP policies should allow users to override the block and provide a justification for doing so. Similar to Phase 2, organizational change management activities are crucial to ensure that users are prepared for this change.
Phase 3 involves an ongoing process of policy refinement, alert review, and remediation. It is important to continuously improve policies and communicate with end users across the organization to ensure that the DLP policies remain aligned with ever-evolving business needs.
Depending on the complexity and risk tolerance of the organization, DLP policies can remain in the “block with override” state, or the ability for users to override may be removed. Moving from block with override to block only can be a challenging step, especially when it comes to balancing user productivity and security.
Closing Thoughts
A successful deployment of Microsoft Purview DLP relies heavily on a thoughtful, phased approach that emphasizes learning, adoption, and collaboration between administrators and end users. By gradually progressing from monitoring to warning and ultimately to blocking, organizations can fine-tune policies to reduce false positives as well as build user awareness and trust. Taking an iterative deployment approach not only strengthens data protection but also ensures that security controls evolve in alignment with business needs.
In my next blog, I will talk about deploying Purview DLP to protect data across Microsoft 365 locations. Stay tuned!
Anna Bordioug 