Executive Overview

DLP capabilities help you protect your sensitive data and inform users of your policies and regulations. DLP can also help you prevent users from mistakenly sending sensitive information to unauthorized people. When you configure DLP policies, you can identify and protect sensitive data by analyzing the content of your messaging system, which includes numerous associated file types. The DLP policy templates supplied in Exchange 2013 are based on regulatory standards such as PII and payment card industry data security standards (PCI-DSS). DLP is extensible, which allows you to include other policies that are important to your organization. Additionally, the new Policy Tips capability allows you to inform users about policy violations before sensitive data is sent.

Notable Features

  • DLP Policies
  • Sensitive Information Types
  • Policy Detection and Reporting
  • Policy Tips

Architecture/Components

The transport rule agent (TRA) is used in Exchange 2013 to invoke deep message content scanning and also to apply policies defined as part of Exchange Transport Rules.

  • DLP Policies: These policies contain sets of conditions made up of transport rules, actions and exceptions. Conditions can be configured from scratch or modified from pre-existing policy templates in Exchange 2013. There are three supported methods to create DLP policies:
    • Create a DLP policy from an existing policy template: At the time of writing, Exchange 2013 supports over 40 policy templates covering compliance requirements from various countries and jurisdictions, such as GLB and PCI-DSS.
    • Import a pre-built policy file from outside your organization: Exchange 2013 allows organizations to use DLP policies created by independent software vendors by importing these policies directly into Exchange as XML files. To define your own DLP policy template files, you must first define an XML schema (read here); then you can define sensitive information rule types (read here).
    • Create a custom policy from scratch: Exchange 2013 provides the granularity to define a DLP policy to match an organization’s requirements for monitoring certain types of data.
  • Sensitive Information Types: DLP now has the ability to perform deep content analysis via keyword matches, dictionary matches, regular expression evaluation, and other content examination to detect content that violates organizational DLP policies. Sensitive information rule types augment the existing transport rules framework and allow you to apply messaging policies to email messages that flow through the transport pipeline in the Transport service on Mailbox servers and on Edge Transport servers. Read my article on Exchange Transport architecture.
  • Policy Detection and Reporting: Exchange 2013 records the policy violations that occur within the DLP environment and makes that information available via the message tracking logs. The AgentInfo event is used to add DLP-related entries to the message tracking log. A single AgentInfo event will be logged per message describing the DLP processing applied to the message. An incident report can be created for each DLP policy rule set via the Generate Incident Report feature in the EAC.
  • Policy Tips: These enable you to notify email senders that they are about to violate one of the DLP policies before they send the offending message. Click here for more information.
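The AgentInfo-based detection described under Policy Detection and Reporting, as an added PowerShell example that is not part of the original article: it queries the message tracking log for AgentInfo events and keeps those whose event data matches a DLP marker, so an administrator can review which senders are triggering DLP processing. The server name, look-back window and the -Pattern regex are assumptions, since the exact EventData key names written by the DLP agent depend on the Exchange build.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Assumptions: $Server, $Days and the -Pattern regex are placeholders; inspect a few
# raw entries first to confirm the marker your build writes, e.g.
#   Get-MessageTrackingLog -EventId AGENTINFO -ResultSize 5 | Select-Object -ExpandProperty EventData
function Get-DlpDetectionSummary {
    param(
        [string]$Server  = $env:COMPUTERNAME,   # Mailbox server holding the tracking logs
        [int]$Days       = 7,                   # look-back window
        [string]$Pattern = 'DLP|TRA='           # assumed markers for DLP / transport rule agent data
    )
    $events = Get-MessageTrackingLog -Server $Server -EventId AGENTINFO `
        -Start (Get-Date).AddDays(-$Days) -End (Get-Date) -ResultSize Unlimited

    foreach ($e in $events) {
        # EventData is a collection of key/value pairs; flatten to "Key=Value" strings
        $data = @($e.EventData | ForEach-Object { "$($_.Key)=$($_.Value)" })
        $dlp  = $data | Where-Object { $_ -match $Pattern }
        if (-not $dlp) { continue }   # AgentInfo entries from other agents (e.g. antimalware) are skipped
        [pscustomobject]@{
            Timestamp  = $e.Timestamp
            Sender     = $e.Sender
            Recipients = ($e.Recipients -join ';')
            Subject    = $e.MessageSubject
            MessageId  = $e.MessageId
            DlpData    = ($dlp -join ' ')
        }
    }
}

# Usage: senders most often subject to DLP processing in the last week
Get-DlpDetectionSummary -Days 7 |
    Group-Object Sender |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```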

Common Administrative Tasks

  1. Create a DLP policy from a Template: To use existing templates, the DLP policy must be created via the EAC. Read this article.
  2. Import a DLP policy from a File: Via EAC or PowerShell
    Import-DlpPolicyCollection -FileData ([Byte[]]$(Get-Content -Path "C:\Doc\DLP Backup.xml" -Encoding Byte -ReadCount 0))
  3. Create a custom DLP policy without any rules: This must be configured via EAC
  4. Export a DLP policy:  Via EAC or PowerShell
    Export-DlpPolicyCollection
  5. Create a custom DLP policy: Via EAC or PowerShell
    New-DlpPolicy "Employee IDs"
  6. View details of an existing DLP policy: Via EAC or PowerShell
    Get-DlpPolicy "Employee IDs" | Format-List
  7. Change a DLP policy: Via EAC or PowerShell
    Set-DlpPolicy "Employee IDs" -Mode (Audit|AuditAndNotify|Enforce)
  8. Delete a DLP policy: Via EAC or PowerShell
    Remove-DlpPolicy "Employee IDs"
  9. Import/Export a DLP policy: Via EAC or PowerShell
  10. Manage Policy Tips: Via EAC, for more information click here.
  11. Create a New Classification Rule Collection: via PowerShell
    New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path "C:\Doc\External Classification Rule Collection.xml" -Encoding Byte -ReadCount 0))
    † This action overwrites all pre-existing DLP policies that were defined in your organization, so make sure you back up your current DLP policy information first.
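The tasks above combined into one safe sequence, as an added PowerShell example that is not part of the original article: export the current DLP policy collection to a dated backup file before loading a new classification rule collection, then create a custom policy in Audit mode with a transport rule that uses the imported sensitive information type. The file paths, policy and rule names, the report mailbox and the "Employee ID" classification name (which must match the Name in the imported rule package) are assumptions.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Assumed placeholders: $backupDir, $rulePack, 'Employee IDs', 'Employee ID',
# dlp-reports@contoso.example.
$backupDir = 'C:\DlpBackup'
$rulePack  = 'C:\Doc\External Classification Rule Collection.xml'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Export the existing DLP policies first; the import below replaces what is
#    already defined, so refuse to continue if the backup did not land on disk.
$backupFile = Join-Path $backupDir ("DlpPolicies-{0:yyyyMMdd-HHmm}.xml" -f (Get-Date))
$export = Export-DlpPolicyCollection
Set-Content -Path $backupFile -Value $export.FileData -Encoding Byte
if (-not (Test-Path $backupFile) -or (Get-Item $backupFile).Length -eq 0) {
    throw "DLP policy backup failed; aborting before any import."
}

# 2. Load the custom classification rule collection (sensitive information types).
New-ClassificationRuleCollection -FileData ([Byte[]](Get-Content -Path $rulePack -Encoding Byte -ReadCount 0))

# 3. Create the policy in Audit mode: detections are logged (AgentInfo events and
#    incident reports) without blocking mail, so false positives can be tuned first.
New-DlpPolicy -Name 'Employee IDs' -Mode Audit

# 4. Attach a transport rule: messages leaving the organization that contain at least
#    one Employee ID get an audit severity, an incident report and a Policy Tip to
#    the sender. Move the policy to Enforce with Set-DlpPolicy once the results look right.
New-TransportRule -Name 'Employee IDs: external detection' -DlpPolicy 'Employee IDs' `
    -MessageContainsDataClassifications @{ Name = 'Employee ID'; MinCount = 1 } `
    -SentToScope NotInOrganization `
    -SetAuditSeverity Medium `
    -GenerateIncidentReport 'dlp-reports@contoso.example' `
    -IncidentReportContent Sender, Recipients, Subject, Severity, DataClassifications, IdMatch `
    -NotifySender NotifyOnly
```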

Top PowerShell Commands/Tools:

– Set|Get|New|Remove -DlpPolicy
– Set|Get|New|Remove -ClassificationRuleCollection
– Export|Import -DlpPolicyCollection

References/Links

Command Reference for DLP
Microsoft Technet page on DLP in Exchange 2013