Security "Bits"

Limitations of Office 365 Data Loss Prevention (DLP)

By Rich Campagna | December 21, 2016 at 6:30 AM
As we quickly approach a majority of enterprises using Microsoft Office 365, data leakage prevention (DLP) continues to be a very hot topic. A top question many enterprises have is whether Microsoft's built-in DLP capabilities will suffice or whether they should look to a third-party solution, such as a cloud access security broker (CASB).
This blog post will cover the pros and cons of Office 365 DLP. There are two levels of DLP support in Microsoft's enterprise licensing, provided via the E3 license and via the top-of-the-line E5 license. The DLP offering in both levels is limited to Office 365 support only, a tough limitation if you're part of the overwhelming majority of enterprises where Office 365 is one of several cloud apps you have deployed or will deploy.
E3 licenses include "Information Protection including Rights Management and Data Loss Prevention for emails." The license includes very basic DLP detection capabilities like keyword/regex matching. It does not include exact match policies, image analysis, or advanced data fingerprinting/watermarking. Advanced remediation policies such as encryption, redaction, and device-type access control are not offered. According to Brian, "Microsoft's focus initially has been to address simple policy and regulatory compliance violations." He cautions that, "many of these capabilities may be promoted by Microsoft, but might only have limited availability or be in public preview."
E5 licenses step up to "Advanced Security Management," or ASM, which is a basic subset of Microsoft's "Cloud App Security," or CAS. CAS is an API-only solution, which means no real-time data protection via proxy, immediately eliminating the solution as an option for security-conscious and/or regulated companies. The solution provides monitoring, but provides no blocking or other remediation, no access control for attributes like managed vs. unmanaged devices, no encryption capabilities, and no ability to protect data synced/downloaded to mobile devices (customers have the Intune MDM option, but that has all the shortcomings of any traditional MDM). The cost? A $15/user/month bump from E3's $20 price tag to a steep $35/user/month.
All of these shortcomings can be addressed, within Office 365 and across a broad range of SaaS, IaaS, and custom applications, with a comprehensive cloud access security broker offering from Bitglass. The perfect holiday gift for you and your colleagues.

