What Are OneDrive DLP Policies?

Data loss prevention (DLP) features are on the front lines of protecting your organization’s content and ensuring that users don’t mismanage that content and, intentionally or unintentionally, jeopardize your compliance and content integrity. As sharing and collaboration become easier and more fluid in the cloud, DLP tools must evolve and adjust to these realities. Cloud storage solutions, thus far, have done a fantastic job of growing with the expanding needs of the businesses that rely on them, and OneDrive, specifically, has taken it upon itself to offer one of the most robust sets of DLP features on the market today.

OneDrive offers its users a comprehensive set of options for storage and collaboration, allowing individuals to easily manage their content while interacting with a larger enterprise cloud environment. However, as many organizations will provide each user with their own OneDrive, it’s essential that these companies also have options to craft DLP policies that can govern how each user’s OneDrive content is maintained, and what those users can store in or share from their OneDrive.

Consider this example: your organization has recently acquired another company. The news is not yet public, as paperwork is still being finalized, but it’s fair to suggest that, when the news breaks, it will have a substantial effect on stock prices. A user who is working with the legal team on that paperwork has copies of relevant contracts saved in his OneDrive. He chooses to share those contracts with a friend, urging him to either buy or sell stock because of this as-yet-unknown deal, and, in so doing, puts your whole business in legal jeopardy.

The best way to prevent this would be to restrict what users such as the one in this example are able to store in or send from their OneDrive. With those capabilities, your organization would be able to avoid the aforementioned scenario, and the upsetting ramifications of it.

Luckily, OneDrive provides administrators with just such tools. OneDrive accounts, within the context of your cloud environment, operate like islands in an archipelago–part of the whole, but potentially independently controlled. Admins must be able to oversee the behavior of each user’s OneDrive in order to maintain the integrity of that whole architecture, and OneDrive understands that.

With OneDrive’s DLP tools, admins are able to craft and automate detailed and unique policies that take into account all of the concerns they might have about user behavior. When they select policy creation, admins are immediately offered a series of templates: Financial, Medical and Health, Privacy, or Custom. Upon selecting one of these options, they are offered further sub-categories based on the regulations of their region. For instance, a user who chooses to create a DLP policy for a financial organization will be asked if they’d like to base it on Australian, Canadian, French, German or other sub-templates.

[Video clip: OneDrive security rules]

After this, the admin will name their policy and proceed to a page where they will be asked if they would like the policy to apply to all aspects of their Office 365 environment, or just specific designated locations, such as OneDrive or Exchange. If admins opt to specify locations (in this case OneDrive), they will then have the option to apply the policy to all accounts, or include or exclude certain accounts as their needs require. Following this selection, they will get to choose 1) what sort of content they would like the policy to apply to, and 2) what sort of actions should trigger the policy (for example, sharing that content within the organization, or only sending a notification when the content is shared outside of the organization). Individual documents or folders can be tagged as having sensitive information, and the policy, as designed in advance, can then restrict the sharing, downloading, or storage of those files into an individual user’s OneDrive account.

[Image: OneDrive interface for finding content that is shared outside of the organization]

If these options seem insufficient, the advanced settings on the page allow users to create individual rules for their policy. These highly specific rules are limited by little other than the admin’s creativity, and each can be set to have specific exceptions, as well as specific actions taken or notifications sent upon violation.

[Image: Creating a new security rule for OneDrive]

Oftentimes, issues arise because users simply don’t understand their business’s DLP policy or the risks inherent in how they’re handling data. In cases where sharing or a similar action is prevented, OneDrive lets admins draft emails and content explaining these issues, which are sent immediately to the user whose actions were curbed. This feature goes a long way to prevent accidents, which are often as responsible for data breaches as bad actors are.

Of course, like most things, DLP is not exclusively black and white, which is why OneDrive allows admins and IT to make amendments or exceptions when it comes to their DLP policy. While many will opt to apply blanket restrictions to all OneDrive accounts within their ecosystem, it is possible to exclude certain user accounts and devise unique DLP regulations for those outliers. It’s also possible to make exceptions based on user location or other conditions.
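The policy-creation steps described above (location scoping, account exclusions, a rule with a trigger, an action and a user notification) can also be scripted with the Security & Compliance PowerShell cmdlets. This is an added example, not part of the original article; the tenant name, excluded OneDrive URL, policy and rule names and notification text are constructed placeholders.

```powershell
# Added example: every name, URL and message below is a constructed placeholder.
# Requires the ExchangeOnlineManagement module and a compliance administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$policyName = 'OneDrive - Financial Data (example)'

# Policy: applies to OneDrive only, all accounts except one excluded account.
# TestWithNotifications reports matches and notifies users without blocking,
# so the rule can be reviewed before it is enforced.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Restrict external sharing of financial data stored in OneDrive' `
    -OneDriveLocation All `
    -OneDriveLocationException 'https://contoso-my.sharepoint.com/personal/placeholder_user' `
    -Mode TestWithNotifications

# Rule: content condition + trigger (shared outside the organization)
# + action (block access) + notification to the owner + report to the admin.
New-DlpComplianceRule -Name 'Block external sharing of card data (example)' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This file contains financial data and cannot be shared externally.' `
    -GenerateIncidentReport SiteAdmin

# Verify what was created before relying on it.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, OneDriveLocation, OneDriveLocationException
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, NotifyUser

# Once the test-mode matches look correct, switch the policy to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in a test mode and reviewing the matches first avoids blocking legitimate sharing with a rule that is broader than intended.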

This flexibility also applies to the aforementioned policies applied to specific pieces of content. While documents containing PII (personally identifiable information) are the most obviously vulnerable items in a given ecosystem, admins can restrict or block access to and sharing of content based on a wide range of properties, including specific metadata conventions.

Just as these DLP tools work to inform users about the sort of behavior that is appropriate around OneDrive storage and sharing, OneDrive also seeks to inform administrators of issues as soon as they arise. With comprehensive, admin-facing reporting, OneDrive ensures that your administrators can act quickly in the event of violations or hacking, and regularly check up on the success of their pre-designed policy, even in the best of times.

Because of the flexibility that OneDrive provides users within an organization, as well as the perceived autonomy some users have with their OneDrive accounts, DLP policies that specifically focus on these accounts’ relationships to your ecosystem and content as a whole are essential. OneDrive–if not managed properly–can insulate users and give them unparalleled and inappropriate control over the content stored therein. Without a robust set of tools to manage, if not limit, how those users are taking advantage of their individual OneDrives, organizations can find themselves in hot water, especially with increasingly stiff penalties for compliance violations.

Helping you build the best and strongest DLP policy, as well as keeping your users aware of the responsibilities and restrictions that come with the content they handle, is at the core of OneDrive’s DLP features. These tools empower your admins, defend your content, and guide your users, making sure that, no matter the task and no matter the solution, every single document, spreadsheet, contract, or folder is protected and, in so doing, setting your organization up for continued success and ongoing safety.