August 13, 2023

Understanding Office 365 DLP (aka Microsoft Purview DLP) Limitations

Understand the limitations of Office 365 DLP across email, OneDrive and SharePoint. Learn how Strac, a modern SaaS DLP with a razor-sharp focus on low false-positive and false-negative rates and a one-of-a-kind user experience, solves those limitations.

TL;DR

  • Microsoft's Office 365 suite has limitations in its built-in Data Loss Prevention (DLP) capabilities.
  • Office 365 Email DLP (aka Microsoft Purview DLP) limitations include no email redaction, limited control, attachment scanning issues, false positives, and limited OCR capabilities.
  • OneDrive DLP limitations include no approval workflows, real-time enforcement delays, limited file type support, and collaboration hiccups.
  • SharePoint DLP limitations include complexity in large environments, versioning issues, custom content type challenges, and workflow interruptions.
  • Strac addresses these limitations by automatically detecting and redacting sensitive email content, providing instant monitoring and data categorization for OneDrive and SharePoint, offering data obfuscation tools, implementing a smart alert mechanism, and streamlining compliance with regulatory oversight.

Understanding the Office 365 DLP (aka Microsoft Purview DLP) Limitations

Microsoft's Office 365 suite, encompassing Email, OneDrive, and SharePoint, offers built-in Data Loss Prevention (DLP) capabilities. While these features provide a foundational layer of data protection, it's essential to understand their limitations to manage and protect sensitive information effectively.

Office 365 Email DLP Limitations

The biggest limitation of Office 365 Email DLP is that it does not prevent data loss. That is ironic!

No Email Redaction

Office 365 DLP (Microsoft Purview DLP) can't redact sensitive emails, neither email bodies nor email attachments.

No Image or Zip file support

Microsoft Purview DLP, which does DLP for Office 365, OneDrive and SharePoint, does not support JPEG, JPG, PNG (all images and screenshots) and ZIP files. So, if you upload a screenshot containing a driver's license, bank checks, credit cards, PHI/patient data, or any confidential data, Microsoft Purview DLP will NOT detect it. For reference, please see File Types Supported by Microsoft Purview DLP.

No Deep Content Inspection for PDF, Images, Word Docs, Spreadsheets

Microsoft Purview DLP will only scan documents based on extension and file schema (metadata, file name, size). It does not look inside documents such as PDF, JPEG, JPG, PNG, DOC, DOCX, XLSX. For reference, please see Sampling Data Microsoft Purview Classifies.

No Granular Control

While Office 365 offers predefined templates for DLP policies, organizations with unique or specific requirements might find it challenging to fine-tune these policies to their exact needs. If you want best-in-class DLP, you want granular control that actually understands clients and their data.

High False Positives

The built-in DLP generates a high number of false positives, leading to unnecessary administrative work and potential disruptions in communication. There is no closed feedback loop to help Microsoft Purview DLP learn so that it does not make the same mistakes again!

Complicated to Establish a DLP Policy

Because it is cumbersome to set up a solid Office 365 DLP policy, most organizations default to Block mode OR pass-through mode (with justification). Block mode has never been practical and incurs a huge productivity tax on employees and IT admins.

OneDrive & SharePoint DLP Limitations

  • No Approval Workflows: When a sensitive file is shared, one can only either block or allow the file to be shared. Blocking the file sharing causes productivity issues and employees don't like it. To be productive, an employee needs a way to share externally. An approval workflow solves that problem.
  • Real-time and Historical Scanning of Sensitive Data: Microsoft Purview DLP does not perform historical scanning of sensitive data on either OneDrive or SharePoint.
  • No Image or Zip File Support AND No thorough document support: Microsoft Purview DLP, which provides data loss prevention services for Office 365, OneDrive, and SharePoint, lacks the ability to process JPEG, JPG, PNG (including all images and screenshots), and ZIP file formats. Consequently, should you upload images containing sensitive information such as driver's licenses, bank checks, credit cards, PHI/Patient data, or any other confidential information, Microsoft Purview DLP will not be able to detect it. For more information, refer to the documentation on File Types Supported by Microsoft Purview DLP. Additionally, Microsoft Purview DLP does not perform in-depth content analysis across all document types. It merely examines documents for their extension and schema (such as metadata, file names, and size), without delving into the contents of files including PDF, JPEG, JPG, PNG, DOC, DOCX, and XLSX formats. For further details, see the documentation on Data Microsoft Purview Classifies.
  • No Inline Redaction: If you want to redact sensitive parts in a document hosted on OneDrive, Microsoft Purview DLP does not have that capability.
Strac Inline Redaction of Sensitive Documents

Office 365 DLP (Purview) only covers Microsoft Products

In addition to the above limitations, the major gap with Microsoft Purview is that it is restricted ONLY to Microsoft products: O365 Email, Teams, OneDrive, SharePoint. No organization uses only those SaaS/Cloud apps. Organizations use a combination of other vendors like Salesforce, Atlassian (Jira/Confluence), Mac machines, AWS/GCP cloud, AI vendors like OpenAI, Anthropic, Chrome browsers, and a lot more. Sensitive data is all over the place. Check out https://strac.io/integrations for all integrations.

Office 365 DLP Limitations: Strac supports all popular SaaS, Cloud, Gen AI and Endpoint devices

How Strac Addresses Office 365 DLP Limitations

Strac Office 365 Email DLP

Strac automatically detects and redacts sensitive email body and attachments. Strac is the only SaaS DLP on the market that replaces sensitive parts within email with a link to the vault. While the Strac Office 365 App redacts or masks sensitive email content, authorized individuals can still view these emails through the dedicated Strac UI Vault.

Organizations can also define a list of confidential data elements—ranging from Social Security Numbers and Passport details to API Keys and Credit Card information—for the app to shield. Detailed access reports, showcasing who accessed which messages, can be provided to teams overseeing Compliance, Risk, and Security.

Strac's Machine Learning model is highly trained on a variety of data inputs. It has a very low false-positive and false-negative rate.

Strac OneDrive and SharePoint DLP

  1. Instant Monitoring: Keep Data Breaches at Bay on OneDrive and SharePoint. Strac's DLP for OneDrive offers instantaneous surveillance of platform data. It vigilantly observes data access patterns, noting who interacts with the data, when, and in what manner, swiftly spotting any unauthorized or dubious actions.
  2. Sensitive Data Classification: Enhancing OneDrive Data Handling. With its automated categorization, Strac's DLP effortlessly sorts data based on its sensitivity and compliance prerequisites, adding tags and efficiently managing information to ensure protection. Check out https://www.strac.io/sensitive-data-discovery-and-classification
  3. Data Obfuscation Tools: Boosting Confidentiality on OneDrive. Employing sophisticated data obfuscation methods, Strac ensures heightened data confidentiality. It facilitates masking or removing confidential details in files before sharing or downloading.
  4. Smart Alert Mechanism: Stay Ahead with OneDrive Notifications. Should there be a looming data leak or breach, Strac's OneDrive DLP quickly notifies the concerned individuals. Using cutting-edge machine learning techniques, Strac minimizes false alarms, preventing alert overloads.
  5. Regulatory Oversight: Streamlining Compliance on OneDrive. Navigating regulatory waters becomes easier with Strac's OneDrive DLP. It pinpoints data falling under regulations and brings forth tools to uphold such standards. Additionally, it presents detailed audit logs and reports, aiding in compliance verification.
  6. Intuitive and Adaptable Interface: Molding Strac to Fit Your OneDrive Operations. Strac's UI Vault, while packed with features, is designed for ease of use. It offers insightful reports and analytics detailing the volume of sensitive data on OneDrive, sharing patterns, data distribution timelines, and more.