Microsoft unwraps new auto data-protection in Office 365 tools

Microsoft is expanding its Data Loss Prevention (DLP) tools. DLP is a way of tagging content to mark it as sensitive data and subject to policy, such as a rule that states “data must be encrypted” or “may not be shared outside the organisation”. DLP is already available for email in Exchange, Outlook and Office 365, and is now …

  1. Lusty

    Ahh clippy...

    http://m.youtube.com/watch?v=gS0vZFPnksk

  2. Anonymous Coward

    Hahahaha

    So it's not a way of stopping office from crashing and bu**ering up your files?!!

    1. Anonymous Coward
      Big Brother

      Re: Hahahaha

      No, it's a way of tagging specific files for the NSA, FBI etc. to take an extra good look at them...

    2. Trevor_Pott Gold badge

      Re: Hahahaha

      Hi, Office files can generally be recovered after a crash in a manner similar to that discussed here. Hope that helps.

  3. Trevor_Pott Gold badge

    DLP stuff is nice, but I still don't trust my data residing in the American cloud. When will Microsoft offer complete and total zero knowledge encryption such that they - but especially the NSA - cannot get at any of the data stored in Azure, Office 365, etc? And when will this be enabled as a standard option, available to everyone?

    Will they encrypt my user data that's being streamed to them from Windows 8/8.1/10 as part of their integration into the OS? What about Onedrive? How do we lock down all that search data sent to Bing such that nobody I don't want can see it? When will that be the default option?

    DLP is a great tool, and kudos to Microsoft for doing shedloads of excellent and very difficult work to advance the state of the art in this area. But what's needed is a true "security first, privacy first" approach that goes far - far - beyond what DLP can ever offer.

    1. dan1980

      @Trevor_Pott

      Of course, that's not what DLP is aimed at - as you know. DLP is essentially an expansion of Exchange Transport Rules, which is already a really handy tool that allows you to do all kinds of things that you previously needed third-party software for (though some of the features do require an Enterprise license).

      I suspect that, should US companies like MS and Google, etc... really start working on this - providing systems where they can't provide the data to law enforcement - the US government, at the urging of the three-letter monsters they have created, will simply make such systems illegal.

      This is what they asked for a few years ago - they wanted to make it a legal requirement that US companies that offer communications services must be able to comply with wiretap orders. That would mean that any service that fell within the US's reach - which seems to be anything that has even the slightest US attack surface - could not, legally, provide the type of service you and many others are asking for.

      The 'reforms' didn't go through last time but if companies start offering these services can you imagine the clamour and push that will come?

      The answer, of course, is that such a service must be provided from a non-US company. Even then, it can't be in the UK either. They have laws now which allow you to be jailed for not providing your encryption keys so imagine what they would say to a company that said they didn't even HAVE any keys to hand over!

      1. Trevor_Pott Gold badge

        Yes and no. DLP is technologically an expansion of Exchange transport rules...but ties into stuff baked into Windows Server 2012, Intune and EMM as well.

        More to the point, the purpose is to allow enterprises to control who views their data, and under what circumstances. It has aimed to become far more than just "exchange transport rules". As such, we must look to solutions beyond exchange transport rules to solve the goal of DLP:

        allowing companies (and ultimately, individuals) to control who can see their data, and under what circumstances. And that goes back to needing a "security first, privacy first" approach to things, from the start. No band-aids.

        As for "US.gov will make it illegal not to have back doors"...oh well. If they want to footbullet themselves, go right ahead. Microsoft has the choice to keep their HQ in the US. As do all these other companies. They aren't standing up for our rights by rolling over and complying. Why should I trust my business to them, or hand them my money?

        Oh, because "America, fuck yeah?" America: fuck off.

  4. dan1980

    @Trevor_Pott

    I think you are talking about what you want DLP to be about rather than what it is about. The purpose is to prevent employees deliberately or accidentally exposing sensitive data outside of your organisation.

    I do appreciate that, on the whole, the term DLP could indeed cover ANY type of loss, but this would surely mean that firewalls and AV/anti-malware and IDS also come under that umbrella, which is not helpful in terms of defining a given technology or feature set.

    DLP has been around well before its appearance in Exchange 2013 and the focus before and since has always been on preventing sensitive data being exposed by the carelessness or malice of employees.

    DLP solutions have always worked to identify sensitive data - through templates and rules and so on. This shows what the focus is - to protect sensitive data from exposure, not as a general 'encrypt everything so the government can't wiretap us'. It's to avoid losing business or falling foul of regulations, such as HIPAA.

    What you are talking about is a grander idea but not really one that I think should be termed 'DLP'. The reason is that even with your data encrypted so the government or vendor can't access it, you still need to actually use it. It will, at some point, be in the hands of an employee. Whatever your encryption at the vendor, that won't prevent an employee accidentally forwarding sensitive data to an external contact or leaving a laptop at a cafe, which are exactly the sort of events that DLP is there to protect against.

    In other words, leave DLP to focus on that aspect and have a new type of protection for what you are espousing. (And I am agreeing with as an increasingly pressing need.)

    Or, more simply, as a purely semantic issue, DLP as a term is already established so it's better to create a new term rather than redefine the existing one to extend the scope beyond what it currently refers to.

    1. Trevor_Pott Gold badge

      No, I'm talking about DLP as it is being talked about to me. DLP in conjunction with tagging at the OS level, mobile security, endpoint security etc. Whatever the term may have been used for, it is being expanded by Microsoft's own marketing droids to cover a more generic "who can access your data, and how".

      This seems to be including new proposed offerings like "only allowing certain forms of content to be viewed inside DRMed, tracked online applications" etc. The thing is, if you are going to go from "tagging and alerting things as they leave exchange" to "access monitoring and control across the entire data life cycle" (which is absolutely what I am being told is what this term is supposed to now encompass) then I don't think that you can simply "wish away" the threat of malicious actors MITMing (or PATRIOT acting) your data whilst on its way to, or stored in, the cloud.

      So: DLP is either very narrowly "transport rules in exchange" or it is "data lifecycle management" in its totality. You don't get to pick and choose which aspects of data security and access control you cover just because some of them make you uncomfortable, or you find them inconvenient.

      Since Microsoft seem to be pushing "DLP" as "more than just exchange transport rules" then I say they've failed until they've addressed all aspects of data lifecycle management.

      1. dan1980

        I suspect, as usual, that we are more-or-less agreeing.

        DLP absolutely IS more than Exchange Transport rules - that was just Microsoft's first attempt at it and it was confined, obviously, to e-mail.

        They are now looking at expanding their solution to cover more of the things that other, better established DLP solutions already cover. In some cases, covering new things specific to their cloud-offerings.

        The point I am making is not that DLP only covers certain types of data - like only e-mails - but that it is designed around protecting data from a certain set of risks, and the risk that the type of protection you are describing addresses is not necessarily within that scope.

        For example, protecting against employees losing USB sticks or laptops is part of DLP as a whole, but obviously not included in Microsoft's offering.

        What I see is Microsoft expanding their DLP to cover more data against the existing risks addressed by competing solutions but not necessarily protecting against different risks.

        I definitely see what you are getting at and I agree - what we need is a complete, ground-up redesign of computing with privacy at its core, similar to how Unix was built with multi-user at its core, which then had a hand in defining how everything from there up worked and was designed.

        However, that is just not DLP as it exists. The point of DLP is evident in the fact that vendors still refer to it as Data Leak/Leakage Prevention, alongside Data Loss Prevention, as is the case with Symantec (Vontu) and GFI.

        I don't think anyone is "wish[ing] away" the problem of government (or other) agencies accessing company data in the cloud, though some might be ignoring it or putting it in the "too hard" basket for the moment.

        1. Trevor_Pott Gold badge

          Whereas I think that trying to do this piecemeal is worse than not doing it at all. Address the whole of the issue or don't bother. Make people go elsewhere to other vendors that will address the whole of the issue.

          But Microsoft's half-assed approach gives a false sense of security, especially when combined with aggressive marketing that is making their DLP seem like it is far more than it is. If you have a half-assed solution, be up front about it. But they aren't, really. Not unless you're an uber-nerd and prepared to pore over every least bloody stitch of information on the topic.

          So I accuse Microsoft - and others - of shoddy half measures, whilst trying to market them as being adequate. It's not. Not by a long shot. And, like shitty antivirus vendors (oh, wait, Microsoft again!) that do things half-assedly, they do far more harm than good by giving a false sense of security.

          Shit or get off the pot. But I'm sick of gigacorps half-assing this. It's too important to let them get away with it.

  5. dan1980

    It seems you have developed your position, which started with:

    "DLP is a great tool, and kudos to Microsoft for doing shedloads of excellent and very difficult work to advance the state of the art in this area. But what's needed is a true "security first, privacy first" approach that goes far - far - beyond what DLP can ever offer."

    And this was something I agreed with: DLP is good but we need more than DLP; something different that addresses the other concerns that come with governments being able to access our data at a whim.

    From there, you went to acknowledging, essentially, that Microsoft may not actually be able to provide what you are asking for as their company stands now, saying:

    "Microsoft has the choice to keep their HQ in the US."

    From there, you hardened your position, declaring that Microsoft had "failed until they've addressed all aspects of data lifecycle management."

    Still not sufficient a judgement, you went to extend this failure to being "half-assed" and "worse than not doing it at all" because it gave people a "false sense of security".

    So, to summarise, your position appears to be:

    Kudos to Microsoft for working hard to expand and enhance the state of this technology with their new offering, which is a half-assed half-measure that they shouldn't have bothered with as it is worse than nothing, seeing as their DLP solution doesn't address concerns that go beyond (far, far beyond) what DLP can offer. And, until it pulls up shop and dismantles its US operation (legally) to implement a ground-up redesign of its platforms that is unlikely to be possible whilst still based there, its services will remain inadequate and they shouldn't be able to get away with such a failure.

    That about capture it?

    I jest, of course - I enjoy your posts and I take your points; it was just amusing to see the foam building and the steam rising : )

    On that note, what are these uber-nerds pouring over the information? Custard? Sriracha? HP sauce? Maple syrup? (Sorry.)

    1. Trevor_Pott Gold badge

      No, my position is slightly more nuanced.

      What Microsoft have built is good, provided it is very carefully marketed and positioned and what it can and can't do spelled out clearly at multiple points so that nobody is given false hope, intentionally or not. I'd go so far as to say that the word "prevention" probably shouldn't be used here. Maybe "data leak/loss resistance." Think "fire proof" versus "fire resistant".

      This will mean lost sales as people who might have been bamboozled don't buy. It will also mean some others will buy anyways, and combine solutions.

      None of that takes away from the solid technical work done. The problem to hand is a hard problem to solve. And, quite frankly, I honestly believe that Microsoft have done the hardest part of this in the creation of their existing technologies.

      What remains is more political than technological. Zero-knowledge encryption of Azure + Office 365 can be implemented without too much fuss. They choose not to, nor to even discuss why. And if their government did turn around and tell them "you can't do that", then yes, I would say they should seriously consider packing up and leaving.

      I don't have a problem with the technology Microsoft is offering. I think it is good technology. But I absolutely have a problem with how it is generally marketed, how the PRs present it to journos, and how every bit of training information focuses on "look at all these features, wow!" but spends little (if any) time being clear about what it can't and won't do.

      The issue here is highly political. The tech is a good start, but it is resistance-class, not prevention-class. Overselling is likely to do way more harm than good.

      And ultimately, it is half-assed. The endgame solution required involves making some tough choices to stick up for the customer in the face of massive political pressure to do otherwise. Microsoft is out there putting hundreds of millions into trying to convince us that they're "the good guy", and that technologies like DLP "demonstrate their commitment to privacy and security".

      If people start to believe that tripe - and judging by the commenters in this forum, more than a few do - then that is dangerous. And that's where the half-assedness of this whole thing absolutely becomes a real concern.

      The code can be respect-worthy while the corporate positioning of the product - and for that matter, the company's overall stance across a line of products - is dangerous. And thus we have a very typical Microsoft situation in which the technology is praiseworthy but the solution (notably, how it is ultimately presented in virtually all official content on the subject) is half-assed.

      I don't see any of the above as "steam rising". If anything, it fills me with a sense of...I don't know...defeat. Tired acceptance. Depression. A loss of faith in humanity, even. The sort of feeling of abject impotence and helplessness one feels when they learn that another umpteen billion dollars was squandered by politicians.

      I don't have the zeal to be passionate about anything any more, sir. I have the outrage fatigue, and it's largely why I confine my thoughts on the matter to forums nobody cares about and nobody reads.

      Donning the armour, saddling Rocinante and making another pass at the damned windmill just isn't in me anymore. I report what I see. I vent my thoughts into the feckless void of El Reg's forums where no one of consequence will see. That's all there is.

      Crusades and causes are a game for the young.

      1. dan1980

        "No, my position is slightly more nuanced."

        Yes, but that nuance does not admit of quite as much humour and so I dealt with it in the way that seemed best for my purpose, which was to ignore it.

        "But I absolutely have a problem with how it is generally marketed, how the PRs present it to journos, and how every bit of training information focuses on "look at all these features, wow!" but spends little (if any) time being clear about what it can't and won't do."

        I must admit that I feel I understood exactly (or near enough) what this new feature set/extension can and can't do, though perhaps that is because I have been looking at their (and other vendors') DLP in the past. Hang on . . . Does that then make me an "uber-nerd"? Compliment accepted.

        "Donning the armour, saddling Rocinante and making another pass at the damned windmill just isn't in me anymore."

        The difference being, of course, that in this case the Sanchos of the world are wrong and these really are giants pretending to be windmills. (Though in practice, they appear to be just as pointless to assault.)

        "I vent my thoughts into the feckless void of El Reg's forums where no one of consequence will see."

        Well fuck you too : )

        1. dan1980

          Do you realise that our combined thoughts and vents constitute 98% of the words consigned to this particular void? (Excluding your response to our cowardly friend but including post titles and this comment, of course.)

          1. Trevor_Pott Gold badge

            ...why did you do the math on that? I mean, just...you have too much time on your hands.

            1. dan1980

              I'm in Australia so that was posted ~8:30pm while I was waiting for a couple of VHDs to replicate from one site to another.

              1. Trevor_Pott Gold badge

                HA! Well, I've done weirder things while waiting for servers myself. Can't complain with that logic. :)

  6. spacecadet66

    I look forward to this being not at all riddled with serious problems to the point where most sites disable it as being far more trouble than it's worth.
