Microsoft unveils new DLP, 'Double Key Encryption' offerings

Endpoint DLP

Endpoint Data Loss Prevention (DLP) builds off of existing DLP capabilities for Microsoft 365 cloud services like SharePoint, Teams and OneDrive and extends them to users' devices. Organizations can onboard devices and apply security policies to them without the need for an additional agent on the device, Microsoft said in a blog post. Policies could, for example, restrict the transfer of data to USB devices, and those policies can be managed and enforced by security teams through the Microsoft 365 Compliance Center.

John Marcum, a senior consultant for Microsoft partner company New Signature, told SearchSecurity that while he's just starting to test the new DLP functionalities, this is "long overdue" from Microsoft.

"Historically Microsoft only solved half of the DLP problem; they could stop traffic that passed through their services. However, this is not enough. Therefore, we've had to rely upon third-party tools that required additional agents on workstations, additional admin overhead, and additional costs when working in any regulated environment," Marcum said. "From what I've seen so far, Microsoft has solved this issue with a very easy-to-configure solution that requires no additional agent installation. Of course, we all know that [Microsoft has] finally taken security seriously after so many years of ignoring it and depending upon third-party vendors to plug all of the holes. This advancement in DLP is just another step in the right direction."

Garrett Bekker, principal analyst at 451 Research, said enterprises are currently looking to invest in DLP, "particularly as data is increasingly migrating to new environments such as cloud."

"More specifically, 451 Research's Voice of the Enterprise (VotE) survey data shows that DLP is a top use case for enterprises looking to secure SaaS applications," he said via email. "And I think this demand will only be underscored by the COVID-19 pandemic and related work-from-home (WFH) phenomenon. WFH can present considerable security risks and DLP, particularly on the endpoint, can help to ensure that employees are handling sensitive data properly."

Enterprise Strategy Group senior cybersecurity analyst Dave Gruber told SearchSecurity he was most excited about DLP of all the Microsoft announcements.

"The addition of Endpoint DLP (adding device-level DLP to Microsoft's broader DLP offering), is actually pretty interesting. Enabled natively with Windows 10 deployments, Endpoint DLP requires no additional agent and captures endpoint telemetry that is of course used to increment support for Microsoft's broader DLP offering, but the telemetry also gets rolled into Microsoft security offerings," Gruber said in an email. "This is helpful because it enables things like detecting when unknown third-party apps try to access sensitive data -- something security and risk teams would like to know about.  Endpoint DLP is bundled along with E5 Information Protection and Governance, further strengthening the premium offering."

Double Key Encryption

Double Key Encryption for Microsoft 365 is a new feature for organizations that have concerns about data privacy, regulatory compliance and intellectual property that supplements existing data protections within Microsoft 365. The offering is designed to protect an organization's mission critical data by generating two keys for the encrypted data.

Chris Steffen, research director at Enterprise Management Associates, explained how Double Key Encryption works. "Microsoft has made encrypting and protecting Microsoft 365 information just that much easier for the end user with Double Key Encryption," Steffen said via email. "The concept is simple -- for someone to view the data, they must have access to both sets of keys -- one controlled by Microsoft and the second in control of the user or enterprise. This ensures the security and integrity of the user's data and addressing a significant compliance/security concern."

Microsoft's Endpoint Data Loss Prevention, Insider Risk Management, Communication Compliance, and Double Key Encryption are available now in public preview to Microsoft 365 E5 users.