Protecting your sensitive data on remote endpoints
- Posted on January 5, 2021
Working remotely has become the new normal for many employers. Originally considered a temporary measure, it is now being embraced and encouraged by more and more businesses on a permanent basis. However, it adds new challenges and complexity for IT, not least ensuring the security and compliance of corporate data on end-user devices so that users can work from anywhere.
Microsoft has addressed these security concerns
In response, Microsoft recently announced the general availability of Microsoft 365 Endpoint Data Loss Protection (DLP). It extends Microsoft 365 DLP functionality to identify and protect sensitive data on user endpoints running Windows 10. It serves a number of important functions and gives security professionals the ability to audit and restrict:
- The transfer of files to external USB drives or file shares
- Printing of files
- Copying of files to disallowed cloud applications using the Edge Chromium browser
- Access to those files by prohibited browsers and/or applications
- In addition, it monitors files being created and renamed
When an end user attempts to perform any of the restricted actions (for example, copying a file to a USB drive), the user is shown a warning that the action is prohibited, together with policy tips on how the corporate data should be handled.
Endpoint DLP is easy to implement
Endpoint DLP uses the native protection of Windows 10 and the Edge Chromium browser and does not require installation of additional client software. It’s easy to get started:
- Onboard Windows 10 devices to Microsoft 365 Compliance Management using an onboarding package. It’s even easier for customers using Microsoft Defender for Endpoint (formerly Microsoft Defender ATP): all devices that are already onboarded to Microsoft Defender for Endpoint are automatically onboarded to Endpoint DLP.
- Endpoint DLP does not require any additional management interface. Security administrators can use Microsoft 365 Compliance Manager to configure DLP policies that are applied consistently in the cloud and on devices. They have at their disposal more than 100 sensitive data types and 40 DLP templates to create policies. In addition, existing DLP policies can be extended to devices by enabling the appropriate option.
- The Activity Explorer interface in Compliance Manager gives visibility into corporate data usage and any violations committed by end users. To achieve compliance with industry and regulatory requirements, Endpoint DLP can be integrated with the other Microsoft security and compliance products (Microsoft Information Protection, Microsoft Defender, Insider Risk Management). This adds more visibility into user actions and device state and provides more comprehensive data protection.
- Customers who have a Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance or Microsoft 365 E5/A5 Information Protection and Governance license can start exploring or using Endpoint DLP immediately with no additional purchase of licenses.
Essential to your workplace security strategy
Avanade recommends that organizations that embrace a remote working model, or are in the middle of a digital transformation, consider Microsoft Endpoint DLP as part of their workplace security strategy. For organizations that have already implemented Microsoft 365 DLP for their data in the cloud, Avanade recommends extending it to endpoints to ensure consistent protection of data both in the cloud and on end-user endpoints.
As a first step, customers can deploy Microsoft Endpoint DLP policies in “audit mode”. This avoids disrupting the end-user experience while gaining visibility into data usage and policy violations. Once an organization is ready to enforce Endpoint DLP policies, block, or block with override, mode can be selected.
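The audit-first rollout described above, expressed as an added Security & Compliance PowerShell example (not code from the Avanade post or from Microsoft). It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a compliance administrator role; the policy and rule names are placeholders, and the cmdlet parameters and `EndpointDlpRestrictions` setting names are as I recall them from the module, so verify them against current documentation before use.

```powershell
# Added example, not from the original post. Connect to Security & Compliance PowerShell.
Connect-IPPSSession

$policyName = 'Endpoint DLP - credit card data (pilot)'   # placeholder name
$ruleName   = "$policyName - rule"

# 1. Create an endpoint-only policy in test mode without notifications:
#    matches are recorded in Activity Explorer, users see nothing.
New-DlpCompliancePolicy -Name $policyName `
    -EndpointDlpLocation All `
    -Mode TestWithoutNotifications

# 2. Rule covering the actions the post lists. 'Audit' logs the action
#    without interfering with the user; 'Credit Card Number' is a built-in
#    sensitive information type.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number' } `
    -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Audit' },   # USB drives
        @{ Setting = 'NetworkShare';   Value = 'Audit' },   # file shares
        @{ Setting = 'Print';          Value = 'Audit' },
        @{ Setting = 'CloudEgress';    Value = 'Audit' }    # disallowed cloud apps via Edge
    )

# 3. After reviewing the audit results, tighten the same rule and enable
#    the policy. 'Block' stops the action; 'Warn' is assumed here to be the
#    block-with-override behaviour (the user can justify and proceed).
Set-DlpComplianceRule -Identity $ruleName `
    -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Block' },
        @{ Setting = 'NetworkShare';   Value = 'Block' },
        @{ Setting = 'Print';          Value = 'Warn'  },
        @{ Setting = 'CloudEgress';    Value = 'Block' }
    )
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the policy in test mode until Activity Explorer shows the matches you expect and no unexpected ones; switching `-Mode` alone is what moves the policy from audit to enforcement.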