Top 5 Best Practices For Office 365 DLP

Debasish Pramanik Cloud Security Expert - CloudCodes Software
  • May 7th, 2021

Many enterprises are moving to Office 365 to store their data, and there is no doubt that the data store holds sensitive information that needs protection. Time and again, we have considered the gaps in the security obtainable from Office 365. This means there is a need for Data Loss Prevention (DLP) best practices to secure data stored in Office 365. In this resource, we discuss five best practices for Office 365 DLP.

If you think that Office 365 security is sufficient, that is absolutely fine. Nevertheless, there is still a shared responsibility for the contents of your cloud, which means you have a part to play in protecting sensitive data. Best practices are the routines and processes we must implement in data loss prevention to ensure we are playing our part in data security correctly.

Microsoft, in its policy and conditions of service, reiterates that organizations and individuals often fail to play their part in data security. It states: “As part of our commitment to protect customers, we’re taking steps to help those who may have inadvertently published documents with sensitive information”. Organizations must be able to set up Data Loss Prevention (DLP) and improve the security of sensitive data. Sensitive data includes payment information, medical records, financial records, and other information that can expose an individual or organization to threats and security breaches.

The Nature of DLP in Office 365

Microsoft keeps its part of the bargain by providing a cloud free of vulnerabilities; an organization’s part in data security requires that you implement a DLP system. Integrating DLP in Office 365 means you play your part in data security correctly and fully. With DLP, organizations can prevent files from being shared with unauthorized third parties and prevent high-valued data from being uploaded to Office 365 in violation of internal policy or external regulations.

You need to implement healthy practices to guarantee the security of data you upload to Office 365. Also bear in mind that Office 365 consists of several distinct cloud applications, each with specific security needs.

Best Practices for Office 365 DLP

1. Setup Policies that Work!

An organization’s first step in setting policies that work is an inventory. Inventory existing policies to find gaps and create cloud policies that guarantee data security. The odds are high that, before you implement Office 365 DLP best practices, you already have policies in place for endpoint devices and email. Your inventory should note these policies and determine which apply to Office 365 and which need remediation. One advantage of doing this is that Office 365 ends up at the same protection level as the systems already covered by DLP.

To create effective new policies, organizations must determine what sensitive data gets uploaded to Office 365 and decide what data can be shared with third parties. In short, to set up policies that work, organizations must be able to map the route sensitive data takes and check it against internal policies and external regulations.

2. Determine what data gets uploaded

You cannot approach Office 365 DLP correctly if you do not understand the nature of the sensitive data in your cloud. Scan data at rest and in motion (in transit) to learn what is sensitive in your Office 365 cloud. Once you understand the nature of the sensitive data in the cloud, you can determine which security measures to implement. Sensitive data includes, but is not limited to: credit card numbers, source code, salaries, personal health information, account numbers, social security numbers, files that contain user passwords, spreadsheets with IP addresses, etc.

3. Take a look at Collaboration

Office 365 makes collaboration easy: staff can share data among themselves and just as easily with external parties or personal mail accounts. To guarantee data security and data loss prevention, examine collaboration among staff and with external parties. This helps your organization determine what sensitive data is constantly being shared and with whom. Knowledge of these collaborations helps you set up policies that strengthen security, control permissions and access, and educate employees on secure collaboration. Examining collaborations also helps you identify anonymous links that give access to sensitive data.

4. Implement measures to Protect Data

Microsoft has a built-in system to guarantee policy enforcement for all users and devices. It only makes sense that you, on your end, prevent sensitive data from being shared with unauthorized persons. Measures you can put in place to ensure sensitive data is accessed only by authorized persons include:

  • Coach users and employees on what is acceptable under your collaboration policy.
  • Always request an administrator to further investigate any breach in data security.
  • Automatically or manually revoke shared links. If you do not revoke access, these links can end up being shared anonymously with other people.
  • Curtail sharing permissions (e.g. change from edit to view).
  • Restrict sharing to whitelisted email domains only.
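A small policy evaluator that applies these measures to a single sharing request, written here as an added illustration (it is not CloudCodes or Microsoft code). The domains, labels and link types are constructed assumptions:

```python
from dataclasses import dataclass

# Constructed policy values for this example (assumptions, not from the post).
INTERNAL_DOMAIN = "corp.example"
ALLOWED_EXTERNAL_DOMAINS = {"partner.example"}      # the "whitelisted" domains
SENSITIVE_LABELS = {"confidential", "pii"}          # labels a DLP scan assigns

@dataclass
class ShareRequest:
    file_label: str   # classification of the file being shared
    link_type: str    # "anonymous", "organization" or "specific"
    recipient: str    # e-mail address for "specific" links, otherwise ""
    permission: str   # "edit" or "view"

def evaluate_share(req: ShareRequest) -> dict:
    """Apply the post's enforcement measures to one sharing request."""
    sensitive = req.file_label in SENSITIVE_LABELS
    # Anonymous links to sensitive data are revoked and escalated to an admin.
    if sensitive and req.link_type == "anonymous":
        return {"action": "revoke", "notify_admin": True,
                "reason": "anonymous link to sensitive data"}
    if req.link_type == "specific":
        domain = req.recipient.rsplit("@", 1)[-1].lower()
        if domain != INTERNAL_DOMAIN:
            # External sharing is allowed only to allowlisted domains.
            if domain not in ALLOWED_EXTERNAL_DOMAINS:
                return {"action": "deny", "notify_admin": sensitive,
                        "reason": f"domain {domain} is not allowlisted"}
            # Curtail permissions for external recipients (edit -> view).
            if sensitive and req.permission == "edit":
                return {"action": "downgrade", "permission": "view",
                        "notify_admin": False,
                        "reason": "external edit on sensitive data"}
    return {"action": "allow", "notify_admin": False, "reason": "within policy"}
```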

5. High-Valued Data should never be Uploaded

Irrespective of how many security measures you have put in place, high-valued data should never be stored in your Office 365. I wouldn’t expect a contractor to store details of military equipment the organization is building in an Office 365 cloud. While you sort sensitive data, also sort out high-valued data that should not be uploaded to the drive at all. A blend of classification and sorting technologies can help you identify high-valued data in your data store. These technologies use pattern matching, keyword matching, exact matching against structured data, predefined dictionaries of terms, and document fingerprinting to sort out high-valued data.

If high-valued data has already been uploaded to O365, you should consider remediation. You can block, quarantine, or permanently delete the file. You can also notify the admin to investigate, and notify users about the nature of the high-valued data so they act appropriately.
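To show how the classification techniques above and the remediation tiers fit together, here is an added example (not code from the original post or from any vendor) that scans constructed documents using pattern matching with a Luhn check, keyword and dictionary matching, and a hash-based document fingerprint. The patterns, dictionary terms and fingerprint are assumptions made for the example:

```python
import hashlib
import re

# Simplified detectors (assumption: production engines use broader, locale-aware
# patterns); each one is a technique the post names.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # pattern matching + checksum
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")              # pattern matching
KEYWORDS = {"salary", "password", "medical record"}       # keyword matching
DICTIONARY = {"project falcon"}                           # constructed dictionary terms

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which rejects digit runs that merely look like a card number."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch) * 2 if double else int(ch)
        total += d - 9 if d > 9 else d
        double = not double
    return total % 10 == 0

def fingerprint(text: str) -> str:
    """Document fingerprint: SHA-256 of whitespace-normalised, lower-cased text."""
    return hashlib.sha256(" ".join(text.split()).lower().encode()).hexdigest()

# Fingerprints of known high-valued documents (constructed for this example).
HIGH_VALUE_FINGERPRINTS = {fingerprint("Project Falcon armor spec rev 3")}

def classify(text: str) -> list[str]:
    """Return the findings for one document, in a stable order."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append("credit_card")
    if SSN_RE.search(text):
        findings.append("ssn")
    lowered = text.lower()
    findings += ["keyword:" + k for k in sorted(KEYWORDS) if k in lowered]
    findings += ["dictionary:" + t for t in sorted(DICTIONARY) if t in lowered]
    if fingerprint(text) in HIGH_VALUE_FINGERPRINTS:
        findings.append("fingerprint:high_value")
    return findings

def remediation(findings: list[str]) -> str:
    """Map findings to the remediation tiers the post lists."""
    if any(f.startswith(("fingerprint:", "dictionary:")) for f in findings):
        return "block"                       # high-valued data: never stored
    if "credit_card" in findings or "ssn" in findings:
        return "quarantine_and_notify_admin"
    return "notify_user" if findings else "allow"
```

The card number used in the checks is the standard Visa test number, so a real engine would additionally verify issuer ranges before raising an alert.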


Alongside all these practices, you need to deploy DLP policies and practices consistently. Using a unified DLP policy engine for all your IT information makes both day-to-day work and remediation more effective and easier. You then have the same policy across the board, and it becomes easier to understand reports and assess risks.