Security and Compliance

Unified eDiscovery and Data Loss Prevention in Office 365 Recap and Updates

Unified eDiscovery and Data Loss Prevention in Office 365 allows Tenant Administrators to create, manage, and secure content from a unified console (Office 365 Security and Compliance Center).

To date, Tenant Administrators have had to manage Data Loss Prevention for SharePoint, OneDrive for Business, and Exchange in two separate locations, the Office 365 Security and Compliance Center and the Exchange Admin Center respectively.  In January 2017, Data Loss Prevention was centralized for SharePoint, OneDrive for Business and Exchange in the Office 365 Security and Compliance Center.  This unified Data Loss Prevention platform allows you to manage a variety of Office 365 scenarios through a single management layer – reducing time spent configuring and organizing policies across tools.


On July 1st, 2017, eDiscovery will also be unified in the Office 365 Security and Compliance Center. After July 1st, 2017, two capabilities will be disabled: creating new In-Place eDiscovery searches and In-Place Holds (*-MailboxSearch) in the Exchange Admin Center in Exchange Online, and creating new cases in the eDiscovery Center in SharePoint Online. New cases and searches should be created and managed through the Office 365 Security & Compliance Center to fulfill eDiscovery needs. In both cases, you will still be able to edit and run existing searches in the Exchange Admin Center and work with existing cases in the SharePoint eDiscovery Center.


These discrete solutions are being disabled due to their limited breadth across Office 365 services.  The Security & Compliance Center supports permissions, cases, holds and exports as well as Advanced eDiscovery features such as Themes, Email Threading, Near Duplicate Detections, and Predictive coding.  These changes only apply to the Exchange Admin Center in Exchange Online and the eDiscovery Center in SharePoint Online.

These changes do not impact any existing policies, searches or holds created via the EAC, and you will still be able to create new email DLP policies in the EAC (you will not be able to create new eDiscovery searches and In-Place Holds after July 1, 2017). However, it’s recommended to use the new DLP management experience in the Office 365 Security and Compliance Center, as this is where new capabilities will be delivered in the future.

Resources

Learn more about the Office 365 Security and Compliance Center at https://support.office.com/en-us/article/Office-365-Security-Compliance-Center-7e696a40-b86b-4a20-afcc-559218b7b1b8.

Learn more about eDiscovery in Office 365 at https://support.office.com/en-us/article/eDiscovery-in-Office-365-143b3ab8-8cb0-4036-a5fc-6536d837bfce?ui=en-US&rs=en-US&ad=US.

Learn more about Data Loss Prevention in Office 365 at https://support.office.com/en-us/article/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e.

FAQ

Where can I learn more about eDiscovery in the Office 365 Security & Compliance Center?
https://support.office.com/en-us/article/eDiscovery-in-Office-365-143b3ab8-8cb0-4036-a5fc-6536d837bf…

Where can I learn more about Advanced eDiscovery in Office 365?
https://support.office.com/en-us/article/eDiscovery-in-Office-365-143b3ab8-8cb0-4036-a5fc-6536d837bf…

Does this change my Office 365 pricing or plan?
Although Advanced eDiscovery requires E5 Licensing, the base eDiscovery offering is available for all enterprise plans.

When will this happen?
New cases in the eDiscovery Center in SharePoint Online and new In-Place eDiscovery searches and holds in the Exchange Admin Center will be disabled on July 1, 2017. This might vary slightly based on the actual deployment schedule.

Will I still have access to my existing cases in the SharePoint eDiscovery Center?
Yes, you can continue to interact with all existing cases: you can add searches and holds and export from these cases.  We are only removing the ability to add new cases.  All new cases should be created in the Security & Compliance Center. For more information, see Manage eDiscovery cases in the Office 365 Security & Compliance Center.

Will I still have access to my existing searches and holds in the Exchange Admin Center?
Yes, you can continue to interact with all existing searches and holds in the Exchange Admin Center.  We are only removing the capability to create new searches.  All new searches should be created in the Security & Compliance Center. For more information, see Run a Content Search in the Office 365 Security & Compliance Center.

I use the Exchange Admin Center or SharePoint eDiscovery Center for Retention and Preservation, how do I do this now?
The Security & Compliance Center has a full set of features for preserving content. For more information, see Overview of preservation policies.

Can I migrate searches in the Exchange Admin Center or cases in the SharePoint eDiscovery Center to the Security & Compliance Center?
No. eDiscovery cases in the Security & Compliance Center and cases in the eDiscovery Center in SharePoint Online are completely different objects, and their underlying architecture is also different. The same is true for In-Place eDiscovery searches in the Exchange Admin Center and Content Searches in the Security & Compliance Center. Thus, existing cases and searches can’t be migrated to the Security & Compliance Center. If you have existing cases in the eDiscovery Center, we recommend that you continue to manage them in the eDiscovery Center until they are completed and you close them. If you need to support a new legal investigation in your organization, we recommend that you use eDiscovery cases in the Security & Compliance Center.

If you have existing searches in the Exchange Admin Center, you can create a corresponding Content Search in the Security & Compliance Center.

What about my existing holds, will they continue to preserve data?
Yes, all existing holds from the Exchange Admin Center and eDiscovery Center will continue to hold content. Only the creation of new In-Place Holds in the Exchange Admin Center and new cases in the SharePoint eDiscovery Center are being disabled.

How do I get access to the Security & Compliance Center?
By default, global administrators have access to the Security & Compliance Center. Administrators can assign permissions to other users so they can use the eDiscovery tools in the Security & Compliance Center.

How do I access the Security & Compliance Center?
You can navigate directly to https://protection.office.com/ or, from the app launcher, choose the Security & Compliance tile.

SharePoint

Sensitive Information Types in SharePoint Server 2016 IT Preview

One of the key improvements to eDiscovery in SharePoint Server 2016 IT Preview is the introduction of Sensitive Information Types to eDiscovery.

In SharePoint Server 2016 IT Preview Data Loss Prevention is now built into Enterprise Search. It allows you to search for sensitive content in your existing eDiscovery Center, keeping content in place and enabling you to search in real time.  SharePoint Server 2016 IT Preview provides a wide range of sensitive information types from different industry segments and geographies, such as credit card numbers, Social Security numbers (SSNs), bank account numbers, and other types, many of which you may already be using to search for sensitive content in email. These sensitive information types are detected based on pattern matching and are easy to set up.

Sensitive Information Types are defined by patterns that can be identified by Regular Expressions or a Function and are available for use within Data Loss Prevention policies. They improve on simple pattern matching in two ways: they support corroborative evidence, such as keywords and checksums, to identify sensitive information stored in SharePoint Server 2016 IT Preview, and they include native confidence level and proximity logic that is used in the evaluation process.

Using the US Social Security Number sensitive information type as an example:

Patterns are identified in one of two ways, Formatted and Unformatted as shown below:

Formatted:

  • Nine digits in the format ddd-dd-dddd OR ddd dd dddd

Unformatted:

  • Nine digits in the format ddddddddd

The confidence level can be 85, 75, 65, or 55 percent. Using 85% as an example:

A Data Loss Prevention policy is 85% confident that it's detected this type of sensitive information if, within a proximity of 300 characters:

  • The function Func_ssn finds content that matches the pattern.
  • At least one of the following is true:
      • A keyword from Keyword_ssn is found.
      • The function Func_us_date finds a date in the right date format.
      • The function Func_us_address finds an address in the right format.

The specific native keywords based on this type include:

  • Social Security
  • Social Security#
  • Soc Sec
  • SSN
  • SSNS
  • SSN#
  • SS#
  • SSID

In this example we have a document that contains the following information in Microsoft Word .docx format with a document name of Candidate Profile for Garth Fort containing the unformatted text:

Candidate Profile for Garth Fort

Background check completed on 8/26/2015

Social Security Number: 123-45-6789

Expires: 8/26/2018

A new eDiscovery Case is created within the eDiscovery Center as Credit Cards and SSNs and a corresponding query mapped to those types:

SensitiveType="Credit Card Number" OR SensitiveType="U.S. Social Security Number (SSN)"

In this example the document, once crawled, is discovered as having met the conditions of the Sensitive Information Type and presented as a result in the eDiscovery Case where additional actions can be taken against the content such as Export.
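The 85% rule described above, sketched as an added example (not Microsoft's or SharePoint's own code) and run against the Candidate Profile text from this post. The regular expressions are simplified stand-ins for Func_ssn and Func_us_date, Func_us_address is left out, and case-insensitive keyword matching and measuring the 300 characters from both ends of the match are assumptions.

```python
import re

# Keyword_ssn values as listed in the post.
KEYWORD_SSN = ["Social Security", "Social Security#", "Soc Sec",
               "SSN", "SSNS", "SSN#", "SS#", "SSID"]
PROXIMITY = 300  # characters, from the 85% rule in the post

# Stand-in for Func_ssn: only the formats the post lists
# (ddd-dd-dddd, ddd dd dddd, ddddddddd).
SSN_RE = re.compile(r"(?<!\d)(?:\d{3}-\d{2}-\d{4}|\d{3} \d{2} \d{4}|\d{9})(?!\d)")
# Stand-in for Func_us_date: m/d/yyyy only (assumption).
DATE_RE = re.compile(r"(?<!\d)(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/\d{4}(?!\d)")
# Longest keyword first so "Social Security#" wins over "Social Security";
# case-insensitive matching is an assumption.
KEYWORD_RE = re.compile(
    r"(?<![A-Za-z])(?:%s)(?![A-Za-z])"
    % "|".join(re.escape(k) for k in sorted(KEYWORD_SSN, key=len, reverse=True)),
    re.IGNORECASE)

# The Candidate Profile text from the post.
SAMPLE_DOC = ("Candidate Profile for Garth Fort\n"
              "Background check completed on 8/26/2015\n"
              "Social Security Number: 123-45-6789\n"
              "Expires: 8/26/2018\n")


def _near(regex, text, lo, hi):
    """True if regex matches entirely inside the window [lo, hi)."""
    return any(lo <= m.start() and m.end() <= hi for m in regex.finditer(text))


def find_ssn(text):
    """Return one finding per SSN-shaped match, with corroborating evidence."""
    findings = []
    for m in SSN_RE.finditer(text):
        lo, hi = m.start() - PROXIMITY, m.end() + PROXIMITY
        evidence = [name for name, rx in (("keyword", KEYWORD_RE), ("date", DATE_RE))
                    if _near(rx, text, lo, hi)]
        # Only the 85% rule is described in the post; an uncorroborated
        # match gets no confidence here rather than a guessed lower tier.
        findings.append({"match": m.group(), "evidence": evidence,
                         "confidence": 85 if evidence else None})
    return findings


if __name__ == "__main__":
    # Second input is constructed: nine digits with no corroborating evidence.
    for doc in (SAMPLE_DOC, "Order reference 123456789 shipped"):
        print(find_ssn(doc))
```

The bare nine-digit order reference shows why corroborating evidence matters: it matches the pattern but, with no keyword or date nearby, does not reach the 85% rule.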


To learn more about available Sensitive Information Types see also https://technet.microsoft.com/en-us/library/jj150541(v=exchg.160).aspx.
