Microsoft and Google face data loss prevention head-on

The UK’s 2015 Information Security Breaches Survey produced two noteworthy findings. Firstly, the average data breach among small firms costs between £75,000 and £310,800. Secondly, despite the attention-grabbing headlines focused on ransomware and trojans, 48% of breaches were attributed to human error. So, maybe it’s time to take a break from reviewing your external security protocols and budget some time for your internal data-sharing policies.

Personally identifiable information (PII) and intellectual property (IP) are assets that can just as easily become liabilities. Whether it’s a fast-paced sales environment or a regulated industry with heavy penalties for even a single slip-up, Data Loss Prevention (DLP) training for employees is only marginally effective. Staff members will always be susceptible to human error and to the temptation to skirt policies altogether in an attempt to speed up their work. Both Microsoft and Google have recognised the demand for rule-based DLP and answered the call with separate but similar centralised frameworks. Let’s have a look at what they do, and how they differ from each other.

Content Detection

Google’s and Microsoft’s policy frameworks start by scanning and analysing email text for content flagged as risky by administrators and compliance officers. Out of the box, the two cloud platforms are capable of recognising UK driving licence numbers, National Health Service numbers, National Insurance numbers, passport numbers, and taxpayer identification numbers. Microsoft also recognises UK Electoral Roll numbers, and both services continually add new data types to monitor.

Skeptics might wonder how valuable DLP functionalities truly are if they’re only scanning email text. In actuality, both services also scan “common” attachment types such as Office documents, PDFs, and anything text-based. Google boasts a “deep” analysis, which also includes optical character recognition (OCR) to detect risky data in scanned documents and image files. Although Microsoft doesn’t offer OCR yet, it has opted to push forward with “Document Fingerprinting.” This feature allows administrators to create templated documents for the service to monitor (e.g., patent, tax, and financial forms). By “fingerprinting” empty forms, your DLP policies can regulate how employees send completed versions across your network.

If your business or industry deals with data that is unrecognised by the out-of-the-box templates from either of the two services, custom templates can be created using keyword lists or regular expressions (a notation for defining character patterns). Microsoft adds a third option for structuring DLP frameworks by allowing you to import pre-built policies from third-party partners.

Once you have decided what types of data should be tracked, you will need to decide exactly whom the new policies apply to. Rather than unequivocally blocking every email containing intellectual property, DLP rules can be scoped by organisational department and/or message destination (internal vs. external messages).


Quarantining and Responding

After the framework has been finalised, tested, and implemented, administrators must determine what to do about emails that breach the defined policies. Both Microsoft and Google offer three paths forward: blocking the email entirely, alerting the user of the infraction and requiring them to fix it, or quarantining the message and notifying an administrator or compliance officer. Microsoft also offers an option for encrypting content which has been deemed a violation of the organisation’s DLP policies.

Regardless of which vendor you choose, a finalised model looks something like this: administrators, compliance officers, and team leaders create a comprehensive policy for all of the sensitive information moving through your business workflow. After a testing period, the finalised framework is implemented within either the Google or the Microsoft DLP service. For example, a company that provides tenant checks may have several pieces of PII from external sources floating around internally. If a staff member tries to forward an internal email chain, unaware that it contains restricted PII buried in a previous message, the email will be captured and quarantined before the organisation finds itself facing a massive liability lawsuit.
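To make the two halves of the model concrete (the regex-based content detection described under Content Detection, and the scoping by destination and choice of action described above), here is a small policy engine written for this article; it is an added illustration, not code from Google or Microsoft, and the identifier patterns, the `example.com` organisation domain and the forwarded-chain sample message are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Simplified UK identifier detectors (constructed for this example, not the
# vendors' own definitions). NI number: two letters, six digits, suffix A-D,
# with the letters that are never issued in each position excluded.
NI_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b")
NHS_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")

def valid_nhs_number(digits: str) -> bool:
    """NHS numbers carry a mod-11 check digit; verifying it keeps arbitrary
    10-digit strings (order numbers, phone fragments) from raising alerts."""
    d = [int(c) for c in digits]
    remainder = sum(x * w for x, w in zip(d[:9], range(10, 1, -1))) % 11
    check = 11 - remainder
    if check == 11:
        check = 0
    return check != 10 and check == d[9]

def detect(text: str) -> set:
    """Kinds of sensitive data found anywhere in the text, which for a
    forwarded chain includes every quoted earlier message."""
    found = set()
    if NI_RE.search(text):
        found.add("uk_national_insurance")
    if any(valid_nhs_number(re.sub(r"[ -]", "", m.group()))
           for m in NHS_RE.finditer(text)):
        found.add("uk_nhs_number")
    return found

@dataclass
class Rule:
    data_kind: str
    external_only: bool   # only applies when a recipient is outside the org
    action: str           # "block", "notify_sender" or "quarantine"

ORG_DOMAIN = "example.com"   # assumption: the organisation's own mail domain
SEVERITY = {"allow": 0, "notify_sender": 1, "quarantine": 2, "block": 3}

def evaluate(rules, body: str, recipients) -> str:
    """Apply every matching rule to one outbound message; the strictest
    action wins so a block is never downgraded by a softer rule."""
    external = any(not r.lower().endswith("@" + ORG_DOMAIN) for r in recipients)
    kinds = detect(body)
    action = "allow"
    for rule in rules:
        if rule.data_kind in kinds and (external or not rule.external_only):
            if SEVERITY[rule.action] > SEVERITY[action]:
                action = rule.action
    return action

RULES = [Rule("uk_nhs_number", external_only=True, action="quarantine"),
         Rule("uk_national_insurance", external_only=False, action="notify_sender")]
FORWARDED = ("Hi, see the thread below.\n\n-----Original Message-----\n"
             "Applicant ref: NHS 943 476 5919, NI AB123456C\n")  # constructed sample
```

Sending the forwarded chain to an external address yields "quarantine", while the same chain sent to a colleague only triggers the sender notification, which is the internal/external scoping the article describes.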

Google’s DLP services are available to all subscribers of Google Apps Unlimited and can be accessed by opening the Admin Console, selecting Apps, then Google Apps, Gmail, and Advanced settings. Scroll down and select Content compliance. The search giant has promised these DLP policies will eventually be available in Google Drive, and hopefully other Apps for Work.

Microsoft’s DLP features can be utilised by any organisation with Exchange 2013 or Exchange Online that also has an Enterprise Client Access License. Open the Office 365 admin portal from within the Exchange Administration Center, select Security & Compliance, Security policies, and Data loss prevention. Additionally, Microsoft Azure users should keep an eye on Enterprise Data Protection, which will soon prohibit cutting, copying, and printing of flagged data based on predefined rules.

With deeper and darker cracks for sensitive data to seep into, most small and medium-sized business owners are finding it difficult to stay ahead of the curve. Google and Microsoft are well known for their reliable and user-friendly solutions, and we’re excited to see how they improve on these exceptional DLP frameworks.

Damson Cloud is here to make your transition to the cloud as smooth and secure as possible. If you are worried about the security of your data in a cloud environment, DLP policies are just one of the many ways we can help you assuage those concerns. With years of experience in the cloud computing field, and our client-centric approach, Damson is unquestionably the way to go — contact us today.