Microsoft Enables DLP on OneDrive for Business File Syncing

The new data loss prevention capability helps organizations keep better tabs on their cloud-hosted files, preventing damaging leaks of sensitive business information.


Microsoft has flipped the switch on a new feature for OneDrive for Business. Now, administrators can extend the company's data loss prevention (DLP) technology to their accounts on the enterprise file storage, sync and sharing platform.

"Many organizations want to ensure their users are only able to sync files to managed or domain-joined PC's thereby limiting data leakage possibilities on unmanaged home and personal computers," said Reuben Krippner, director of product management for Microsoft OneDrive, in a May 20 announcement.
"Today we're excited to announce that we're releasing this capability for OneDrive for Business administrators."

DLP has emerged as a major pillar of the company's efforts to balance the collaboration-enhancing benefits of mobile devices and cloud services with an organization's security and compliance requirements. For better or worse, online storage products like Microsoft's own OneDrive offering make it easier for mobile workers to access and share data anywhere and at any time.

To make certain employees don't intentionally or inadvertently paste, attach or email company information to unauthorized users, the company has begun implementing DLP across its Office 365 ecosystem.

"Starting in early 2015, we will enable DLP natively in Microsoft applications that your users are very familiar with," announced Shobhit Sahay, an Office 365 technical product manager, and Jack Kabat, an Office 365 principal program manager, in an Oct. 28 statement. "This will enable you to enforce policies for content creation and sharing rights at the time of content creation, and will provide users with policy tips, similar to the experience they already receive in Outlook and [Outlook Web App] when they try to share sensitive content."

Today, OneDrive for Business customers can take steps to ensure that their cloud files are similarly protected by restricting file sync operations.

"The IT administrator defines a list of domains that they will allow sync client requests from. Any OneDrive for Business sync client requests originating from PC's that aren't domain-joined or aren't members of the allowed domains will be blocked," Krippner explained. "To enable this feature and list the allowed domains administrators will run a cmdlet in the SharePoint Online Management Shell."

Although Microsoft is still working on new compliance center auditing and reporting features, the company already collects the data required for administrators to determine when sync client requests are allowed or blocked, and filter those results. Meanwhile, mixed Windows-Mac environments will want to remain vigilant as the feature is deployed.
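
The cmdlet step Krippner describes can be scripted roughly as follows. This is an added example, not code from Microsoft's announcement or from this article; it assumes the cmdlet in question is `Set-SPOTenantSyncClientRestriction`, that the ActiveDirectory module is installed alongside the SharePoint Online Management Shell, and the admin URL is a placeholder.

```powershell
# Added example (not from the article). Builds the allowed-domain list from the
# on-premises forest, enables the sync restriction, then verifies what the tenant stored.
Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL

# Each AD domain is identified to the service by its objectGUID, not its DNS name.
$domainGuids = foreach ($name in (Get-ADForest).Domains) {
    (Get-ADDomain -Identity $name -Server $name).ObjectGUID.ToString()
}
if (-not $domainGuids) {
    # An empty allow list would block every sync client, so stop here.
    throw 'No domain GUIDs resolved; refusing to enable the restriction.'
}

Connect-SPOService -Url $AdminUrl

# Keep the previous settings so the change can be reviewed or rolled back.
$before = Get-SPOTenantSyncClientRestriction
$before | Format-List

# Allow sync only from PCs joined to the listed domains (semicolon-separated GUIDs).
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($domainGuids -join ';')

# Read the setting back and confirm every intended domain is present.
$after  = Get-SPOTenantSyncClientRestriction
$stored = $after.AllowedDomainList | ForEach-Object { $_.ToString().ToLower() }
$missing = $domainGuids | Where-Object { $stored -notcontains $_.ToLower() }

if (-not $after.TenantRestrictionEnabled -or $missing) {
    Write-Warning "Restriction not applied as intended. Missing GUIDs: $($missing -join ', ')"
} else {
    Write-Output "Sync restricted to $($domainGuids.Count) domain(s)."
}
```

Run it from an account with SharePoint Online administrator rights, and test from one domain-joined PC and one unmanaged PC before relying on the restriction.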

The OneDrive for Business DLP capability "will work with PC's that can be managed through Active Directory Group Policy, it will therefore automatically block all sync on Apple Macintosh machines which have no equivalent of Group Policy management," noted Krippner. "Today this feature will allow you to manage sync on the existing PC client and we'll continue this support with the new unified sync client when we ship that later this year," he pledged.

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...