This document explains eShare’s integration with Microsoft Purview Data Loss Prevention, which lets organizations create document tags based on configured DLP Rules and apply additional controls when a rule is matched. This integration gives organizations more granular data protection while enabling their user base to share content with appropriate guard rails in place. At a high level, the steps are:
PREREQUISITE:
To proceed with using the integration with Purview Data Loss Prevention, you must complete the following steps to sync the Purview DLP Rules into eShare.
Configuring and Managing DLP Tags
To configure DLP Tags, administrators navigate to the ‘Admin Console’ > ‘Labels & Tags’ section of the eShare Web Portal. This menu allows an administrator to create new tags, manage existing tags, and manage the priority order of configured Microsoft Sensitivity Labels and DLP Tags. To create a new tag, an administrator can select the ‘+ Add Tag’ button at the top of the page.

An ‘Add Tag’ configuration window will pop up. From this screen, the following must be configured:
Name: Defines a name for the Tag that is only visible in the admin panel.
Display Name: Defines a name for the Tag that will be displayed to Users when the tag is applied to a file.
eShare Order: Select where the tag should be ordered in the Label and Tag hierarchy (0 = lowest priority). If sensitive content is detected, the order determines which Sharing Policy, the most restrictive one, applies.
Rules: Administrators can define the set of DLP rules that will be applied to the DLP Tag being created. Multiple rules can be selected per tag. The rules are populated based on the DLP rules defined in Microsoft Purview Data Loss Prevention.
Operator: The Operator defines the criteria under which the DLP Tag takes effect. The ‘OR’ operator applies the DLP Tag if any of the selected DLP Rules are matched, whereas the ‘AND’ operator applies it only if all of the selected DLP Rules are matched. For DLP Tags that contain only one rule, the default state of the Operator is “OR”.

Once all of the fields are configured, select the ‘Add’ button to save the tag and return to the ‘Labels & Tags’ admin page.
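The following is an added example, not eShare's own code: a small Python model of the Operator and eShare Order semantics described above, useful for reasoning about which tag a given set of matched DLP rules would produce before saving a configuration. The rule and tag names are hypothetical, Sensitivity Labels are left out, and "the highest eShare Order among matching tags wins" is an assumption drawn from "0 = lowest priority".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DlpTag:
    name: str              # admin-only name
    display_name: str      # name shown to users
    order: int             # eShare Order, 0 = lowest priority
    rules: frozenset       # Purview DLP rule names selected for the tag
    operator: str = "OR"   # "OR" or "AND"


def tag_matches(tag, matched_rules):
    """True when the tag's operator is satisfied by the DLP rules that fired."""
    if not tag.rules:
        return False  # an empty AND tag must not match vacuously
    hits = tag.rules & set(matched_rules)
    if tag.operator == "AND":
        return hits == tag.rules
    if tag.operator == "OR":
        return bool(hits)
    raise ValueError(f"unknown operator: {tag.operator!r}")


def effective_tag(tags, matched_rules):
    """Assumption: among matching tags, the highest eShare Order wins."""
    candidates = [t for t in tags if tag_matches(t, matched_rules)]
    return max(candidates, key=lambda t: t.order, default=None)


# Constructed sample configuration (rule and tag names are hypothetical).
TAGS = [
    DlpTag("pii-any", "Contains PII", 1,
           frozenset({"US SSN", "Credit Card"}), "OR"),
    DlpTag("pii-fin", "PII + Financial", 2,
           frozenset({"US SSN", "Credit Card"}), "AND"),
]

if __name__ == "__main__":
    for fired in (["Credit Card"], ["US SSN", "Credit Card"], ["HIPAA"]):
        tag = effective_tag(TAGS, fired)
        print(fired, "->", tag.display_name if tag else "no DLP tag")
```

With only one of the two rules matched, the higher-priority ‘AND’ tag does not apply and the lower-priority ‘OR’ tag is the one that takes effect.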

Assigning DLP Tags to Sharing Policies for Enforcement
With the DLP Tags created, they will now be available to assign to sharing policies. Navigate to ‘Admin Console’ > ‘Sharing Policies’ and select a policy to edit.

In the Sharing Policy menu, an admin can select the ‘Label or Tag’ dropdown menu to assign the newly created DLP Tag. Additionally, sharing modules must be selected; these determine when the policy is enforced once the corresponding tag is detected.
Once the remaining sharing policy options have been defined, select the ‘Save’ button to complete the configuration. This sharing policy will now be applied if a user attempts to share or access content that has this tag associated with it.
DLP Tag Configuration for Emails
In cases where an organization wants to secure emails using Microsoft Data Loss Prevention and the eShare Secure Collaboration Gateway, additional configuration is required. A Purview Administrator will need to add an action to the configured DLP rules that will set a header in the email. The header defined within the DLP Rule will be used to match an eShare Sharing Policy so the Secure Collaboration Gateway can enforce the necessary controls when the rule is matched.

After defining the header in the DLP Rule, an eShare administrator must navigate to ‘Admin Console’ > ‘Sharing Policies’ and edit the Sharing Policy which should be enforced. Ensure the Policy has the ‘Secure Mail Gateway’ module assigned; otherwise it will not be enforced.

While editing the policy, locate the ‘Use policy for Secure Mail Gateway’ section, then add the defined Header Name and Keyword value.

Once the Sharing Policy is saved, whenever an email matches the selected DLP rule and the header is applied, a Trusted Share will be generated with the corresponding Sharing Policy being enforced.