What needs improvement with Microsoft Purview Data Loss Prevention?

We faced a performance issue with the tool when we didn't get alerts for file uploads.

Microsoft is younger than Forcepoint in the DLP game. All the security operations are better defined in Forcepoint, while in Microsoft Purview Data Loss Prevention, you will have to use a specific workflow and then an application to release blocked emails. Out-of-the-box security operations are more adopted by the organization where I am currently working.

My main concern was more about the endpoint side because you should have many different functionalities on the endpoint. Endpoints are not just about the USB or the network share. They deal with many things, and we should be able to understand them. We should have different settings available on the endpoints about what should be allowed, what should not be allowed, off the network, on the network, etc. The endpoint needs some improvement. A major improvement is required in the solution's incident handling and alerting. It is a mess, and it cannot handle anything. I don't know what Microsoft is doing. It is really sad. It is a very good endpoint product but does not work as expected. If an email is detected, I have email evidence because it is going through the exchange. I can download the image, and the operations team can look into the kind of email sent and so on. The evidence is there for forensic purposes. Microsoft has given functionality for endpoints where anything violating the content on the endpoint should be uploaded to some storage location in Azure Cloud for evidence purposes, which does not work at all. Microsoft has provided it, but their technical team does not know how these things work, which is really sad. The solution's incident handling is pathetic. They have the compliance portal and security portal. You get alerts on both the compliance portal and the security portal. Having two different alerts on the security and compliance portals does not make sense. Incidents are not categorized properly. All the incidents are put together, which is really sad. It's not about detecting the data; it's more about handling it once it is detected. I know the data has been detected, but it is useless if I cannot figure it out or work on the incidents. The tool does not make sense to me. You would face some difficulties on the endpoint side. It is really difficult when you're working on the endpoints. Microsoft is not clear on how they want to portray this product.

It could cover more solutions and technologies. One of the challenges that we're facing now is how we can identify our critical information storage level, for example, via scanning or some other method.

The Endpoint DLP engine has a lot of delays. The just-in-time protection feature does not always work as expected, mainly when working with network files in a more classic environment.

I currently work in the financial domain, and we have very strict regulations from national banks and the group side. Domain-related improvements could be really useful for organizations and banks. For example, sensitive information types are the basic level of information protection, similar to the Purview model. We start with creating or duplicating sensitive insights and editing them. I am talking about more sensitive information types that align with European regulations, especially in the financial sector. Having more variety would be beneficial. All of the EU considers sensitive information types in finance, but we need more variety, especially as a Ukrainian company. We face a lack of attention to our region, despite having the same strict regulations as EU companies. One point of improvement is related to organization and language issues. For instance, we use different sensitive information types for France, the UK, and other countries where we have offices. Unfortunately, Microsoft doesn't support the Ukrainian language, unlike Chinese and Japanese languages, which have deeper layers of understanding of information. It would be helpful to add support for Ukrainian. However, I understand that we are essentially bilingual, using both English and Ukrainian in our companies, and we are a minority in terms of languages. Other solutions, like ERP systems, offer localization for Ukraine and have partnerships with companies. Microsoft 365 also supports the Ukrainian language from a user perspective. However, unfortunately, Defender and Azure lack deeper settings. They do not provide language options beyond the ones already available, so our language option is missing. Purview includes sensitive info types covering a wide range of languages and country specifications. For instance, it includes passport numbers for Ukraine, but we also need a sensitive input type for our tax numbers. Currently, there is no option for our tax numbers, which forces us to duplicate the data. In contrast, they include all sorts of options such as driver's license numbers and insurance policy numbers for EU companies. It would be beneficial to have those presets available for us as well.

A site can have different containers where you store data. We have always wanted to apply compliance, labels, and policies at the container level, rather than to an outer shell or at the site level. That is something we have been looking forward to and I believe Microsoft is already planning something like that.

The solution should provide better integration with other systems.

There is no AIP for Linux systems. That's a setback. Another thing it's lacking is libraries to work with Python. It has libraries for C# and C++, for example, but not for Python and, these days, Python is very useful. Power Automate can be improved as well. You can do plenty of things with it but it still doesn't do everything that you have in a full development language. It doesn't have that flexibility. I would also like more integrations in Power Automate. Because so many things are a premium with Power Automate, you cannot do everything. There are a bunch of integrations that you have to pay more to use. That's not very good.

I would like Microsoft Purview Data Loss Prevention to be on the source code or SQL databases. It is difficult to do classification and labeling when you have a third-party source code or a third-party Oracle database. It is seamless when it comes to Microsoft documents but is not so with third-party source codes. Microsoft needs to work on it a little bit more. Everybody wants information protection, but not all of them can afford the M365 license. I would like Purview to be a standalone product or solution.

VM people say you cannot use just one product; you need multiple products across the network and you have to deploy to the backups. The DLP could always be better. Overall, they should make their Hyper-V and the clustering more stable. VMware offers very good clustering, for example. Microsoft needs to improve a lot in terms of stability. Technical support is awful.

There is a lot of ambiguity when you are setting up labels, such as sensitive information labels. It is a little daunting at first if you don't have prior knowledge, and there is a little bit of a learning curve for setting up the labels. Some of the setup wizards could be more helpful from an AI perspective. They can streamline the setup through more AI technologies so that you don't have to jump through so many hoops and different menus and dropdowns. It would be useful to have a setup wizard that is more hands-off and engaging for setting up the information type labels. If you tell them this is what we're trying to protect, it should basically start to lead you down that path of best practices. Such a feature would be great.