Introduction

Email is a common medium through which sensitive information is shared. Egnyte offers an Exchange Online connector to find sensitive content in emails and attachments.

You can add Exchange Online as a source to find sensitive data in emails and attachments. Customers will be able to see email threads with any sensitive emails or attachments based on built-in or custom classification policies they have enabled in Secure & Govern.

 

How to add Exchange Online as a source

To add Exchange Online as a source, follow the steps below:

  1. To start, you need to ensure the Exchange Online admin account you are using has impersonate rights. Follow the steps below (see screenshot for reference) to set this up:
    a. Open the Exchange Admin center and click on the permissions option.
    b. Go to the admin roles tab
    c. Choose the '+' option to add a new admin role (you may also edit an existing role).
    d. In the role details, add the ApplicationImpersonation role.
    e. Add the admin user you will use to authorize Exchange Online classification as a member and save. You are now ready to add Exchange Online as a source for content classification.

    admin.png

  2. In Egnyte Secure & Govern, go to Settings > Content Sources. If you haven't already added Microsoft/Office 365 as a source, go to step 3. Otherwise, go to step 4.

  3. Choose the option to add a new cloud content source and select the Microsoft option. You will see the option to add Exchange Online as an additional step during the setup process (use the account given ApplicationImpersonation privileges from step 1). You will be asked to assign privileges for our application to read email content from all users.

    Congratulations - you've successfully added Microsoft/Office 365 with Exchange Online as a source.

  4. Open the source details for your existing Microsoft source. You will see the option to Configure Exchange Online, which appears as a sub-source in addition to OneDrive and SharePoint Online. Ensure you use the account which was given ApplicationImpersonation privileges from step 1.

    configure.png

    Congratulations - you've successfully added Exchange Online as a source.

Sensitive Content in Emails

After adding Exchange Online as a Content source, you can see emails and matches that meet enabled classification criteria from the Sensitive Content tab in Secure & Govern.

Sensitive emails appear under a new source with the label you specified during setup. Sensitive matches are grouped by the thread they appear in and a folder denoting the month that the first message in the thread was sent. Threads incorporate all the messages, replies, and forwards that stem from a single email.

threads.png
Sensitive threads are grouped by the month in which they were started in the Sensitive Content view.

When you open a thread, you will see one or more emails that contain sensitive content in that thread. An email is considered sensitive if there is sensitive information within the body of the email or any attachments. When viewing sensitive matches for emails, results are split across an 'Email' and 'Attachments' tab.

results.png
Sensitive content is found within an email's content and attachments

 

Notable Behaviors and Limitations

  • Proactive whitelisting is not yet supported for email sources. However, you can whitelist policies for specific threads from the Sensitive Content View.
  • You cannot exclude a subset of email addresses from classification from Secure & Govern. All emails that can be read using the access level provided by the admin account are classified.
  • Only Secure & Govern admins may view Sensitive matches for emails - this will soon extend to non-admin users with the role-based privilege to see all sensitive content results.
  • For policies which detect email addresses (eg. GDPR), email addresses are not considered sensitive if they appear within an email body to avoid triggering every email as a policy match. However, email addresses within attachments are considered sensitive and will trigger a policy match.
  • When running a Subject Access Request and using email as an identifier, you may see email results in cases where the email address appears in from, to, cc, or bcc headers.