Rabobank balances the books: Optimal privacy and safety with Microsoft Purview Data Loss Prevention

Rabobank never forgets its deep agricultural roots. Ledgers and balance sheets aren’t its reason for existence—the cooperative bank is dedicated to creating a future-proof society. That means supporting the people who produce the world’s food with crucial sustainability data, research, and funds. Protecting data confidentiality for 8.9 million private and corporate customers around the world is no small feat, but Rabobank approaches its commitment proactively, safeguarding against data loss with Microsoft Purview Data Loss Prevention. The bank’s Office 365 security team works with Rabobank regional security officers to define and deploy data policies that help keep data safe while making it easy for employees to access everything they need.

Avoiding data loss for a workforce beyond the perimeter

Even before recent societal and workplace changes affected many organizations’ physical boundaries, Rabobank had a large and complex environment. The bank has around 40,000 employees, about 10,000 of whom work in 23 countries outside of the Netherlands where it’s based, so Rabobank must comply with a matrix of sometimes overlapping regulations, global and regional company policies, and business requirements. Jacob Kralt, Product Owner for Office 365 Compliance at Rabobank, faces the challenge of keeping everyone productive while safeguarding data. That challenge was tougher when the bank used an on-premises Symantec data loss prevention (DLP) solution for endpoint management.

The previous solution was oriented to siloed rule sets; it assessed data in terms of a given department, making it difficult for a multinational organization like Rabobank to maintain rules across multiple areas. ”One of our significant issues is how to stay current with policies that change frequently across multiple regions,” says Edo Immink, IT Lead for Office 365 at Rabobank. “Our previous solution was so specific to each region that it became very difficult to maintain.” Struggling against a restrictive system to roll out timely, relevant DLP policies became more than just an inconvenience. “Overcomplicating DLP rules is a risk in itself,” explains Kralt. “Without a clear view of the organization’s DLP policies and rules, confusion sets in and it’s easy to lose control of the global picture.” And without that global view, Kralt’s team was prone to unwelcome interruptions. “A complicated rule set in an aging infrastructure is subject to breaking at various points,” he adds. “That meant people would have to drop other priorities and rush in to fix things.”

The move to Microsoft Purview Data Loss Prevention helped the bank address the changing needs of its workforce, including an increasing reliance on mobile devices, which its Symantec solution didn’t cover. “In the Microsoft world, the scope of data protection is defined by the people using the data,” says Kralt.

Agility is key to employee productivity—and to data security for Rabobank. “We wanted to take the most agile approach possible,” says Immink. “That meant reducing our overall number of DLP policies while still giving regions the options they need to best protect their data.” The bank had already embarked on a cloud-first strategy, and in late 2020, it decided to make the most of its Microsoft 365 E5 license and roll out Microsoft Purview Data Loss Prevention, a DLP solution with built-in controls. Companies rely on Microsoft Purview Data Loss Prevention to better control sensitive information across endpoints and applications, including Office 365, SharePoint, OneDrive for Business, Exchange Online, and Microsoft Teams. This connection across Microsoft productivity apps, which the Symantec solution doesn’t address, makes it easy to manage data policies from one place: the Microsoft Purview compliance portal.

Rolling out to a global workforce systematically

Rabobank was concerned about the potential for data leaving internal security confines via any of three channels: USB drives, browsers, and printers. Newly available in 2020, Microsoft Purview Data Loss Prevention was the cloud-based solution Kralt and Immink had sought. And given the difficulty in finding qualified engineers and data security professionals for their five-person Office 365 Messaging, Security, and Compliance team, productivity is essential.

The team helps security officers define DLP policies in all the regions where Rabobank operates. The bank convened a Global DLP Use Case Board where security and compliance officers from each country define their business needs. In preparation for the deployment, the Office 365 Compliance team contacted stakeholders country by country, helping them refine DLP rules. Team members tested each rule to ensure that it worked as specified, then had stakeholders follow a more detailed test cycle to refine parameters as necessary.

Kralt describes the care taken to maintain employee privacy while preventing data loss. Local security officers conduct an impact analysis to make sure that policies aren’t so broad that they cause a large volume of harmless emails—like employees’ personal exchanges with a doctor’s office or other external service—to routinely undergo scrutiny. “Preserving employee privacy is as vital as minimizing interruption to the business,” states Kralt. “And although designing policies that perfectly balance privacy and security is challenging, we use the interface in Microsoft Purview Data Loss Prevention to make it easier to define and apply them.”

In the background, the team tracked and coordinated the rollback of Symantec DLP rules with the activation of Microsoft Purview Data Loss Prevention rules to ensure a smooth experience for employees. With a focused communication plan concentrating on employees who had sparked DLP alerts in the past, the team kept appropriate employees and stakeholders up to date about the rollout without sending a deluge of information. Now completely in the cloud, Rabobank has migrated completely from the Symantec solution to Microsoft Purview Data Loss Prevention.

The thoughtfully organized approach paid off. “When you deploy in a large global organization, you should be careful about how soon you celebrate,” says Kralt. “But after several weeks without incident, we knew that we’d accomplished a successful rollout.”

Harvesting the pluses of a connected environment

Kralt appreciates the connected nature of Microsoft solutions for many reasons. “Our employees get in-app DLP notifications within their Microsoft 365 applications, which helps reduce risk and improves their experience,” he says. And Rabobank IT and cybersecurity teams work more effectively and efficiently by taking advantage of Microsoft Security solutions built to work across the Microsoft environment, such as the Microsoft Sentinel security information and event management (SIEM) system, which makes detecting, investigating, and responding to threats faster and easier. “We’ve found that Microsoft gets closer to the data than any other vendor,” explains Kralt. “We benefit from getting our business apps, security, and DLP tooling from the same source because they all work together seamlessly. By combining Microsoft Sentinel with Microsoft Purview Data Loss Prevention and the Microsoft 365 platform, we have a holistic view of our ecosystem and can manage it more easily.”

He and Immink appreciate the productivity that their small team gained by adopting Microsoft Purview Data Loss Prevention and minimizing maintenance. “Now that we don’t have to expend time and effort on keeping an on-premises environment functioning and deploying agents to devices, we can focus on creating real value out of our configuration,” says Kralt. “We concentrate on process improvement and preventing data loss.”

Immink adds, “Moving from Symantec to Microsoft Purview Data Loss Prevention was an important step forward for us. Now we’re able to offer the tools that our business-side colleagues need to control the data that’s ultimately their responsibility. We’re making it easier for them.”

Rabobank is pleased with its increased agility. “We’re super glad to be in the cloud with Microsoft technologies,” concludes Kralt. “I think of it as cloud surfing—you wait for the right wave to come in, and when it does, you jump on it. That’s exactly what we’ve done with Microsoft Purview Data Loss Prevention, and it’s a good place to be.”

Find out more about Rabobank on YouTube, Twitter, Facebook, and LinkedIn.