Cloud App Security integration with Azure Information Protection
Last October I wrote a blog-post about Azure Information Protection and how to setup this. So we can use Azure Information Protection to secure documents. But if we have a document that is labeled with a secure or confidential label, it is possible that we do not want the user to share this outside the company. The question is can we detect this and possibly undo? The answer is YES we CAN.
In November there was an update of Azure Information Protection and Cloud App Security so that it has some integration. This two solutions are combined to “Extend control over your data to the cloud”. The announcement for this update was done by Dan Plastina in this blog. With the integration of Cloud App Security and Azure Information Protection it is now possible to secure your data when it leaves the company. In this blog post I will guide you through the configuration and show you the results of this integration.
The situation is as follow: A user creates a secure document, protected by Azure Information Protection, and shares this externally through a link. In this way there is no control over who has access to this document. Cloud App Security will disable this shared document, put it in quarantine and sends a message to the owner of the document.
Cloud App Security configuration
First we have to setup the Cloud App Security environment to get the information from Office365, OneDrive and SharePoint online. Go to the portal of Cloud App Security via https://portal.cloudappsecurity.com and logon with an user that has appropriate rights to configure the environment.After logon to the portal the following dashboard is shown.
Under the tab “Investigate” we can add another app. In the overview of all connected apps the current connected applications are showing up. You can see that OneDrive and SharePoint are connected. In this case we will use OneDrive to create and share a document.
We will now have to enable the integration of Azure Information Protection with Cloud App Security. This can be done by going to the settings menu and select General Settings.
In the Azure security connectors section we enable the option “Automatically scan new files for Azure Information Protection classifcation labels”. This will Cloud App Security scan all the files for classifcation labels of Information Protection.
After enabling the integration we can create policies. We have created a new policy that will check documents with an specific Azure Information Protection label. We’ve done this to go to “Control” and select “Policies”. After that we we’re able to create a new File Policy. We gave this policy the name “Files Shared – Block”. In this policy we create a filter based on two rules. First rule is “Access level” equals “Public, Public (Internet) and External”. Second rule is “Classification Label” equals “Secure Inovativ – Very Secure”.
When a file equals both rules what must Cloud App Security trigger as action? This is the second part of the policy. We configured for both OneDrive and SharePoint the same settings:
- Send policy match digest to file owner (a mail message will be send to the owner)
- Remove External Users (All shared members will be removed)
- Put in user quarantine (the document will be moved to a quarantine folder)
User in action
Let’s see this in action.
We’ve logged in with a user named “Donald Duck” and opened Microsoft Word 2016 to create a new document. This document will get the label “Secure Inovativ – Very Secure”. This label does only some visual markings and no Rights Management template is attached.
After the creation of the document we save it to OneDrive for Business with the name “This Secure Document”
The document is not shared so we share the document and create a link that we can distribute to any recipient.
After some time we received a mail message that say that there is a Security notification from Cloud App Security. There is a document called “This secure Document.docx” that is blocked by a policy called “Files Shared – Block”.
When we look in OneDrive there is created a placeholder for the document that says the document is in quarantine.
When opening the quarantine folder the document appears, but this document has an ID in front of the document name. Cloud App Security has placed the document in quarantine so the owner (me) can take action. Also the sharing link is removed from this document so any external user can’t access the document anymore.
Admin in Action
When logging in to the Cloud App Security Portal as an Admin we can see the status of the files we used in OneDrive. Therefore go to “Investigate” and select “Files”.
In this overview we see there are some markers at the file we created and shared publicly.
When clicking the document we can see that this document is labeled with an Azure Information Protection label and that the document matches with a policy (red marker) and that it is in quarantine (grey marker).
For further investigation we open the policy “Files Shared – Block”. When opening the policy, the first tab is showing us all files that are matching now. Here can we see that our document is matching with this rule and that it is put in quarantine.
When looking at the second tab called “History” we see that our document was matched with this policy and some minutes later it was unmatched. This is because Cloud App Security removes the public shared link and because of this the file does not matched anymore with the policy. This is only for the quarantined file.
In above picture we can see there where three actions taken. When clicking on the actions we can see that all actions defined in the policy are taken.
The three action where Send a mail to the owner, put the file in quarantine and remove the sharing options.
In this blogpost I’ve let you seen how the integration between Cloud App Security and Azure Information Protection can be used to secure your data when it is shared externally. There are many ways to use Cloud App Security with or without Azure Information Protection to secure your environment but this can help your organization to secure your data when it has been shared.
See you next time.