
Cloud App Security integration with Azure Information Protection

Last October I wrote a blog post about Azure Information Protection and how to set it up. We can use Azure Information Protection to secure documents. But if a document is labeled with a secure or confidential label, we may not want the user to share it outside the company. The question is: can we detect this and possibly undo it? The answer is YES we CAN.

In November there was an update of Azure Information Protection and Cloud App Security that added some integration between them. These two solutions are combined to “Extend control over your data to the cloud”. The announcement for this update was made by Dan Plastina in this blog post. With the integration of Cloud App Security and Azure Information Protection it is now possible to secure your data when it leaves the company. In this blog post I will guide you through the configuration and show you the results of this integration.

The situation is as follows: a user creates a secure document, protected by Azure Information Protection, and shares it externally through a link. In this way there is no control over who has access to the document. Cloud App Security will disable this shared document, put it in quarantine and send a message to the owner of the document.

Cloud App Security configuration

First we have to set up the Cloud App Security environment to get the information from Office 365, OneDrive and SharePoint Online. Go to the Cloud App Security portal via https://portal.cloudappsecurity.com and log on with a user that has appropriate rights to configure the environment. After logging on to the portal, the following dashboard is shown.

Under the “Investigate” tab we can add another app. The overview of connected apps shows the currently connected applications. You can see that OneDrive and SharePoint are connected. In this case we will use OneDrive to create and share a document.

We will now have to enable the integration of Azure Information Protection with Cloud App Security. This can be done by going to the settings menu and selecting General Settings.

In the Azure security connectors section we enable the option “Automatically scan new files for Azure Information Protection classification labels”. This makes Cloud App Security scan all files for Azure Information Protection classification labels.

After enabling the integration we can create policies. We have created a new policy that will check documents with a specific Azure Information Protection label. We did this by going to “Control” and selecting “Policies”. After that we were able to create a new File Policy. We gave this policy the name “Files Shared – Block”. In this policy we create a filter based on two rules. The first rule is “Access level” equals “Public, Public (Internet) and External”. The second rule is “Classification Label” equals “Secure Inovativ – Very Secure”.

When a file matches both rules, what action must Cloud App Security take? This is the second part of the policy. We configured the same settings for both OneDrive and SharePoint:

  • Send policy match digest to file owner (a mail message will be sent to the owner)
  • Remove External Users (All shared members will be removed)
  • Put in user quarantine (the document will be moved to a quarantine folder)

User in action

Let’s see this in action.

We’ve logged in with a user named “Donald Duck” and opened Microsoft Word 2016 to create a new document. This document will get the label “Secure Inovativ – Very Secure”. This label only applies visual markings; no Rights Management template is attached.

After the creation of the document we save it to OneDrive for Business with the name “This Secure Document”.

The document is not shared yet, so we share the document and create a link that we can distribute to any recipient.

The document is now marked as shared in OneDrive.

After some time we received a mail message saying that there is a security notification from Cloud App Security. A document called “This secure Document.docx” has been blocked by a policy called “Files Shared – Block”.

When we look in OneDrive, a placeholder has been created for the document that says the document is in quarantine.

When opening the quarantine folder the document appears, but with an ID in front of the document name. Cloud App Security has placed the document in quarantine so the owner (me) can take action. The sharing link is also removed from this document, so no external user can access the document anymore.

Admin in Action

When logging in to the Cloud App Security portal as an admin we can see the status of the files we used in OneDrive. To do so, go to “Investigate” and select “Files”.

In this overview we see that there are some markers on the file we created and shared publicly.

When clicking the document we can see that it is labeled with an Azure Information Protection label, that it matches a policy (red marker) and that it is in quarantine (grey marker).

For further investigation we open the policy “Files Shared – Block”. When opening the policy, the first tab shows all files that currently match. Here we can see that our document matches this rule and that it has been put in quarantine.

When looking at the second tab, called “History”, we see that our document was matched with this policy and some minutes later it was unmatched. This is because Cloud App Security removes the publicly shared link, after which the file no longer matches the policy. This applies only to the quarantined file.

In the above picture we can see that three actions were taken. When clicking on the actions we can see that all actions defined in the policy were carried out.

The three actions were: send a mail to the owner, put the file in quarantine and remove the sharing options.
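To make the policy logic and the “matched, then unmatched” history concrete, here is an added Python model of the “Files Shared – Block” policy described above; it is example code written for this post, not Cloud App Security’s own implementation. The access levels, label name and three actions come from the policy as configured; the file fields and the order in which the actions run are assumptions.

```python
from dataclasses import dataclass, field

# Filter rules of the policy as configured in the portal (from the post).
PUBLIC_ACCESS = {"Public", "Public (Internet)", "External"}
TARGET_LABEL = "Secure Inovativ – Very Secure"


@dataclass
class CloudFile:
    """Constructed model of a OneDrive file as Cloud App Security sees it."""
    name: str
    owner: str
    label: str
    access_level: str                      # e.g. "Private", "External", "Public (Internet)"
    external_users: list = field(default_factory=list)
    quarantined: bool = False
    history: list = field(default_factory=list)        # policy match log, like the History tab
    notifications: list = field(default_factory=list)  # digests sent to the owner


def matches_policy(f: CloudFile) -> bool:
    """Both rules must hold: shared beyond the tenant AND carrying the target label."""
    return f.access_level in PUBLIC_ACCESS and f.label == TARGET_LABEL


def apply_actions(f: CloudFile) -> list:
    """The three governance actions from the policy; the ordering is assumed."""
    f.notifications.append(f"Policy match digest to {f.owner}: {f.name}")
    f.external_users.clear()          # "Remove External Users"
    f.access_level = "Private"        # the sharing link is gone
    f.quarantined = True              # "Put in user quarantine"
    return ["send_digest", "remove_external_users", "user_quarantine"]


def evaluate(f: CloudFile) -> list:
    """One scan cycle: record the match, remediate, then re-scan.
    The re-scan is what produces the 'unmatched' entry in the History tab:
    the share was removed, so the access-level rule no longer holds."""
    if not matches_policy(f):
        f.history.append("no match")
        return []
    f.history.append("matched")
    actions = apply_actions(f)
    f.history.append("matched" if matches_policy(f) else "unmatched")
    return actions
```

Note that the quarantine flag stays set after the file unmatches, which is why the grey quarantine marker remains while the red policy-match marker disappears.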

Conclusion

In this blog post I’ve shown you how the integration between Cloud App Security and Azure Information Protection can be used to secure your data when it is shared externally. There are many ways to use Cloud App Security, with or without Azure Information Protection, to secure your environment, but this one can help your organization secure your data once it has been shared.

See you next time.


Sources

https://docs.microsoft.com/en-us/cloud-app-security/azip-integration

https://blogs.technet.microsoft.com/enterprisemobility/2016/11/07/azure-information-protection-and-cloud-app-security-integration-extend-control-over-your-data-to-the-cloud/


First Experience with Azure Information Protection

Last week I had the pleasure of gaining some experience with Azure Information Protection (Azure IP). Azure IP is now in Public Preview, as Dan Plastina announced in his blog. Azure IP is based on two technologies: Azure Rights Management Service (Azure RMS) and the acquisition of Secure Islands. With the acquisition of Secure Islands it is now possible to work with classification labels. By combining these two technologies in Azure IP, Microsoft is doing a great job, because the user experience is much better. So how can we set up and use Azure Information Protection?

Requirements

Before we start configuring Azure Information Protection, there are some requirements:

  • A cloud subscription that includes Azure RMS
  • Azure AD directory
  • Client devices (with minimum .NET Framework version 4.6.5)
    • Windows 10 (x86, x64)
    • Windows 8.1 (x86, x64)
    • Windows 8 (x86, x64)
    • Windows 7 Service Pack 1 (x86, x64)
  • Applications in the following Office Suites support labeling (Word, Excel, PowerPoint and Outlook)
    • Office 2016
    • Office 2013 with Service Pack 1
    • Office 2010

More information can be found on the Microsoft site.

Configuring Azure Rights Management

First we have to configure Azure RMS with the right templates. These templates can be used in Azure Information Protection. Go to the old Azure AD portal and select Active Directory; Rights Management can then be opened to configure the templates. I’ve created a few templates for different uses. These templates will be used later on.

RMS Templates

Configuring Azure Information Protection

In the Azure Portal the option for Azure Information Protection can be added. Once this has been done it can be configured. The first view is an overview of all classification labels. These labels can be enabled, disabled, edited or deleted. On this page it is also possible to require that all documents have a label, to set the default classification label, and to require a justification when lowering the classification label.

Azure IP Config

When creating or editing a classification label, the label can be enabled. A name must be provided and a tooltip can be provided. On this page a visual marking can also be enabled: a header, footer or watermark can be configured.

Azure IP Templates 1

In the classification label an Azure RMS or AD RMS template can be used. This RMS template will be applied when the classification label is selected.

Azure IP Templates 2

Automatic classification rules can be created.

Azure IP Templates 3

The classification label can be applied automatically or it can be recommended to the user.

Azure IP Templates 4

After this setup the classification labels in Azure Information Protection can be used on the clients. So let’s see how we can use them.

User Experience

First install the Azure Information Protection software. This can be downloaded here. Download and start the installation. The installation is really straightforward: install, next and finish.

Azure IP Software 1, Azure IP Software 2, Azure IP Software 3

After this we can open Word, for example. When we open it we see a new toolbar appearing under the ribbon.

Azure IP Usage 1

In this toolbar it is possible to classify the document. By default the document is classified as “Personal” and can be shared with everyone.

Financial information can also be detected. When financial information is in the document and the document is saved, a new classification label, and with it a watermark, is applied.

Azure IP Usage 2

When lowering the classification label, a window appears in which a reason must be given.

Azure IP Usage 3
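The two client-side behaviours just described, automatic (or recommended) labeling when financial information is detected on save and a mandatory justification when lowering a label, as an added Python illustration; this is example code written for this post, not the Azure Information Protection client. The label order, the use of a Luhn-valid card number as the “financial information” condition and the function names are all assumptions for the example.

```python
import re

# Constructed label order, least to most sensitive. "Personal" is the default
# label named in the post; the other names are assumed for this example.
LABELS = ["Personal", "Public", "Internal", "Confidential", "Secret"]
FINANCIAL_LABEL = "Confidential"

# 16 digits, optionally separated by spaces or dashes (constructed pattern).
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary 16-digit numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_financial_info(text: str) -> bool:
    """Condition of the automatic rule: at least one Luhn-valid card number."""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text))


def classify_on_save(text: str, current: str, mode: str = "automatic") -> tuple:
    """Returns (label after save, recommendation shown to the user or None).
    'automatic' applies the label; 'recommended' only suggests it. A label that
    is already at least as sensitive is never lowered by the rule."""
    if not contains_financial_info(text) or LABELS.index(current) >= LABELS.index(FINANCIAL_LABEL):
        return current, None
    if mode == "automatic":
        return FINANCIAL_LABEL, None
    return current, FINANCIAL_LABEL


def requires_justification(current: str, new: str) -> bool:
    """The portal setting: lowering the classification needs a reason, raising does not."""
    return LABELS.index(new) < LABELS.index(current)


def change_label(current: str, new: str, justification: str = "") -> str:
    """Manual label change from the toolbar; refuses a downgrade without a reason."""
    if requires_justification(current, new) and not justification.strip():
        raise ValueError("justification required when lowering the classification label")
    return new
```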

Licensing

Azure Information Protection licenses will be available in Q4 of 2016. There will be a standalone license, and Azure IP will also be part of the Enterprise Mobility Suite (EMS). Azure IP is available in two licenses, namely P1 and P2. P1 is the Azure RMS license as we know it today, with manual classification and labeling from the acquisition of Secure Islands; the P2 license covers everything in the P1 license plus automatic classification and labeling.

Azure IP license

The Enterprise Mobility Suite is also divided into two separate licenses. The EMS E3 license is the current EMS license as we know it today. The EMS E5 license will be the current EMS license with some new additions for security.

Conclusion

In this post I gave an overview of Azure Information Protection. Microsoft has done a great job by integrating Azure RMS and the technology of Secure Islands with each other in Azure IP. With this new product documents can be secured against unauthorized access, and with a great user experience. It’s really easy to change the classification of documents. In the near future this technology will be more and more widely adopted, so be prepared.