Azure Information Protection labels are designed to apply a classification, and (optionally) mark and encrypt the document based on the level of sensitive information it contains. Customers who mainly rely on cloud file repositories can leverage Azure Information Protection labels with Microsoft Cloud App Security integration in several major use cases:
In this article, we will cover the mentioned capabilities step by step with complete instructions on how to deploy them in your organization.
We recommend reviewing our blog “Cataloging your Sensitive Data with AIP, Even Before Configuring Labels!” to deploy the AIP scanner easily and learn which sensitive data is currently present in your organization. Once you have this information, configure the same sensitive information types in your MCAS policies so they detect and label documents that contain that data. Discovery of sensitive data should be the first step in taking control of your information.
Enable Azure Information Protection integration in Microsoft Cloud App Security.
AIP integration with MCAS must be enabled in advance, before configuring policies based on labels. In addition, MCAS can perform content inspection on AIP-protected files, but only after MCAS has been granted permission to do so. To enable both, browse to: https://portal.cloudappsecurity.com/#/settings/?section=securityConnectors
File policies capabilities with Azure Information Protection labels
File policies allow you to enforce a wide range of automated processes using the cloud provider’s APIs. Policies can be set to provide continuous compliance scans, legal eDiscovery tasks, DLP for sensitive content shared publicly, and many more use cases. Cloud App Security can monitor any file type based on more than 20 metadata filters (for example, access level or file type). The file types that support applying and inspecting Azure Information Protection labels are:
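To make the file-policy logic concrete, here is an added example (not code from the original post or from MCAS itself) that models one common policy: inspect file content for sensitive information types, restrict the match to files shared publicly or externally, and apply a label to unlabeled matches. The sample file records, their field names, and the single policy are constructed for this example; the credit card detector uses a regular expression plus a Luhn check, as the built-in sensitive information types do, so the second sample file (a 16-digit number that fails Luhn) is correctly ignored.

```python
import re

# Constructed sample file metadata. The field names are assumptions for this
# example and do not reflect the MCAS Files page schema.
SAMPLE_FILES = [
    {"name": "q3-customers.xlsx", "app": "OneDrive", "access_level": "Public",
     "label": None, "content": "card 4111 1111 1111 1111 on file"},
    {"name": "notes.txt", "app": "Salesforce", "access_level": "Internal",
     "label": None, "content": "lunch at 12, card 4111 1111 1111 1112"},  # fails Luhn
    {"name": "roadmap.docx", "app": "OneDrive", "access_level": "External",
     "label": "Confidential", "content": "ssn 123-45-6789 for the pilot user"},
    {"name": "readme.md", "app": "OneDrive", "access_level": "Private",
     "label": None, "content": "nothing sensitive here"},
]

# 13-16 digits, optionally separated by spaces or hyphens, then an SSN pattern.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which real credit card detectors use to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_types(text: str) -> set:
    """Return the set of sensitive information type names found in the text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.add("Credit Card Number")
    if SSN_RE.search(text):
        found.add("U.S. Social Security Number")
    return found


# A constructed file policy: sensitive content + public/external sharing -> label.
POLICY = {
    "name": "Label publicly shared files containing sensitive data",
    "sensitive_types": {"Credit Card Number", "U.S. Social Security Number"},
    "access_levels": {"Public", "External"},
    "apply_label": "Confidential",
}


def evaluate_file_policy(files, policy):
    """Return (file name, action, matched types) for every file the policy matches."""
    results = []
    for f in files:
        types = find_sensitive_types(f["content"])
        if not (types & policy["sensitive_types"]):
            continue                      # no sensitive content: policy does not apply
        if f["access_level"] not in policy["access_levels"]:
            continue                      # metadata filter (access level) not met
        if f["label"] is None:
            action = f"apply label {policy['apply_label']!r}"
        elif f["label"] == policy["apply_label"]:
            action = "already labeled; alert only"
        else:
            # Assumption of this model: an existing label is left untouched and
            # the file is raised for review rather than relabeled automatically.
            action = f"labeled {f['label']!r}; leave label, alert for review"
        results.append((f["name"], action, sorted(types)))
    return results


if __name__ == "__main__":
    for name, action, types in evaluate_file_policy(SAMPLE_FILES, POLICY):
        print(f"{name}: {action} ({', '.join(types)})")
```

Run it on the constructed sample and only the publicly shared spreadsheet gets a label; the externally shared document already carries the label and only raises an alert. Before relying on such a policy in MCAS, confirm in the portal how it treats files that already have a label, since that behaviour is configurable there.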
We will now review the options of what we can achieve by configuring file polices.
Session control capabilities with Azure Information Protection labels
MCAS session policies enable real-time session-level monitoring, affording you granular visibility into cloud apps and the ability to take different actions depending on the policy you set for a user session. With session control you can allow access while monitoring the session and/or limit specific session activities using the reverse proxy capabilities of Conditional Access App Control.
This capability goes hand in hand with the AIP integration, which you can leverage for the following main use cases:
For example, you can decide that from unmanaged devices, or for sessions coming from specific locations, you want to allow the user to access the app but also limit the download of sensitive files or require that certain documents be protected upon download.
As mentioned at the beginning of this blog, please verify the prerequisites for MCAS session control, starting with the license requirements, and create an Azure AD Conditional Access policy that routes the session to MCAS.
When a session policy is active, all traffic for that session is routed through MCAS so it can be monitored; the end user is notified when they sign in to the application, so they are aware that the session is being monitored.
We will now review the options of what we can achieve by configuring Session polices.
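The real-time decisions described above (allow but monitor, block a download, or protect a document on download, depending on device state, location, and the file's label) can be expressed as an ordered rule set. The following is an added example, not code from the original post or from MCAS, and its rule evaluation (first matching rule wins, unlabeled files sort below Public) is a simplified model rather than the product's own policy engine; the rule names, event fields, and label order are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed label order, lowest to highest sensitivity.
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}


@dataclass
class SessionRule:
    name: str
    action: str                          # "block_download" or "protect_on_download"
    device_state: Optional[str] = None   # "managed" / "unmanaged", None for any
    locations: Optional[set] = None      # named locations, None for any
    min_label: Optional[str] = None      # match files at this label or higher
    protect_with: Optional[str] = None   # label applied by protect_on_download

    def matches(self, event: dict) -> bool:
        if self.device_state and event["device_state"] != self.device_state:
            return False
        if self.locations and event["location"] not in self.locations:
            return False
        if self.min_label:
            # Unlabeled files rank below Public, so label-based rules never match them.
            file_rank = LABEL_RANK.get(event["label"], -1)
            if file_rank < LABEL_RANK[self.min_label]:
                return False
        return True


# Constructed rule set; evaluated top to bottom, first match wins in this model.
RULES = [
    SessionRule("Block Confidential+ downloads on unmanaged devices", "block_download",
                device_state="unmanaged", min_label="Confidential"),
    SessionRule("Block labeled downloads from untrusted locations", "block_download",
                locations={"untrusted"}, min_label="General"),
    SessionRule("Protect remaining downloads on unmanaged devices", "protect_on_download",
                device_state="unmanaged", protect_with="Confidential"),
]


def decide(event: dict, rules=RULES) -> tuple:
    """Return (action, rule name, label applied). Non-download activity is only monitored."""
    if event["activity"] != "download":
        return ("monitor", None, None)
    for rule in rules:
        if rule.matches(event):
            applied = rule.protect_with if rule.action == "protect_on_download" else None
            return (rule.action, rule.name, applied)
    return ("allow", None, None)


if __name__ == "__main__":
    # Constructed session events, shaped like the conditions a session policy sees.
    events = [
        {"device_state": "unmanaged", "location": "trusted", "label": "Confidential", "activity": "download"},
        {"device_state": "unmanaged", "location": "trusted", "label": None, "activity": "download"},
        {"device_state": "managed", "location": "untrusted", "label": "General", "activity": "download"},
        {"device_state": "managed", "location": "trusted", "label": "Highly Confidential", "activity": "download"},
        {"device_state": "unmanaged", "location": "trusted", "label": "Confidential", "activity": "view"},
    ]
    for e in events:
        print(e["device_state"], e["location"], e["label"], e["activity"], "->", decide(e))
```

The second event is the one worth noting: an unlabeled file downloaded from an unmanaged device is not blocked (no label-based rule matches it) but is protected with a label on the way out, which is the "require that certain documents be protected upon download" case. The order of the rules matters; a block rule placed after the protect rule would never fire for unmanaged devices.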
Investigate files stored in connected apps with AIP labels.
To provide data protection, Microsoft Cloud App Security gives you visibility into all the files from your connected apps. After you connect Microsoft Cloud App Security to an app using the app connector, Microsoft Cloud App Security scans all the files in that app, for example all the files stored in OneDrive and Salesforce. You can also use the Files page to filter files and investigate what kind of data is saved in your cloud apps. The Files page provides two main functions related to Azure Information Protection:
We will start reviewing the Files page by locating confidential files.
This shows a list of unlabeled files in your connected apps. From here, you can apply a label to one of them manually, or perform bulk classification by creating a new file policy that uses this same filter.
Azure Information Protection is fully integrated with Microsoft Cloud App Security: you can view labels, and apply them automatically or manually, on connected Office 365 applications as well as on non-Microsoft connected apps. This integration provides consistent control and visibility over your company-owned sensitive documents, including those stored in the cloud.
The Information Protection Customer Experience Engineering Team