Protect your Power BI instance using Microsoft Cloud App Security
In the last couple of years, Microsoft has demonstrated its extraordinary ability to turn vision into reality, as witnessed by Microsoft’s repeatedly being named as a Leader in Gartner’s Magic Quadrant, in both the security and business intelligence landscapes.
In the Microsoft Cloud App Security and Power BI teams (two of the named leaders in the Cloud Access Security Broker (CASB), and Analytics and BI markets, respectively), we have identified an opportunity to provide an even more comprehensive solution. By bringing these two technologies together, we provide security administrators the tools they need to safely onboard business users to a large cloud workload such as Power BI (which has become an even greater key service for businesses in “work-from-home” mode during the COVID-19 crisis), while enjoying peace of mind with respect to the threats and risks inherent in using cloud services.
Using Cloud App Security, it is possible to detect and control risky Power BI sessions as they occur, thus reducing the threat that arises when malicious actors try to access content and data.
This partnership, first publicly announced at the end of 2019, has continued to evolve and deepen. We’d like to take the opportunity here to recap the capabilities that currently exist and are available to organizations that (or might be do so in the future). Some of these capabilities you may have already tried; others have been launched just recently.
The capabilities covered in this article are:
- Set real-time controls to enforce risky user sessions in Power BI
- Investigate Power BI user activity with Cloud App Security activity log
- Create custom policies to alert on suspicious user activity in Power BI
- Work with Cloud App Security built-in anomaly detections
- Power BI admin role in Cloud App Security portal
Real-time controls
With Cloud App Security, organizations can monitor and control, in real time, risky Power BI sessions such as user access from unmanaged devices or infrequent locations. Security administrators can define policies to control user actions, such as downloading reports with sensitive information.
For example, if a user connects to Power BI from outside of their country, the session can be monitored by Cloud App Security’s real-time controls, and risky actions, such as downloading data tagged with a “Highly Confidential” sensitivity label, can be blocked immediately.
Additional resources
- Cloud App Security documentation: Work with real-time controls
- Power BI documentation: Work with real-time controls
Investigate Power BI user activity with the Cloud App Security activity log
The Cloud App Security activity log includes a large portion of the Power BI activity as captured in the Office 365 audit log, which contains information about all user and admin activities, as well as sensitivity label information for relevant activities such as apply, change, and remove label.
Cloud App Security brings you the following added value:
- Advanced filters for improved search and exploration of activities. For example, activity log filters can be used to look for all user “remove” activities where the sensitivity label Confidential is removed from Power BI reports and/or datasets.
- Quick actions that can be carried out as part of the activity investigation process.
Additional resources
Create custom policies to alert on suspicious user activity in Power BI
After you’ve investigated user activity, be it in the Office 365 audit log or in the Cloud App Security activity log, you probably have a good understanding of which, how, and by whom content is being accessed and modified.
The next step is to leverage Cloud App Security’s activity policy feature to define your own custom rules, to help you detect user behavior that deviates from the norm, and even possibly act upon it automatically, if it seems too dangerous.
Some examples of scenarios that can be detected using activity policies:
- Massive sensitivity label removal. For example: alert me when sensitivity labels are removed by a single user from 20 different reports in a time window shorter than 5 minutes.
- Encrypting sensitivity label downgrade. For example: alert me when a report that was with the ‘Highly confidential’ sensitivity label is now classified as ‘Public’.
- Sensitivity label change by an unauthorized user. For example: alert me when a user who is not a dataset owner applies, changes, or removes a sensitivity label.
- Massive download of content. For example: alert me when a single user performs more than 20 export operations in a time window shorter than 5 minutes.
- Unauthorized users are accessing confidential datasets. For example: alert me when someone outside a predefined security group is viewing an executive report.
Notes:
- The unique identifiers of sensitivity labels can be found using the informationProtectionLabel endpoint provided by Microsoft Information Protection REST APIs.
- The unique identifiers of Power BI artifacts can be found using Power BI REST APIs. See Get datasets or Get reports for examples.
Additional resources
Built-in anomaly detections
Cloud App Security's anomaly detection policies provide out-of-the-box user behavioral analytics and machine learning so that you are ready from the outset to run advanced threat detection across your cloud environment. When an anomaly detection policy identifies a suspicious behavior, it triggers a security alert. For example:
- Multiple Power BI report sharing: Alerts you when a user performs an unusual number of Power BI report sharing activities, compared to the learned baseline.
- Suspicious Power BI sharing: Alerts you when a potentially sensitive Power BI report is suspiciously shared outside of your organization.
- Impossible travel: This detection identifies by the same user (in a single or multiple sessions) originating from geographically distant locations within a time window shorter than the time it takes to travel from the first location to the second. This indicates that a different user is using the same credentials.
Additional resources
Power BI admin role in Cloud App Security portal
Cloud App Security provides an app-specific admin role that can be used to grant Power BI admins only the permissions they need to access Power BI-relevant data in the portal, such as alerts, users at risk, activity logs, and other Power BI-related information.
However, it doesn’t stop there; this role not only provides access to the information listed above - it can also be used to create custom policies and detections such as those presented earlier in this article.
Cloud App Security admins, you are encouraged to let Power BI admins in your organization into the Cloud App Security portal, to start and help securing the next cloud workload on your list.
Additional resources
- Learn how to create the Power BI admin role in the Cloud App Security portal – Manage admin roles
Learn more
- Power BI data protection documentation
- Cloud App Security documentation
- Cloud App Security on-demand webinars
- Discover and manage cloud app usage with Microsoft Cloud App Security
- Protect and control information with Microsoft Cloud App Security
- Detect threats and manage alerts with Microsoft Cloud App Security
- Automate alerts management with Microsoft Power Automate and Cloud App Security
Feedback
Let us know if you have any feedback or relevant use cases and requirements for this portion of Cloud App Security by emailing CASFeedback@microsoft.com and mention the Power BI integration.
To experience the benefits of full-featured CASB, sign up for a free trial—Microsoft Cloud App Security.
Follow us on LinkedIn as #CloudAppSecurity. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity on Twitter, and Microsoft Security on LinkedIn for the latest news and updates on cybersecurity.