Protect your Power BI instance using Microsoft Cloud App Security
In the last couple of years, Microsoft has demonstrated its extraordinary ability to turn vision into reality, as witnessed by Microsoft’s repeatedly being named as a Leader in Gartner’s Magic Quadrant, in both the security and business intelligence landscapes.
In the Microsoft Cloud App Security and Power BI teams (two of the named leaders in the Cloud Access Security Broker (CASB), and Analytics and BI markets, respectively), we have identified an opportunity to provide an even more comprehensive solution. By bringing these two technologies together, we provide security administrators the tools they need to safely onboard business users to a large cloud workload such as Power BI (which has become an even greater key service for businesses in “work-from-home” mode during the COVID-19 crisis), while enjoying peace of mind with respect to the threats and risks inherent in using cloud services.
Using Cloud App Security, it is possible to detect and control risky Power BI sessions as they occur, thus reducing the threat that arises when malicious actors try to access content and data.
This partnership, first publicly announced at the end of 2019, has continued to evolve and deepen. We’d like to take the opportunity here to recap the capabilities that currently exist and are available to organizations that (or might be do so in the future). Some of these capabilities you may have already tried; others have been launched just recently.
With Cloud App Security, organizations can monitor and control, in real time, risky Power BI sessions such as user access from unmanaged devices or infrequent locations. Security administrators can define policies to control user actions, such as downloading reports with sensitive information.
For example, if a user connects to Power BI from outside of their country, the session can be monitored by Cloud App Security’s real-time controls, and risky actions, such as downloading data tagged with a “Highly Confidential” sensitivity label, can be blocked immediately.
Figure 1: Cloud App Security real-time controls in Power BI service
Investigate Power BI user activity with the Cloud App Security activity log
The Cloud App Security activity log includes a large portion of the Power BI activity as captured in the Office 365 audit log, which contains information about all user and admin activities, as well as sensitivity label information for relevant activities such as apply, change, and remove label.
Cloud App Security brings you the following added value:
Advanced filters for improved search and exploration of activities. For example, activity log filters can be used to look for all user “remove” activities where the sensitivity label Confidential is removed from Power BI reports and/or datasets.
Quick actions that can be carried out as part of the activity investigation process.
Figure 2.1: Power BI audit events in Cloud App Security activity log
Create custom policies to alert on suspicious user activity in Power BI
After you’ve investigated user activity, be it in the Office 365 audit log or in the Cloud App Security activity log, you probably have a good understanding of which content is being accessed and modified, how, and by whom.
The next step is to leverage Cloud App Security’s activity policy feature to define your own custom rules, to help you detect user behavior that deviates from the norm, and even possibly act upon it automatically, if it seems too dangerous.
Some examples of scenarios that can be detected using activity policies:
Massive sensitivity label removal. For example: alert me when sensitivity labels are removed by a single user from 20 different reports in a time window shorter than 5 minutes.
Encrypting sensitivity label downgrade. For example: alert me when a report that had the ‘Highly confidential’ sensitivity label is now classified as ‘Public’.
Sensitivity label change by an unauthorized user. For example: alert me when a user who is not a dataset owner applies, changes, or removes a sensitivity label.
Massive download of content. For example: alert me when a single user performs more than 20 export operations in a time window shorter than 5 minutes.
Unauthorized users are accessing confidential datasets. For example: alert me when someone outside a predefined security group is viewing an executive report.
The unique identifiers of sensitivity labels can be found using the informationProtectionLabel endpoint provided by Microsoft Information Protection REST APIs.
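The two threshold scenarios above (label removal from 20 different reports, and more than 20 exports, each inside 5 minutes) reduce to a per-user sliding-window count. The following is an added example, not Cloud App Security's own policy engine or code from this article; the event fields (user, activity, report, time) and activity names are a constructed, simplified shape rather than the real audit log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # "a time window shorter than 5 minutes"

def burst_alerts(events, activity, min_count, distinct_field=None):
    """Return [(user, time)] each time a user reaches min_count matching events
    inside WINDOW; with distinct_field, count distinct values of that field."""
    recent = defaultdict(deque)  # user -> (time, value) pairs still in window
    firing = set()               # users already alerted for the current burst
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["activity"] != activity:
            continue
        user, now = ev["user"], ev["time"]
        q = recent[user]
        q.append((now, ev.get(distinct_field)))
        while now - q[0][0] >= WINDOW:  # keep spans strictly under 5 minutes
            q.popleft()
        count = len({v for _, v in q}) if distinct_field else len(q)
        if count >= min_count and user not in firing:
            firing.add(user)             # alert once per burst, not per event
            alerts.append((user, now))
        elif count < min_count:
            firing.discard(user)
    return alerts

def sample_events():
    """Constructed events; field and activity names are illustrative only."""
    t0 = datetime(2020, 6, 1, 9, 0, 0)
    def ev(user, activity, report, secs):
        return {"user": user, "activity": activity, "report": report,
                "time": t0 + timedelta(seconds=secs)}
    events = []
    events += [ev("alice", "label_removed", f"report-{i}", 10 * i) for i in range(20)]
    events += [ev("bob", "label_removed", "report-0", 5 * i) for i in range(25)]
    events += [ev("carol", "export", f"report-{i % 3}", 5 * i) for i in range(21)]
    events += [ev("dave", "export", "report-1", 20 * i) for i in range(21)]
    return events

def run_policies(events):
    return {
        "mass_label_removal": burst_alerts(events, "label_removed", 20, "report"),
        "mass_export": burst_alerts(events, "export", 21),  # "more than 20"
    }

if __name__ == "__main__":
    print(run_policies(sample_events()))
```

In the constructed data, bob removes the label from one report 25 times and dave spreads 21 exports over nearly seven minutes, so neither crosses a threshold; counting distinct reports and enforcing the window are what keep those two from alerting.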
Cloud App Security's anomaly detection policies provide out-of-the-box user behavioral analytics and machine learning so that you are ready from the outset to run advanced threat detection across your cloud environment. When an anomaly detection policy identifies a suspicious behavior, it triggers a security alert. For example:
Multiple Power BI report sharing: Alerts you when a user performs an unusual number of Power BI report sharing activities, compared to the learned baseline.
Suspicious Power BI sharing: Alerts you when a potentially sensitive Power BI report is suspiciously shared outside of your organization.
Impossible travel: This detection identifies activity by the same user (in a single or multiple sessions) originating from geographically distant locations within a time window shorter than the time it takes to travel from the first location to the second. This indicates that a different user is using the same credentials.
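The impossible travel check described above can be sketched as a speed test between consecutive sign-ins by the same user. This is an added example, not Cloud App Security's detection logic; the sign-in fields, the 900 km/h ceiling and the 100 km minimum distance are assumptions, and the sample sign-ins are constructed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=MAX_KMH, min_km=100.0):
    """Flag consecutive sign-ins by one user that imply a speed above max_kmh.
    Pairs closer than min_km are skipped to tolerate geolocation jitter."""
    last = {}   # user -> most recent sign-in seen so far
    hits = []
    for s in sorted(signins, key=lambda s: s["time"]):
        prev = last.get(s["user"])
        last[s["user"]] = s
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], s["lat"], s["lon"])
        hours = (s["time"] - prev["time"]).total_seconds() / 3600
        if km >= min_km and (hours == 0 or km / hours > max_kmh):
            hits.append((s["user"], prev["city"], s["city"], round(km)))
    return hits

def sample_signins():
    """Constructed sign-ins; coordinates are approximate city centres."""
    def s(user, city, lat, lon, hour, minute=0):
        return {"user": user, "city": city, "lat": lat, "lon": lon,
                "time": datetime(2020, 6, 1, hour, minute)}
    return [
        s("alice", "Seattle", 47.61, -122.33, 9),
        s("alice", "London", 51.51, -0.13, 10),    # ~7700 km in one hour
        s("bob", "Paris", 48.86, 2.35, 9),
        s("bob", "Berlin", 52.52, 13.40, 12),      # ~880 km in three hours
        s("carol", "Paris", 48.86, 2.35, 9),
        s("carol", "Paris", 48.90, 2.40, 9, 5),    # same city, geo-IP jitter
    ]

if __name__ == "__main__":
    print(impossible_travel(sample_signins()))
```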
Cloud App Security provides an app-specific admin role that can be used to grant Power BI admins only the permissions they need to access Power BI-relevant data in the portal, such as alerts, users at risk, activity logs, and other Power BI-related information.
However, it doesn’t stop there; this role not only provides access to the information listed above - it can also be used to create custom policies and detections such as those presented earlier in this article.
Cloud App Security admins, you are encouraged to let Power BI admins in your organization into the Cloud App Security portal, so they can start helping to secure the next cloud workload on your list.
Learn how to create the Power BI admin role in the Cloud App Security portal – Manage admin roles