The second blog in our series helps shed light on when to use Microsoft Defender for Cloud Apps and Microsoft Purview to protect your data. The first blog, on how to define a use case, established important fundamentals for the rest of the series.
Today, we will review common scenarios and methods for protecting different data types. We will also provide context on the different data types, because this is a key component in how Microsoft and the industry view compliance.
What type of data do you want to protect?
The type of data an organization wishes to protect is the next critical component of defining a use case. The data loss prevention (DLP) policies in Defender for Cloud Apps and Purview are designed to protect data in different stages. When you align the data type to the right use case, you will generally see a better outcome.
Data in use
Data in use refers to data that is being actively worked on at a given point in time, for example an end user who has a document open in Microsoft Word or Microsoft Excel on their desktop. Data in use can also refer to files that are actively open in SaaS apps such as Word Online, Excel Online, or even non-Microsoft apps (Box, Dropbox, etc.).
For Microsoft apps, it is common to protect data in use, such as files or emails, with a sensitivity label applied via an auto-labeling policy in Purview. The label can be applied automatically, or recommended to the user, based on the content of the file.
Defender for Cloud Apps can help protect data in use for non-Microsoft applications through file policies and near real-time file scanning.
Common data in use scenarios
| Use Case | Data Type | Solution |
| --- | --- | --- |
| Automatically apply a default label to all Microsoft Office documents | Data in use | |
| Automatically apply a sensitivity label to all Microsoft Office documents containing sensitive information types | Data in use | Client-side auto-labeling in Purview with a sensitive information type defined in the label |
| Automatically apply a label to Office documents stored in non-Microsoft SaaS apps with near real-time scan | Data in use | Defender for Cloud Apps file policy scoped to non-Microsoft SaaS app and Office file extensions |
| Automatically apply governance actions (quarantine, trash, remove links) to documents stored in Office or non-Microsoft SaaS apps with near real-time scan | Data in use | |
Data in motion
Data moving between different boundaries is considered "in motion." For instance, when a user has accessed a document library in SharePoint Online and downloads the file to their mobile device, the document now exists in multiple locations. This also applies when data moves in the opposite direction, from an endpoint to SharePoint Online, or between different SharePoint sites. For files that carry a sensitivity label, keep in mind that the label travels with the file wherever it goes. Since the label travels with the file, any permissions defined as part of the label will also travel with the file.
Session policies in Defender for Cloud Apps allow you to selectively decide which actions to take based on file content, specific to web applications. If an organization is using a Chromium-based browser, it is possible to install a site as an app as a workaround and block access to native client apps. Session policies can apply to both managed and unmanaged devices, while Endpoint DLP can enforce strong controls on managed devices.
Site and group container labels with app enforced restrictions allow you to globally block downloading of files, sharing, and OneDrive client synchronization for all unmanaged devices.
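The container-label setting described above, as an added example that is not code from the original post: it uses the Security & Compliance PowerShell cmdlets and assumes an existing label named "Confidential" that is already published.

```powershell
# Added example (not from the original post). Assumes a Security & Compliance
# PowerShell session (Connect-IPPSSession) and an existing, published
# sensitivity label named "Confidential" (assumed name).
# The unmanaged-device setting relies on app enforced restrictions, so an
# Azure AD Conditional Access policy with "Use app enforced restrictions"
# for Office 365 SharePoint Online must also be in place.

# Turn on site/group container protection for the label and restrict
# unmanaged devices to web-only access: no download, print, or OneDrive
# sync from any site or team the label is applied to.
Set-Label -Identity "Confidential" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteAndGroupProtectionAllowLimitedAccess $true

# Stronger variant for the most sensitive containers: block unmanaged
# devices entirely instead of allowing web-only access.
# Set-Label -Identity "Highly Confidential" `
#     -SiteAndGroupProtectionEnabled $true `
#     -SiteAndGroupProtectionBlockAccess $true

# Verify what the label now enforces before publishing any change.
Get-Label -Identity "Confidential" | Format-List Name, ContentType, Settings
```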
Common data in motion scenarios
| Use Case | Data Type | Solution |
| --- | --- | --- |
| Block downloads, copy, and print to non-Microsoft SaaS applications in a browser | Data in motion | Defender for Cloud Apps session policy with download controls |
| | Data in motion | |
| Block download, print, and sync to SharePoint and OneDrive on unmanaged devices | Data in motion | |
| Block uploads to Office or non-Microsoft SaaS applications | Data in motion | |
| Apply a label on downloads from non-Microsoft SaaS apps in a browser session | Data in motion | Defender for Cloud Apps session policy with download and protect controls |
Data at rest
Once a file has been saved and closed, the file is stored at rest on a disk. This could be on an end user's PC, within a network file share, or in a SaaS app in the cloud. Because data can exist for long periods at rest, it might be subject to retention requirements, which govern how long content is maintained or whether it is deleted in certain scenarios.
Auto-labeling policies for SharePoint, OneDrive, and Exchange can be used to apply a sensitivity label to files containing sensitive content that already exist in Microsoft workloads. It's important to note that in this scenario the files must contain sensitive content to match.
Purview DLP policies for SharePoint and OneDrive give the ability to remove external access to files containing sensitive content, along with user notification of prohibited actions.
File policies in Defender for Cloud Apps can be used to label files in SharePoint Online, PDF files, or files in third-party workloads. These policies can also remove shared links, quarantine, or delete files.
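The two Purview data-at-rest controls above (service-side auto-labeling for SharePoint and OneDrive, and a DLP policy that removes external access), as an added example that is not code from the original post; the label name "Confidential", the policy names, and the sensitive information type are assumed for illustration.

```powershell
# Added example (not from the original post). Assumes a Security & Compliance
# PowerShell session (Connect-IPPSSession) and an existing sensitivity label
# named "Confidential" (assumed name). Policy names and the "Credit Card
# Number" sensitive information type are constructed for illustration.

# 1) Data at rest: service-side auto-labeling for files that already exist
#    in SharePoint Online and OneDrive. Only files matching the sensitive
#    information type get the label. Start in simulation mode.
New-AutoSensitivityLabelPolicy -Name "AutoLabel-CreditCard-SPO" `
    -ApplySensitivityLabel "Confidential" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

New-AutoSensitivityLabelRule -Policy "AutoLabel-CreditCard-SPO" `
    -Name "CreditCard-3plus" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "3" } `
    -Workload SharePoint, OneDriveForBusiness

# 2) Data at rest: DLP policy that removes anonymous/external access to
#    matching files and tells the last modifier why. Also starts in test mode.
New-DlpCompliancePolicy -Name "DLP-CreditCard-SPO-External" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Policy "DLP-CreditCard-SPO-External" `
    -Name "Block-External-Sharing-CreditCard" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerAnonymousUser `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "This file contains payment card data and cannot be shared externally."

# Confirm both policies exist in test mode before enforcing them.
Get-AutoSensitivityLabelPolicy -Identity "AutoLabel-CreditCard-SPO" |
    Format-List Name, Mode, SharePointLocation, OneDriveLocation
Get-DlpCompliancePolicy -Identity "DLP-CreditCard-SPO-External" |
    Format-List Name, Mode

# Once simulation results look right, switch each policy to Enable:
# Set-AutoSensitivityLabelPolicy -Identity "AutoLabel-CreditCard-SPO" -Mode Enable
# Set-DlpCompliancePolicy -Identity "DLP-CreditCard-SPO-External" -Mode Enable
```

Review the simulation hits in the Purview portal before enabling; an over-broad sensitive information type will label or block more files than intended.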
Common data at rest scenarios
| Use Case | Data Type | Solution |
| --- | --- | --- |
| Automatically apply a label to Office documents containing sensitive information types in SharePoint Online and OneDrive | Data at rest | |
| Automatically apply a label to PDF documents stored in SharePoint Online and OneDrive | Data at rest | |
| Automatically apply a label only to a specific folder within SharePoint Online | Data at rest | Defender for Cloud Apps file policy scoped to a folder using the "apply to" filter |
| Automatically apply a label to PDF files in Office 365 | Data at rest | Defender for Cloud Apps file policy scoped to the PDF extension |
| Automatically apply a label to Office documents stored in non-Microsoft SaaS apps with at-rest scan | Data at rest | Defender for Cloud Apps file policy scoped to non-Microsoft SaaS app and Office file extensions |
| Automatically apply governance actions (quarantine, trash, remove links) to documents stored in Office or non-Microsoft SaaS apps with backlog scan | Data at rest | |
Conclusion
It's important to understand which data types you want to protect in order to create the appropriate policy. Organizations often find that, depending on the scenario, a use case can be satisfied by either Purview or Defender for Cloud Apps. Both services provide protection and help an organization cover all their bases across different use cases.
Keep on the lookout for the final article in our series which will discuss best practices for creating policies in Defender for Cloud Apps.
As always, we would love to hear your feedback. Have questions on specific scenarios that aren’t mentioned here, or would you like to have them updated in the tables provided above? Please comment and let us know or ask your questions in the Tech Community!