A few years ago, the expression was “data is the new oil,” and that might be true, but when it comes to your organization’s documents stored in the cloud, I think a more apt description would be “data is radioactive.” Yes, you can do good things with it (generate electricity), but it’s dangerous stuff, and you shouldn’t keep it around for longer than you need to.
For most IT pros, data security is NTFS, share permissions, and SharePoint access levels. Turns out that doesn’t work so well anymore. Even when documents are stored in OneDrive for Business, SharePoint, and Exchange Online, they don’t stay there. They’re shared via Teams, third-party collaboration, and cloud storage services, via email, and even stored on USB sticks now and then. And when everyone is working from home or anywhere, you quickly lose what little control you used to have over where these documents are and who has access to them.
This is a serious problem for businesses, both big and small, and I think it is going to come much more into focus over the next few years. But there are technical solutions to this that you may already be licensed for and not using today, in the form of Microsoft Information Protection (sometimes called Azure Information Protection). This article will show you how it works, how to start using it, how to ensure the business is on board, and what you can do at the different licensing levels.
Before discussing protection, let’s talk about labeling, the foundation of M365 Information Protection. A document is labeled with a classification, such as “Sensitive” or “Highly Confidential,” and this label follows it wherever it goes. You then apply policies that say, for instance, that “Public” documents aren’t protected at all, whereas “Highly Confidential” ones get a watermark on each page (or a header or footer), are encrypted, and require the user to designate the specific internal or external users who should have access.
The label names are up to you (Microsoft offers suggestions); you can scope different labels to different groups and nest labels, such as “Highly Confidential/All employees” and “Highly Confidential/Executives.” Again, the protection follows the document: the recipient must prove who they are at the time of access, and you choose whether to allow a grace period of a few days after the initial authorization for offline access or to require authentication every single time.
Access can be time-limited, and specific permissions can be assigned, such as read-only or no printing. For emails, you can apply “Do not forward,” “No printing,” and so on. Many file types are supported out of the box, including the Office formats and PDF, with third-party add-ins available to protect CAD engineering files, for instance.
Microsoft 365 E3 and Business Premium offer manual labeling of documents, relying on staff training (more below) and judgment, whereas Microsoft 365 E5 can automatically identify sensitive information and label documents for you.
Rather than relying on where a document is stored (file share, cloud storage, USB stick, etc.) and trying to control access there, M365 Information Protection embeds the protection in the document itself. This means that if you try to open a protected/encrypted document in a third-party application instead of Microsoft Office or a compatible PDF reader (Adobe Reader works), it won’t open.
Note that this isn’t an anti-hacker technology; it’s a way to ensure control over documents and help good people do the right thing. If I have read access to a document and I’m determined to steal the content, I can take photos of it with my smartphone, pop my laptop on the photocopier and hit print, or simply memorize the information. None of those actions can be claimed to be accidental if you’re caught, though. In contrast, if you have no information protection in place, you don’t even know if a copy of the text is pasted into another file or forwarded to a personal email address.
A building block of M365 Information Protection is Sensitive Information Types (SITs), which are built-in ways to spot different types of data. At the time of writing, there are 264 types, including classics such as credit cards and SWIFT codes, as well as bank account, passport, and identification card numbers for many countries worldwide. There are also more recent additions such as IP addresses, disease IDs, names and physical addresses, Azure Storage Account keys, and many, many others. You can also create your own SITs for organization-specific terms.
Data classification dashboard
For more complex document types, where a string of numbers plus corroborating evidence words isn’t sufficient (16 digits in groups of four, with words such as CC or MasterCard next to them), you can use Trainable classifiers that rely on Machine Learning models to identify data. There are 19 built-in ones (for English; 49 in total when Japanese, German, French, etc. are included) for Agreements, Finance, HR, Intellectual Property, Legal, Resume, Source Code, Profanity, Targeted Harassment, and Threats, plus several others.
If you have E5 licensing, you can also create your own by feeding it many documents of the type you’re seeking to classify (Australian Legal Contracts, for example) and then refine the model by feeding it the right kind of documents, as well as wrong ones, and manually marking each batch when it gets it right and wrong. When the model is accurate enough, you can publish it to your tenant and then use it in your policies.
If you have a database of terms or codes (say employee IDs or project numbers), you can use Exact Data Match (EDM) to spot these when they show up in documents or emails.
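To make the SIT and EDM mechanics concrete, here is an added Python example (not code from the article or from Microsoft) that mimics how a built-in SIT decides on a match: a primary pattern, a checksum validator, and corroborating keywords within a proximity window that raise the confidence level, plus a simplified Exact Data Match lookup against a salted hash table. The keyword list, the EMP-nnnnnn employee ID format, the salt, the sample email and the label names are all constructed for the example; Microsoft’s real SIT definitions and EDM hashing scheme differ in detail.

```python
import hashlib
import re
from typing import List, Set, Tuple

# --- A simplified Sensitive Information Type (SIT) ---
# Built-in SITs combine a primary pattern, a validator (here the Luhn check that
# real card numbers satisfy) and corroborating keywords near the match that raise
# the confidence of the detection. Keyword list is constructed for this example.
CARD_PATTERN = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
CARD_KEYWORDS = ("credit card", "card number", "cc", "visa", "mastercard", "amex")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text: str, proximity: int = 300) -> List[Tuple[str, str, List[str]]]:
    """Return (digits, confidence, evidence) for each candidate that passes Luhn."""
    results = []
    lower = text.lower()
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue  # pattern matched but checksum failed: not a card number
        window = lower[max(0, m.start() - proximity): m.end() + proximity]
        evidence = [k for k in CARD_KEYWORDS if re.search(r"\b" + re.escape(k) + r"\b", window)]
        results.append((digits, "high" if evidence else "medium", evidence))
    return results


# --- A simplified Exact Data Match (EDM) ---
# Real EDM hashes the sensitive table (with a salt) before anything leaves the
# organization; the scanner hashes candidates found in content and looks them up.
EMPLOYEE_ID_PATTERN = re.compile(r"\bEMP-\d{6}\b")  # constructed ID format


def _hash(value: str, salt: str) -> str:
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()


def build_edm_index(values: List[str], salt: str) -> Set[str]:
    return {_hash(v, salt) for v in values}


def find_edm_matches(text: str, index: Set[str], salt: str) -> List[str]:
    return [t for t in EMPLOYEE_ID_PATTERN.findall(text) if _hash(t, salt) in index]


def suggest_label(text: str, index: Set[str], salt: str) -> str:
    """Map findings to a label name; the label names are the organization's choice."""
    cards = find_credit_cards(text)
    if any(conf == "high" for _, conf, _ in cards) or find_edm_matches(text, index, salt):
        return "Highly Confidential"
    if cards:
        return "Confidential"
    return "General"


# Constructed sample data (not real identifiers or people).
SALT = "per-tenant-secret-salt"
EMPLOYEE_IDS = ["EMP-104233", "EMP-220017", "EMP-301900"]
EDM_INDEX = build_edm_index(EMPLOYEE_IDS, SALT)
SAMPLE_EMAIL = (
    "Hi finance, please refund the customer. Credit card: 4111 1111 1111 1111 (Visa).\n"
    "Raise it under my employee record EMP-220017. Thanks"
)

if __name__ == "__main__":
    print(find_credit_cards(SAMPLE_EMAIL))
    print(find_edm_matches(SAMPLE_EMAIL, EDM_INDEX, SALT))
    print(suggest_label(SAMPLE_EMAIL, EDM_INDEX, SALT))
```

Note that the same 16-digit string with no supporting keywords nearby is still reported, but at medium confidence; a policy that only acts on high-confidence matches is how you keep false positives (order numbers, tracking IDs) from triggering encryption.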
To see the SITs, trainable classifiers, and EDM schemas, go to compliance.microsoft.com, log in with an administrator account, and go to Data Classification in the menu on the left.
But how do you know what sensitive data you’ve already got in your tenant so you know where to start? That’s where Content Explorer comes in; as long as you’ve been assigned the extra roles (on top of Global Admin) of Content Explorer List Viewer and Content Explorer Content Viewer, you can browse and see what’s already stored in your tenant. Here’s my tenant:
Content Explorer in M365 Information Protection
As you can see, many names across email and OneDrive for Business make sense, as does Australian Business Number, while the disease identification is a false positive. I can then drill down to individual documents, and if I have the Content Viewer role, I can even preview the documents themselves (obviously, be careful with this permission). This should give you a good starting point for understanding what sensitive data you have stored.
Documents identified in Content Explorer
On the other hand, Activity Explorer shows you what users are doing with documents when you start using labels and protections and how they’re being used.
Activity Explorer in M365 Information Protection
Nowadays, it’s not just files and emails that can be labeled; you can also apply your classifications to SharePoint sites and M365 groups (this is in preview at the time of writing and requires manual steps to enable). Note that today, that doesn’t mean that the documents inside those containers are automatically labeled (they don’t work as NTFS permissions, in other words); it means that you can control the external sharing of documents from those locations.
Finally, you can also apply M365 Information Protection labels and policies to data other than documents using Microsoft Purview (up until very recently called Azure Purview). This extends the whole concept of labels to databases (SQL, Cosmos DB, Amazon RDS, Cassandra, DB2, Google BigQuery, and others), cloud storage, data lakes, etc.
Scoping a sensitivity label in M365 Information Protection
Applying the labels
OK, you have worked out what labels to use (see below), at least for your first pilot project. Now you need to create your policies to actually apply them. Still in the compliance portal, go down to Solutions – Information Protection. Here, you create your labels based on the SITs and other classification options covered above and then publish them using Label policies.
Pick the label(s) to publish and scope it to users and groups (you can select All for a companywide policy) and then select Policy Settings.
Policy settings for a Sensitivity label policy
Here you can require users to provide a business justification when removing a label or lowering it to a less sensitive one, require users to always apply a label (be very careful with this setting; see below), require labels for Power BI content, and offer a link to a custom, in-house help page. Make sure you give each label a descriptive name that fits neatly into the flyout under the Sensitivity button in the Office apps, and a longer description as well. This might seem trivial, but it is crucial in helping users understand which label to use for each type of content.
Realistically, though, asking users to manually label documents and emails (hopefully without enforcing it) is only going to take you so far, and only with new documents. To really get a handle on and label all your data, you must use Auto-labeling policies. These are available in E5 licensing (for a good breakdown of what’s available in each licensing tier – see here).
These will scan through existing documents in OneDrive for Business and SharePoint online and label documents based on sensitive data found, optionally applying markings and encryption based on your label settings. When you first create one, you can run it in simulation mode to ensure that it’s going to work as you expected.
If you have documents on-premises, in file shares / SharePoint server, you can use the Azure Information Protection scanner to do the same for all that data. Managed from the cloud, once the agents are deployed on-premises, they will scan SMB or NFS (preview) shares and SharePoint 2013 to 2019 servers.
Another important step is to designate a group of highly trusted users as super users so that they can decrypt documents that were protected by an end-user who’s no longer with the company, for instance.
I haven’t gone into it, but M365 Information Protection has had many names over the years, so if you see references to Azure Information Protection, Azure Rights Management Services, etc., they’re all talking about the same thing. The current product is also unified within Microsoft 365, and the client agent is built into Apps for Business / Apps for Enterprise, which the rest of the world calls Office – i.e., Word, Excel, and so forth on your desktop, on a smartphone or the web version in a browser.
Working with the business
This is the most important part of this article – the technology isn’t the crucial bit, even though it’s cool – it’s engaging with the rest of the business. Successfully implementing M365 Information Protection in your business relies on you being able to get executive sponsorship – it’s got to be something that the business leaders understand and see as aligned with business outcomes. If it’s something IT is trying to “enforce” for compliance reasons on their own, it’s unlikely to succeed.
After the executives are onboard and lead by example (as they often handle the most sensitive data in the business), you need to train your users. Start small, perhaps with a group of users in the legal, finance, or HR department who understand the need more than other staff. Gather feedback and really understand how adding extra steps to their daily workflow impacts productivity. Ensure that the labels are crystal clear and that there are as few as possible.
When you first start out, especially in a large business, you can end up with dozens of labels, with each department insisting that their Highly Confidential classification is different from another department’s. Be ruthless: to have any chance of success, you must get everyone to agree on a small set of labels that are clear to everyone. If required, you can have different labels for different groups of users; just be aware of the potential management and maintenance overhead.
Just like file permissions can be straightforward on a new file server, over time, minor changes and exceptions can make maintenance hard, so plan for quarterly meetings to go back over labels and usage and impacts in the business to ensure that you can adjust as M365 Information Protection is more and more adopted by the organization (Activity Explorer really helps with this).
Also – make it fun! Have competitions to see who can label as many documents as possible or who used the most labels in a week.
M365 Information Protection ties in nicely with several other governance features such as Data Loss Prevention (DLP), which is now available on Windows and MacOS endpoints as well as in the cloud. It’s also related to Retention policies and Records management and is part of an overall strategy to secure your Microsoft 365 tenant.
As you can appreciate, Information Protection is a huge area of Microsoft 365 and one that is constantly evolving; a good place to catch the latest as well as ask questions is the Information Protection public Yammer community.
Out of the blue, and after the Build conference, Microsoft released a “new” service called Entra. In this article, we’ll look at what it is, why you should care, and how it will change how you do identity security.
Many security pundits have said many times over the last few years: “Identity is the new perimeter,” “Identity is the new firewall,” and strong identity authentication is a cornerstone of a Zero Trust strategy. Certainly, Azure Active Directory (AAD), as Microsoft’s central identity directory, has been adding security features over the last few years, and indeed, AAD is one-third of Entra.
The second part is Microsoft Entra Permissions Management (MEPM? EPM?), based on the recent CloudKnox acquisition, and finally, there’s Microsoft Entra Verified ID for decentralized identities.
Let’s dig into what each of these offers and why you should consider using them.
Incidentally, if you’re wondering about the name, it’s an allusion to Entrance / gaining entry, and it ties in with two other name changes a little while ago – all the privacy-focused services in Microsoft 365 are now under the “Priva” name, and all the compliance features are under the Purview name.
Microsoft Entra Permissions Management
This cloud-based service is a Cloud Infrastructure Entitlement Management (CIEM) solution. It’s multi-cloud and can be connected to Azure’s, AWS’s, and GCP’s identity and permissions systems. The basic premise is that there are so many permissions (40,000 across the three clouds, according to Microsoft) that checking manually that each assignment is least-privileged is impossible.
Instead, EPM (I’m going to stick with that) gives you a Permissions Creep Index (PCI), showing you the difference between assigned and used permissions for each user account, workload, or group. You can then easily right-size permissions to the required ones, lowering the gap between assigned and used permissions. There’s also an option to request permissions for those one-off situations where an administrator needs higher permissions for a particular task.
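As an added illustration (not Microsoft’s algorithm and not code from the article), the following Python computes a creep index of this kind from a constructed set of Azure role permissions and an activity log, then derives the right-sized role as the set of permissions actually exercised. The weighting of high-risk permissions, the permission strings and the identities are assumptions for the example; the real PCI uses Microsoft’s own scoring.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Permissions that let an identity escalate or destroy; weighted higher when unused.
# The weighting is a constructed simplification, not the product's formula.
HIGH_RISK = {
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.KeyVault/vaults/secrets/read",
}


@dataclass
class Identity:
    name: str
    assigned: Set[str]
    used: Set[str] = field(default_factory=set)


def _weight(permission: str) -> int:
    return 3 if permission in HIGH_RISK else 1


def creep_index(identity: Identity) -> int:
    """0 = every assigned permission was used; 100 = nothing assigned was used."""
    if not identity.assigned:
        return 0
    assigned_weight = sum(_weight(p) for p in identity.assigned)
    unused_weight = sum(_weight(p) for p in identity.assigned - identity.used)
    return round(100 * unused_weight / assigned_weight)


def right_sized_role(identity: Identity) -> List[str]:
    """The least-privilege role is simply the permissions actually exercised."""
    return sorted(identity.assigned & identity.used)


def apply_activity(identities: Dict[str, Identity], activity: List[tuple]) -> None:
    """Populate `used` from an activity log of (identity, permission) pairs."""
    for name, permission in activity:
        if name in identities:
            identities[name].used.add(permission)


def ranked(identities: Dict[str, Identity]) -> List[tuple]:
    """Highest creep index first: the identities to right-size today."""
    return sorted(((creep_index(i), i.name) for i in identities.values()), reverse=True)


# Constructed sample: what was granted, and what 90 days of activity shows was used.
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
VM_READ = "Microsoft.Compute/virtualMachines/read"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"
VM_DELETE = "Microsoft.Compute/virtualMachines/delete"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"

IDENTITIES = {
    "ci-pipeline": Identity("ci-pipeline", {VM_READ, VM_WRITE, VM_DELETE, ROLE_WRITE, BLOB_READ}),
    "backup-svc": Identity("backup-svc", {BLOB_READ, BLOB_WRITE}),
    "alice": Identity("alice", {VM_READ, VM_WRITE}),
}
ACTIVITY = [
    ("ci-pipeline", VM_READ),
    ("ci-pipeline", BLOB_READ),
    ("backup-svc", BLOB_READ),
    ("backup-svc", BLOB_WRITE),
    ("alice", VM_READ),
    ("alice", VM_READ),
]
apply_activity(IDENTITIES, ACTIVITY)

if __name__ == "__main__":
    for score, name in ranked(IDENTITIES):
        print(f"{name:12s} PCI={score:3d}  right-sized: {right_sized_role(IDENTITIES[name])}")
```

The pipeline identity scores worst not because it has the most permissions but because the ones it never uses (delete VMs, write role assignments) are the ones an attacker would want; that is the point of weighting rather than just counting.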
I set it up for one of my clients (who only uses Azure), and it’s fairly straightforward to start with. Obviously, it’ll appeal to larger businesses with many administrators, especially when they’re using two or three clouds. The problem EPM helps address is definitely an issue (ever heard of a breach of a cloud instance due to lax permissions?), and it’s nearly impossible to do manually. Having this automated tool gives you a visual way to see the gap between granted and used permissions, and that’s very helpful:
Permission Creep Index heatmap
EPM is free during the preview – note that it’s not GDPR compliant at the moment and hence is not available in the EU, something that Microsoft will fix before it becomes generally available.
Azure Active Directory
Take a deep breath; your cheese is about to be moved: the Azure AD portal will disappear (I suspect). It’ll be replaced with the new Entra portal:
Microsoft Entra portal
Currently, this portal is in preview, but eventually, it’ll be the home for all identity-based UI actions. On the left, we have the three pillars of Entra, starting with AAD. Predictably, there are a lot more blades under AAD, which mirror most of the options in the current portal (legacy? classic?).
Azure Active Directory Menu
Although it’ll take some time to re-learn where everything is, I do feel like this is a cleaner and more logical layout (although that’s often true when you make something new, and then as more features are added over time, more menu options show up and it gets messy again).
If you’re used to the current Azure AD portal, there are no real surprises here. The External identities area, for instance, has links to the new Cross-tenant access settings and External collaboration settings. Once you open one of these blades, the menu layout is the same as in the AAD portal. Interestingly, Sign-in, Audit and Provisioning logs are now under Monitoring & health, and under Hybrid management, we find Azure AD Connect Health monitoring, including Active Directory DC monitoring.
Active Directory monitoring in the Entra portal
Another recent addition to Entra is protection for workload identities. Until now, there’s been a strong focus on user identity (MFA, passwordless) but less on application/automation/service, i.e., workload identity. This was brought into sharp focus in the SolarWinds hack, as the Russians used these types of identities to compromise their victims further. Sometimes, you’ll see these types of identities being referred to as non-human, which always makes me think of Klingons and Vulcans, but that’s probably just me.
For user identities, we have Identity Protection in Azure AD (Premium P2) which identifies anomalous behavior of user accounts and each sign-in (using Machine Learning). This is now extended to workload identities as well. Furthermore, we have Access Reviews where group owners or the users themselves regularly attest that they still need particular permission; again, this is now available for applications (by designated reviewers). Finally, Conditional Access is also available for workload identities.
Conditional Access Policy for workload identities
There’s another preview currently for Lifecycle workflow, which manages the whole lifecycle of joining an organization, changing roles, and then eventually leaving through entitlement management.
Microsoft Entra Verified ID
This is possibly the part of Entra that will have the most impact on your work as an IT Pro going forward (it’s also in preview at the moment). It’s the result of a technology that Microsoft has been discussing for a few years now: decentralized identity.
Today, our identity is “owned” to a large extent by tech giants Google, Microsoft, Apple, and Facebook. For example, many users simply use an FB account to sign in to sites and services. But you’re not in control of your identity and can’t control exactly what data about you is being shared with various sites and services.
On the business side (where verified ID as part of Entra sits), consider the challenges of new hires joining your organization. How do you identify them, what documents do they need to show your HR department (and how do you do that in a work-from-home setting where they’re not physically present), and how do you authenticate those documents?
Setting up Verified ID in the Entra portal
Imagine if they had a verifiable identity that they could share with you, with exactly the right information you need (and no more), and that you could trust that identity because it’s cryptographically secured. That, in a nutshell, is a verifiable identity. There are many other scenarios, such as access to high-value resources and self-service account recovery, where a strong identity would be beneficial.
Microsoft has a click-through site that steps through an employee onboarding scenario, demonstrating the power of verifiable credentials and showing how much easier it is than today’s manual processes.
The current preview allows you to both issue and verify identities. The setup is fairly straightforward: you need to create an Azure Key Vault to store signing keys, etc., and you need to register an app in Azure AD.
Create a key vault for verified ID
Several verifiable credential organizations are currently supported, such as Acuant, Clear, Jumio, and others, covering 192 countries and over 6000 identification documents.
The cynic in me looks at this new portal and wonders if it’s a subtle way of “selling” the new CIEM solution – although the final licensing cost hasn’t been announced yet, we know it’s not going to be part of Microsoft 365 E5 or Azure AD Premium P2 licensing.
By moving everyone to the Entra portal, more users will be exposed to Permissions Management, be curious as to what it can do, and eventually become paying customers. But maybe that’s too cynical a view. Maybe having one portal for identity, one for security, and one for compliance makes sense.
No matter what, Entra is here (at least in the preview). It’ll change some of your processes around workload identities, permissions management across clouds, and how you onboard new hires, plus other areas where decentralized identities will make your life easier. It’s exciting, and I can’t wait to see these services come out of preview so we can get a clearer picture of the licensing cost, scope, etc.
To say the IT world is changing would be an understatement. It’s common knowledge that it’s changing faster than it used to, but the ramifications of those changes can be hard to perceive when we’re in the middle of the shifting sands.
A few years ago, good firewall systems with content filtering and malware inspection were considered state-of-the-art. Today, you have two problems: first, most of your users aren’t in the office, so they’re not behind that big “blinky light” protector, and second, most of the applications and services your users are accessing aren’t on-premises anymore, they’re cloud services that they access from any device with an internet connection.
No problem, says the older, “pry my servers from my cold, dead hands” IT Pro: we’ll just force everyone’s traffic back to on-premises via VPN, and then we can inspect all the traffic. Sounds good? Quick question: when your VPN went from 10% of the workforce using it to 100% at the start of 2023, how was the user experience? And even if that was mitigated, how’s their experience when they’re using Teams or Zoom? Not quite so “modern” anymore?
The point is that security firewalls and filtering need to move with the times, and in this article, we’re going to discuss Cloud Access Security Brokers (CASBs) and, specifically, Microsoft’s Defender for Cloud Apps (MDCA), up until recently known as Microsoft Cloud App Security (MCAS). We’ll also look at how you can use MDCA specifically with Microsoft 365. But first, what is a CASB?
What is a Cloud Access Security Broker (CASB)?
A Cloud Access Security Broker (CASB) sits between your users and the cloud services they use, mediating traffic or API calls so that security policies can be enforced and the integrity of data maintained, regardless of where the service is hosted.
One of the primary roles of a CASB is to enforce security policies. As we migrate to cloud services, traditional on-premises security measures become less effective. CASBs step in to fill this gap by providing security at the cloud level. They ensure that organizational policies regarding data access, sharing, and storage are uniformly applied across all cloud services.
These security solutions offer unparalleled visibility into cloud application usage, allowing you to monitor and control the flow of sensitive information. This visibility is crucial for compliance with various regulatory standards such as GDPR, HIPAA, and SOX. CASBs can identify and classify sensitive data stored in the cloud, monitor its movement, and enforce compliance policies.
CASBs play a vital role in managing who has access to cloud applications and data. They integrate with existing identity management systems to provide secure authentication and Single Sign-On (SSO) capabilities. This ensures that only authorized users can access sensitive cloud resources.
Microsoft Defender for Cloud Apps is Microsoft’s CASB. It covers data protection, threat detection, and integration with a wide range of cloud services, so that you can see and govern the cloud applications your organization actually uses.
With the growth in cloud adoption, CASBs are no longer optional tooling; they are a standard component of a modern cloud strategy. They bridge the gap between the dynamic nature of cloud services and the need for security and compliance, letting you use the cloud while keeping data and applications secure and compliant with internal policy and external regulation.
With that said, let’s dive deeper into Microsoft Defender for Cloud Apps and learn more about its potential.
Deploy Microsoft Defender for Cloud Apps
While the new name makes perfect sense, I know I’ll have to deal with numerous questions about the difference between it and Microsoft Defender for Cloud, the new name for Azure Security Center and Azure Defender. Defender for Cloud is all about protecting workloads in Azure (and AWS & GCP, hence the name change from Azure Defender to Defender for Cloud), whereas Defender for Cloud Apps is all about spotting shadow IT, managing SaaS service access by your end-users, and applying policy.
Let’s start with how it works – MDCA needs access to data on what apps your users are browsing on the internet. You can continuously upload logs from your on-premises firewalls and proxy servers, integrate directly with a set of cloud services with API connections, and use Microsoft Defender for Endpoint as an agent for MDCA. The number of cloud services that can be integrated into MDCA is increasing; at the time of writing, they are:
The list of supported firewalls and proxies is too long to list, but you can find it here. It includes all the usual suspects plus cloud-based “firewalls” such as Zscaler and iboss. You can also use Syslog or FTP with “container appliances” to upload custom logs to MDCA, and you can customize the log parser if you need to.
As mentioned, if you’re using Defender for Endpoint (MDE) Plan 2 on Windows 10/11, it’s an excellent way to gather data for MDCA. Note that while MDE also supports Android, iOS, Linux, and MacOS, they’re not supported as agents for MDCA today, and Defender for Business (in public preview) and Defender for Endpoint Plan 1 (included in Microsoft 365 E3) also aren’t supported.
Since both MDCA and Endpoint Plan 2 are part of Microsoft 365 E5 licensing, this is less of a hurdle than you might think (see flavors below). The steps to integrate them are really simple: a single slider in each portal needs to be enabled.
The power this brings is not to be underestimated; you get a full 360 view of all services accessed by your users, no matter where they’re working and how they’re connecting, and you can apply policies to them.
Shadow IT Discovery
OK, once you have data flowing into Defender for Cloud Apps through any of the methods above, you’ll start getting Cloud Discovery reports. This will tell you what service categories are most used, which apps are most used by your users, and if there’s the usage of high/medium and low-risk apps. Commonly known as shadow IT, this is the usage of apps that the business isn’t aware of, including the potential storage of sensitive data in these locations. It’s vital that this is discovered and managed, and Defender for Cloud Apps helps you a lot with this task.
Defender for Cloud Apps Cloud Discovery dashboard
Based on this data, you can start digging into the riskiest apps with high usage and identify why they’re being used and what the risks are. There’s a built-in catalog of 30,036 apps (and growing; the last time I looked, it was just over 27,000). Each app/cloud service in the catalog has an overall score from 1-10, based on four categories: General, Security, Compliance and Legal.
Defender for Cloud Apps catalog listing
The point of the catalog is to give you instant visibility into the security stance (perhaps of a service you’ve just found out is used by the entire finance department) and regulatory compliance of an app without having to spend hours digging through their website or requesting more information from them. For instance, if your organization requires suppliers to adhere to a specific compliance regulation, you can filter the catalog to identify any application in use that doesn’t.
The next step is to sanction or unsanction an app. The latter will block access if you’re using Defender for Endpoint, Zscaler, or iboss, and there are options to download a script to add the block to on-premises firewalls. But even if you’re not outright blocking the use of these apps, it does allow you to track down the users and suggest an alternative app with a better security track record.
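To show what happens to the logs you upload, here is an added Python example (not code from the article or from the product) that parses a few constructed proxy log lines, resolves destination hosts against a tiny constructed catalog with risk scores, aggregates usage per app and user, and produces the list of risky, unsanctioned hosts you would hand to a firewall. The log layout, the catalog entries and scores, and the sanctioned set are assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed catalog: host suffix -> (app name, overall risk score 1-10).
# The real catalog has tens of thousands of entries scored across
# General/Security/Compliance/Legal; these four entries are made up.
CATALOG: Dict[str, Tuple[str, int]] = {
    "sharepoint.com": ("SharePoint Online", 10),
    "dropbox.com": ("Dropbox", 8),
    "wetransfer.com": ("WeTransfer", 4),
    "pastebin.com": ("Pastebin", 2),
}
SANCTIONED = {"SharePoint Online"}

# Constructed proxy log lines in a simple Squid-like layout:
# <epoch> <user> <client ip> <destination host> <bytes sent>
SAMPLE_LOG = """\
1700000001 alice@contoso.com 10.1.2.3 contoso.sharepoint.com 20480
1700000002 bob@contoso.com 10.1.2.4 www.dropbox.com 5242880
1700000003 alice@contoso.com 10.1.2.3 dl.wetransfer.com 104857600
1700000004 carol@contoso.com 10.1.2.5 pastebin.com 2048
1700000005 bob@contoso.com 10.1.2.4 pastebin.com 8192
1700000006 dave@contoso.com 10.1.2.6 updates.example.internal 512
"""
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<user>\S+) (?P<src>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def parse_line(line: str) -> Optional[dict]:
    """Return a record dict, or None for lines the parser does not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def app_for_host(host: str) -> Optional[Tuple[str, int]]:
    """Longest-suffix match, so contoso.sharepoint.com resolves to SharePoint Online."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATALOG:
            return CATALOG[candidate]
    return None


def discover(log_text: str) -> Dict[str, dict]:
    """Aggregate per app: users seen, bytes uploaded, catalog score and hosts used."""
    report: Dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = app_for_host(rec["host"])
        if hit is None:
            continue  # not in the catalog: would be listed separately as unknown
        name, score = hit
        entry = report.setdefault(name, {"score": score, "users": set(), "bytes": 0, "hosts": set()})
        entry["users"].add(rec["user"])
        entry["bytes"] += rec["bytes"]
        entry["hosts"].add(rec["host"])
    return report


def risky_apps(report: Dict[str, dict], max_score: int = 5) -> List[str]:
    """Apps at or below the acceptable score, worst first, then by upload volume."""
    ordered = sorted(report.items(), key=lambda kv: (kv[1]["score"], -kv[1]["bytes"]))
    return [name for name, e in ordered if e["score"] <= max_score]


def block_list(report: Dict[str, dict], sanctioned=SANCTIONED, max_score: int = 5) -> List[str]:
    """Hosts to push to the firewall/proxy for apps that are unsanctioned and risky."""
    hosts = set()
    for name, e in report.items():
        if name not in sanctioned and e["score"] <= max_score:
            hosts |= e["hosts"]
    return sorted(hosts)


if __name__ == "__main__":
    rep = discover(SAMPLE_LOG)
    for name, e in rep.items():
        print(f"{name:18s} score={e['score']:2d} users={len(e['users'])} bytes={e['bytes']}")
    print("risky:", risky_apps(rep))
    print("block:", block_list(rep))
```

The 100 MB upload to a file-transfer site by a single user is the kind of finding worth chasing before you block anything: the user may simply need a sanctioned alternative.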
Another way I find this discovery useful is that it lets me find popular apps that I can then publish through Azure Active Directory, so that I can add governance around their usage.
Using Defender for Cloud Apps
You can use several types of policies to detect risky behavior and suspicious activity and, in some cases, automatically remediate the issue.
Activity policies use the APIs of integrated applications and let you build custom alerts for multiple failed sign-ins and large amounts of file downloads or logins from unusual countries or regions. Anomaly detection uses User and Entity Behavioral Analytics (UEBA) and Machine Learning, and for most detections, it takes seven days to establish a baseline so it can identify what’s unusual. Signals used in these policies include risky IP addresses, inactive accounts, locations, devices, user agents, etc.
Malware detection across Box, Dropbox, Google Workspace, and Office 365 (when used with Defender for Office 365) is one of these policies.
Defender for Cloud Apps activity policy to catch ransomware
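As an added example (not code from the article or from Defender for Cloud Apps), this Python implements two detections of the kind the activity and anomaly policies above express, run over a constructed sign-in log: a sliding-window rule for repeated failed sign-ins, and an impossible-travel check that compares the speed implied by two consecutive successful sign-ins against airliner speed. The event layout, coordinates, thresholds and user names are assumptions for the example.

```python
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sign-in events: (timestamp, user, result, country, latitude, longitude)
SIGNINS = [
    ("2024-03-01T08:00:00", "alice@contoso.com", "failure", "AU", -33.87, 151.21),
    ("2024-03-01T08:00:20", "alice@contoso.com", "failure", "AU", -33.87, 151.21),
    ("2024-03-01T08:00:40", "alice@contoso.com", "failure", "AU", -33.87, 151.21),
    ("2024-03-01T08:01:00", "alice@contoso.com", "failure", "AU", -33.87, 151.21),
    ("2024-03-01T08:01:20", "alice@contoso.com", "failure", "AU", -33.87, 151.21),
    ("2024-03-01T08:05:00", "alice@contoso.com", "success", "AU", -33.87, 151.21),
    ("2024-03-01T09:00:00", "bob@contoso.com", "success", "AU", -33.87, 151.21),
    ("2024-03-01T10:00:00", "bob@contoso.com", "success", "US", 40.71, -74.01),
    ("2024-03-01T09:00:00", "carol@contoso.com", "success", "AU", -33.87, 151.21),
    ("2024-03-02T09:00:00", "carol@contoso.com", "success", "US", 40.71, -74.01),
]


def _parse(events):
    return [(datetime.fromisoformat(ts), user, result, country, lat, lon)
            for ts, user, result, country, lat, lon in events]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def failed_signin_bursts(events, threshold: int = 5,
                         window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, datetime]]:
    """Activity-policy style rule: N failures by one user inside a sliding window."""
    alerts = []
    recent: Dict[str, deque] = defaultdict(deque)
    alerted = set()
    for ts, user, result, *_ in sorted(_parse(events)):
        if result != "failure":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and user not in alerted:
            alerts.append((user, ts))
            alerted.add(user)  # one alert per user per burst
    return alerts


def impossible_travel(events, max_speed_kmh: float = 900.0) -> List[Tuple[str, str, str, int]]:
    """Consecutive successful sign-ins that imply travel faster than an airliner."""
    alerts = []
    last: Dict[str, tuple] = {}
    for ts, user, result, country, lat, lon in sorted(_parse(events)):
        if result != "success":
            continue
        if user in last:
            pts, pcountry, plat, plon = last[user]
            hours = (ts - pts).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > max_speed_kmh:
                alerts.append((user, pcountry, country, round(km / hours)))
        last[user] = (ts, country, lat, lon)
    return alerts


if __name__ == "__main__":
    print("failed sign-in bursts:", failed_signin_bursts(SIGNINS))
    print("impossible travel:", impossible_travel(SIGNINS))
```

Carol also moves between the same two countries but a day apart, so she is not flagged; the point of a speed threshold rather than a “new country” rule is exactly that distinction.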
OAuth app policies keep an eye on apps that are granted permissions in Azure AD, either by end-users (if you allow this) or by administrators. We covered the risks and mitigations in-depth in an article and webinar.
File policies bring a built-in DLP engine to inspect content across 100+ file types and allow you to take automated action when the content matches your criteria. You can create policies for publicly shared files, files shared with a specific domain or with a specific set of unauthorized users, and even for specific high-risk file extensions.
Access policies are a very cool concept, essentially combining the best of Azure AD Conditional Access policies with the app control of MDCA. You deploy the apps using Conditional Access App Control, and this lets you not only block access to applications based on the user’s device, for instance, but also use session policies to control what a user can do in the app. You can monitor all activity, block all downloads, block specific activities, require step-up authentication for sensitive tasks, protect files on download or upload, block malware, and educate users on protecting sensitive files.
Defender for Cloud Apps cloud discovery anomaly detection policy
Finally, App discovery policies alert you to new cloud services that are being used (to continue the fight against Shadow IT), and cloud discovery anomaly detection policies alert you to unusual activity in cloud apps.
Unlike many other security products, Defender for Cloud Apps creates a large set of default policies "out of the box," so you get useful detections before you create a single policy of your own.
Alerts from these policies can be sent as emails or text messages, or you can use a Power Automate playbook to notify the right people. You can also automatically disable a user account, require the user to sign in again, or confirm them as compromised to automatically contain a potential attack.
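Email and Power Automate cover most notification needs, but if you want the alerts in your own tooling, the portal's REST API is the way in. The following is an added example, not code from the original article or from Microsoft: it pulls the open, high-severity alerts and shows which policies are firing most, which is useful when tuning the default policies. The portal URL is a placeholder for your tenant, the token is assumed to be a legacy API token created in the portal, and the filter keys and alert field names are taken from the documented alerts API rather than from the article, so verify them against your tenant.

```powershell
# Added example (not from the original article): list open, high-severity
# Defender for Cloud Apps alerts via the REST API and summarize them by policy.
# Assumptions: $portal is a placeholder for your tenant's portal URL, the token is
# a legacy API token (Settings > API tokens), and filter keys / alert fields
# (alertOpen, severity, timestamp, policyRule, entities) follow the alerts API docs.
$portal  = 'https://contoso.us.portal.cloudappsecurity.com'   # placeholder tenant URL
$secure  = Read-Host -Prompt 'Defender for Cloud Apps API token' -AsSecureString
$plain   = [System.Net.NetworkCredential]::new('', $secure).Password
$headers = @{ Authorization = "Token $plain" }

# Severity: 0 = low, 1 = medium, 2 = high. alertOpen = not yet resolved.
$filters = @{
    alertOpen = @{ eq = $true }
    severity  = @{ eq = 2 }
}

# The list endpoint is a POST with skip/limit paging; stop when a page comes back short.
$limit = 100
$skip  = 0
$alerts = @()
do {
    $body = @{ filters = $filters; skip = $skip; limit = $limit } | ConvertTo-Json -Depth 5
    $page = Invoke-RestMethod -Method Post -Uri "$portal/api/v1/alerts/" `
        -Headers $headers -ContentType 'application/json' -Body $body
    $alerts += $page.data
    $skip   += $limit
} while ($page.data.Count -eq $limit)

# Flatten to what an analyst triages on: when, which policy fired, and which entities.
$alerts | ForEach-Object {
    [pscustomobject]@{
        Time     = [DateTimeOffset]::FromUnixTimeMilliseconds($_.timestamp).UtcDateTime
        Policy   = $_.policyRule.label
        Title    = $_.title
        Entities = ($_.entities | ForEach-Object { $_.label }) -join ', '
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# Noisiest policies first: the ones worth tuning or scoping before they drown the SOC.
$alerts | Group-Object { $_.policyRule.label } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Keep the token out of scripts and shell history (it is read interactively here for that reason), and treat it like any other admin credential: it can read every alert and activity in the tenant.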
As you can see, you can provide granular control over what your users can and can’t do in cloud applications, and if they’re working from home (on Windows 10/11 devices), they’re still under your purview. Note that it’s not only end-user SaaS services that are protected with Defender for Cloud Apps: AWS, GCP, and Azure admin access and usage can also be monitored and controlled.
The integration with the rest of the Microsoft 365 Defender stack is also strong; here’s an example of a Data Loss Prevention policy being used to control sensitive data in third-party apps.
Microsoft 365 Data Loss Prevention Policy integration
Flavors of Defender for Cloud Apps
There are three flavors of Defender for Cloud Apps. The full version described so far is part of Microsoft 365 E5 licensing (or available as a stand-alone license). With Office 365 E5, you get Office 365 Cloud App Security, which is limited to: a catalog of about 750 cloud apps (those similar in functionality to Office 365), manual upload of firewall logs for analysis only, app control and threat detection for Office-type apps only, and Conditional Access App Control for Office 365 apps only.
On the other hand, Cloud App Discovery is part of Azure Active Directory Premium P1 and brings the full catalog of cloud apps and both manual and automatic log upload but no information protection / DLP or threat detections at all (hence the name “discovery”).
Here’s a deep dive on licensing if you really have trouble going to sleep. Alternatively, I appeared on an episode of the Sysadmin DOJO Podcast discussing this exact topic:
Defender for Cloud Apps for Microsoft 365
There’s quite a steep price jump from Microsoft 365 E3 to E5. Today, if your business collaboration is built on Office 365, digital transformation is the aim of the business, and people are working from anywhere, the power of Defender for Cloud Apps, with Defender for Endpoint as the agent, makes it a lot easier to convince the bean counters.
If you’re an MSP and have clients with strong security and compliance needs (financial industry, lawyers, medical facilities, etc.), even if they’re an SMB, consider upgrading to E5. This doesn’t just give you Defender for Cloud Apps; it also offers Defender for Identity along with a whole heap of other security features.
As you can tell, Defender for Cloud Apps is a powerful tool with numerous uses. Its comprehensive features, ranging from shadow IT detection to robust policy enforcement and integration with a broad spectrum of cloud services, make it an indispensable asset for any organization leveraging cloud technology.
This solution not only enhances security but also streamlines compliance, offering a seamless blend of protection and convenience. The versatility of Defender for Cloud Apps is further underscored by its adaptability across various cloud environments, including AWS, GCP, and Azure. This adaptability ensures that businesses can maintain a high security posture while embracing the flexibility of cloud services.
To learn more, visit the Ninja training page (each Microsoft security product has one), which is a set of links to webinars, docs pages, blog articles, interactive guides, product videos, and GitHub repositories.
Data is seen as the “new gold” for enterprise organizations as it is the lifeblood of the business revenue stream. No matter what industry, product, or solution a business offers, most companies have embraced data-driven processes to meet modern business challenges in today’s world. It underscores the importance for organizations to protect their data at all costs.
Data Loss Prevention (DLP) solutions provide the capabilities for businesses to protect their data. Companies must include their cloud SaaS solutions as part of their overall DLP strategies. The Microsoft 365 cloud SaaS solution provides robust DLP capabilities built into the platform. We will look at how to protect your business data in Microsoft 365 with DLP and backup.
Before diving into the Microsoft 365 DLP solution, let's look at what DLP is in general and why companies need it. Most organizations hold sensitive data that would be highly damaging if it fell into the wrong hands: financial data, trade secrets, customers' personally identifiable information (PII), health records, or other traditionally sensitive information such as Social Security numbers (SSNs) and credit card numbers (CCNs).
What is Data Loss Prevention (DLP)?
Data Loss Prevention (DLP) refers to the set of tools and solutions that protect against the loss, leak, misuse, or unauthorized access of sensitive data. It’s a critical aspect of complying with stringent regulations in today’s data-driven world. Failure to implement effective DLP measures can lead to severe consequences, including steep fines and regulatory violations.
DLP is a framework that enforces remediation with protective measures that prevent users from accidentally or intentionally sharing data that places a business at risk. Data Loss Prevention is often categorized as a compliance concern for businesses since most compliance frameworks require organizations to proactively protect sensitive data.
Maintaining strict adherence to compliance regulations is beneficial to customers, end-users, and businesses as it helps protect everyone involved. However, compliance can present challenges as organizations move into cloud Software-as-a-Service (SaaS) environments.
Often, businesses have a solution that helps with DLP and other compliance concerns in on-premises environments. However, as they move to cloud SaaS and other cloud offerings, the traditional tools and solutions are no longer relevant to modern cloud architectures. As a result, organizations often must rethink their tooling and strategies for DLP as they migrate business-critical data to the cloud.
Data leaks can be catastrophic
A significant driver for giving due attention to compliance and DLP initiatives is the destructive nature of data breaches. The sheer financial repercussions alone can be substantial. The IBM Cost of a Data Breach 2023 Report helps to emphasize the fiscal implications of a data breach event. Note the following findings for 2023, derived from the experiences of more than 550 global organizations:
- $4.45 million – the average cost of a data breach in 2023, a 15% increase over three years
- 51% of breached organizations plan to increase security investment as a result of the breach, particularly in incident response planning and testing, employee training, and threat detection and response tools
- $1.76 million – the average saving for organizations making extensive use of security AI and automation
- 1 in 3 breaches were detected by the organization's own security teams or tools; the rest were disclosed by the attacker or a benign third party
- $470,000 – the additional average cost borne by ransomware victims that did not involve law enforcement
- Since 2020, the average cost of a healthcare data breach has increased by 53.3%
- 82% of breaches involved data stored in the cloud
As the numbers show, a data breach can ruin a business financially. Part of the cost of a data breach event is also the regulatory compliance implications that follow, and these can be significant. For example, in cases of gross negligence leading to a data breach, the General Data Protection Regulation (GDPR) can fine a business as much as €20 million or 4% of global annual turnover, whichever is more.
Compliance is no longer a "nice to have" for businesses. Current compliance regulations have "real teeth" to impose fines and other legal ramifications.
In Cloud SaaS, DLP is Your Responsibility
Organizations may misunderstand the responsibilities of cloud service providers when they move their data to cloud SaaS environments like Microsoft 365. Many may assume protecting their data is now solely the cloud service provider’s responsibility. While hyperscale cloud service providers like Microsoft provide robust cloud architectures that do well to help protect your data from loss, the burden of responsibility for business-critical data rests with the cloud SaaS customer.
Cloud service providers such as Microsoft operate on a “Shared Responsibility Model” that places responsibility for the data itself with the customer. In the “Shared Responsibility in the cloud,” note specifically the section of “Responsibility always retained by the customer.” Among the responsibilities that fall within the organization is the responsibility for information and data.
The shared responsibility model defined by Microsoft for cloud environments
Given that information and data are the customer’s responsibility, organizations must take the compliance and security of their data seriously.
Cloud SaaS Backups are Essential
Often, Data Loss Prevention (DLP) focuses on the data leak aspect of losing data. However, DLP also indirectly relates to data protection. Most organizations today have a solid on-premises backup solution they use to protect mission-critical workloads running in on-premises enterprise data centers.
However, as mentioned earlier, there is a notion that data backups are no longer needed once data is migrated to cloud SaaS environments. This idea can prove to be a grave mistake for organizations that suffer data loss from human error or a malicious attack at the hands of ransomware.
The shared responsibility model used by hyperscale cloud service providers such as Microsoft places all aspects of protecting your information and data with the customer, and that includes backups. Backing up ALL your data, including Office 365 workloads, is the cornerstone of any data protection strategy and business continuity plan.
What is Microsoft 365 Data Loss Prevention (DLP)
Microsoft has not left organizations on their own regarding Data Loss Prevention (DLP) in the Microsoft 365 cloud SaaS environment. Microsoft has baked DLP into the Microsoft 365 SaaS environment using DLP policies.
Microsoft 365 DLP is part of the Microsoft 365 Compliance tools that protect your sensitive data, no matter where it is stored and accessed. Microsoft 365 DLP policies allow businesses to monitor end-user activities and how users access sensitive data, whether at rest, in transit, or in use.
You can log into the Microsoft 365 Compliance Center here:
Microsoft 365 Compliance Center
The DLP policies then allow taking protective action based on sensitive data access. For example, Microsoft 365 DLP policies can take action when a user attempts to copy sensitive data from the sanctioned Microsoft 365 business environment to an unapproved location.
Additionally, it can block the sharing of sensitive information in an email or other restrictions defined in the DLP policy. Other protective actions that can be defined in the DLP policy include:
- Warn a user they may be trying to share a sensitive item inappropriately
- Block the sharing and, via a policy tip, allow the user to override the block and capture the user’s justification
- Block the sharing without the override option
- For data at rest, sensitive items can be locked and moved to a secure quarantine location
- With Teams chat, the sensitive information will not be displayed
Navigating to Data Loss Prevention in Microsoft 365 Compliance Center
Visibility is essential for DLP to ensure your sensitive data stays compliant. Microsoft 365 DLP writes the monitored activity events to the Microsoft 365 unified audit log, an "event viewer" of sorts for your Microsoft 365 cloud environment, which provides visibility into user and administrator activities in your organization.
As mentioned, the Microsoft 365 Audit Log is “unified.” This aspect of the logging capabilities in Microsoft 365 is important for DLP enforcement as it allows easy searching of the audit log for activities performed in different Microsoft 365 services. In addition, the sheer breadth of cloud services offered in Microsoft 365 is staggering, so the unified logging capabilities provide a single-pane-of-glass view for activities affecting your Microsoft 365 security and compliance.
To take advantage of the Microsoft 365 Compliance Center auditing, you need to start recording user and admin activity.
Configuring Microsoft 365 Auditing to record user and admin activity
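Clicking through the portal works for a one-off check, but the audit log is most useful when you query it routinely. The following is an added example, not code from the original article or from Microsoft: it confirms that unified audit ingestion is on, pulls the last week of DLP events for Exchange, SharePoint/OneDrive and endpoints, and lists user overrides separately, since each override is a user deciding the policy does not apply to them. It assumes the ExchangeOnlineManagement module, an account with an audit-log reader role, and the AuditData field names of the DLP schema in the Office 365 Management Activity API (PolicyDetails, Rules, ExceptionInfo), which are not from the article.

```powershell
# Added example (not from the original article): enable unified auditing and pull
# the last week of DLP events, including user overrides, from the unified audit log.
# Assumptions: ExchangeOnlineManagement module installed; account holds the
# View-Only Audit Logs role or higher; AuditData field names follow the DLP schema
# of the Office 365 Management Activity API.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Nothing is recorded until ingestion is enabled. Newer tenants have it on by
#    default, but check rather than assume.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Unified audit logging was off; events appear only after a delay.'
}

# 2. -RecordType takes a single value, so query each DLP workload in turn.
$end   = Get-Date
$start = $end.AddDays(-7)
$recordTypes = 'ComplianceDLPExchange', 'ComplianceDLPSharePoint', 'DLPEndpoint'
$events = foreach ($rt in $recordTypes) {
    Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType $rt -ResultSize 5000
}

# 3. AuditData is a JSON string; flatten one row per policy rule that matched.
$summary = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    foreach ($p in $d.PolicyDetails) {
        foreach ($r in $p.Rules) {
            [pscustomobject]@{
                Time      = $e.CreationDate
                Workload  = $e.RecordType
                Operation = $e.Operations        # DlpRuleMatch, DlpRuleUndo (override), DlpInfo
                User      = $d.UserId
                Policy    = $p.PolicyName
                Rule      = $r.RuleName
                Actions   = ($r.Actions -join ';')
                # Populated on DlpRuleUndo: the justification the user typed to override
                Override  = $d.ExceptionInfo.Justification
            }
        }
    }
}

$summary | Sort-Object Time -Descending | Format-Table -AutoSize

# 4. Overrides deserve a human look: who is overriding which rule, and how often.
$summary | Where-Object Operation -eq 'DlpRuleUndo' |
    Group-Object User, Rule | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Search-UnifiedAuditLog returns at most 5,000 rows per call; for busy tenants, narrow the window or page with -SessionCommand ReturnLargeSet, and consider shipping the events to a SIEM rather than querying ad hoc.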
Microsoft 365 DLP vs. Microsoft Information Protection (MIP)
Many are confused by the various offerings from Microsoft related to compliance and data loss prevention. Microsoft Information Protection (MIP) helps discover, classify, and protect sensitive information. It is a suite of technologies rather than a single product, and it includes the Data Loss Prevention (DLP) capabilities found in Microsoft 365. The capabilities of MIP include:
- Sensitive information types (SITs)
- Azure Information Protection (AIP) unified labeling client, now Microsoft Information Protection
- Azure Information Protection (AIP) unified labeling scanner, now Microsoft Information Protection
- Double Key Encryption (DKE)
- Office 365 Message Encryption (OME)
- Service encryption with Customer Key
- SharePoint Information Rights Management (IRM)
- Rights Management connector
- Microsoft Cloud App Security (MCAS), now Microsoft Defender for Cloud Apps
- Microsoft Information Protection (MIP) SDK
- Data Loss Prevention (DLP)
Data Loss Prevention (DLP) is Not a Substitute for Cybersecurity
It is essential to understand that while DLP is required to satisfy regulatory compliance demands and prevent data leak catastrophes, it is not an all-inclusive cybersecurity solution. While DLP should be part of your overall cybersecurity stance, it does not protect your environment from hackers.
Data Loss Prevention helps organizations enforce governance restrictions with business-critical and sensitive data. However, it does not protect your environment from a ransomware attack, stolen credentials, phishing emails, malicious third-party applications, and other threats in the cloud.
On the other hand, strong cybersecurity measures do not protect your organization from data leak events when users transmit or share data accidentally or intentionally. DLP helps organizations protect from insider threats, while other cybersecurity measures and technologies help protect them from outside threats posed by attackers and other malicious activities.
Microsoft has other products that help protect organizations from malicious threats such as email compromise and credential phishing. Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection, ATP) provides deep inspection and can detonate attachments in a sandbox to determine whether they are legitimate based on intent and behavior. Its artificial intelligence (AI) and machine learning (ML) help protect your business-critical and sensitive data from attackers. Learn more about that solution here:
365 Total Protection from Hornetsecurity offers comprehensive protection for Microsoft cloud services, specially developed for Microsoft 365 and seamlessly integrated with it. Easy to set up and intuitive to use, 365 Total Protection simplifies your IT security management from the very start.
Data Loss Prevention (DLP) is Not a Substitute for Backup
Although Data Loss Prevention sounds like backup, as you can see, it’s not the same thing. Your information governance plan for your business should include DLP, Information Protection, AND Backup.
Office 365, Exchange Online, and SharePoint Online / OneDrive for Business use various data protection technologies to ensure your data is highly available and protected against hardware failure. Still, there's NO backup in a separate system and no way to "go back in time." Make sure you complement DLP and Information Protection with solid third-party backup services for Office 365, such as Altaro's Office 365 Backup.
Microsoft 365 DLP Default Policy
In the Microsoft 365 Compliance Center, a default Data Loss Prevention (DLP) policy is listed, aptly named Default Office 365 DLP policy. The policy contains two safeguards by default, helping to protect organizations from data leaks involving credit card numbers. Let’s take a closer look at the default DLP policy, as it helps to get a feel for the configurable policy settings.
Viewing and editing the default Data Loss Prevention (DLP) policy in Microsoft Compliance Center
The default DLP policy already configured in your Microsoft 365 environment applies to Exchange email, SharePoint sites, and OneDrive accounts, as shown below. The great thing about Microsoft 365 DLP policies is that a single policy can be applied across multiple services at the same time.
Services assigned to the default Microsoft 365 DLP policy
The default DLP policy contains two advanced DLP rules out of the box. The advanced rules contain conditions and actions that define the protection requirements for the policy. You can edit the existing rules or create new ones. The two default rules in the advanced DLP ruleset are:
- Items containing 1-9 credit card numbers shared externally
- Items with 10 or more credit card numbers shared externally
Default advanced rules contained in the Microsoft 365 DLP policy
You can see how the policy rules are configured if you edit one of the default rules. Under Conditions, the Sensitive info type is set to Credit Card Number.
Sensitive info types configured for Credit Card Number
It is configured to look for the CCNs that are shared with people outside my organization.
Data shared outside the organization
The Microsoft 365 DLP policies, by default, are configured for user notifications. These notify the following:
- The person who sent, shared, or last modified the content
- Owner of the SharePoint site or OneDrive account
- Owner of the SharePoint or OneDrive content
You can also configure additional notification rules to send emails to other recipients.
Notification rules for the Microsoft DLP policy
Another configurable setting in the Microsoft 365 DLP policy settings is to allow overrides. This setting allows users to override policy restrictions in Exchange, SharePoint, OneDrive, and Teams. It is a setting that needs to be used with caution as it can potentially violate compliance and governance.
As seen below, you can additionally require a business justification to override. Admins can also choose to receive alerts with user override activity.
Allowing user overrides from M365 services
One of the really nice features Microsoft has built into the Microsoft 365 DLP policy configuration wizard is templates. Depending on the type of compliance, industry, and other factors, the templates make it much easier to start with a good baseline of DLP policy settings.
Using Microsoft 365 DLP templates
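The wizard is the easiest way to explore the settings, but once you know what you want, defining the policy in Security & Compliance PowerShell keeps it reviewable and repeatable. The following is an added example, not code from the original article or from Microsoft: it first dumps the rules of the built-in default policy so you can compare, then creates a policy of your own with the same shape as the two default rules (1-9 credit card numbers shared externally with override and justification, 10 or more with a hard block), starting in test mode. The policy and rule names, the policy-tip text, the severities and the choice of test mode are this example's own choices; the cmdlets and parameters are from the Security & Compliance PowerShell module.

```powershell
# Added example (not from the original article): recreate the shape of the default
# credit-card DLP policy as a managed policy with Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; Compliance Administrator
# role; policy/rule names, tip text, severities and test mode are illustrative.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# 0. Look at what the built-in policy does before copying it.
Get-DlpComplianceRule -Policy 'Default Office 365 DLP policy' |
    Format-List Name, AccessScope, BlockAccess, NotifyAllowOverride, NotifyUser

$policyName = 'CCN external sharing (managed)'

# 1. Start in test mode with notifications: you see matches and users see policy
#    tips, but nothing is blocked yet. Switch -Mode Enable once tuned.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Credit card numbers shared outside the organization' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Low volume (1-9 CCNs): block, but allow override with a written justification.
New-DlpComplianceRule -Name 'CCN 1-9 external' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1'; maxCount = '9' } `
    -AccessScope NotInOrganization `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText 'This item contains credit card numbers and is shared outside the organization.' `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All `
    -ReportSeverityLevel Low

# 3. High volume (10+ CCNs): hard block, no override, high-severity incident report.
New-DlpComplianceRule -Name 'CCN 10+ external' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '10' } `
    -AccessScope NotInOrganization `
    -NotifyUser LastModifier, Owner `
    -BlockAccess $true -BlockAccessScope PerUser `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All `
    -ReportSeverityLevel High

# 4. Verify the result, and confirm the policy is still in test mode.
Get-DlpCompliancePolicy $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-Table Name, AccessScope, BlockAccess, NotifyAllowOverride, ReportSeverityLevel
```

Leaving the policy in TestWithNotifications for a week or two before enforcing it is the cheapest way to find false positives (test data, partner price lists, internal forms) without interrupting anyone's work.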
Microsoft 365 Endpoint DLP
Microsoft 365 DLP lets organizations monitor the actions taken on sensitive data in the cloud services and helps prevent the unintentional sharing of those items. However, there is another aspect: the endpoint.
Microsoft 365 Endpoint data loss prevention (Endpoint DLP) provides the capabilities to extend the activity monitoring and protection capabilities to sensitive items physically stored on the endpoint. These may include Windows 10, 11, and macOS (currently in public preview) devices.
To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons:
- Microsoft 365 E5 compliance
- Microsoft 365 A5 compliance
- Microsoft 365 E5 information protection and governance
- Microsoft 365 A5 information protection and governance
The Endpoint DLP solution allows companies to onboard their devices into the Microsoft 365 compliance solution and monitor activities and actions taken on the endpoint. In addition, using DLP policies, protective actions can be enforced to provide DLP guardrails on the clients.
There are specific activities Microsoft 365 Endpoint DLP allows you to monitor and act upon on Windows 10, Windows 11, and macOS devices. These include the following:
- Upload to cloud service or access by unallowed browsers
- Copy to USB or other removable media
- Copy to a Bluetooth device
You can also scope monitoring to specific file types.
Configuring Microsoft 365 Endpoint DLP settings
To configure Microsoft 365 Endpoint DLP settings, navigate to Data Loss Prevention (DLP) > Endpoint DLP settings. As you can see below, you can configure policy settings controlling:
- Browser and domain restrictions to sensitive data
- Additional settings for endpoint DLP
- Always audit file activity for devices
Configuring Endpoint DLP settings
As an example, let’s set up unallowed browsers. Under Browser and domain restrictions to sensitive data > Unallowed browsers > Add or edit unallowed browsers.
Adding Unallowed Browsers in a Microsoft 365 Endpoint DLP policy
Next, you will select or add the executable for the unallowed browser for your Endpoint DLP policy.
Choosing unallowed browsers for your Endpoint DLP policy
Onboarding devices into Microsoft 365 Endpoint DLP
You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. You can enable device management and onboard devices using the Microsoft 365 Compliance portal. Onboarding is accomplished by downloading and running the script on the endpoint.
You can also onboard devices using Group Policy, Microsoft Endpoint Configuration Manager, Mobile Device Management tools, and onboarding virtual desktop infrastructure (VDI) devices.
Onboarding devices into Microsoft 365 Endpoint DLP
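Whichever onboarding route you use, it is worth verifying on the device that the onboarding actually took before you rely on the policies. The following is an added example, not code from the original article or from Microsoft: a check you can run elevated on a Windows endpoint after the onboarding script, or deploy as a compliance script, that reads the Defender for Endpoint sensor state the onboarding leaves behind. The service name and registry path are the ones the Defender for Endpoint sensor uses; the shape of the result object, the exit code and the antimalware check are this example's own choices.

```powershell
# Added example (not from the original article): verify that a Windows endpoint was
# onboarded for Endpoint DLP / Defender for Endpoint and that the sensor is running.
# Assumptions: run elevated on the endpoint; 'Sense' service and the
# '...\Windows Advanced Threat Protection\Status' key are the sensor's own;
# OnboardingState = 1 means onboarded; the result shape and exit code are illustrative.
function Test-EndpointDlpOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    # Endpoint DLP relies on the Defender antimalware client being present
    # (assumption: it need not be the primary AV, but the engine must run).
    $mp     = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSBuild         = [System.Environment]::OSVersion.Version.ToString()
        SenseInstalled  = [bool]$sense
        SenseRunning    = ($null -ne $sense -and $sense.Status -eq 'Running')
        OnboardingState = $status.OnboardingState      # 1 = onboarded, 0/absent = not
        OrgId           = $status.OrgId                 # tenant the sensor reports to
        DefenderEngine  = [bool]$mp.AMServiceEnabled
    }
}

$result = Test-EndpointDlpOnboarding
$result | Format-List

# Fail loudly so Intune / Configuration Manager can treat the device as non-compliant.
if (-not $result.SenseRunning -or $result.OnboardingState -ne 1 -or -not $result.DefenderEngine) {
    Write-Error ("Endpoint not ready for Endpoint DLP: SenseRunning={0}, OnboardingState={1}, DefenderEngine={2}" -f `
        $result.SenseRunning, $result.OnboardingState, $result.DefenderEngine)
    exit 1
}
```

Checking OrgId against your own tenant is a cheap way to catch a machine that was onboarded with a script from the wrong tenant, which is a surprisingly common mistake in MSP environments.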
Does DLP Cover All Your Data Loss Needs?
Compliance and governance are both extremely important initiatives for organizations today. Most compliance regulations require Data Loss Prevention (DLP), which helps prevent the accidental or intentional sharing of sensitive data outside the sanctioned environment.
Microsoft 365 Data Loss Prevention (DLP) is a solution from Microsoft that helps organizations effectively meet the challenges of protecting their business-critical and sensitive data from leaking outside their Microsoft 365 environment. The policy-driven engine of Microsoft 365 lets you build and apply policies that control how data can be shared, accessed, and transmitted from Microsoft 365.
It allows control of both the data that resides in the Microsoft 365 environment and the data that physically resides on the endpoint. By configuring both aspects of Microsoft 365 DLP, organizations can effectively prevent unauthorized data access of sensitive information. As covered, DLP is not an all-inclusive cybersecurity solution.
Organizations must combine DLP with other security solutions, such as Microsoft’s Defender for Office 365 or Hornetsecurity’s 365 Total Protection for protecting against phishing attacks, ransomware, and other threats, plus a backup solution such as Office 365 Backup. You can also bundle both together in 365 Total Protection Enterprise Backup.