Quarantine Content with Cloud App Security

This will be a short post highlighting one of the simple things Microsoft cloud administrators can do to support data governance in their environments: forcibly quarantine content based on its sensitivity label, if it is uploaded to forbidden workspace.

In this example, a company that falls under nuclear power regulations wants to ensure that employees do not upload regulated content to their OneDrives or to SharePoint Online. I created a new Information Protection label and a DLP policy, so I get some automatic labeling right off the bat:

Sensitivity Label - Automatic - Word Web
Sensitivity Label – Automatic – Word Web.

Just in case, I still have sensitivity labels enabled in the Word web app, for users to apply on their own.

New Sensitivity Label
New Sensitivity Label: PowerWumpus.

Regular readers may take note of “PowerWumpus”. “Wumpus” is my go-to for some other keyword-based sensitive information types, so “PowerWumpus” for a new label based on this “nuclear power” regulatory requirement.

My goal is to prevent users from uploading sensitive content to either of these service platforms. However, I can’t prevent an authorized person from uploading – if they have permission to handle the file and they have access to the workspace, then they can upload it.

However, what I can do is watch those spaces and take steps to enforce this policy after the fact. I could delete the file, but that seems heavy-handed if it’s a new policy. Instead, what I’ll do is quarantine the file, so that only the file owner can access it, even if it’s in a shared space.

Cloud App Security - DLP Policy Match
Cloud App Security – DLP Policy Match.

While my stated goal as a data security officer might be to prevent users from uploading sensitive content to a governed space, my real goal is to prevent that content from living there. While I can’t prevent it from being uploaded by an authorized user, I have other steps I can take:

  1. Should this user even be authorized?
  2. If they should be authorized, I can monitor what sort of content gets uploaded.
  3. I can create notifications – to the user, to monitors, to site collection owners – triggered when inappropriate content is uploaded.
  4. I can go further and take steps to make the content inaccessible, or even delete it, if necessary.

Cloud App Security (CAS) is a sort of all-inclusive blanket that often gets overlooked by organizations seeking to move services to the cloud. It’s easy to focus on just Exchange, or SharePoint, or OneDrive and Teams. Often if there isn’t a way to address a data security issue in one of the Saas services, CAS has ways to dig deeper and reach more broadly to improve your data security posture.

Leave a Reply

Your email address will not be published. Required fields are marked *