Cloud App Security lets you investigate files and set policies based on Azure Information Protection classification labels, enabling greater visibility and control of your sensitive data in the cloud. Integrating Azure Information Protection with Cloud App Security is as easy as selecting one single checkbox.
By integrating Azure Information Protection into Cloud App Security, you can leverage the full power of both services and secure files in your cloud, including:
- The ability to view all classified files in a central location
- The ability to perform investigation according to classification level, and quantify exposure of sensitive data over your cloud applications
- The ability to create policies to make sure classified files are being handled properly
To enable this feature you will need both a Cloud App Security license and a license for Azure Information Protection Premium P1 or P2. As soon as both licenses are in place, Cloud App Security will sync the organization's labels from the Azure Information Protection service.
How it works
You are probably familiar with file classification labels in Azure Information Protection. You can see the Azure Information Protection classification tags in Cloud App Security. As soon as you integrate Cloud App Security with Azure Information Protection, Cloud App Security scans files as follows:
- Cloud App Security retrieves the list of all the classification labels used in your tenant. This is performed every hour to keep the list up to date.
- Cloud App Security then scans the files for classification labels, as follows:
  - If you enabled automatic scan (see below), all new or modified files will be added to the scan queue.
  - If you set a file policy (see below) to search for classification labels, these files will be added to the scan queue for classification labels.
- As noted above, these scans are for the classification labels discovered in the initial scan Cloud App Security performs to see which classification labels are used in your tenant. External labels, classification labels set by someone external to your tenant, are added to the list of classification labels. If you don't want to scan for these, select the Only scan files for Azure Information Protection classification labels from this tenant checkbox (see below).
- After you enable Azure Information Protection on Cloud App Security, all new files that are added to Office 365 will be scanned for classification labels as well.
How to integrate Azure Information Protection with Cloud App Security
Enable Azure Information Protection
This is all you have to do to integrate Azure Information Protection with Cloud App Security: enable automatic scan, which searches your Office 365 files for Azure Information Protection classification labels without the need to create a policy. After you enable this, if you have files in your cloud environment that are labeled with Azure Information Protection classification labels, you will see them in Cloud App Security.
To enable Cloud App Security to scan files with content inspection enabled for classification labels:
- In Cloud App Security, under the settings cog, select the General settings page.
- Under Azure Information Protection, select Automatically scan files for Azure Information Protection classification labels.
After enabling Azure Information Protection, you will be able to see files that have classification labels and filter them per label in Cloud App Security.
Automatic scan will not scan existing files until they are modified again. To scan existing files for Azure Information Protection classification labels, you must have at least one Content inspection File policy. If you have none, create a new File policy, delete all the preset filters, and check the Content inspection option. Then, under Content inspection, click Include files that match a preset expression, select any predefined value, and save the policy. This enables content inspection, which automatically detects Azure Information Protection classification labels.
Set internal and external tags
By default, Cloud App Security will scan classification labels that were defined in your organization as well as external ones that were defined by other organizations.
To ignore classification labels set external to your organization, in the Cloud App Security portal, under General settings, under Azure security settings, select Ignore Azure Information Protection classification labels from other tenants.
Control file exposure
- If this is the document you labeled with an Azure Information Protection classification label:
- You will be able to see this file in Cloud App Security, in the Files page, by filtering for the classification label:
You can get more information about those files and their classification labels in the file drawer.
In the Files page, click on the relevant file to see if it has any classification labels:
- You can click on the classification label to view more information or to see the full list of classification labels:
- Then, you can create file policies in Cloud App Security to control files that are shared inappropriately and find files that are labeled and were recently modified.
- In addition, you can trigger alerts on activities related to classified files.
When Azure Information Protection labels are disabled on a file, the disabled labels will appear as disabled in Cloud App Security. Deleted labels will not be displayed.
Policy #1 - confidential data that is externally shared on Box:
- Create a file policy.
- Set the policy’s name, severity and category.
- Add the following filters to find all confidential data that is externally shared on Box:
Policy #2 - restricted data that was recently modified outside the Finance folder on SharePoint:
- Create a file policy.
- Set the policy’s name, severity and category.
- Add the following filters to find all restricted data that was recently modified, and exclude the Finance folder using the folder selection option:
You can also choose to set alerts, user notification or take immediate action for these policies. Learn more about governance actions.
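The two policies above are built in the portal, but their filter logic is simple to state precisely. The following Python script is an added example (not Microsoft's code or any Cloud App Security API) that models Policy #1 and Policy #2 as predicates over constructed file records, and also models the "ignore classification labels from other tenants" setting from the previous section. The record fields, the `HOME_TENANT` placeholder, the `/Finance/` path convention and the seven-day "recently modified" window are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Placeholder id for the organization's own tenant (assumption, not a real id).
HOME_TENANT = "tenant-home"


@dataclass
class FileRecord:
    """One file as a scan would see it. Field names are assumptions,
    not the Cloud App Security schema."""
    name: str
    app: str            # "Box" or "SharePoint Online"
    path: str           # folder path inside the app
    access_level: str   # "Private", "Internal", "External" or "Public"
    labels: list        # (label_name, id_of_tenant_that_defined_the_label)
    modified: datetime


def visible_labels(rec, ignore_other_tenants):
    """Apply the 'ignore classification labels from other tenants' setting:
    labels defined by a different tenant are dropped when the option is on."""
    return {
        name for name, tenant in rec.labels
        if not ignore_other_tenants or tenant == HOME_TENANT
    }


def policy_confidential_external_box(rec, ignore_other_tenants=False):
    """Policy #1: Confidential label, shared externally, stored in Box."""
    labels = visible_labels(rec, ignore_other_tenants)
    return (rec.app == "Box"
            and rec.access_level == "External"
            and "Confidential" in labels)


def policy_restricted_recent_outside_finance(rec, now, window=timedelta(days=7),
                                             ignore_other_tenants=False):
    """Policy #2: Restricted label on SharePoint Online, modified within the
    window, excluding anything under the Finance folder (window is an assumption)."""
    labels = visible_labels(rec, ignore_other_tenants)
    in_finance = rec.path.startswith("/Finance/")
    recent = (now - rec.modified) <= window
    return (rec.app == "SharePoint Online"
            and "Restricted" in labels
            and recent
            and not in_finance)


def evaluate(records, now, ignore_other_tenants=False):
    """Run both policies over the records; returns matching file names per policy."""
    return {
        "confidential_external_box": [
            r.name for r in records
            if policy_confidential_external_box(r, ignore_other_tenants)],
        "restricted_recent_outside_finance": [
            r.name for r in records
            if policy_restricted_recent_outside_finance(
                r, now, ignore_other_tenants=ignore_other_tenants)],
    }


# Constructed sample data with a fixed clock so results are reproducible.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_FILES = [
    FileRecord("board-deck.pptx", "Box", "/Exec/", "External",
               [("Confidential", HOME_TENANT)], NOW - timedelta(days=3)),
    FileRecord("team-notes.docx", "Box", "/Exec/", "Internal",
               [("Confidential", HOME_TENANT)], NOW - timedelta(days=3)),
    # Label applied by a partner organization's tenant.
    FileRecord("partner-notes.docx", "Box", "/Shared/", "External",
               [("Confidential", "tenant-partner")], NOW - timedelta(days=1)),
    FileRecord("q1-forecast.xlsx", "SharePoint Online", "/Finance/2024/", "Internal",
               [("Restricted", HOME_TENANT)], NOW - timedelta(days=1)),
    FileRecord("review.docx", "SharePoint Online", "/HR/", "Internal",
               [("Restricted", HOME_TENANT)], NOW - timedelta(days=2)),
    FileRecord("old-plan.docx", "SharePoint Online", "/HR/", "Internal",
               [("Restricted", HOME_TENANT)], NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for policy, hits in evaluate(SAMPLE_FILES, NOW).items():
        print(policy, hits)
```

Running the script with the default settings lists `partner-notes.docx` under Policy #1 because its Confidential label, although set by another tenant, is still visible; passing `ignore_other_tenants=True` to `evaluate` drops it, which is the effect of the portal checkbox described above. The Finance file is never reported by Policy #2 even though it is Restricted and recently modified, because the folder exclusion takes precedence.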
Integration with Azure Rights Management
Your organization must have Azure Rights Management licensed and activated to integrate between Cloud App Security and Azure RMS. These two separate steps can be found in Activating Azure Rights Management.
Cloud App Security currently supports Native protection for Office files (2016 and up). PDF and image files will be available in future versions.
This feature is currently available for files that are stored in SharePoint Online and OneDrive for Business. More cloud apps will be supported in future versions.
After Cloud App Security is connected to your Office 365 service, you will be able to use the Cloud App Security RMS integration features that enable you to protect documents with RMS directly in the Cloud App Security portal, as follows:
- From the Files page, select the file you want to protect and then click the three dots at the end of the file's row and choose Protect.
- You will be asked to choose one of your organization's classification labels to use to protect the file, and click Protect.
After you choose a classification label and click Protect, Cloud App Security will apply the classification label and protect the original file.
It is recommended to apply company-wide RMS classification labels on files, so all users in the organization will be able to access these files, including the original owner of the file. The owner of the file, the sharing policy of the file and the list of users who already have access to it do not change when the file becomes protected.
If users want to access the protected file, they must have the RMS sharing app installed on their device. For more information, see the Technical overview and protection details for the Microsoft Rights Management sharing application.
You can revert this action at any time in the Governance log by clicking the Revert button at the end of the row of the previously taken Protect action.
For more information about how Cloud App Security and Azure Information Protection work together, see Protect data against user mistakes