Protect data against user mistakes

While the transition to mobility and the cloud has substantially increased employee productivity, the complex interaction between users, devices, apps, and data, on-premises as well as in the cloud, has generated new blind spots for IT teams. Even though organizations may not embrace this transition, employees already have. As the interactions between these components and the sophistication of attack vectors increase, security remains a top challenge for enterprises. IT staff struggle to maintain visibility, control, and protection of corporate data.

Data control resources that protect corporate data from user mistakes and prevent data loss are important steps toward securing your resources while enabling users to be productive.

How can Enterprise Mobility + Security help you?

Enterprise Mobility + Security (EMS) enables IT to gain deeper visibility into user, device, and data activity on-premises and in the cloud. With EMS, IT can protect corporate data from user mistakes with stronger controls and enforcement. IT will be able to monitor risk detection by using powerful reporting and analytics on users, upload/download traffic, usage patterns, and transactions for discovered applications.

To address the requirements of this scenario, EMS uses Cloud App Security and Azure Information Protection. By implementing these technologies, organizations gain:

  • Complete visibility into employee cloud app usage and Shadow IT
  • Granular-level control and data policies for ongoing data protection in cloud apps
  • Persistent data classification and protection that ensures data is protected at all times, regardless of where it's stored or with whom it's shared
  • Ability to safely share data with people inside and outside of your organization
  • Intuitive controls for data classification and protection
  • Visibility and control of shared data for users and IT

The following diagram summarizes the capabilities involved in this scenario and how they are used to protect your resources:

Diagram: Cloud App Security and Azure Information Protection work together to protect data on-premises and in the cloud.

Here's a short video to give you a quick introduction to how Enterprise Mobility + Security (EMS) enables IT to gain deeper visibility and control:

How to implement this solution

Follow these steps to implement Cloud App Security and Azure Information Protection:

  • Step 1: Discover cloud apps in use and control them with policy
  • Step 2: Protect data on-premises or in the cloud

How to protect data against user mistakes

Cloud applications are in use by most enterprises today, and we will soon reach a time when more corporate data is stored in the cloud than on-premises. Many times, users use SaaS apps from their devices without their company's consent or knowledge, which causes an increase in Shadow IT usage of the cloud. This conclusion comes from studies showing that 80% of employees admitted to using unapproved SaaS apps for work. Cloud App Security provides a detailed overview of all cloud apps being used in the organization. It identifies all users and IP addresses accessing an application. It also conducts a risk assessment for more than 13,000 cloud apps and provides an automated risk score for each app based on more than 60 parameters.

Follow step 1 to discover the cloud apps in your environment and implement policies to control these apps. The second stage of this solution implements Azure Information Protection to protect and classify data, which can mitigate users' mistakes and data misuse.

Step 1: Discover cloud apps in use and control them with policy

The first step in using Cloud App Security is to discover your apps. If you skip this step, there will be no apps to analyze and to restrict using policies. If you haven't started the discovery process, the Discover option in the Cloud App Security dashboard shows the following message:

Screenshot showing the message that the user has not yet uploaded any Cloud Discovery logs.

Discovering which apps are in use across your organization is the first step in making sure your sensitive corporate data is protected. Once the discovery process is finished, you will be able to see a list of the discovered apps under the Cloud Discovery dashboard.

Screenshot showing the Cloud Discovery dashboard and the list of discovered apps.

Each app has a score that represents the credibility and reliability of the cloud app. When you open the app's rank, you will notice that three categories are used to create this rank: General, Security, and Compliance. Each category has certain attributes that are tested during the discovery process. If one attribute is not fully compliant, it shows as partial, and you can open the details of that attribute to understand why it is shown as partial.

Screenshot showing the details of the "HTTP security headers" attribute.

The next step is to control the behavior of the discovered applications using policies. This capability enables IT to fine-tune the discovered applications and their associated risk level to your organization. There are different types of policies; which one you should create first depends on your organization's business requirements. By default, the anomaly detection policy is enabled, so it's not necessary to configure a new policy for it to work. But you can fine-tune which types of anomalies you want to be alerted about in the default policy.

Once the policy is configured, you can investigate potential violations of a policy that is currently in place. In this particular scenario, you want to verify whether any Personally Identifiable Information (PII) is shared in the cloud. The information about this type of activity is available via a file policy. The file-level policy you will be looking at is the PII compliance policy. The purpose of this policy is to identify publicly shared files that contain personally identifiable information, and to provide options for investigation and remediation.

In this particular case, there are three matches for this policy, which means that three files match it. You can click on one to investigate the file name and its location.

Step 2: Protect data on-premises or in the cloud

Before implementing this solution, review the requirements for Azure Information Protection.

Microsoft's Azure Information Protection helps you classify and label your data at the time of creation. Protection (encryption + authentication + use rights) can then be applied to sensitive data. Classification labels and protection are persistent, traveling with the data so that it's identifiable and protected at all times, regardless of where it's stored or with whom it's shared. When planning to implement information protection policies and labels, use the following guidelines:

  • Classify data based on sensitivity
  • Start with the data that is most sensitive
  • IT can set automatic rules; users can complement them
  • Associate actions such as visual markings and protection

Azure Information Protection comes with default labels; however, you can customize and create your own labels or sub-labels that users see on the Information Protection bar.

Labels are metadata written to documents. Labels are in clear text so that other systems, such as a DLP engine, can read them.

In the following example, you can see custom sub-labels that were created under the Secret label:

Screenshot showing the custom sub-labels that were created under the "Secret" label.

Once you define how you will be using your labels (default or custom ones), configure a label to apply Rights Management protection.

With Azure Information Protection, data classification and protection controls are integrated into Office and other common applications. This integration provides simple one-click options to secure the data that users are working on. In the Azure portal, an administrator can apply predefined patterns, such as "Credit card numbers" or "USA Social Security Numbers", as a condition for automatic classification. Alternatively, they can use text patterns and regular expressions to define a custom string or pattern.

When you configure conditions for a label, you can automatically assign a label to a document or email, or you can prompt users to select the label that you recommend. Read How to configure conditions for automatic and recommended classification for Azure Information Protection for more information on how to perform this configuration.
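To make the automatic versus recommended behaviour concrete, here is an added Python model of label conditions (example code written for this page, not Azure Information Protection's own classification engine or any Microsoft SDK). The two detectors are constructed approximations of the "USA Social Security Numbers" and "Credit card numbers" predefined patterns; the Luhn filter, the any-of/all-of option, the first-match-wins ordering and the sample document are all assumptions of the model.

```python
import re
from dataclasses import dataclass, field

# Added illustrative model of AIP-style label conditions; not AIP's own engine or SDK.
# Both detectors are constructed approximations of the predefined patterns named on the page.
US_SSN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; assumed here as the filter that drops card-number false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += d if i % 2 == 0 else (d * 2 if d < 5 else d * 2 - 9)
    return total % 10 == 0

def count_credit_cards(text: str) -> int:
    # Count only candidates whose digits (separators stripped) pass the checksum.
    return sum(luhn_valid(re.sub(r"[ -]", "", m.group())) for m in CARD_CANDIDATE.finditer(text))

@dataclass
class Condition:
    name: str
    counter: object      # callable: text -> number of occurrences
    min_count: int = 1   # minimum occurrences before the condition holds

@dataclass
class LabelRule:
    label: str
    mode: str            # "automatic" (apply silently) or "recommended" (prompt the user)
    conditions: list = field(default_factory=list)
    require_all: bool = False   # any-of by default, all-of when True (assumption)

def evaluate(text: str, rules: list) -> dict:
    """Walk rules in order (assumed most sensitive first) and return the first rule that holds."""
    for rule in rules:
        hits = {c.name: c.counter(text) for c in rule.conditions}
        met = [hits[c.name] >= c.min_count for c in rule.conditions]
        if met and (all(met) if rule.require_all else any(met)):
            return {"label": rule.label, "mode": rule.mode, "matches": hits}
    return {"label": None, "mode": None, "matches": {}}

RULES = [  # constructed policy: two cards -> label automatically; one SSN or card -> recommend
    LabelRule("Highly Confidential", "automatic", [Condition("Credit card numbers", count_credit_cards, 2)]),
    LabelRule("Confidential", "recommended", [Condition("USA Social Security Numbers", lambda t: len(US_SSN.findall(t))),
                                              Condition("Credit card numbers", count_credit_cards)]),
]
SAMPLE_DOC = ("Constructed sample. Applicant SSN: 123-45-6789. Card on file: 4111 1111 1111 1111. "
              "Order reference (fails Luhn, not a card): 1234 5678 9012 3456.")
```

Running `evaluate(SAMPLE_DOC, RULES)` yields a recommended "Confidential" label with one SSN and one card hit; the 16-digit order reference is rejected by the checksum, which is the kind of false positive a custom regex-only condition would raise.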


For more information about data classification and protection, read Secure data using classification, labeling and protection.

Next steps

Microsoft Cloud App Security provides a holistic solution to discover, monitor, control, and protect activities and data in cloud applications. Cloud App Security helps IT admins encrypt directly from the Cloud App Security console using Azure Information Protection. Through integration with Azure Information Protection, you can now apply generic protection to files stored in SharePoint Online and OneDrive for Business if you see a need. For more information about the integration between Cloud App Security and Azure Information Protection, read Azure Information Protection integration.