Cloud Apps Security, Protect your files in a Secure MultiCloud World

After the rise of hybrid cloud within a single vendor, we have reached the next step of complexity with multicloud. It is not realistic to believe in a single-vendor cloud world. There is going to be a continuous battle between cloud services for new customers and to convert existing customers to their platform, and in some ways, integration needs to happen between different cloud services. Microsoft knows that too. Look at what they are trying to do around the integration of Dropbox and Box in Microsoft Teams, around extending Azure Information Protection to on-premises systems, and their plans to extend AIP, or rather MIP, towards non-Microsoft platforms.

Cloud Apps Security (CAS) is another example that shows that Microsoft understands it can hope for cloud service domination, but reality might be different, or the timeframe for that domination might be a bit longer than anticipated. So what is this CAS thing? Look at CAS as a centralized dashboard you can use to identify, control, protect and do threat analysis of your cloud services. Supported at this time are Box, Dropbox, Google Drive, OneDrive for Business and SharePoint Online. CAS can be found as a separate entity in your Office 365 Admin, that is, if you have an existing license for it. You can trial it for 30 days.

A limitation I want to point out from the beginning is that CAS only supports the Enterprise versions of the existing cloud services. It will not support personal Dropbox, Box or OneDrive accounts, so this is something to keep in mind.

As it is today, CAS can identify which cloud services are being used based on traffic logs. You upload the traffic logs from your local connection and CAS will identify any cloud services that are being used as shadow IT. Since this is based on traffic logs, you need a device that captures them. If you are a fully remote employee whose traffic is not going through a Blue Coat, SonicWall or other appliance, the discovery can only do so much.

The second functionality is investigation. Investigation allows you to do a deep-dive analysis of what is going on in your cloud services. It can retrieve everything from the activity log, user interactions, and any file investigations. Since this was a test for me to identify the potential of CAS, I really focused on files and the ability to detect and protect the content of files. I created a policy (which I will discuss in detail later in this post) to detect and protect files containing PII such as an SSN. When a document triggers that policy, this is reported in the investigation option under Files.

The third part of CAS is control. It is in this section that you define policies to protect the content of your files. We are going to create a policy to protect all files in my Box, Google Drive, OneDrive for Business and SharePoint Online when they contain PII such as an SSN. There are multiple ways to create policies: start from scratch, start from a template, etc. I always try to go for the path of least resistance, so no surprise here, I will start with a template.

Now, what was striking to me is that it said built-in DLP engine. So that means (at least for now) CAS is not using the same DLP engine as Office 365. It uses its own DLP engine to identify certain sensitive types of data. Later on, you will see that the options for specific PII are very limited in comparison with what Office 365 already has built in. To create the policy based on a template, just click the + attached to it.

A policy has a number of settings you can choose to define or not. Some are mandatory, some are optional; together they define the reach and actions of your policy. In my policy, I want to protect SSNs. In the first section, I can define the severity of the policy and any potential filters, pretty much the reach of your policy. In my policy, where I want to protect everything, I don't have to define any filters.

In the second section, I am going to define exactly what I am looking for. I want to identify files that contain US: PII: Social Security Number. Those are loaded through a preset in the settings; you can define your own regular expression if you want to look for something that isn't covered. You also need to define where exactly to look: you can let the engine look in the content, metadata, and filename. The last part is to define how many occurrences will trigger the policy.
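To make the three knobs of this section concrete (what pattern, which locations, how many occurrences), here is an added example of my own, not CAS code: a small policy evaluator with an SSN regex that approximates the preset (the real CAS pattern is not published here), toggles for content, metadata and filename, and an occurrence threshold. The file objects and numbers are constructed.

```python
import re
from dataclasses import dataclass, field

# Approximation of a "US: PII: Social Security Number" preset (my own regex, not the CAS one):
# area 001-899 but not 666, group 01-99, serial 0001-9999, dash-separated.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

@dataclass
class FilePolicy:
    name: str
    pattern: re.Pattern = SSN_RE
    scan_content: bool = True
    scan_metadata: bool = True
    scan_filename: bool = True
    min_occurrences: int = 1  # how many hits are needed before the policy fires

@dataclass
class CloudFile:
    service: str  # e.g. "box", "onedrive", "sharepoint"
    name: str
    content: str
    metadata: dict = field(default_factory=dict)

def count_matches(policy: FilePolicy, f: CloudFile) -> dict:
    """Count pattern hits in every location the policy is configured to inspect."""
    hits = {}
    if policy.scan_content:
        hits["content"] = len(policy.pattern.findall(f.content))
    if policy.scan_filename:
        hits["filename"] = len(policy.pattern.findall(f.name))
    if policy.scan_metadata:
        hits["metadata"] = sum(len(policy.pattern.findall(str(v))) for v in f.metadata.values())
    return hits

def evaluate(policy: FilePolicy, f: CloudFile) -> tuple:
    """Return (matched, hits); matched is True once the total reaches min_occurrences."""
    hits = count_matches(policy, f)
    return sum(hits.values()) >= policy.min_occurrences, hits

# Constructed sample files; the numbers are made up and only follow the SSN format.
SAMPLES = [
    CloudFile("box", "TEST SSN copy.docx", "Ids 123-45-6789 and 234-56-7890 on file", {"author": "hr"}),
    CloudFile("onedrive", "notes.docx", "Refs 666-12-3456 and 000-11-2222 are not SSNs", {}),
    CloudFile("sharepoint", "scan 321-54-9876.pdf", "", {"description": "holds 321-54-9876"}),
]
```

The third sample only fires because filename and metadata are in scope; switching those off is exactly the kind of gap a policy author wants to check before trusting the match count.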

The next part is to set up how your alerts need to be generated. You can create an alert for each matching file and send an email or even a text message, like in my example.

And now comes the cool part, in my opinion: the governance rules. If a file is matched against the policy, what needs to happen? These actions, as you can see in the next image, are defined per cloud service. Some cloud services will support different governance actions. They range from removing the shared link and restricting permissions to my favorite, putting the file in quarantine. For the Box environment, I chose the user quarantine, while for OneDrive for Business and SharePoint Online I am going for an admin quarantine.

Let's start by explaining what quarantine means. When a document is put in quarantine, it is replaced by a text file named e.g. TEST SSN copy.docx.QUARANTINE.txt, and when you open that file, the quarantine notice is shown.

Depending on whether the quarantine is admin or user based, the quarantine folder will be created either in a centralized location or within the user's environment. If it is user based, the end user will still have the option to go into the quarantine folder and get the document. In an admin based quarantine, the document is stored in a centralized location, and based on the permissions of that location the user either still has access or not.

When an alert is created, it will be part of the alert section in CAS. At the same time, if you defined that an email or text message should be sent, that will happen as well.

When you go to the CAS dashboard, you will see the alert based on your configuration.

Alerts can be left open, and they can also be dismissed or resolved. This way you can keep track of which alerts you still have to act on and which ones are resolved. When we go into more detail on a single alert, you will see that it tells you all the information you need. It also allows you to perform certain actions on it. E.g. if this was a false positive, you can use Restore from admin quarantine to put the document back in its original location.
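To show the difference between user and admin quarantine described earlier, and the restore action for a false positive mentioned here, this is an added example of my own that models the behaviour on a local filesystem; it is not CAS code. It assumes a user quarantine lives in a Quarantine folder next to the document and an admin quarantine in one central folder, and it works entirely in a scratch directory with constructed files.

```python
import shutil
import tempfile
from pathlib import Path

SUFFIX = ".QUARANTINE.txt"

def quarantine(doc: Path, mode: str, admin_root: Path) -> Path:
    """Move doc into a quarantine folder and leave a tombstone text file in its place."""
    if mode == "user":      # folder inside the user's own space: the user can still fetch the file
        qdir = doc.parent / "Quarantine"
    elif mode == "admin":   # central folder: access depends on that folder's permissions
        qdir = admin_root
    else:
        raise ValueError(f"unknown quarantine mode: {mode}")
    qdir.mkdir(parents=True, exist_ok=True)
    target = qdir / doc.name
    shutil.move(str(doc), str(target))
    doc.with_name(doc.name + SUFFIX).write_text(f"Quarantined by a file policy. Original: {doc.name}\n")
    return target

def restore(tombstone: Path, quarantined: Path) -> Path:
    """Undo a quarantine (e.g. after a false positive): put the file back, drop the tombstone."""
    original = tombstone.with_name(tombstone.name[: -len(SUFFIX)])
    shutil.move(str(quarantined), str(original))
    tombstone.unlink()
    return original

def demo() -> dict:
    """Exercise both modes in a scratch directory and report the resulting layout."""
    root = Path(tempfile.mkdtemp())
    admin_root = root / "admin-quarantine"
    user_doc = root / "alice" / "TEST SSN copy.docx"
    site_doc = root / "site" / "payroll.xlsx"
    for doc in (user_doc, site_doc):          # constructed sample files, no real PII
        doc.parent.mkdir(parents=True)
        doc.write_text("constructed sample, pretend it holds an SSN")
    q_user = quarantine(user_doc, "user", admin_root)
    q_admin = quarantine(site_doc, "admin", admin_root)
    restored = restore(site_doc.with_name(site_doc.name + SUFFIX), q_admin)
    result = {
        "user_tombstone": user_doc.with_name(user_doc.name + SUFFIX).name,
        "user_copy_in_user_space": q_user.parent == user_doc.parent / "Quarantine",
        "admin_copy_central": q_admin.parent == admin_root,
        "restored_exists": restored.exists(),
        "admin_tombstone_removed": not site_doc.with_name(site_doc.name + SUFFIX).exists(),
    }
    shutil.rmtree(root)
    return result
```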

So, this is only one specific use case. Even with this basic version of CAS, a lot of possibilities are available. There are, however, a number of limitations that CAS has that are pretty significant.

  • Only Enterprise versions of cloud services are covered in CAS.
  • Only cloud services are covered. After all, this is still a hybrid world, so what do we do with legacy ECM systems like FileNet, OpenText, etc.?
  • Very limited sensitive data classification, which is weird to me, since Microsoft has done such a great job in other services in Office 365. Why this separate engine?

I am looking forward to seeing more of this in the next few months. Stay posted…
