Microsoft Defender for Cloud Apps data protection series: Understand your data types

[Guest Keith_Fleming]

The second blog in our series helps shed light on when to use Microsoft Defender for Cloud Apps and Microsoft Purview to protect your data. In the first blog, how to define a use case establishes important fundamentals for the rest of the series.

 

 

 

Today, we will review common scenarios and methods for protecting different data types. We will also provide context on the different data types because this is a key component in how Microsoft and the industry views compliance.

 

 

 

What type of data do you want to protect?

 

 

 

 

The type of data an organization wishes to protect is the next critical component of defining a use case. The data loss prevention (DLP) policies in Defender for Cloud Apps and Purview are designed to protect data in different stages. When you align the data type to the right use case you will generally see a better outcome.

 

 

 

Data in use

 

 

 

 

Data in use refers to data that is being actively worked on at a given point in time. For example, an end user having a document open in Microsoft Word or Microsoft Excel on their desktop. Data in use can also refer to files that are actively open in SaaS apps such as Word Online, Excel Online, or even non-Microsoft apps (Box, Dropbox, etc.…).

 

 

 

For Microsoft apps, it is common to protect data in use such as files or emails with a sensitivity label applied via an auto-labeling policy in Purview. These can be automatically applied, or a sensitivity label can be recommended based on the content contained in the file.

 

Defender for Cloud Apps can help protect data in use for non-Microsoft applications through the use of file policies and near real-time file scanning.

 

 

 

Common data in use scenarios

 

 

 

 

Use Case	Data Type	Solution
Automatically apply a default label to all Microsoft Office documents	Data in use	Purview default label policy
Automatically apply a sensitivity label to all Microsoft Office documents containing sensitive information types	Data in use	Client side auto-labeling in Purview with a sensitive type defined in the label
Automatically apply a label to Office documents stored in non-Microsoft SaaS apps with near real-time scan	Data in use	Defender for Cloud Apps file policy scoped to non-Microsoft SaaS app and office file extensions
Automatically apply governance (quarantine, trash, remove links) actions to documents stored in Office or non-Microsoft SaaS apps with near real-time scan	Data in use	Defender for Cloud Apps file policy scoped to specific app

 

 

 

 

 

Data in motion

 

 

 

 

Data moving between different boundaries is considered, “in motion.” For instance, when a user has accessed a document library in SharePoint Online and downloads the file to their mobile device. The document now exists in multiple locations. This also applies when data moves in the opposite direction from an endpoint to SharePoint Online or between different SharePoint sites. For files that contain a sensitivity labels, keep in mind the label will travel with the file wherever it goes. Since the label travels with the file, any permissions that are defined as part of the label will also travel with the file.Session policies in Defender for Cloud Apps allow you to selectively decide which actions to take based on file content specific to web applications. If an organization is using a chromium-based browser, it is possible to install a site as an app as a workaround and block access to native client apps. Session policies can apply to both managed and unmanaged devices while Endpoint DLP can enforce strong controls on managed devices.

 

 

 

Site and group container labels with app enforced restrictions allow you to globally block downloading of files, sharing, and OneDrive client synchronization for all unmanaged devices.

 

 

 

Common data in motion scenarios

 

 

 

 

Use Case	Data Type	Solution
Block downloads, copy, print to non-Microsoft SaaS applications in a browser	Data in motion	Defender for Cloud Apps session policy with download controls
	Data in motion	Purview sensitivity labels with encryption settings
Block download, print, and sync to SharePoint and OneDrive on unmanaged devices	Data in motion	Group or site container label + app-enforced restrictions
Block uploads to Office or non-Microsoft SaaS applications	Data in motion	Defender for Cloud Apps session policy with upload controls
Apply a label on downloads from non-Microsoft SaaS apps in a browser session	Data in motion	Defender for Cloud Apps session policy with download and protect controls

 

 

 

 

 

Data at rest

 

 

 

 

Once a file has been saved and closed, the file is stored at rest on a disk. This could be on an end users PC, within a network file share, or in a SaaS app in the cloud. Because data can exist for long periods at rest, it might be subject to retention requirements, which govern how long content is maintained or if it’s deleted in certain scenarios.

 

 

 

Auto-labeling policies for SharePoint, OneDrive and Exchange can be used to apply a sensitivity label to files containing sensitive content which already exist in Microsoft workloads. It’s important to note in this scenario that the files must contain sensitive content to match.

 

Purview DLP policies for SharePoint and OneDrive give the ability to remove external access to files containing sensitive content along with user notification of prohibited actions.

 

 

 

File policies in Defender for Cloud Apps can be used to in SharePoint Online, PDF files, or to 3rd party workloads. These policies can also remove shared links, quarantine, or delete files.

 

 

 

Common data at rest scenarios

 

 

 

 

Use Case	Data Type	Solution
Automatically apply a label to Office documents containing sensitive information types in SharePoint Online and OneDrive	Data at rest	Service side auto-labeling for SharePoint and OneDrive
Automatically apply a label to PDF documents stored in SharePoint Online and OneDrive	Data at rest	Defender for Cloud Apps file policy scoped to PDF
Automatically apply a label only to specific folder within SharePoint Online	Data at rest	Defender for Cloud Apps file policy scoped to a folder using "apply to" filter
Automatically apply a label to PDF files in Office 365	Data at rest	Defender for Cloud Apps file policy scoped to a PDF extension
Automatically apply a label to Office documents stored in non-Microsoft SaaS apps at rest scan	Data at rest	Defender for Cloud Apps file policy scoped to non-Microsoft SaaS app and office file extensions
Automatically apply governance (quarantine, trash, remove links) actions to documents stored in Office or non-Microsoft SaaS apps with backlog scan	Data at rest	Defender for Cloud Apps file policy scoped to specific app

 

 

 

 

 

Conclusion

 

 

 

 

It’s important to understand which data types you want to protect to create the appropriate policy. Organizations often find that depending on the scenario it can be either be satisfied by Purview or Defender for Cloud Apps. Both services provide protection and help an organization to cover all their bases across different use cases.

 

 

 

Keep on the lookout for the final article in our series which will discuss best practices for creating policies in Defender for Cloud Apps.

 

As always, we would love to hear your feedback. Have questions on specific scenarios that aren’t mentioned here, or would you like to have them updated in the tables provided above? Please comment and let us know or ask your questions in the Tech Community!

 

Continue reading...