Label and Protect your sensitive information: discover, classify and deploy policy
Published Mar 09 2021 09:00 AM 6,933 Views

Authored with Idan Basre, Product Manager, Microsoft Cloud App Security


Microsoft Cloud App Security and Microsoft Information Protection are a dynamic duo, here to protect data wherever it resides in your applications. If you've never been introduced, Microsoft Information Protection gives you the ability to take your files through the many stages of your workloads: Google Drive, Workday, Salesforce, Box, Exchange, Teams, SharePoint, OneDrive, and more. Regardless of your platform, we’ve got you covered. 

Information protection is a key component of a CASB, and should deliver an integratednuanced understanding of your organization’s sensitive-labeled data as it's leveraged in your cloud environment. This brief two-minute video demonstrates the deep reach of information protection in Microsoft Cloud App Security: 


In Microsoft Cloud App Security, Microsoft’s CASB solution, security and compliance capabilities sit between users and your organization’s cloud environment. Administrators can sanction and unsanction apps, manage their users, the activities of individual users and the files that are being modified, as well as any files that might be at risk. Microsoft Cloud App Security also brings control to in-session real-time policies, blocking uploads or preventing certain activities being conducted in real-time. Organizations are increasingly adopting SaaS applications to access their data wherever it sits. This brings greater risk to data that sits outside the corporate network, which customers have framed in three key areas 

First, customers have shared that they need to “control sensitive data in non-Microsoft applications.”  Customers require a deep understanding of the sensitive data in their cloud applications and the ability to control it. 

Second, customers asked to "control end-users using sensitive data on unmanaged devices." In remote work scenarios, end users frequently bring their own unmanaged devices into an organization’s environment. It's imperative to control which applications end users have access to and how end users leverage sensitive information in their organization. 

The third scenario customers requested pertains to “the new normal of leveraging more and more SaaS appsWe need to prevent users from oversharing." Users that overshare sensitive information can be harmful and cause damage by sharing with colleagues who dont need access to this data, or potentially sharing sensitive information outside of an organization without a justifiable business reason. 


Control sensitive data in non-Microsoft applications 

It’s getting tougher to validate where your sensitive data is and maintain appropriate control over its access and use. With a unified, holistic view of file locationswhether at rest or in transit (real-time control), you can authoritatively manage data in Microsoft Cloud App Security. Admins have the power to discover sensitive files and decide to control them, protect them, make them private to external sharing, or notify the file owner if files are being shared inappropriately. 

The screenshot below displays a file page with different kinds of files, filtered by Box The file is labeled with a classification that results in encryption 


With a clear governance policy, every workload has its own governance section with ability to notify specific users, remove external users or direct shared links, place certain files in quarantine via the admin quarantine page, or trash a file entirely. If organizations are leveraging sensitivity labels, the “Apply or Remove” action powerfully protects files with a sensitivity label, which encrypts the file. Should the file travel outside your organization, any non-permissioned recipient would not be able to see it. Below is a screenshot of the policy that can be enforced: 


Control end-users using sensitive data on unmanaged devices 

End users accessing data on unmanaged devices is a reality. In order to protect data, Microsoft Cloud App Security uses a real-time, data-in-transit solution that blocks downloads of sensitive data files to unmanaged devices. When organizational users try to download these files, the download action can be blocked by defining in a policy which sensitive information types should be protected from this action when using an unmanaged device. Here, we see the screen that the user would encounter when this policy is deployed: 



You can choose and organize sensitive information types from over 200 sensitive information types pre-loaded into Microsoft Cloud App Security. Our product team is continually adding to these sensitive data types, but if you cannot find the one you want, you can also define your own custom data type. During policy creation, the more detailed admins are about the selection of these data types, the higher the rates of “true positive” results, and strongest possibility to receive appropriate notifications on your desired sensitive information type. These types are also customizable.  

In addition, a session policy can control and block real-time activities. For example, Cloud App Security can block in real time copy or print activities for files with sensitive data. Whether it’s Microsoft data or not, the admin controls the activity, the user, and their properties by the app leveraged in sessions. The admin can also control devices leveraged in sessions (managed or unmanaged), IP addresses, locations, specific users, and more. When a user from an unmanaged device tries to cut, copy or print data from a file that contains a sensitive data type, it’s blocked. Even if a user is in a private browser session mode, these actions can be monitored. 

You can also block file downloads or encrypt files on the fly. Even if users from unmanaged devices download sensitive files, the file is protected when Microsoft Information Protection sensitivity labels are applied, thereby encrypting the file. If a user tries to open a sensitive file without the correct credentials, the open action will also be blocked. 


Prevent users from oversharing 

There’s no doubt that oversharing harms your organization. Users with good intentions, but a poor understanding of the data they’re leveraging, is a common scenario. The same is true of well-intentioned users who don’t realize compliance and security policies are being infringed upon by sharing sensitive data. Admins can remove external sharing and direct sharing links from one central location, leveraging integration with Microsoft Cloud App Security in the Microsoft 365 Compliance Center, as shown here: 


When you create a policy in Microsoft Information Protection, it leverages the Microsoft 365 Compliance Center. Choose which policy should be applied in order to granularly permit or exclude users and devices, and instances of cloud buckets and applications you want to control. When you apply this policy to non-Microsoft applications, you can also restrict different workloads with the deep capabilities of Microsoft Cloud App Security. 

To benefit from this powerful combination, configure Cloud App Security and your DLP policies. Then explore the activity alerts in the Activity Explorer of Microsoft Information Protection. With labels, workloads, users and all the data you need to control sensitive information in your organization, you’re assured that your data is safe. In the future, you will be able to apply labels and protect files with even greater granularity.  

For further training and information, view Idan’s twenty-minute discussion on information protection in Microsoft Cloud App Security: 


We welcome your feedback or relevant use cases and requirements for this pillar of Cloud App Security by emailing and mention Information Protection. 


Learn more 

For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below: 

Join the conversation on Tech Community 

Stay up to date—subscribe to our blog.  

Upload a log file from your network firewall or enable logging via Microsoft Defender for Endpoint to discover Shadow IT in your network. 

Learn more—download Top 20 use cases for CASB. 

Connect your cloud apps to detect suspicious user activity and exposed sensitive data. 

Search documentation on Microsoft Cloud App Security 

Enable out-of-the-box anomaly detection policies and start detecting cloud threats in your environment. 

Understand your licensing options .  

Continue with more advanced use cases across information protection, compliance, and more. 

Follow the Microsoft Cloud App Security Ninja blog and learn about Ninja Training 

Go deeper with these interactive guides: 


To experience the benefits of full-featured CASB, sign up for a free trial—Microsoft Cloud App Security. 

Follow us on LinkedIn as #CloudAppSecurity. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity on Twitter, and Microsoft Security on LinkedIn for the latest news and updates on cybersecurity. 

Version history
Last update:
‎Nov 02 2021 04:59 PM
Updated by: