Step-by-Step guide to control data access using Azure cloud app security (based on content type)
In my recent blog posts, I explained few features of azure cloud app security. In this post also, I am going to explain another feature of it. if you not read my previous posts you still can access it using,
Step-by-Step guide to manage Impossible travel activity alert using Azure cloud app security – http://www.rebeladmin.com/2018/09/step-step-guide-manage-impossible-travel-activity-alert-using-azure-cloud-app-security/
Step-by-Step guide to block data download using Azure Cloud App security – http://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/
In applications, we are using different type of data. Some of these types of data are very sensitive. Credit card numbers, social security numbers, phone numbers are some examples for that. using cloud app security, we can control access to files contains sensitive data. In my demo environment I have salesforce app. it contains some files with credit card information. I do not want anyone to download these files. Let’s see how we can do it using cloud app security.
Before we start, we need to integrate salesforce with cloud app security. I have explain it in details in my previous post http://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/ so I am not going to repeat it in here ?.
1. Once integration is done, go to https://portal.cloudappsecurity.com and login as global administrator
2. Go to Settings | Conditional Access App Control
3. Now we should be able to see salesforce under conditional access app control apps tab.
4. Click on session control to create new session control policy.
5. Then under create policy click on Session policy
6. In policy window, provide a name for policy and select control file download (with DLP) option under session control type.
7. Under activity filters, define app equals salesforce filter.
8. Under the file filters, create filter file type equals documents
9. Under content inspection section, click on tick box on top to enable this feature first. Then select All Countries: Finance: Credit card number under Include files that match a preset expression option.
10. Under the actions sections click on Block
11. I also like to receive alert if someone try to download these contents. To do that, specify email address under send alert as email section. At the end click on create to activate the policy.
12. Now it’s time for testing. In salesforce I shared a word doc with sales team which include credit card number.
13. Then I log in to https://myapps.microsoft.com as sales user.
14. From the app list, I open up salesforce app.
15. On launch it says access to application is monitored. Click on continue to salesforce link.
16. When I click on download, I get file blocked error as expected.
17. The error file says the file contain data which is not allowed to download.
18. When I log in to my email, I can see email alert also.
As we can see the policy works as expected. it blocks download of the sensitive content. This marks the end of this blog post. If you have any further questions feel free to contact me on firstname.lastname@example.org also follow me on twitter @rebeladm to get updates about new blog posts.