Managing an organization's sensitive files with MCAS
In this article, we illustrate how organizations can use Microsoft Cloud App Security (MCAS) to protect the files they keep in SaaS services, taking Office 365 as an example.
Because "data" is considered a key crown jewel in any organization, it is a prime target for adversaries and cybercriminals.
Organizations today also want to enable users to work comfortably, accessing data from anywhere (empowering remote/hybrid work amidst the COVID-19 pandemic). MCAS makes it possible to do this securely: an administrator gets the visibility needed to protect files and manage file-sharing restrictions for employees within SaaS platforms, no matter what storage services they use.
Let us get started with Step 1: enabling File Monitoring in MCAS. Go to settings > File Tab and select the “enable file monitoring” checkbox (Figures 1 and 2).
Figure 1
Figure 2
To gain access to the data/apps, we need to use application connectors and choose the app we want to manage (the access is managed via API).
Go to: Connected apps > select Edit settings > and select the Office 365 Files checkbox (Figures 3, 4 and 5).
Figure 3
Figure 4
Figure 5
After roughly 30 minutes (depending on the amount of data and the number of users), go to ‘Files’ under ‘Investigate’ and run a query that lists the files shared externally (Figure 6). As a follow-up, we will also create a search policy that alerts on every external file share.
Figure 6
Once you get the results, you can filter for "public internet/public with links/external users" to gain a better understanding of where data is shared within your organization (Figure 7).
Figure 7
From there it is easy to create a search policy (which can be used for scanning and alerting): just click on "+ New Policy from Search" and you are taken to the policy creation page (Figure 8).
Figure 8
The policy will alert on files that have been shared with users outside of the organization. We can also get alerts for any DLP policy match on sensitive data such as an ID number or credit card number (the template is illustrated in Figure 9).
Figure 9
Choose "Send policy-match digest to file owner" to notify users that data they shared with external users on OneDrive / SharePoint has hit the DLP policy (an admin alert is raised as well) (Figure 10).
Figure 10
Once you click on create, you need to wait until the scan configured in the policy is complete and an alert appears (Figure 11).
Figure 11
Once the alert is created, you can expand specific alerts and investigate each of them (Figures 12 and 13).
Figure 12
Figure 13
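The decision logic behind the policy built above (external sharing plus a credit-card DLP match, with a digest to the file owner) can be sketched offline. This is an added example, not MCAS code or its API: the record fields, sharing-level names and `contoso.example` domain are assumptions, and the sample files are constructed.

```python
import re

# Assumed sharing-level names, modelled on the filter labels in the Files view.
EXTERNAL_LEVELS = {"external", "public", "public_internet"}
# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_card_number(text):
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def evaluate(record, org_domain):
    """Return an alert dict for an externally shared file, else None."""
    outsiders = [c for c in record["collaborators"]
                 if c.rsplit("@", 1)[-1].lower() != org_domain.lower()]
    if record["sharing"] not in EXTERNAL_LEVELS and not outsiders:
        return None
    return {
        "file": record["name"],
        "notify_owner": record["owner"],      # policy-match digest recipient
        "external_users": outsiders,
        "severity": "high" if has_card_number(record["content"]) else "low",
    }

def run_policy(files, org_domain):
    return [a for a in (evaluate(f, org_domain) for f in files) if a]

# Constructed sample records (not real data).
SAMPLE_FILES = [
    {"name": "budget.xlsx", "owner": "alice@contoso.example", "sharing": "internal",
     "collaborators": ["bob@contoso.example"], "content": "Q3 numbers"},
    {"name": "customers.csv", "owner": "bob@contoso.example", "sharing": "external",
     "collaborators": ["partner@fabrikam.example"],
     "content": "card 4111 1111 1111 1111"},
    {"name": "flyer.pdf", "owner": "alice@contoso.example", "sharing": "public_internet",
     "collaborators": [], "content": "order ref 1234 5678 9012 3456"},
]

if __name__ == "__main__":
    for alert in run_policy(SAMPLE_FILES, "contoso.example"):
        print(alert)
```

The Luhn check is what keeps the order reference in `flyer.pdf` from being treated as a card number, so that file is reported for its public sharing only.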
In this article, we illustrated how organizations connected to a SaaS service (Office 365) can protect their data, using sophisticated MCAS DLP policies to identify and combat internal/external threats. This way, organizations can have adequate control over their data through MCAS, irrespective of the SaaS services used within the organization.