Community Blog

Using Azure Information Protection Policies to Control Document Flow at the Firewall

by Community Manager on 03-07-2019 12:23 AM - last edited on 03-08-2019 02:37 PM

Data security is increasingly top of mind as organizations implement solutions to meet GDPR and other compliance standards. Palo Alto Networks' Vince Bryant and Francesco Vigo discuss several challenges to keeping your data secure, including:

 

  • Accidental or inadvertent exposure or loss of assets
  • Inconsistent use of data and security solutions across multiple office locations
  • Data breaches, including targeted campaigns aimed at IP theft or doxing
  • Malicious data exfiltration by disgruntled employees

 

Palo Alto Networks next-generation firewalls can now detect documents that carry Azure Information Protection labels, allowing you to enforce policy at the network level and prevent sensitive information from leaving your organization.

 

How It Works

Azure Information Protection embeds unique labels within documents, spreadsheets, presentations and emails. These labels are used to apply the corresponding policy, which can be enforced by the Microsoft or Adobe application or by the Microsoft Cloud App Security service. Users can also create protected documents, which add a further layer of protection by encrypting the document content.

 

You can now configure your firewall to look for Microsoft Information Protection labels in the supported file types, for both protected and unprotected documents.

Image of Microsoft Information Protection Labels

 
In addition to gaining visibility into the flow of labeled documents through your network, you can configure the next-generation firewall policy to alert when these files traverse the firewall and to block the transfer of sensitive documents. The same policies also apply to remote offices and mobile users connecting to the corporate network via GlobalProtect or GlobalProtect Cloud Service. Please see this article to learn how to create these policies.

 

Implementation Considerations

There are cases where you will want to allow protected documents to pass through the firewall, for example when sending protected files to a data room or to a sanctioned SaaS file storage platform.

 

Once you have set up your data filtering policies, you can attach them to specific security policies.

 

Image of Security Policies

 

You should apply the data filtering to the security policy that covers all outgoing internet traffic, including unsanctioned applications. In this example, that policy is called "allow-outgoing."

 

Image of Security policy allow outgoing

 

This configuration also has a policy set up for Box, which is a sanctioned application. You don't have to apply the data filtering policy to this traffic, because employees should be able to send these documents to the Box platform. Alternatively, you could set up another policy that raises informational alerts to track this activity; a sanctioned application is still an egress path, so an alert rule gives you an audit trail of labeled documents leaving the network without blocking legitimate use.

 

Image of alternative policy with informational alerts

 

The data filtering policies can be made as granular as the label policies you implement in Azure Information Protection, allowing you to enforce those policies at the network level.
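As an added example (not code from this post, from Palo Alto Networks, or from Microsoft), the following Python models the two steps described above: pulling the Microsoft Information Protection label out of an unprotected Office Open XML file, where AIP stores it as custom document properties named MSIP_Label_<label GUID>_<attribute> in docProps/custom.xml, and then applying the "allow-outgoing" versus sanctioned-application logic from the Implementation Considerations section. The label GUID, label names, tenant SiteId, the SENSITIVE_LABELS and SANCTIONED_APPS tables, the application names and the sample document are all constructed for this example; protected (RMS-encrypted) files are not parsed here and simply yield no labels.

```python
"""Extract MIP/AIP sensitivity labels from unprotected Office Open XML files and
apply a firewall-style allow / alert / block decision.

Added example, not code from the post, Palo Alto Networks or Microsoft.
An unprotected .docx/.xlsx/.pptx is a ZIP package; AIP writes the label as
custom document properties in docProps/custom.xml whose names start with
MSIP_Label_<label GUID>_ (e.g. ..._Enabled, ..._Name, ..._SiteId).
All GUIDs, label names, app names and the policy tables are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

# MSIP_Label_<guid>_<attribute>; the GUID is the label ID from the AIP policy
_MSIP_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")

# Constructed policy table, mirroring the post: block sensitive labels on
# general outgoing traffic, but only alert on them towards sanctioned apps.
SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}
SANCTIONED_APPS = {"box"}


def extract_msip_labels(doc_bytes: bytes) -> dict:
    """Return {label_guid: {attribute: value}} for every MSIP label property.

    Non-ZIP payloads (including RMS-protected files, which this example does
    not parse) and packages without docProps/custom.xml yield {}.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            if "docProps/custom.xml" not in zf.namelist():
                return {}
            root = ET.fromstring(zf.read("docProps/custom.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return {}

    labels: dict = {}
    for prop in root.findall(f"{{{CP_NS}}}property"):
        m = _MSIP_RE.match(prop.get("name", ""))
        if not m:
            continue
        guid, attr = m.group(1).lower(), m.group(2)
        # The value is the text of the single vt:* child (vt:lpwstr, vt:bool, ...)
        value_el = next(iter(prop), None)
        labels.setdefault(guid, {})[attr] = (
            value_el.text or "") if value_el is not None else ""
    return labels


def decide_action(labels: dict, app: str) -> str:
    """Verdict for a labeled file heading to application `app` (an App-ID-style
    name, assumed for the example).

    - no enabled sensitive label  -> "allow"
    - sensitive + sanctioned app  -> "alert"  (informational rule, as for Box)
    - sensitive + anything else   -> "block"  (the "allow-outgoing" rule)
    """
    sensitive = [
        lbl for lbl in labels.values()
        if lbl.get("Enabled", "").lower() == "true"
        and lbl.get("Name") in SENSITIVE_LABELS
    ]
    if not sensitive:
        return "allow"
    return "alert" if app.lower() in SANCTIONED_APPS else "block"


def build_sample_docx(label_guid: str, label_name: str, enabled: bool = True) -> bytes:
    """Build a minimal OOXML package (constructed test input) carrying an AIP label.
    Only the parts this example inspects are present; it is not a full document."""
    fmtid = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # standard user-defined property set
    custom_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{CP_NS}" xmlns:vt="{VT_NS}">
  <property fmtid="{fmtid}" pid="2" name="MSIP_Label_{label_guid}_Enabled"><vt:lpwstr>{str(enabled).lower()}</vt:lpwstr></property>
  <property fmtid="{fmtid}" pid="3" name="MSIP_Label_{label_guid}_Name"><vt:lpwstr>{label_name}</vt:lpwstr></property>
  <property fmtid="{fmtid}" pid="4" name="MSIP_Label_{label_guid}_SiteId"><vt:lpwstr>11111111-2222-3333-4444-555555555555</vt:lpwstr></property>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


if __name__ == "__main__":
    guid = "2f1b2ebe-8f3a-4d7c-9b11-0a5c6e4d3f21"  # constructed label ID
    doc = build_sample_docx(guid, "Confidential")
    found = extract_msip_labels(doc)
    print(found)
    for dest in ("gmail-base", "box"):
        print(dest, "->", decide_action(found, dest))
```

The check is on the label's Enabled and Name attributes rather than on the GUID alone, because the same label name can appear under different GUIDs across tenants; in a real deployment you would key the SENSITIVE_LABELS table on the label GUIDs exported from your own AIP policy and treat the SiteId as a tenant sanity check.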

 

Authors: Vince Bryant @vbryant and Francesco Vigo @fvigo 
