Control Document Flow with Azure Policies

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cyber Elite
Cyber Elite

Using Azure Information Protection Policies to Control Document Flow at the Firewall

Data security is increasingly top of mind as organizations look to implement solutions to meet GDPR and other compliance standards. Palo Alto Networks Vince Bryant and Francesco Vigo discuss several challenges to ensuring your data is secure, including:


  • Accidental or inadvertent exposure or loss of assets
  • Inconsistent use of data and security solutions across multiple office locations
  • Data breaches, including specific campaigns targeting IP theft of doxing
  • Malicious data exfiltration by unhappy employees



Palo Alto Networks next generation firewalls can now detect documents that are using Azure Information Protection labels, allowing you to enforce policies at the network level that can prevent sensitive information from being sent outside of your organization.


How It Works

Azure Information Protection embeds unique labels within documents, spreadsheets, presentations and emails. These labels are used to apply the corresponding policy, which can be enforced by the Microsoft or Adobe application or via Microsoft Cloud Application Security service. Users can also create protected documents that add an additional level of protection by encrypting the document data.


You can now configure your firewall to search for Microsoft Information Protection labels for the supported file types both in protected and unprotected use cases.

Microsoft Information Protection Labels.png

















In addition to having more visibility into the document flow through your network, you can configure the next generation firewall policy to alert when these files traverse the firewall, and block the file transfer for sensitive documents. These policies can also be applied to remote offices and mobile users who are connecting to the corporate network via GlobalProtect or Prisma Access. Please see this article to learn how to create these policies.


Implementation Considerations

There are some cases where you would want to allow protected documents to pass through the firewall. This could include sending protected files to a data room or SaaS-based file storage platform.


Once you have setup your data filtering policies, you can attach them to specific security policies.


Security Policies.png


You should apply the data filtering to the security policy for all the outgoing internet activity, including the unsanctioned applications. In this example, we refer to this as "allow-outgoing."


Security policy allow outgoing.png


This configuration also has a policy setup for Box, which is a sanctioned application. You don't have to apply the data filtering policy to this traffic because employees should be able to send these documents to the Box platform. Alternatively, you could setup another policy to provide informational alerts to track this activity.


alternative policy.pnginformational alerts.png


The data filtering policies can be configured to be as granular as the policies you are implementing in Azure Information Protection, allowing you to enforce those policies at the network level.


Authors: Vince Bryant @vbryant and Francesco Vigo @fvigo 

1 Comment
Register or Sign-in
About the Author
I drink and I know things
Top Liked Authors