Using Azure Information Protection Policies to Control Document Flow at the Firewall
Data security is increasingly top of mind as organizations look to implement solutions to meet GDPR and other compliance standards. Palo Alto Networks' Vince Bryant and Francesco Vigo discuss several challenges to ensuring your data is secure, including:
- Accidental or inadvertent exposure or loss of assets
- Inconsistent use of data and security solutions across multiple office locations
- Data breaches, including specific campaigns targeting IP theft or doxing
- Malicious data exfiltration by unhappy employees
Palo Alto Networks next-generation firewalls can now detect documents that carry Azure Information Protection labels, allowing you to enforce policies at the network level that prevent sensitive information from being sent outside your organization.
How It Works
Azure Information Protection embeds unique labels within documents, spreadsheets, presentations and emails. These labels are used to apply the corresponding policy, which can be enforced by the Microsoft or Adobe application or via Microsoft Cloud Application Security service. Users can also create protected documents that add an additional level of protection by encrypting the document data.
You can now configure your firewall to search for Microsoft Information Protection labels in the supported file types, in both protected and unprotected use cases.
In addition to having more visibility into the document flow through your network, you can configure the next-generation firewall policy to alert when these files traverse the firewall and to block the file transfer for sensitive documents. These policies can also be applied to remote offices and mobile users who connect to the corporate network via GlobalProtect or Prisma Access. Please see this article to learn how to create these policies.
There are some cases where you would want to allow protected documents to pass through the firewall. This could include sending protected files to a data room or SaaS-based file storage platform.
Once you have set up your data filtering policies, you can attach them to specific security policies.
You should apply the data filtering policy to the security policy that covers all outgoing internet activity, including unsanctioned applications. In this example, we refer to this as "allow-outgoing."
This configuration also has a policy set up for Box, which is a sanctioned application. You don't have to apply the data filtering policy to this traffic because employees should be able to send these documents to the Box platform. Alternatively, you could set up another policy that raises informational alerts to track this activity.
The data filtering policies can be configured to be as granular as the policies you are implementing in Azure Information Protection, allowing you to enforce those policies at the network level.
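As an added example (not Palo Alto Networks' or Microsoft's code), the Python below shows the mechanics such a policy relies on: it reads the MSIP_Label_* custom properties that Azure Information Protection writes into an Office document's docProps/custom.xml and applies a hypothetical allow/alert/block decision mirroring the "allow-outgoing" and Box rules above. The label names, the label GUID and the sample .docx are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Added example, not Palo Alto Networks' or Microsoft's code. Office files are OOXML zips; a
# MIP/AIP label is stored in docProps/custom.xml as properties named MSIP_Label_<GUID>_<field>.
CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

def extract_mip_labels(docx_bytes):
    """Return {label_guid: {field: value}} for every MSIP_Label_* custom property."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return labels  # no custom-properties part: treat the file as unlabeled
        root = ET.fromstring(z.read("docProps/custom.xml"))
    for prop in root.iter("{%s}property" % CP_NS):
        name = prop.get("name", "")
        if name.startswith("MSIP_Label_") and name.count("_") >= 3:
            _, _, guid, field = name.split("_", 3)  # GUIDs use hyphens, so this split is safe
            labels.setdefault(guid.lower(), {})[field] = (prop[0].text or "") if len(prop) else ""
    return labels

# Hypothetical policy mirroring the article: sensitive labels are blocked on the generic
# "allow-outgoing" rule and only alerted on when the destination is the sanctioned Box app.
SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}
SANCTIONED_APPS = {"box"}

def decide(docx_bytes, app_id):
    """Return 'allow', 'alert' or 'block' for transferring this file to application app_id."""
    names = {f.get("Name") for f in extract_mip_labels(docx_bytes).values()
             if f.get("Enabled", "true").lower() == "true"}
    if not names & SENSITIVE_LABELS:
        return "allow"
    return "alert" if app_id in SANCTIONED_APPS else "block"

def make_docx(label_name=None, guid="11111111-2222-3333-4444-555555555555"):
    """Constructed minimal .docx for testing (sample GUID); labeled only when label_name is set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if label_name is not None:
            fields = [("Enabled", "true"), ("Name", label_name), ("Method", "Standard")]
            props = "".join(
                '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="%d" '
                'name="MSIP_Label_%s_%s"><vt:lpwstr>%s</vt:lpwstr></property>'
                % (pid, guid, field, value) for pid, (field, value) in enumerate(fields, 2))
            z.writestr("docProps/custom.xml", '<Properties xmlns="%s" xmlns:vt="%s">%s'
                       '</Properties>' % (CP_NS, VT_NS, props))
    return buf.getvalue()
```

Protected (encrypted) documents wrap the content differently, so a production inspector must also handle that container; this example covers the unprotected, labeled case only.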
Authors: Vince Bryant @vbryant and Francesco Vigo @fvigo