Use Case: Classify and Secure Files using AIP Labels
Skyhigh enables you to detect sensitive data in co-authored and auto-save-enabled documents by using Microsoft Azure Information Protection (AIP) labels. This allows organizations to protect sensitive files that carry AIP labels and are shared in sanctioned services, such as SharePoint and OneDrive. For details on the supported sanctioned services, see About Skyhigh CASB for Azure Information Protection.
Suppose your organization manages sensitive financial records, such as accounting and bank account information, which are co-authored, auto-save enabled, and stored in SharePoint. These documents are protected using AIP labels to ensure confidentiality. Access to these documents is restricted to authorized personnel only, preventing unauthorized viewing or editing.
To protect these sensitive financial records from data leaks while facilitating secure collaboration among authorized users, you can create a classification rule using the Document Properties condition. This rule enables the classification engine to scan the document metadata for applied AIP labels and classify the documents as sensitive based on these labels. This process ensures that only users with the appropriate permissions can access and modify the financial records, thereby maintaining data integrity and the security of critical information.
To create a document property classification with AIP labels:
- Make sure that you create and configure sensitivity labels and their policies in Microsoft Purview. For details, refer to the Microsoft Help topic.
- Integrate Skyhigh CASB with Microsoft Azure Information Protection. For details, see Configure Azure Information Protection in Skyhigh CASB.
- Create a classification using the Document Properties condition. For the initial steps, follow steps 1 to 4 in the Create a Classification using Document Property Sets section.
- On the Document Property name cloud card, configure the following:
  - Name and Description. Enter a name and optional description for the document property. For example, Financial Document Property Sets.
  - Add Property. To specify the AIP label criteria, click Add Custom Property.
    - Property. Enter the AIP label string. For example, enter MSIP_Label_2e9b8054-9679-4872-8dd3-5579002e4dcb_Enabled to detect files with active AIP labels.
    - Operator. Select "is one of" from the operator list.
    - Value. Enter True as the value for the selected property and operator.
    NOTE: You can also configure AIP label criteria with MSIP_Label_ef7be660-c794-4b91-a602-b8f49ed621f7_Method as the property and Standard or Privileged as the values to detect files with automatic or explicit labels.
  - Click Save.
- Your new custom Document Property Set is available in the cloud card. To add it to your classification, click Done.
- Click Save. Your new classification is saved to the selected category on the Classifications page.
- Use the newly created classification to define a data loss prevention policy for SharePoint. For details, see Create a Sanctioned DLP Policy.
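
Before entering a Property and Value on the cloud card, it helps to confirm which MSIP_Label_ properties a labeled Office file actually carries. The following is an added example, not Skyhigh or Microsoft code: it reads the custom document properties part (docProps/custom.xml) of an Office Open XML file and checks them against a "is one of" rule. The function names, the constructed sample file, and the case-insensitive comparison are assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of docProps/custom.xml in Office Open XML files (.docx, .xlsx, .pptx).
NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}


def read_msip_properties(ooxml_bytes):
    """Return {name: value} for every MSIP_Label_* custom property in the file."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}  # no custom properties part, so no label metadata to match
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall("cp:property", NS):
        name = prop.get("name", "")
        value = prop.find("vt:lpwstr", NS)
        if name.startswith("MSIP_Label_"):
            props[name] = (value.text or "") if value is not None else ""
    return props


def rule_matches(props, prop_name, allowed_values):
    """Emulate 'Property is one of Value' (case-insensitive match is an assumption)."""
    value = props.get(prop_name)
    return value is not None and value.lower() in {v.lower() for v in allowed_values}


def build_sample(guid, method):
    """Constructed sample: a minimal zip that holds only docProps/custom.xml."""
    fmtid = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"
    fields = {"Enabled": "True", "Method": method}
    body = "".join(
        f'<property fmtid="{fmtid}" pid="{i}" name="MSIP_Label_{guid}_{k}">'
        f"<vt:lpwstr>{v}</vt:lpwstr></property>"
        for i, (k, v) in enumerate(fields.items(), start=2)
    )
    xml = f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">{body}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/custom.xml", xml)
    return buf.getvalue()
```

To inspect a real file, pass its bytes to read_msip_properties, for example read_msip_properties(open(path, "rb").read()), and copy the exact property name it reports into the Property field.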