In the last couple of years, Microsoft has demonstrated its extraordinary ability to turn vision into reality, as witnessed by Microsoft’s repeatedly being named as a Leader in Gartner’s Magic Quadrant, in both the business intelligence and security landscapes.
In the Power BI and Microsoft Cloud App Security teams, two of the named leaders in the Analytics and BI, and Cloud Access Security Broker (CASB) markets (respectively), we have identified an opportunity to provide an even more comprehensive solution by bringing these two technologies together to help users and organizations securely uncover and collaborate on insights while eliminating the security risks and threats inherent in bringing their content into the cloud, especially during these complicated pandemic times.
Using Cloud App Security, it is possible to detect and control risky Power BI sessions in real time, thus reducing the chance of damage that could be caused by content and data being accessed by malicious actors.
This partnership, first publicly announced at the end of 2019, has continued to evolve and deepen. We’d like to take the opportunity here to recap the capabilities that currently exist and are available to organizations that use Power BI with Cloud App Security (or might do so in the future). Some of these capabilities you may have already tried; others have been launched just recently.
The capabilities covered in this article are:
- Set real-time controls for risky user sessions in Power BI
- Investigate Power BI user activity with Cloud App Security activity log
- Create custom policies to alert on suspicious user activity in Power BI
- Work with Cloud App Security built-in anomaly detections
- Power BI admin role in Cloud App Security portal
Real-time controls
With Cloud App Security, organizations can monitor and control, in real time, risky Power BI sessions such as user access from unmanaged devices or infrequent locations. Security administrators can define policies to control user actions, such as downloading reports with sensitive information.
For example, if a user connects to Power BI from outside of their country, the session can be monitored by Cloud App Security’s real-time controls, and risky actions, such as downloading data tagged with a “Highly Confidential” sensitivity label, can be blocked immediately.
Figure 1: Cloud App Security real-time controls in Power BI service
Additional resources
- Power BI documentation: Work with real-time controls
- Cloud App Security documentation: Work with real-time controls
Investigate Power BI user activity with the Cloud App Security activity log
The Cloud App Security activity log includes a large portion of the Power BI activity as captured in the Office 365 audit log, which contains information about all user and admin activities, as well as sensitivity label information for relevant activities such as apply, change, and remove label.
Cloud App Security brings you the following added value:
- Advanced filters for improved search and exploration of activities. For example, activity log filters can be used to look for all user “remove” activities where the sensitivity label Confidential is removed from Power BI reports and/or datasets.
- Quick actions that can be carried out as part of the activity investigation process.
Figure 2.1: Power BI audit events in Cloud App Security activity log
Figure 2.2: Quick governance actions in Cloud App Security activity log
Additional resources
Learn about Cloud App Security activity log
Create custom policies to alert on suspicious user activity in Power BI
After you’ve investigated user activity, be it in the Office 365 audit log or in the Cloud App Security activity log, you probably have a good understanding of which content is being accessed and modified, how, and by whom.
The next step is to leverage Cloud App Security’s activity policy feature to define your own custom rules, to help you detect user behavior that deviates from the norm, and even possibly act upon it automatically, if it seems too dangerous.
Some examples of scenarios that can be detected using activity policies:
- Massive sensitivity label removal. For example: alert me when sensitivity labels are removed by a single user from 20 different reports in a time window shorter than 5 minutes.
- Downgrade of an encrypting sensitivity label. For example: alert me when a report that had the ‘Highly confidential’ sensitivity label is now classified as ‘Public’.
- Sensitivity label change by an unauthorized user. For example: alert me when a user who is not a dataset owner applies, changes, or removes a sensitivity label.
- Massive download of content. For example: alert me when a single user performs more than 20 export operations in a time window shorter than 5 minutes.
- Unauthorized users are accessing confidential datasets. For example: alert me when someone outside a predefined security group is viewing an executive report.
Note: The unique identifiers (Ids) of Power BI artifacts and sensitivity labels can be found using Power BI REST APIs. See Get datasets or Get reports.
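The two threshold scenarios above (label removal from 20 different reports, and more than 20 exports, each in under 5 minutes) can be prototyped offline as a sliding-window check before the policy is configured. This is an added example, not Cloud App Security's implementation; the record fields `user`, `activity`, `artifact` and `time` and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def burst_alerts(events, activity, threshold, window=timedelta(minutes=5), distinct=True):
    """Map each offending user to the time the threshold was first reached.

    distinct=True counts different artifacts (the label-removal rule);
    distinct=False counts every operation (the export rule).
    """
    recent = defaultdict(deque)   # user -> (time, artifact) pairs still in the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["activity"] != activity or ev["user"] in alerts:
            continue
        q = recent[ev["user"]]
        q.append((ev["time"], ev["artifact"]))
        # "Shorter than 5 minutes": drop entries 5 minutes or more before this one.
        while ev["time"] - q[0][0] >= window:
            q.popleft()
        count = len({artifact for _, artifact in q}) if distinct else len(q)
        if count >= threshold:
            alerts[ev["user"]] = ev["time"]
    return alerts

# Constructed sample records; field names are illustrative, not the audit log schema.
T0 = datetime(2021, 1, 12, 9, 0, 0)

def make(user, activity, n, step, same_artifact=False):
    return [{"user": user, "activity": activity, "time": T0 + step * i,
             "artifact": "report-0" if same_artifact else f"report-{i}"}
            for i in range(n)]

SAMPLE = (
    make("alice", "label_removed", 20, timedelta(seconds=10))       # 20 reports in 190 s
    + make("bob", "label_removed", 25, timedelta(seconds=5), True)  # one report, 25 times
    + make("carol", "label_removed", 20, timedelta(minutes=1))      # 20 reports in 19 min
    + make("dave", "export", 21, timedelta(seconds=5))              # 21 exports in 100 s
)

if __name__ == "__main__":
    print(burst_alerts(SAMPLE, "label_removed", 20))           # 20 different reports
    print(burst_alerts(SAMPLE, "export", 21, distinct=False))  # more than 20 exports
```

Only alice trips the label rule: bob touches a single report repeatedly and carol never has more than five reports inside any 5-minute window, which is why counting distinct artifacts and bounding the window both matter when tuning the policy.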
Additional resources
Learn about Cloud App Security activity policies
Built-in anomaly detections
Cloud App Security’s anomaly detection policies provide out-of-the-box user behavioral analytics and machine learning so that you are ready from the outset to run advanced threat detection across your cloud environment. When an anomaly detection policy identifies a suspicious behavior, it triggers a security alert. For example:
- Multiple Power BI report sharing: Alerts you when a user performs an unusual number of Power BI report sharing activities, compared to the learned baseline.
- Suspicious Power BI sharing: Alerts you when a potentially sensitive Power BI report is suspiciously shared outside of your organization.
- Impossible travel: This detection identifies activities by the same user (in a single or multiple sessions) originating from geographically distant locations within a time window shorter than the time it takes to travel from the first location to the second. This indicates that a different user is using the same credentials.
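The impossible travel rule reduces to comparing the distance between two consecutive activities with the distance a traveller could cover in the time between them. The sketch below is an added illustration of that comparison, not the built-in detection's logic; the speed and minimum-distance thresholds, the record fields and the sample events are assumptions constructed for the example.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0    # assumption: about the cruising speed of an airliner
MIN_DISTANCE_KM = 500.0  # assumption: below this, IP geolocation error dominates

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(events):
    """Return (user, from_city, to_city, km) for consecutive activities by one
    user that are farther apart than MAX_SPEED_KMH could cover in the gap."""
    last, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        prev, last[ev["user"]] = last.get(ev["user"]), ev
        if prev is None:
            continue
        km = haversine_km(prev["loc"], ev["loc"])
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        # Comparing distances avoids dividing by a zero time gap.
        if km >= MIN_DISTANCE_KM and km > MAX_SPEED_KMH * hours:
            hits.append((ev["user"], prev["city"], ev["city"], round(km)))
    return hits

def at(hour, minute=0):
    return datetime(2021, 1, 12, hour, minute)

# Constructed sample activities (user, time, approximate city coordinates).
SAMPLE = [
    {"user": "alice", "time": at(9), "city": "Seattle", "loc": (47.61, -122.33)},
    {"user": "alice", "time": at(10), "city": "Tel Aviv", "loc": (32.08, 34.78)},
    {"user": "bob", "time": at(8), "city": "London", "loc": (51.51, -0.13)},
    {"user": "bob", "time": at(17), "city": "New York", "loc": (40.71, -74.01)},
    {"user": "carol", "time": at(9), "city": "Seattle", "loc": (47.61, -122.33)},
    {"user": "carol", "time": at(9, 1), "city": "Redmond", "loc": (47.67, -122.12)},
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE):
        print(hit)
```

Only alice is flagged: bob's nine-hour gap is enough for a transatlantic flight, and carol's two nearby locations a minute apart fall under the minimum distance, the kind of case that would otherwise produce false positives from coarse geolocation.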
Additional resources
Learn about Cloud App Security built-in anomaly detections
Power BI admin role in Cloud App Security portal
Cloud App Security provides an app-specific admin role that can be used to grant Power BI admins only the permissions they need to access Power BI-relevant data in the portal, such as alerts, users at risk, activity logs, and other Power BI-related information.
However, it doesn’t stop there; this role not only provides access to the information listed above – it can also be used to create custom policies and detections such as those presented earlier in this article.
Power BI admins! Contact your global security admin today to learn more and start leveraging Cloud App Security for your needs.
Additional resources
Learn how to create the Power BI admin role in the Cloud App Security portal – Manage admin roles