Safeguarding sensitive information is important, and Microsoft's suite of tools and services offers robust solutions to address this imperative. Among these, Data Loss Prevention (DLP) policies play an important role in ensuring the security and compliance of data across various Microsoft applications and platforms.
In this article, we will explore the DLP policies, with a particular focus on their implementation within the Microsoft Fabric environment. We'll explore the significance of DLP policies in Microsoft Fabric, compare them to DLP policies in Power BI, examine the tangible benefits they provide, and shed light on the intricacies of DLP services.
Additionally, we'll discuss the different types of data sensitivity that DLP policies can identify, elucidate the actions taken when DLP detects potential issues, and provide a step-by-step guide on how to create a DLP policy specifically tailored for Power BI.
By the end of this comprehensive exploration, you'll have a firm grasp of how DLP policies contribute to a secure and compliant data ecosystem in the Microsoft Fabric framework.
Table of Contents:
What is the DLP Policy in Power BI
Purpose of DLP policy in Power BI
Sensitivity Info Types
What is the DLP Policy in Microsoft Fabric?
A DLP policy in Microsoft Fabric is a set of rules and procedures that an organization implements to protect its sensitive data in Microsoft 365 and Azure. The policy defines what data is considered sensitive, how it should be handled, and what actions should be taken if the data is at risk of being lost or compromised.
DLP policies in Microsoft Fabric can be used to protect sensitive data in a variety of ways, including:
Preventing sensitive data from being shared externally: DLP policies can be used to block users from sending sensitive data via email, messaging apps, or other cloud services.
Encrypting sensitive data: DLP policies can be used to encrypt sensitive data at rest or in transit.
Monitoring and controlling access to sensitive data: DLP policies can be used to monitor and control who has access to sensitive data and how they are using it.
DLP Policy in Power BI
A DLP policy in Power BI is a type of DLP policy that is specifically designed to protect sensitive data in Power BI datasets. DLP policies in Power BI can be used to:
Identify sensitive data in Power BI datasets.
Prevent users from accessing sensitive data in Power BI datasets.
Encrypt sensitive data in Power BI datasets.
Monitor and control how sensitive data is used in Power BI datasets.
Purpose of DLP Policy in Power BI
The purpose of a DLP policy in Power BI is to help organizations protect their sensitive data from being lost or compromised. DLP policies in Power BI can be used to comply with industry regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
There are two different DLP services that will protect your sensitive data in Power BI:
Microsoft Purview DLP policies for Power BI
Microsoft Defender for Cloud Apps
1. Microsoft Purview DLP policies for Power BI
This service can help you find and track sensitive data in Power BI datasets. It can also send you alerts when sensitive data is found.
2. Microsoft Defender for Cloud Apps
This service can help you block, log, or alert when certain user activities happen, such as when a user tries to download a report with sensitive data.
Which service should you use?
If you have Power BI Premium, you can use both services. If you don't have Power BI Premium, you can use Microsoft Defender for Cloud Apps.
Data Sensitivity in DLP Policy
Types of Data Sensitivity in DLP Policy:
Sensitive Information Type
Think of sensitivity labels like tags that you put on different things to show how sensitive or important they are. These labels help you organize and protect your stuff.
In Power BI, these labels are used to sort data from not-so-secret to super-secret. When you set up rules for Data Loss Prevention (DLP) in Power BI, you can make these rules check if a dataset has a certain sensitivity label. These labels can be put on by a person or automatically by a computer program.
Here are some situations where you might use a DLP rule with a sensitivity label:
Regulatory Compliance: If you have a label for data that needs to follow a specific law, you can make a rule to tell your security team when someone uses that label on a dataset in Power BI.
Reminders: Let's say you have a label for super-secret data. You can use a rule to remind people about how to handle this data properly when they look at it in Power BI.
Sensitive Info Types (SITs)
Not all data is the same. Some data is super-secret, like personal ID numbers, while other data is less sensitive, like the names of cities. These sensitive information types (SITs) help you figure out which data needs extra protection.
Some examples of SITs are things like credit card numbers or health information. Depending on what your company does, you might not use all of them.
SITs work by looking for specific patterns in text. For example, they can find the pattern of a credit card number in a bunch of text.
You can use the ones that Microsoft already set up, or you can make your own if you have special data patterns. For example, if your company has a special employee ID number format, you can make an SIT for that.
Once you set up an SIT, your DLP rules will use it to check datasets in Power BI. They look for these SITs when data is uploaded or updated.
Here are some cases where you might use DLP rules with SITs:
Regulatory Compliance: If there are rules about how certain types of data should be handled, you can set up a rule to tell your security team if they find this data in Power BI.
Internal Rules: Sometimes, you might want to remind people about special data types. You can make a rule to send a message when someone looks at this data in Power BI.
What happens when a DLP Rule Finds a problem?
Once you've figured out how to use sensitivity labels and SITs with DLP (Data Loss Prevention) for your work, the next thing to think about is what happens when a DLP rule finds a problem. Usually, it means letting the user know.
These notifications for DLP rules are called "policy tips. They are handy when you want to give your users more help and information while they're doing their regular work. Users are more likely to understand and pay attention to these tips if they are:
Specific: The message is directly related to the rule, so it's easier to understand.
Actionable: It offers a suggestion about what the user should do or how to get more information.
In Power BI, where you work with data, these notifications show up in the dataset settings and at the top of the dataset details page in the data hub. For example, you might see a notification saying, "This data contains credit cards, which aren't allowed in Power BI according to the Data Classification, Protection, and Usage policy."
You can make different rules for each DLP policy, and each rule can have its own policy tip that appears for users.
Let's look at an example: Imagine you're using DLP in Power BI to find financial data in datasets. You have two rules:
Rule 1: This rule finds credit card numbers, and the message tells users that it's not allowed.
Rule 2: This rule finds sensitive financial info, and the message says it needs the "Highly Restricted" label.
Rule 1 is more serious and needs immediate attention, while Rule 2 is more informative. When things are really urgent, you can set up alerts for administrators.
When deciding what notifications to show users, it's best to focus on the really important ones. Too many notifications can be overwhelming, and some might get ignored.
Users can also take action. They can report a problem if they think the DLP rule made a mistake (a false positive), or they can sometimes override the rule. These features help users and security administrators talk to each other about DLP in Power BI.
Alerting is like sending a signal to the boss (administrator) when something important happens because of the DLP rules. When you make DLP rules, you should think if you want alerts to be sent.
You use alerting when you want to:
Tell the security and compliance administrators that something happened because of DLP. You can also send an email to some specific people if you want.
Get more details about what happened.
Ask someone to check what happened.
Keep track of what's happening or leave notes about it.
See other alerts made by the same person.
Each alert can be labeled as low, medium, or high urgency. This helps decide which alerts are more important.
Here are two examples of when alerts can be used:
Example 1: You made a DLP rule to find financial data in Power BI datasets. You have two rules:
Rule 1: Find credit card numbers. It sends a high-urgency alert and an email.
Rule 2: Find financial accounts. It sends a high-urgency alert.
Example 2: You made a DLP rule for a special label in Power BI. It doesn't send a message to users. In this case, you may not want an alert because you just want to keep a record. If you need to, you can get more info from the activity explorer.
When you need an email alert, usie a special email group, like "Security and Privacy Admin Alerting."
Workspaces in Scope:
DLP rules in Power BI are meant for datasets. They look at datasets in Premium workspaces.
You can set up DLP rules for all Premium workspaces or choose some and leave others out. For example, you might not want to check certain workspaces that have test data and aren't risky. Or, you might make different rules for test workspaces.
Choose Workspaces for DLP
Decide which Premium workspaces need DLP rules: Think if all of them should have DLP or just some.
Write down which workspaces get DLP: Keep a record of which workspaces get DLP and why.
Connect DLP rules with workspace rules: If needed, update your workspace rules to include DLP details.
Think about other important places: Besides Power BI, check if you need DLP rules for files in OneDrive or SharePoint.
How to Create a DLP Policy for Power BI?
Here's a step-by-step guide on how to create a DLP (Data Loss Prevention) policy for Power BI:
STEP 1: Go to "Microsoft Purview Compliance Portal".
STEP 2: In the left side panel, click on "Data loss prevention".
STEP 3: Now, click on "Policies".
STEP 4: Click on "+ Create policy" to create a new DLP policy.
STEP 5: From the categories, choose the "custom" category.
STEP 6: After that, select the "Custom policy" template.
STEP 7: Click "Next".
STEP 8: Here enter the name and description of your DLP policy. Click "Next".
STEP 9: Now, click on "+ Add or remove admins units" to add admin unit pages. Click "Next".
Assigning admin units in a DLP policy in Microsoft Fabric allows you to specify which users or groups will be able to manage the policy. This can be useful for delegating DLP management to specific teams or individuals, or for restricting access to certain DLP policies to authorized personnel.
STEP 10: From the list, you have to turn on the toggle for "Power BI" as a location to apply the DLP policy. Click "Next".
By default, the policy will be applied to all the workspaces. But, you can manually apply to a particular workspace by searching the workspace in the search bar.
STEP 11: Now, select "Create or customize advanced DLP rules". Click "Next".
STEP 12: Customize advanced DLP rules page will appear. Click on "+ create rule" to create a new rule.
Now, enter the details:
Actions (not supported for Power BI)
In the Conditions section, you define when the rule should apply to a dataset. You can make simple or complex conditions.
Click on "+ Add condition" to create a condition.
Before creating a condition, toggle on the "Quick summary" to get a simple sentence that tells you what the rule does.
You will get the option to check for
Sensitive Info Types
When you will select any option, you will get the list of options. See the below image.
If you select a Sensitive Info Type, you need to specify how many times it should appear to trigger the rule. You can also set the confidence level.
You can add more labels or info types to the same condition group. You can say if it should match "Any of these".
If any one of the sensitivity labels in a group matches the data being tested, then the group is considered to be a match.
For example, if you have a group of sensitivity labels, such as "Credit Card Number", "Social Security Number", and "Medical Record", and you test a piece of data against that group, then if the data contains any of those sensitivity labels, the group is considered to be a match.
You have the flexibility to make multiple groups of conditions, and you can decide how they work together using either "AND" or "OR" logic.
Here's an example: Imagine you have a rule, and in that rule, you create two groups of conditions. These groups work together using "OR" logic, which means that if either of the groups is true, the rule as a whole is considered true.
In the above step, you turned on the "Quick summary". See the below image, you will get a quick summary of the rule that you have created.
In the User Notifications section, you can configure a policy tip. You can turn on notifications, select who should be notified, and write the message to users.
If you turn on user notifications, dataset owners can respond to violations. You can set options like
Allowing overrides from M365 services
Requiring a business reason for overrides
Override the rule automatically if they report it as a false positive
Assign a severity level for alerts generated by this policy. You can decide who gets email notifications and when they should be sent.
STEP 13: Click "Save".
Creating a Data Loss Prevention (DLP) policy for Power BI in Microsoft Fabric is a critical step in safeguarding sensitive data. This article explored the importance of DLP policies, their benefits, and how they function within the Microsoft ecosystem. It also covered data sensitivity, DLP responses to potential issues, and offered a guide for creating Power BI-specific DLP policies.
This knowledge empowers organizations to protect their data effectively within the Microsoft Fabric environment, emphasizing the need for ongoing policy review and refinement to maintain strong data security.