Use Case - Data Classification to Invoke User-based DLP for Uploaded Content
Recommended Implementation Details
Scenario
Data created or manipulated locally by users is classified, based on its content and on the user's identity, by the data classification application and is then securely uploaded via the Cloud Access Security Broker (CASB), which inspects the content for appropriate use. If the content is not allowed to be used, the CASB responds according to policy.
Description
The Cloud Access Security Broker integrates with the Data Loss Prevention (DLP) system and its policy engine. It uses this integration to tie a user who attempts to interact with a document classified by the data classification technology to policy. If that user interacts with the document inappropriately, the CASB responds appropriately.
IDSA Security Controls
Actions
Success Criteria
  1. Document has been successfully classified using metadata markings
  2. DLP engine successfully detects requests to manipulate marked documents
  3. Sensitive documents are only allowed to be accessed and manipulated by authenticated users when explicitly allowed
  4. Sensitive documents violating DLP rules in the CASB are quarantined for analysis
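The following is an added illustration, not part of the IDSA use case text, of how a CASB-side policy check can tie a user's identity to a document's classification markings and produce the outcomes listed in the success criteria. The marking values, user identifiers, document names and the choice to deny unclassified content are all constructed assumptions.

```python
from dataclasses import dataclass, field

SENSITIVE = {"Confidential", "Restricted"}   # constructed marking values

@dataclass
class Document:
    name: str
    metadata: dict          # markings written by the classification application

@dataclass
class User:
    user_id: str
    authenticated: bool

@dataclass
class Policy:
    # explicit allow list: marking -> user ids permitted to manipulate such documents
    allowed: dict = field(default_factory=dict)
    events: list = field(default_factory=list)   # DLP detection / quarantine log

def classification_of(doc: Document):
    """Criterion 1: return the document's classification marking, or None if unmarked."""
    return doc.metadata.get("classification")

def evaluate(user: User, doc: Document, action: str, policy: Policy) -> str:
    """CASB decision ('allow', 'deny' or 'quarantine') for a user action on a document."""
    marking = classification_of(doc)
    if marking is None:
        # Assumption: content without any marking is held back until it is classified.
        policy.events.append(("unclassified", user.user_id, doc.name, action))
        return "deny"
    if marking not in SENSITIVE:
        return "allow"
    # Criterion 2: every request to manipulate a marked document is detected and logged.
    policy.events.append(("marked-access", user.user_id, doc.name, action, marking))
    # Criterion 3: only an authenticated user who is explicitly allowed may proceed.
    if not user.authenticated:
        return "deny"
    if user.user_id in policy.allowed.get(marking, set()):
        return "allow"
    # Criterion 4: a DLP violation is quarantined for analysis rather than silently dropped.
    policy.events.append(("quarantine", user.user_id, doc.name, action, marking))
    return "quarantine"

def sample_policy() -> Policy:
    """Constructed policy: only 'alice' may manipulate Confidential documents."""
    return Policy(allowed={"Confidential": {"alice"}})
```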