Use Case - Data Classification to Invoke User-based Data Loss Prevention for Cloud Created Content
Recommended Implementation Details
Scenario: Data being created or manipulated in the cloud by users is classified, based on content and identity, by the data classification application and securely downloaded via the Cloud Access Security Broker (CASB), which inspects the content for appropriate use. If the content is not allowed to be used, the CASB responds according to policy.
Description: The Cloud Access Security Broker integrates with the Data Loss Prevention (DLP) system and its policy engine. It uses this integration to tie a user who attempts to interact with a document classified by the data classification technology to policy. If that user is inappropriately interacting with that document, the CASB responds appropriately.
IDSA Security Controls
Success Criteria
  1. Document has been successfully classified using metadata markings
  2. DLP engine successfully detects requests to manipulate marked documents
  3. Sensitive documents are only allowed to be accessed and manipulated by authenticated users when explicitly allowed
  4. Sensitive documents violating DLP rules in the CASB are quarantined for analysis
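The decision flow the Description and Success Criteria sketch, as an added example (not code from the IDSA page or from any CASB or DLP product): the classification labels, the controlled actions, the user entitlements and the quarantine store are all constructed here for illustration.

```python
from dataclasses import dataclass, field

# Constructed DLP policy: which metadata markings count as sensitive and
# which user actions on a marked document the CASB must evaluate.
SENSITIVE_LABELS = {"confidential", "restricted"}
CONTROLLED_ACTIONS = {"download", "share", "edit"}


@dataclass
class Document:
    name: str
    metadata: dict = field(default_factory=dict)  # classification markings live here


@dataclass
class User:
    user_id: str
    authenticated: bool
    entitlements: set = field(default_factory=set)  # explicit (label, action) grants


def classify(document: Document, label: str) -> Document:
    """Criterion 1: the classification application marks the document with metadata."""
    document.metadata["classification"] = label
    return document


def dlp_detects(document: Document, action: str) -> bool:
    """Criterion 2: the DLP engine flags requests that manipulate a marked document."""
    return (document.metadata.get("classification") in SENSITIVE_LABELS
            and action in CONTROLLED_ACTIONS)


def casb_decide(user: User, document: Document, action: str, quarantine: list) -> str:
    """Criteria 3 and 4: tie the identity to policy; allow only authenticated users
    with an explicit grant, otherwise quarantine the request for analysis."""
    if not dlp_detects(document, action):
        return "allow"                      # unmarked content or uncontrolled action
    label = document.metadata["classification"]
    if user.authenticated and (label, action) in user.entitlements:
        return "allow"                      # explicitly allowed for this label/action
    quarantine.append({"user": user.user_id, "doc": document.name,
                       "action": action, "label": label})
    return "quarantine"


def run_demo() -> tuple:
    """Constructed sample: one entitled user, one unauthenticated user, one plain document."""
    quarantine: list = []
    report = classify(Document("q3-forecast.xlsx"), "confidential")
    memo = Document("lunch-menu.txt")       # never classified, so DLP does not match
    alice = User("alice", True, {("confidential", "download")})
    mallory = User("mallory", False)
    d1 = casb_decide(alice, report, "download", quarantine)   # allow: explicit grant
    d2 = casb_decide(alice, report, "share", quarantine)      # quarantine: no grant
    d3 = casb_decide(mallory, report, "download", quarantine) # quarantine: unauthenticated
    d4 = casb_decide(mallory, memo, "download", quarantine)   # allow: unmarked document
    return (d1, d2, d3, d4, len(quarantine))
```

A real deployment would read the marking from the file's metadata (for example a label stamped by the classification tool) and the entitlements from the identity provider; this block stands in for both with inline data.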