cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
New Member

DLP Policies: How to effectively lock down corporate data?

Hello,

 

I have a client with over 5000 users that all use OneDrive for their corporate data.  This corporate data is governed by  company policy.

 

With the addition of Flow for OneDrive, how can I lock down data loss from users creating easy Flows?

Reviewing the DLP policy recommendations here: https://docs.microsoft.com/en-us/flow/prevent-data-loss 

leaves a LOT to be desired.

 

It was easy for me to spin up a demo tenant and set up a Flow to copy all my OneDrive for Business (corporate tenant) to my OneDrive for Business (demo tenant).  Obviously none of the corporate security/legal/dlp/retention/etc policies apply on this second tenant.  The flow can be created from either tenant (another issue).

 

Now this client wants to shut down OneDrive for their corporate data. As great as the vision of Flow is, without the ability to turn it off for a tenant while the product matures is a significant security and legal risk to corporations that take this very seriously.

 

Is there anyway to prevent this from happening and save this client?  Separating services into categories in the flow admin portal does not provide nearly sufficient control.

 

Thanks for your advice.

Brian.

2 REPLIES 2
Community Support
Community Support

Hi @Tokolosh,

 

Have you seen these two docs on DLP:
https://docs.microsoft.com/en-us/flow/prevent-data-loss
https://flow.microsoft.com/en-us/blog/introducing-data-loss-prevention/

 

From the docs we know that we could create DLP policy to define which consumer services data may be shared with. You could create a DLP policy if you are a tenant and environment admin.

 

Best regards,
Mabel Mao

 

Community Support Team _ Mabel Mao
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Thank you for taking the time to respond Mabel!

 

Unfortunately I'm not convinced that these controls give nearly sufficient control to be deemed as "Data Loss Policies".  I would love to talk to the team that implemented this to understand how they managed to convince the MS legal team that this meets the requirements to be classified as such.

 

What if you are the IT administrator, and you decide that you want to lock down access to a users email and onedrive account? You  would probably implement MFA for 2 factor authentication.

 

Lets say that a users accidentally clicks on a link and their password is comprimised without them knowing.  Implementing MFA prevents the users information getting into the wrong hands.  Unfortunately, MFA is NOT implemented in flow.  This hackor could set up a O365 tenant with Flow (Plan 2) and use the comprimised users credentials to copy emails to another email ("same service" as far as flow is concerned as it allows multiple tenants) or onedrive content to another onedrive or attachments to onedrive....  there are literally thousands of options.

 

My questions are:

1. How, as an IT Admin do I determine that a users account has been comprimised/beings used as a connection in ANY flow be it by my tenant or another tenant?

2. How can I lock down a users Email/OneDrive to prevent flow from accessing ANY corportate data.  I don't care about "services", I just don't want access unless it is between MY tenant's email and MY tenant's onedrive.

 

 

My testing has shown this:

0. SETUP: Tenant A [Source]; Tenant B [Target].  

 

--- Play the role of the bad guy and I control Tenant A and have login for user at Tenant B.

1. Log into Tenant A (with Flow 2)

2. Create a connection to TenantB.ComprimisedO365Login

3. Create a flow to copy data and emails to TenantA

4. Result: I get a complete copy of Comprimised Users emails/OneDrive

 

--- Play the rold of the good guy to catch the bad guy

5. Log into Tenant B playing the Role of "IT Admin"

6. Try to see the data loss from the above scenario --- no indications

7. Change Flow DLP policies -- flows from steps 3 continue to run as I only used single connection sources in my flow

8. Ran all the security/reports/Azure AD lockdowns/etc... still information is copied to bad guy and there is no indication that data loss is occurring

 

 

I hope that I'm doing something wrong and that there is a simple way to prevent and detect data loss from Flow.

 

Thanks everyone!

 

Helpful resources

Announcements
Community Conference

Power Platform Community Conference

Check out the on demand sessions that are available now!

Power Platform ISV Studio

Power Platform ISV Studio

ISV Studio is designed to become the go-to Power Platform destination for ISV’s to monitor & manage published applications.

Users online (4,558)